Romania: implementation of the GDPR – law no. 190/2018

In Romania, law no. 190/2018, and thus the national implementation of the GDPR, took effect as of 31/07/2018. In comparison with other EU countries, law no. 190/2018 was rather short.

Obligation to appoint a data protection officer (DPO)
The law is not clear about whether and to what extent a DPO must be appointed, and in this context merely refers to the GDPR.

According to Art. 37 GDPR, a DPO must be appointed if the core activity of the enterprise in question comprises:

  • the execution of processing operations that require extensive regular and systematic monitoring of data subjects based on their nature, scope and/or purposes;
  • the extensive processing of special categories of data or personal data on criminal convictions and offences.
  • As the majority of enterprises do not have the dissemination of special categories of data or criminal convictions as core activities, it is generally relevant to check that the prerequisites mentioned under 1 are met.

Because the law of 190/2018 contains no further clarifications, the general understanding is to be used, according to which the prerequisites are met if personal data is processed on a large scale or there is a large number of data subjects.

If the prerequisites for appointing a DPO are met, the latter must be registered using a standard form of the Romanian data protection authority. Even if there is the possibility of the appointment of a joint group DPO for the entire group of undertakings, previous (short) practice has shown that the Romanian data protection authority is not favourable to the appointment of a foreign DPO, and prefers a local person to be appointed who is fully proficient in the Romanian language. Such a specification is not contained in the GDPR. Furthermore, in some cases in which the prerequisites for the appointment of a DPO were not met, the Romanian authority has nonetheless requested the appointment of a DPO.

Derogations for authorities
The law 190/2018 provides significantly lower penalties or sanctions for authorities than for enterprises. The maximum penalty in the case of transgressions on the part of authorities is around 200,000.00 lei, (approx. EUR 43,200.00).

Furthermore, the possibility is only provided for authorities to eliminate any data protection breaches within a grace period of up to three months, based on a predetermined resolution plan.

Romanian legislators have made minor use of the European opening clauses. On the other hand, exceptions for public authorities that were not very meaningful were included in the national regulations. To what extent these regulations will last also in consideration of EU law remains to be seen.

Authors: Helge Schirkonyer & Mihai Turcu