Data protection (GDPR) in Romania is increasingly important as more and more people entrust their personal data to multiple companies in Romania on a daily basis. Because the GDPR’s goal is to offer more protection to individuals, it is crucial that each company which processes personal data in Romania complies with it. Otherwise, hefty fines await these companies. Pavel, Margarit and Associates Romanian Law Firm recommends contacting a lawyer specialized in commercial law and GDPR legislation in Romania who can advise you in drafting or reviewing the necessary documents or on the implementation of GDPR policies in labour relations in Romania.

What is data protection in Romania? Is it a misnomer?

Data protection is the process of safeguarding important data from corruption, compromise or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.

Data protection ensures that data is not corrupted, is accessible for authorized purposes only, and is in compliance with the applicable legal or regulatory requirements. It aims to strike a balance between individual privacy rights and the use of data for business purposes.

However, one must keep in mind that data protection is not concerned with the protection of data but with the protection of individuals, as it regulates information about a person that is valuable to them. Moreover, it is only concerned with personal data, which is related to specific individuals, such as name, address, phone number and bank details.

What is the scope of the GDPR? To whom does it apply?

With regard to the GDPR’s applicability, if you are operating a business or organization which handles personal data, then you are obliged to comply with all of the rules under the GDPR, including the seven principles of the GDPR found in Chapter 2 of the GDPR. When it comes to the territorial scope of the GDPR, Art. 3 of the GDPR is relevant. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.

How can a company comply with the GDPR in Romania?

Organizations with fewer than 250 employees in Romania should conduct a data protection impact assessment because it will make complying with the GDPR’s other requirements easier. In its list of processing activities, the Romanian company should include: the purposes of processing the data in Romania, what kind of data it processes in Romania, who in the organization has access to it, any third parties (and where they are located) that have access, what is being done to protect the data in Romania (e.g. encryption), and when the company plans to erase it (if possible).

A lawyer specialized in commercial law and GDPR legislation in Romania can advise a Romanian company on complying with the GDPR in Romania. It is mandatory for companies in Romania to ensure data protection and to protect personal data in Romania.

Where is the GDPR transposed in Romania?

As the GDPR, which was drafted and passed by the European Union (EU), is a Regulation, each Member State of the EU, including Romania, is obliged to transpose it into national legislation within two years after its adoption.

Law No 190/2018 on measures transposes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). The National Supervisory Authority For Personal Data Processing (NSAPDP) is the guarantor of respect for the fundamental rights to private life and to the protection of personal data.

What happens if a company infringes the GDPR in Romania?

Under GDPR, organizations that fail to comply and/or suffer a data breach could face a fine in Romania. In the most serious cases, this fine could be up to 17 million euros, or 4% of a company’s annual turnover.

When deciding whether to impose a fine in Romania following a data breach, some factors need to be taken into consideration, such as:

  • The severity and duration of the data breach
  • Whether the breach was intentional or negligent
  • If the company has had a previous data breach
  • The type of personal data involved in the breach
  • Whether the breach affects the rights and freedoms of the individuals affected

More than either of the above consequences, perhaps the biggest ramification of failing to comply with GDPR in Romania is the damage to your company’s reputation in Romania, which can sometimes be beyond repair. The Pavel, Margarit and Associates Romanian Law Firm recommends consulting a lawyer specialized in commercial law and GDPR legislation in Romania who will be able to guide you in implementing strong GDPR policies in order to avoid penalties or fines.

To conclude, the point of the GDPR is to provide clarity and consistency for the protection of personal data in Romania. With regard to the GDPR’s applicability, it imposes rules on organisations in Romania that offer goods and services to people in the EU, or that collect and analyse data tied to EU residents. The GDPR establishes enhanced personal privacy rights and an increased duty to protect data by implementing GDPR policies.