New Data Privacy Rights for Romanian Citizens, GDPR

Romania’s Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) or Law No. 190/2018 for short is a data protection law that was passed in 2018. Law No. 190/2018 was passed for the purposes of implementing the provisions of the General Data Protection Regulation or GDPR for short into Romanian law, in accordance with a provision within the EU’s GDPR law that required member states to enact national legislation in conjunction with said law. Subsequently, Law No. 190/2018 establishes the obligations and responsibilities that data controllers and processors operating within Romania have as it concerns data processing activities within the country, as well as the punishments that can be imposed for failing to adhere to these obligations and responsibilities.

What is the scope and application of Romania’s Law No. 190/2018?

In terms of the scope and application of Law No. 190/2018, the personal scope of the law applies to all data processing activities that occur within the country of Romania, irrespective of whether said activities are conducted by private or public entities. Alternatively, the territorial scope of the law applies to “processing operations undertaken in the territory of Romania or by controllers/processors headquartered in Romania.” Moreover, the material scope of the law “sets derogatory rules for the processing of particular types of data or specific data purposes/operations”, which include certain regulations concerning the collection and processing of personal data regarding employees, biometric data, and health data, among other things.

What are the variations between Romania’s Law No. 190/2018 and the EU’s GDPR law?

The provisions set forth by Romania’s Law No. 190/2018 are largely identical to those that were established in the EU’s GDPR law. However, there are some differences between the two pieces of legislation as it concerns the requirements of data controllers and processors within Romania, as well as the rights of Romanian citizens. For instance, as it relates to data retention, the law states that “controllers are under the obligation to delete or proceed to the anonymization of traffic data pertaining to users and subscribers when such data are no longer necessary for the communication, but no later than three years from the communication date.” Another way in which the two laws differ are the requirements regarding special categories of personal data.

Under Romania’s Law No. 190/2018, “the processing of special categories of data, where such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, may only be carried out if the controller or the third party has implemented the following safeguards:”

• Technical and organizational measures to ensure that such processing is carried out in accordance with the principles set out in Article 5 of the GDPR, in particular, the data minimization as well as integrity and confidentiality principles;
• If necessary, have appointed a DPO; and
• Have set up storage periods in accordance with the nature of the data and the purpose of the processing, as well as specific terms for data erasure or revision for deletion.

What are the rights of Romanian citizens under Law No. 190/2018?

Under Law No. 190/2018, Romanian citizens are entitled to a number of rights as it relates to the protection of their personal data and privacy. These rights include but are not limited to the right to access, the right to rectification, the right to data portability, and the right to restrict the processing of personal data. However, Law No. 190/2018 does set forth certain conditions and circumstances under which the rights of Romanian citizens may be derogated. For example, the right to be informed of data processing activities does not apply to personal data regarding criminal investigations, national security issues or concerns, the rights and freedoms of other Romanian citizens, or factors regarding public safety or order.

In terms of penalties relating to noncompliance with the law, Law No. 190/2018 is enforced by Romania’s National Supervisory Authority for Personal Data Processing, or the ANSPDCP for short. As such, data controllers and processors within Romania who violate the provisions of the law are subject to the following punishments, sanctions, and monetary penalties:

• A warning.
• Corrective measures.
• An administrative fine ranging from RON 3,000 ($703) to RON 2 million ($468,016), depending on both the severity and scope of the violation in question, as well as if the party or parties involved are repeat offenders.
• A fine of up to €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, to a fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.

Romania’s Law No. 190/2018 Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) stands are the foremost means by which the personal data of Romanian citizens is granted data protection. What’s more, as the law both implements the provisions of the EU’s GDPR law and also establishes national variations that are pertinent to the data collection and processing landscape within the country of Romana, Romanian citizens are provided with personal privacy protection in a number of different ways. As such, said citizens will have a number of means by which they can pursue compensation and ultimately justice, should their rights be infringed upon at any time.