Romanian Data Protection Authority issues draft regulation on mandatory privacy impact assessments
The Romanian National Authority for the Supervision of Personal Data Processing (the “RDPA”) has recently issued a draft proposal (the “Draft Regulation”) for secondary legislation regulating which cases of personal data processing will require mandatory privacy impact assessments (“PIAs”).
Under the Draft Regulation, the following cases of personal data processing will require performance of a PIA by the data controller:
- the processing of personal data for the purposes of a systematic and comprehensive evaluation of personal aspects of an individual, which is based on automated processing of personal data (including profiling) and which serves as the basis for a decision which has a legal effect on or similarly significantly affects such individual;
- large scale processing of personal data related to racial or ethnic origin, political opinions, religious beliefs, philosophical convictions, trade union membership, genetic data, biometric data, health data, data regarding sexual life or data relating to criminal convictions or offences;
- the processing of personal data for the purposes of large scale monitoring of public areas, such as video surveillance in public areas (including access ways, parks, markets or similar areas);
- large scale processing of personal data by using innovative technological solutions or new automated technical solutions, especially where such processing restricts the data subjects’ ability to exercise their rights (such as face recognition techniques used to permit access in various locations);
- large scale processing of personal data generated through IoT (Internet of Things) connected devices (such as smart TVs, connected cars, smart meters, smart toys or similar applications), for the purposes of evaluating the economic situation, health, preferences or personal interests, solvency or behaviour of the data subjects, or the geographic location thereof;
- large scale or systematic processing of telephony, Internet or other communication data, including metadata and any geolocation or tracking data in relation to individuals (such as Wi-Fi tracking, geolocation of passengers on public transport or similar situations), to the extent the processing is not strictly necessary for the purposes of providing a service at the request of the data subject.
Once adopted by the RDPA, the Draft Regulation will be published in the Official Gazette, at which point it will enter into force.
For further information in relation to the above, please contact Cristina Popescu.