Romania: New rules on personal data protection
A few days ago, the European Union adopted the General Data Protection Regulation (that will often be referred to in its abbreviated form, GDPR, in the future). This Regulation with direct applicability in Romania will replace the existing EU Directive in less than two years, on May 25th 2018.
The new legislation is quite extensive, and compared to the current Romanian data protection regulation, which has been operating for 15 years without any major changes, GDPR will bring many revolutionary changes in the collecting, processing and storing of personal data. These include, among others:
- a dramatic increase in penalties for breaches of personal data protection rules. Compared to the current situation, where maximum fines amount to 50.000 lei, the Regulation sets out the DPA may impose a fine of up to 83,610,000 lei (20 million EUR), or 4% of the total worldwide turnover;
- expanding the current and introducing new individual's rights, including the right to request restrictions on the scope of the processing of personal data, the right to data portability, the right to be provided with a copy of the personal data at no charge, and the so-called right “to be forgotten”;
- the obligation to formally notify the intent to process personal data is revoked, and on the contrary, the obligation to keep internal records of personal data processing is introduced;
- many companies will have to establish a job position of a data protection officer;
- supervisory authorities will be considerably strengthened, and will be allowed to conduct joint coordinated investigations in several EU member states;
- the rules for technical and organisational measures aimed at protecting personal data are refined;
- the data controller will have a new duty to assess the impact of the data processing on the personal data protection and, if necessary, consult the supervisory authority on a mandatory basis;
- any breach of personal data security and the individuals concerned will have to be immediately notified to the DPA;
- completely new concepts for technology development regulation in terms of data protection and privacy are introduced (privacy by design and privacy by default);
- data controllers seated in non-EU countries may also be effectively sanctioned.
Although the entering into force date of the GDPR in two years appears to be a period long enough for adjusting company's internal processes relating to the personal data protection and generally for ensuring compliance with the new regulation, our first experience and consultations with the European supervisory authorities show that the changes are so fundamental that this period is not as long as it seems to be. We believe immediate preparation for the GPDR is necessary.
Moreover, in line with the increased awareness on European level for the processing of data protection, the Romanian Authority for Data Protection (“A.N.S.P.D.C.P”) has been very active recently in applying fines up to 7500 lei in cases regarding the infringement of obligation to priory notify A.N.S.P.D.C.P according to the law 677/2001 any personal data processing (i) by usage of employee biometric data (fingerprints) or (ii) for the excessive fingerprint data collection in order to monitor employee’s working hours (which could have been achieved by other less intrusive means) – 7000 lei fine, (iii) by way of video surveillance of persons, spaces and public/private goods, (iv) via Electronic (e-mail) advertising without having obtained an express agreement from the individuals in question – 6000 lei fine), (v) in case of minors without observing the legal obligations – 4000 lei fine).