Romania: Milestone decision of the Romanian data protection authority


The National Supervisory Authority for Personal Data Processing (“ANSPDCP”) has recently issued a landmark decision regarding categories of personal data and the obligation of data controllers to notify the supervisory authority, which eliminates most of data processing cases requiring prior notification and/or approval of ANSPDCP and clearly sets forth new criteria for companies to reassess their data protection policies. This decision fits within the wider context of data protection reform at EU level, considering that on 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonized data protection framework across the EU.

In line with this reform, ANSPDCP’s decision is meant to ease the administrative burden of the authority, which now should focus mainly on sensitive data processing and cross-border transfers outside EU.