ROMANIA

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

name

Law no. 190/2018

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

SPECIFYING REQUIREMENT: Processing of genetic, biometric, or health data for the purpose of automated decision-making, including profiling, is permitted with an individual’s explicit consent or under an express legal provision provided that there are appropriate measures protecting individuals’ rights, freedoms, and legitimate interests (Art 3 Romanian Act).

When processing of national ID numbers is based on legitimate interests of a controller or third party under Art 6(1)(f) GDPR, the following is required: (1) appropriate technical and organizational measures per Art 32 GDPR; (2) appointment of a DPO; (3) specific retention and deletion policies; and (4) regular training of personnel involved in the relevant processing activities (Art 4 Romanian Act).

CCTV (Art 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

No Deviation

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

Data protection impact assessment (Art 35)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

SPECIFYING REQUIREMENT: The Romanian Accreditation Association (RENAR) is responsible for accreditation of certification bodies (Art 11 Romanian Act).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

No Deviation

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: An administrative fine imposed on public authorities or bodies will be between RON 10,000 and RON 200,000.

PENALTIES (ART 84)

No Deviation

Freedom of expression and information (Art 85)

SPECIFYING REQUIREMENT: Personal data is permitted to be processed for journalistic or academic, artistic, or literary expression if such data have been manifestly made public by the individual or are strongly related to an individual’s public status or the public nature of facts involving an individual. To ensure a balance between such processing and the right to data protection, derogations from the following chapters of the GDPR apply: II–VII and IX (Art 7 Romanian Act).

HR PROCESSING (ART 88)

SPECIFYING REQUIREMENT: Monitoring of employees via electronic communications and/or video surveillance based on an employer’s legitimate interest is permitted only if such interests prevail over the interests or rights and freedoms of employees and (1) the employer has given prior notice to employees; (2) the employer has consulted with the trade union or the employees’ representatives before processing; (3) other less intrusive means to achieve the employer’s purpose are not effective; and (4) data retention is proportional to the purpose of processing and must not exceed 30 days unless otherwise permitted by law or in well-justified instances (Art 5 Romanian Act).

 

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING REQUIREMENT: Art 15, 16, 18, and 21 do not apply to the processing of data for scientific or historical research purposes to the extent the application of these articles renders impossible or seriously impairs the achievement of the purposes of processing, and such derogations are necessary for achieving such purposes.

Art 15, 16, and 18–21 do not apply to the processing of data for archiving purposes in the public interest to the extent the application of these articles renders impossible or seriously impairs the achievement of the purposes of processing, and such derogations are necessary for achieving such purposes (Art 8 Romanian Act).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

LOCAL DPA GUIDANCE & LEGAL SOURCES

REMARKS

SPECIFYING REQUIREMENT: Processing of personal data, including sensitive personal data, by political parties and civil organizations of national minorities and non-governmental organizations is permitted without individuals’ express consent provided the following safeguards are implemented: (1) providing individuals with notice of such processing; (2) ensuring transparency of information, communication, and methods for exercising individuals’ rights; and (3) the right to rectification and deletion (Art 9 Romanian Act).