Data protection in Romania: overview
A Q&A guide to data protection in Romania.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
Directive 95/46/EC on data protection was implemented by Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data (DPL).
The following sectoral laws apply:
Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (Romanian E-Privacy Law), which implemented Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive).
Law No. 365/2002 on electronic commerce (Romanian E-commerce Law), which implemented Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Electronic Commerce Directive).
Scope of legislation
The DPL applies to:
Data processing activities performed in Romania by natural or legal persons from the public or private sector, whether Romanian or foreign.
Foreign entities, where the means used for data processing activities (such as the server) are located within Romania, unless these means are used for transit purposes only.
The Romanian E-Privacy Law applies to electronic communications providers that process personal data within their business activity. The Romanian E-commerce Law applies to suppliers of information society services located in Romania.
The DPL regulates personal data, which is defined as any information regarding an identified or identifiable natural person. An identifiable natural person is a person who can be identified either directly or indirectly, particularly by reference to an identification number or to one or more factors specific to his physical, physiological, psychological, economic, cultural or social identity.
Personal data is classified into two categories:
Ordinary personal data, which includes:
date of birth;
Sensitive personal data (see Question 11).
The DPL applies to Romanian data controllers and foreign data controllers performing data processing operations in Romania (see Question 2).
Process. Data controllers must, either personally or through an agent, file a notification with the National Supervisory Authority for the Personal Data Processing (DPA) before engaging in any data processing operations (Article 22, DPL).
The notification form must be filled in and submitted online. Then the first page of the notification form must be printed, signed and stamped by the legal representative of the controller, and transmitted in hardcopy to the DPA within 30 days.
Following notification, the data controller is given a four digit data controller number and registered in the National Registry of Data Controllers, which is available on the DPA's website. This number must appear in all official documents of the data controller.
Contents. A precise form of notification has been prescribed by the DPA, which is available online at www.dataprotection.ro/notificare/ (Romanian version only).
The notification must contain the following information:
The name and address of the data controller.
The purpose of processing.
The categories of data subjects.
The personal data that are being processed.
The recipients of personal data.
The manner in which data subjects are informed of their rights.
Details concerning any international data transfers.
A general description of security measures.
The location of the server where personal data is being stored.
Data controllers must also file a template of the consent form that will be signed by data subjects as well as the data processing security measures attached to the notification.
In cases involving the transfer of personal data to a country that is not considered to provide "adequate" protection by the European Commission, the data controller may also be required to file an agreement concluded with the data importer (see Question 20).
If the notification form is incomplete, or if the DPA deems it necessary, it may request further information or clarifications from the data controller.
Exemptions. The DPA has exempted certain data processing activities from the notification requirement, including:
Data processing activities for human resources and economic and financial management purposes, provided that personal data is not transferred outside Romania.
Data processing activities relating to participants at conferences, seminars and other similar events provided they are performed solely for these purposes.
Personal data processing activities of self-employed individuals, authorised to perform an independent activity based on a special law (for example, Law No. 51/1995 on the organisation and exercise of the lawyers' profession, and Government Ordinance No. 71/2001 on the organisation and exercise of tax consultancy activities).
Personal data processing performed for the purpose of lending books, cinematographic works, other audio-visual works by public and private entities or for real estate intermediary operations.
The authorisation of the DPA is required for both:
The processing of sensitive data.
International data transfers to third countries (that is, a country which is not considered by the European Commission to provide "adequate" protection).
Main data protection rules and principles
Main obligations and processing requirements
Data controllers must comply with the following main obligations (Articles 4-20, 22, 29, 30, DPL):
The processing of sensitive personal data is generally prohibited (see Question 10), unless:
the data subject has expressly given his prior consent; or
processing is necessary for the protection of life, physical integrity or a public interest.
All processing must be done in good faith.
Personal data must be processed for explicit, well-determined and legitimate purposes.
Personal data must be adequate, pertinent, proportional and non-excessive by reference to the purpose of processing.
Personal data must be up to date.
Data controllers must adopt the necessary measures to remove or rectify any inaccurate personal data.
Data controllers must inform data subjects of their rights (see Question 13).
Data controllers must ensure the confidentiality of processed data.
Data controllers must take the appropriate technical and organisational measures to ensure the confidentiality and security of the processed data.
Data controllers must obtain the data subject's express and unequivocal consent before engaging in data processing activities (Article 5 paragraph 1, DPL), except in certain cases where consent is not required (see Question 10). Implied or inferred consent is not sufficient.
Although the DPL does not provide any specific requirements in relation to minors, the general principles of the Civil Code apply as follows:
As a general principle, minors (that is, persons below the age of 18) do not have full legal capacity and therefore cannot conclude disposition acts (Romanian act de dispoziţie) in their own name (Article 43 paragraph 3 and Article 41 paragraph 3 related to Article 38, Civil Code). Persons aged 14 to 18 have a limited capacity of exercise that allows them to conclude binding legal acts if the prior approval of their parents or legal guardians is obtained (Article 41 paragraph 2, Civil Code).
The provision of personal data by minors to a data controller may be deemed a disposition act under Romanian law. In that case, data controllers must obtain the approval of parents or legal guardians before processing the personal data of minors. The processing of personal data of minors in the context of marketing or online activities is deemed a data processing operation entailing special risks (Decision No. 11/2009 on the categories of personal data likely to present special risks, issued by the President of the DPA). Therefore, under these circumstances, the DPA must authorise the processing of personal data of minors.
Consent is not required from data subjects when one of the following applies (Article 5 paragraph 2, DPL):
The processing is necessary for:
the performance of an agreement to which the data subject is party;
the adoption of certain measures, at the data subject's request, before the conclusion of an agreement;
the data controller's compliance with a legal obligation;
the achievement of a legitimate public interest, which does not prejudice the rights, obligations and interests of the data subject;
the protection of the life, physical integrity, health of the data subject or another person; or
the performance of public interest measures.
The processing relates to personal data contained in publicly accessible documents.
The processing is made exclusively for statistical, historical or scientific research purposes.
Sensitive data includes data relating to, among other things:
Political, religious and philosophical beliefs.
Race and ethnicity.
Health, genetic and biometrical data.
Bank account information (such as personal identification number).
Identity card and passport details.
The processing of sensitive personal data is prohibited (Articles 7-10, DPL), unless either:
The data subject has given express consent.
Processing is necessary for the protection of life, physical integrity or a public interest.
The processing of sensitive personal data is subject to detailed scrutiny by the DPA, especially if the scope of processing is considered excessive. If the DPA believes that data processed falls under the category of sensitive data, it may carry out an audit of the controller (Article 23, DPL). If the controller does not receive an audit notification letter within five days from filing the notification with the DPA, it can proceed with the data processing operations.
Rights of individuals
If personal data is obtained directly from the data subject, the data controller must provide the data subject with the following information:
The identity of the controller and all relevant representatives.
The purposes and duration of processing.
The content of personal data that is being processed.
All information regarding international data transfer operations, including the identity of all recipients of personal data.
The mandatory nature of providing personal data.
The consequences of the refusal to provide data.
The rights of data subjects under the DPL (see Question 13).
If personal data is not obtained directly from the data subject, the data controller must supply the data subject with this information at the moment of collection or when the first disclosure occurs.
Data subjects are granted the following rights under the DPL (Articles 12, 13, 14, DPL):
Right to be informed if their data is being collected, processed, transferred, and so on.
Right to free access to their processed personal data.
Right to intervene over the processed data. More specifically, data subjects are granted the right to amend and update their data, in case such data is incomplete or inaccurate.
Right to object to the processing and to request the deletion of the processed data.
Right not to be subject to an individual decision based on automatic data processing.
Right to apply to a court of law or to the DPA if the data subject's rights have been breached.
Data subjects may exercise the rights of access, intervention and opposition by filing a signed and dated petition with the data controller, which must provide an answer to the data subject within 15 days of receipt.
The minimum data processing security measures are contained in Order 52/2002 regarding the approval of minimum security measures in relation to personal data processing operations (issued by the Romanian Ombudsman), which requires:
Identification and authentication of users. Users must be authorised to access a personal data database. Each user must have his own unique username and password. Passwords must be periodically changed. A minimum of five consecutive unsuccessful password attempts to access IT systems must result in the blocking of that user.
Type of access. Users must only be allowed to access data that relates to their work duties. System programmers must not be able to access personal data, except in exceptional circumstances.
Data collection. Only specially authorised users can collect and process personal data within the controller's IT systems. The IT system must register all access to personal data, including the date and time of access, and the user's identity.
Back-up copies. The controller must ensure that databases containing personal data are backed up. Safety copies must be kept in locations with restricted access.
Training of personnel. Employees must receive proper training on the risks of personal data processing.
Access files. The controller must keep access files, which record all access to personal data, for a minimum period of two years.
Telecommunication systems. The controller must:
periodically check for malfunctions in telecommunication systems;
ensure measures are in place to prevent the transmission or interception of personal data; and
encrypt personal data transmitted by unsecured telecommunication systems.
Computer use. Users must be prohibited from using external or suspicious software. Antivirus software programs must be implemented. Computers and access terminals must be kept within secured areas. Printing data must only be performed by authorised users and should be kept to a minimum.
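The authentication and access-logging controls of Order 52/2002 listed above (unique accounts, blocking after five consecutive failed logins, an access log that records date, time and user identity, and two-year retention of access files), modelled in Python. This is an added example, not code from the article or from any Romanian authority; the 90-day password age and all usernames, passwords and dates are constructed assumptions.

```python
# Added example (not from the article, the DPA or Order 52/2002): a small model of
# the minimum measures listed above. The 90-day password age and all usernames,
# passwords and dates are constructed assumptions.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                   # Order 52/2002: block after five failures
LOG_RETENTION = timedelta(days=2 * 365)   # Order 52/2002: keep access files two years
PASSWORD_MAX_AGE = timedelta(days=90)     # "periodically changed": assumed interval


class PersonalDataStore:
    def __init__(self):
        self._users = {}      # username -> account record
        self.access_log = []  # (timestamp, username, action, outcome)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, now):
        # Each user must have his own unique username.
        if username in self._users:
            raise ValueError("username already exists: %s" % username)
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "digest": self._hash(password, salt),
                                 "failed": 0, "blocked": False, "changed": now}

    def is_blocked(self, username):
        return self._users[username]["blocked"]

    def _record(self, now, username, action, outcome):
        # Register every access with its date and time and the user's identity.
        self.access_log.append((now, username, action, outcome))

    def login(self, username, password, now):
        user = self._users.get(username)
        if user is None or user["blocked"]:
            self._record(now, username, "login", "denied")
            return False
        if not hmac.compare_digest(user["digest"], self._hash(password, user["salt"])):
            user["failed"] += 1
            if user["failed"] >= MAX_FAILED_ATTEMPTS:
                user["blocked"] = True   # fifth consecutive failure blocks the user
            self._record(now, username, "login", "failed")
            return False
        if now - user["changed"] > PASSWORD_MAX_AGE:
            self._record(now, username, "login", "password-expired")
            return False
        user["failed"] = 0               # a successful login resets the counter
        self._record(now, username, "login", "ok")
        return True

    def purge_log(self, now):
        # Entries younger than two years must be kept; returns how many were dropped.
        keep = [e for e in self.access_log if now - e[0] < LOG_RETENTION]
        removed = len(self.access_log) - len(keep)
        self.access_log = keep
        return removed


def demo():
    # Constructed scenario: five bad passwords block "alice"; "bob" has an aged password.
    store = PersonalDataStore()
    t0 = datetime(2012, 6, 1, 9, 0)
    store.add_user("alice", "correct horse battery", t0)
    store.add_user("bob", "staple", t0)
    for i in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "wrong", t0 + timedelta(minutes=i))
    alice_after_block = store.login("alice", "correct horse battery", t0 + timedelta(minutes=5))
    bob_expired = store.login("bob", "staple", t0 + timedelta(days=91))
    return {"alice_blocked": store.is_blocked("alice"), "alice_login_after_block": alice_after_block,
            "bob_login_expired": bob_expired, "log_entries": len(store.access_log),
            "purged_after_three_years": store.purge_log(t0 + timedelta(days=3 * 365))}
```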
Under the DPL, there is currently no requirement to notify personal data security breaches to data subjects or the national regulator.
However, a data breach notification requirement is imposed on providers of electronic communications services (Article 3, Romanian E-Privacy Law). Under this provision, the DPA must be informed without undue delay in the case of a data breach, except where the controller has demonstrated to the DPA's satisfaction that it implemented adequate technological protection measures and that these were actually applied to the personal data affected by the breach.
If the data breach affects data subjects, the controller must also notify the data subjects of the breach without undue delay. Notification to the data subjects must include at least a description of the nature of the personal data breach and the contact persons of the data controller able to provide more information. The data controller must also set out recommendations aimed at mitigating any possible negative outcomes of the breach. In addition, notification to the DPA must include a description of the consequences of the breach and the measures proposed or adopted by the controller to remedy them.
Processing by third parties
A written contract must be in place between data controllers and third party processors, and contain both of the following mandatory clauses (Article 20, DPL):
The processor can only act in accordance with the data controller's instructions.
The data processor must apply appropriate technical and organisational measures to protect processed personal data against accidental or illegal destruction, loss, alteration, disclosure or unauthorised access, especially if the respective processing entails transmission of data through a network.
Based on the provisions of Article 20 of the DPL, the DPA considers that data controllers remain liable to the DPA and data subjects for the data processing operations of processors, regardless of the terms of the contractual arrangement.
As cookies are essentially used to collect personal information that identifies individual users, they trigger the provisions of the applicable data protection legislation. Under the Romanian E-Privacy Law, cookies can only be installed on terminal equipment if the data subject consents on entering the respective website (opt-in). This consent can be given by ticking a box if the accompanying text lists all the mandatory information required by the DPL (especially that relating to the data subject's rights). All information must be easily accessible for data subjects and provided in clear and user-friendly language.
If the provider of electronic communications services allows third parties to store cookies on data subjects' terminals, the information given to data subjects must also include the purpose of the processing of such information by third parties and the manner in which data subjects may adjust their web browser settings to block third parties from accessing information.
The data subject's consent may also be granted through web browser settings or any similar technology (Article 4, Romanian E-Privacy Law).
However, a data subject's consent is not required if the storage of cookies is necessary solely for the purpose of performing a communication via an electronic communications network or when such operations are necessary for the performance of an electronic communications service expressly required by the data subject (Article 6, Romanian E-Privacy Law).
The following are prohibited, unless the recipient gives his express prior consent:
Marketing communications sent by e-mail (Article 6, Romanian E-Commerce Law).
Commercial communications made through automated call systems that do not require the intervention of a human operator (such as fax, e-mail or any other method using electronic communication systems destined for the public) (Article 12 paragraph 1, Romanian E-Privacy Law).
Commercial e-mails must comply with several conditions, including (Article 6, Romanian E-Commerce Law):
They must be clearly identifiable as commercial communications.
The natural or legal entity on behalf of which the communications are made must be clearly identified.
Promotional offers (such as discounts, awards and gifts) must be clearly identifiable, and all relevant conditions must be easily accessible and presented in a clear manner.
Competitions and promotional games must be clearly identifiable as such, and the conditions for participating must be easily accessible and clearly presented.
Failure to comply with the opt-in requirement is punishable by fines ranging between about EUR230 and EUR11,630 (as at 1 June 2012, US$1 was about EUR0.8).
An exception to the opt-in mechanism requirement applies when the controller has obtained the consumer's e-mail address on entering a contractual relationship for the sale of certain products or services (Article 12 paragraph 2, Romanian E-Privacy Law). However, the controller can only use the relevant e-mail address for marketing communications relating to similar products or services marketed by the controller, and must comply with the opt-out conditions (see below, Opt-out requirement).
All commercial communications must grant customers, in a clear and express manner, the possibility to opt out from receiving these communications through a simple and free of charge procedure (Article 12 paragraph 2, Romanian E-Privacy Law).
The opt-out policy must be granted not only at the time the customer's e-mail address has been obtained by the controller, but also each time a message has been sent, in case the customer has not initially opposed but later changes his mind.
Failure to comply with these requirements is qualified as a minor offence and sanctioned with fines ranging from about EUR1,170 to EUR23,300. However, for companies whose turnover exceeds about EUR1.16 million, the amount of the fines can reach up to 2% of the company's turnover.
All commercial communications (including publicity), which directly infringe consumers' rights, are deemed as an abusive or incorrect commercial practice or both (Article 2 paragraph 1 point 22, Government Ordinance No. 21/1992 on consumer protection).
International transfer of data
Transfer of data outside the jurisdiction
The transfer of personal data outside Romania to third parties or within a group of companies (as the DPA has not yet recognised the Binding Corporate Rules) is regulated differently depending on the country of destination:
If the recipient is situated within the EU, the transfer must only be notified to the DPA.
If the recipient is situated in a country outside the EU that does not provide an adequate level of protection, the DPA must approve the transfer. To this end the data controller can file:
a consent form in which data subjects have expressly consented to the data transfer; or
a contract incorporating the standard data processing model clauses approved by the European Commission. (For the avoidance of any doubt, these agreements must be concluded between the data importer and the data exporter in all circumstances, even if the agreement is not ultimately filed with the DPA.)
Data transfer agreements
The authorisation of an international data transfer can be granted on the basis of either:
Data transfer agreements incorporating model clauses approved by the European Commission, if the recipient entity is located outside the EEA.
The data subject's express consent to the transfer.
The DPA may require further clarifications or additional information regarding the controller's international data transfer operations.
The DPA must only approve the data transfer agreement when the transfer is made outside the EU to a third party country whose level of protection has not been considered as "adequate" (see Question 20).
Enforcement and sanctions
The DPA can (Article 21 paragraph 3 letters a) to m), DPL):
Conduct an audit of the data controller's processing operations.
Temporarily suspend data processing activities.
Demand the termination of data processing activities.
Demand the partial or full deletion of the processed data.
File actions in civil courts.
Refer cases to the criminal authorities.
Conduct investigations following complaints or ex officio.
The main sanctions and remedies for non-compliance with data protection laws are:
Fines from about EUR120 to EUR2,325 for:
failing to file a data processing notification;
filing an incomplete notification; or
filing a notification in bad faith.
Fines from about EUR232 to EUR5,800 for:
unlawful data processing; or
failure to comply with the rights of data subjects.
Fines from about EUR3,500 to EUR11,700 for failing to comply with confidentiality and data security measures.
Fines from about EUR230 to EUR3,500 for failing:
to respond to the DPA's queries; or
to submit the required documentation.
The DPA has conducted several investigations in the past few years during which several sanctions (including fines) were applied. The DPA is likely to impose monetary fines where data controllers fail to comply with specific warnings and recommendations.
The regulatory authority
National Supervisory Authority for Personal Data Processing (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) (DPA)
Main areas of responsibility. The DPA:
Manages the National Registry of Data Controllers.
Analyses the notification form submitted by data controllers and authorises data processing operations, according to Data Protection Law.
Initiates legislative proposals or provides comments regarding any normative rules affecting personal data.
Co-operates with other national and international authorities.
Sanctions data controllers in the case of breaches of data processing legal requirements.
DLA Piper Romania
Qualified. Romania, 1999
Areas of practice. Intellectual property; data protection; corporate law; mergers and acquisitions.
- Advising pharmaceutical companies, banking institutions, hotels, leisure and entertainment operators in relation to their registration process as data controllers with the Data Protection Authority and other regulatory aspects.
- Advising companies operating in the E-Commerce sector in relation to regulatory compliance.
- Advising gambling operators in relation to online gambling regulatory issues.
DLA Piper Romania
Qualified. Romania, 2009
Areas of practice. Intellectual property; data protection; corporate law.
- Advising pharmaceutical companies, banking institutions, hotels and leisure and entertainment operators in relation to their registration process as data controllers with the Data Protection Authority and other regulatory aspects.
- Advising companies operating in the E-Commerce sector in relation to regulatory compliance.
- Advising gambling operators in relation to online gambling regulatory issues.