
ROMANIA

 

The National Authority for the Supervision of Personal Data Processing website: http://www.dataprotection.ro/index.jsp?page=home&lang=en

 

Law 677/2001 on the protection of Individuals with regard to the processing of personal data and the free movement of such data (as amended in 2004 and 2008) http://www.dataprotection.ro/index.jsp?page=legislatie_primara&lang=en

 

What needs to be done prior to collection?

 

Notify the National Supervisory Authority:

 

Article 22 – The Notification Addressed to the Supervisory Authority

 

  1. The data controller is obliged to notify the supervisory authority, either personally or through a representative, before initiating any kind of data processing which has a similar or related purpose to previous data processing activities

  2. Notification is not necessary in the event that the sole purpose of the data processing is to keep a record available for public reference, open for consultation to the general public or to any person who proves a legitimate interest, provided that the data processing is strictly limited to such data that are necessary to the above mentioned record

  3. The notification shall contain the following information

    1. The name, addresses or premises of the data controller and of his representative, as the case may be
    2. The purpose of the data processing
    3. A description of the category/categories of the data subjects and of the data, or of the categories of data, that are to be processed
    4. The recipients or the categories of recipients to whom the data is intended to be disclosed
    5. The guarantee accompanying the disclosure to a third party
    6. The manner in which the data subjects are informed of their rights, an estimate date on ending data processing operations and the future destination of the data
    7. Transfers abroad of personal data intended to be carried out
    8. A general description that allows a preliminary assessment of the measures taken in order to ensure data processing security
    9. Mention of any data filing system related to the processing of, and of possible relation to other processing or other data recording systems irrespective of the fact that they are situated on Romanian territory or not
    10. The reasons that justify the enforcement of the provisions of Article 11 and 12 paragraph (3) or (4), or of Article 13 paragraph (5) or (6), in cases that the data processing is performed exclusively for journalistic, literary, artistic or statistical purposes, or for historical or scientific research

  4. If the notification is incomplete, the supervisory authority shall demand its completion

  5. Within its investigative powers, the supervisory authority may demand other information, notably regarding the data’s origin, the automatic processing technology used and details about the security measures.

  6. If the processed data is intended to be transferred abroad, the notification shall consist of (a) the data categories subject to the transfer and (b) the country of destination for each data category

  7. Deleted

  8. Deleted

  9. The Supervisory Authority may establish other situations in which the notification is not required, other than those provided in paragraph (2), or situations in which the notification may be submitted in a simplified manner, as well as the content of such a notification, in the following cases:

 

    1. In situations in which, considering the nature of the data which are processed, the processing may not infringe, at least apparently, the rights of the data subject, on the condition that the purposes of that processing, the data or categories of processed data, the data subjects or categories of data subjects, the recipients or categories of recipient and the period for which the data are stored are all precisely mentioned
    2. In situations in which the processing is carried out in accordance with the provisions of Article 7 paragraph 2 letter d

 

Inform the data subject:

 

Article 12 – Informing the data subject

 

  1. When personal data are obtained directly from the data subject, it is the data controller’s obligation to provide the data subject the following information, except for the situations in which he/she already has this information:
    1. The identity of the data controller and, if required, of the data controller’s representative
    2. The purpose of the data processing
    3. Additional information, such as: the recipients, or the categories of recipient, of the data; whether the requested information is compulsory, and the consequences of the refusal to provide it; the existence of the data subject’s rights, stated by this law, notably the right of access, intervention and objection as well as the terms in which they may be exerted
    4. Any other information which may be expressly requested by the supervisory authority considering the processing’s specific situations

  2. When the data are not obtained directly from the data subject, it is the data controller’s obligation, at the moment of collecting data or at least before the first disclosure takes place, if he has the intention to disclose that data to a third party, to provide the data subject with the following minimum information, unless the data subject already possesses that information:
    1. The identity of the data controller and, if required, of the data controller’s representative
    2. The purpose of the data processing
    3. Additional information, such as: the recipients, or the categories of recipient, of the data; whether the requested information is compulsory, and the consequences of the refusal to provide it; the existence of the data subject’s rights, stated by this law, notably the right of access, intervention and objection as well as the terms in which they may be exerted
    4. Any other information which may be expressly requested by the supervisory authority considering the processing’s specific situations

  3. The provisions of paragraph 2 do not apply when the processing of data is carried out exclusively for journalistic, artistic or literary purposes if their enforcement might reveal their source of information

  4. The provisions of paragraph 2 do not apply when the processing of data is carried out for statistical, historical or scientific research, or in any other situations if providing such information proves to be impossible or would involve a disproportional effect towards the legitimate interest that might be damaged, as well as in the situations in which recording or disclosure of the data is expressly stated by law

 

What needs to be done prior to shipping?

 

Article 29 – Conditions for the Transfer Abroad of Personal Data

 

  1. The transfer to another state of data that are subject to processing or are destined to be processed after being transferred may only take place if Romanian law is not infringed and the state of destination ensures an adequate level of protection
  2. The protection level will be assessed by the supervisory authority taking into account all the circumstances in which the transfer is to be performed, especially the nature of the data to be transferred, the purpose and period of the time proposed for the processing, the state of origin and the state of final destination, as well as the legislation of the latter state. In case the supervisory authority notices that the protection level offered by the state of destination is unsatisfactory, it may ban the data transfer
  3. Data transferred to another state shall always be subject to prior notification to the supervisory authority
  4. The supervisory authority may authorise the data transfer to another state which does not offer at least the same protection level as the one offered by Romanian legislation, provided that the data controller offers enough guarantees regarding the protection of fundamental individual rights. These guarantees must be established through contracts signed by the data controllers and the natural or legal persons who have offered the transfer
  5. The provisions of paragraphs 2, 3 and 4 do not apply in case the data transfer is based on a special law or on an international agreement ratified by Romania, notably if the transfer is done to the purpose of prevention, investigation or repressing a criminal offence
  6. The provisions of the present article do not apply when the data is processed exclusively for journalistic, literary, or artistic purposes, if the data were made public expressly by the data subject or are related to the data subject’s public quality or to the public quality of the facts he or she is involved in

 

Article 30 – Situations in which the Transfer is always allowed

 

The data transfer is always allowed in the following situations:

 

(a)     When the data subject has explicitly given his/her consent for the transfer; if the data transfer is linked to any of the data provided in Articles 7, 8 and 10 the consent must be written;

(b)     When it is required in order to carry out a contract signed by the data subject and the data controller, or to apply some pre-contractual measures taken upon the request of the data subject;

(c)     When it is required in order to sign or carry out a contract concluded or about to be concluded between the controller and a third party, in the data subject’s interest;

(d)     When it is necessary for the accomplishment of a major public interest, such as national defence, public order or national safety, carrying out in good order a criminal trial or ascertaining, exercising or defending a right in court, on the condition that the data is processed solely in relation with this purpose, and only for as long as it is required;

(e)     When it is required in order to protect the data subject’s life, physical integrity or health

(f)      When it is a consequence of a previous request for access to official documents that are open to the public or of a request for information that can be obtained from registers or any other documents of public access

 

What are the Sanctions for non-compliance?

 

Article 31 – Failure to Notify and Malevolent Notification

 

Failure to submit the compulsory notification under the terms set out by Article 22 or Article 29 paragraph (3), as well as incomplete notification or one that contains false information, if the respective maladministration falls short of a criminal offence, are considered minor offences liable to a fine of 5 million to 100 million ROL (Romanian Currency – lei)

 

Article 32 – Illegal Processing of Personal Data

 

The processing of personal data by a controller or by an empowered person of the data controller breaching the provisions of Articles 4-19, or while disregarding the rights set out in Articles 12-15 or in Article 17, is considered a minor offence if the respective maladministration falls short of a criminal offence and is fined from 10 million to 250 million ROL

 

 

 

Please refer to the National Authority for the Supervision of Personal Data Processing website for more information on the Statute

 

 
