
Data Law Navigator | Romania

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last updated April 2020

Risk scale

Risk Scale Green

For the time being, the RDPA (although relatively active) has not seemed inclined to issue material fines for breaches of data privacy. There is no guarantee that this approach will continue to be preferred.

Laws 

As an EU Member State, Romania complies with the GDPR, which is directly applicable. To align existing data protection legislation with the GDPR, Law no. 190/2018 was issued.

In addition, the Romanian Data Protection Authority (“RDPA”, see below) has issued secondary legislation, regulating mainly:

  1. data breach notification (RDPA Decision no. 128/2018);
  2. handling of data privacy complaints (RDPA Decision no. 133/2018);
  3. data privacy investigations (RDPA Decision no. 161/2018);
  4. data processing operations which require a mandatory data privacy impact assessment (RDPA Decision no. 174/2018).

Authority

Romanian National Supervisory Authority for Personal Data Processing

Anticipated changes to law

None.

If applicable: stage of legislative implementation of GDPR

Not applicable – GDPR is directly applicable and enforceable in Romania. Following the entry into force of the GDPR, the existing privacy legislation was reconciled with the GDPR, as per Law no. 190/2018. 

If applicable: local derogations as permitted by GDPR 

In principle, local regulations are in line with the GDPR.

RDPA Decision no. 174/2018 sets out data processing operations which require mandatory DPIA. These include:

  1. systematic and comprehensive assessment of personal aspects based on automated processing (including profiling), which serves as the basis of decisions producing legal effects regarding the data subject or which affect the data subject in a similar way;
  2. large scale processing of personal data regarding race or ethnicity, political opinions, religious or philosophical beliefs, trade union affiliation, genetic or biometric data, health data, sex life or sexual orientation, or of personal data related to criminal convictions or criminal offences;
  3. large scale systematic monitoring of public areas;
  4. large scale processing of data related to vulnerable individuals (especially minors and employees), through automated monitoring/systematic recording of behaviour;
  5. large scale monitoring of personal data through the use of innovative or new technologies (such as facial recognition), especially where the data subject’s ability to exercise his or her rights is limited as a result;
  6. large scale processing of personal data generated by equipment or devices transmitting data via the Internet (e.g. IoT applications);
  7. large scale and/or systematic processing of traffic and/or location data related to individuals, where processing is not necessary for the performance of a service at the request of the data subject.

Scope

Romanian data privacy regulations have a similar scope to the GDPR.

Penalties/enforcement

The RDPA has only set particular penalties for specific GDPR breaches for data controllers in the public sector (i.e. public authorities/institutions). For all other data controllers, the GDPR limits apply. 

For public institutions/authorities, Law no. 190/2018 provides for a maximum threshold of RON 200,000 in fines for GDPR-related breaches. 

Registration / Notification 

Registration/notification applies as per the GDPR (e.g. for notification of the DPO to the RDPA). No additional local rules apply. 

Main obligations and processing requirements

Same as per the GDPR. 

Data subject rights

Same as per the GDPR. 

Processing by third parties

Same as per the GDPR. 

Transfers out of country

Same as per the GDPR. 

Data Protection Officer

Same as per the GDPR. 

Security

Same as per the GDPR. 

Breach notification

Same as per the GDPR. 

The template format of the data breach notification is as set out in RDPA Decision no. 128/2018.

Direct marketing

Same as per the GDPR.

Cookies

Same as per the GDPR and the ePrivacy Directive.

Cyber Security

Risk scale

Risk Scale Orange

Laws and regulations

Law no. 362/2018 on ensuring a high common level of security of network and information systems (transposing the NIS Directive)

Order no. 599/2019 approving the Methodological Norms for identifying operators of essential services and digital services providers

Order no. 600/2019 approving the Methodological Norms for the operation of the Registry of operators of essential services

Order no. 601/2019 approving the Methodology for determining the significant disruptive effect of security incidents in networks and information systems of operators of essential services

Government Decision no. 271/2013 approving Romania’s cyber security Strategy and Action Plan for the implementation of the National Cyber Security System

Government Decision no. 494/2011 setting up CERT-RO (the National Cyber Security Incident Response Centre)

Anticipated changes to law

None.

Application

Similar to the NIS Directive, Romanian cyber security legislation applies to operators of essential services and digital services providers, defined as follows:

  1. Operators of essential services – operators in a number of sectors of the economy (i.e. energy, transport, banking and financial markets, healthcare, water, digital infrastructure) which meet the following conditions: (a) they provide a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; and (c) an incident would have significant disruptive effects on the provision of that service.
  2. Digital services providers – any legal entity providing a digital service, i.e. (a) an online marketplace; (b) an online search engine; or (c) a cloud computing service.

Authority

CERT-RO (the Romanian National Cyber Security Incident Response Centre).

Key obligations 

In line with the NIS Directive.

Penalties/enforcement

Breaches of Romanian cyber security legislation are sanctioned by a fine ranging from 3,000 to 50,000 RON or up to 100,000 RON for repeated breaches.

For companies with a turnover exceeding 2 million RON, the fine ranges from 0.5% to 2% of the turnover, or even up to 5% of the turnover in case of repeated breaches.

For newly set up entities (without a reference turnover in the last approved/published financial statements) the fine ranges from 1 to 25 times the minimum wage. Penalties apply, inter alia, for:

  1. failure to notify oneself for the purposes of registration in the Registry of operators of essential services;
  2. failure to respond to requests for information from CERT-RO;
  3. failure to implement measures imposed by CERT-RO to remedy deficiencies in cyber security;
  4. failure to implement measures for ensuring the minimal security requirements;
  5. failure to implement adequate measures to prevent and mitigate the impact of cyber security incidents;
  6. failure to notify cyber security incidents or delayed notification;
  7. refusal to submit oneself to a CERT-RO audit.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes, CERT-RO (the Romanian National Cyber Security Incident Response Centre).

Is there a national incident management structure for responding to cyber security incidents?

Same as above.

Other cyber security initiatives 

eCSI – an initiative by CERT-RO to enhance national cyber security services and capabilities (co-financed by the EU under the Connecting Europe Facility). The Project objectives are:

  1. creating a National Cyber Services Platform at the level of CERT-RO to enhance its technical capabilities in the management of cyber security incidents;
  2. creating a National Cybersecurity Call Centre for processing cyber security incidents/notifications;
  3. creating a Digital Forensic and Malware Analysis Lab.


Authors

Cristina Popescu
Senior Counsel and Head of CEE Insurance Practice Group
Bucharest