As a Member State of the European Union, Romania will have to implement, starting from May 25th, 2018, European Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”). The GDPR has direct legal effect in all Member States.
Therefore, as of the abovementioned date, Romanian companies will have to comply with the new GDPR rules and adapt their business strategies, as well as their policies, procedures, logistics and commercial documents.
This regulation shall repeal former Directive no. 95/46/EC (the “Directive”), shall provide a uniform regulation for all EU members and shall substitute the national laws in this field.
Currently, the Romanian law in this field is represented by Law no. 677/2001 on the protection of personal data and by the decisions of the National Supervisory Authority for Personal Data Processing (“ANSPDCP”).
The new legislation is quite extensive and, by comparison to the current Romanian regulation on data protection, which has been operating for 15 years without any major changes, the GDPR will bring many revolutionary changes in relation to the collection, processing and storage of personal data. These include, among others:
- a dramatic increase in the penalties for breaching the personal data protection rules. Compared to the current situation, where the maximum fines amount to RON 50,000, the Regulation states that the ANSPDCP may impose a fine of up to RON 83,610,000 (EUR 20 million) or 4% of the annual overall turnover of the preceding financial year;
- expanding existing rights and introducing new rights for individuals (data subjects), including the right to request restrictions regarding the purpose of the personal data processing, the right to data portability, the right to be provided with a copy of the personal data, free of charge, as well as the so-called right “to be forgotten”;
- additional rules shall apply when seeking to secure the consent of a child;
- the obligation to formally notify the intent to process personal data is abolished and replaced by the obligation to keep internal records of personal data processing;
- many companies will be required to introduce a Data Protection Officer (DPO) position in their organizational charts; the services of the DPO position may be provided by an employee or outsourced;
- supervisory authorities will have considerably stronger powers and will be allowed to conduct joint coordinated investigations in several EU Member States;
- the rules for technical and organizational measures aimed at protecting personal data are refined;
- the data controller will have the new duty to assess the data processing impact on personal data protection and, if necessary, to consult the supervisory authority on a mandatory basis;
- any breach of personal data security related to the individuals concerned will have to be immediately notified to the ANSPDCP;
- completely new concepts for technology development regulations in terms of data protection and privacy are introduced (privacy by design and privacy by default);
- the data controllers located in non-EU countries may also be effectively sanctioned.
Please find below a presentation of the most important changes that will be brought to the current Romanian legislation:
INCREASED TERRITORIAL SCOPE (EXTRA-TERRITORIAL APPLICABILITY)
The greatest change brought to the regulatory landscape of data privacy involves the extended GDPR jurisdiction, which applies to all the companies that are processing the personal data of subjects residing in the European Union (EU), regardless of said companies’ locations. Therefore, the GDPR applies to:
- the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not;
- the processing of personal data of subjects residing in the EU, by a controller or processor that is not established in the EU, for activities related to: providing goods or services to EU citizens (irrespective of whether payment is required) and monitoring behaviour that takes place within the EU.
ELIMINATION OF THE PRELIMINARY NOTIFICATION TO THE AUTHORITY REGARDING DATA PROCESSING
The law in force in Romania provides for the obligation to notify the ANSPDCP before any processing of personal data.
Once the European Regulation takes effect, this notification obligation will no longer exist. Therefore, the data controller will be able to proceed with the data processing at any moment, provided that it complies with the applicable legal provisions.
LEGAL GROUNDS FOR DATA PROCESSING
According to the GDPR, in order to process data, the data controller must obtain the “consent” of the data subject. As an exception, data may be processed without such consent where the data controller relies on another legal ground, such as a legal obligation, a contract, a legitimate interest, etc.
The GDPR places all the legal grounds on an equal footing, under the same regime and with the same force, without structuring them as a rule and its exceptions. Therefore, companies will be able to process data pursuant to the following legal grounds:
- the consent of the data subject;
- the performance of a contract to which the data subject is party, or the taking of steps, at the request of the data subject, prior to entering into a contract;
- a legal obligation of the data controller to process the aforementioned data;
- a legitimate interest of the data controller, except where the interests or fundamental rights and freedoms of the data subject prevail;
- the protection of life and physical integrity;
- the implementation of certain measures of public interest.
CONSENT OF THE DATA SUBJECT
According to Romanian Law no. 677/2001, consent may be expressed by an action or an inaction.
As per the GDPR rules, consent is a specific, informed and unambiguous manifestation of the data subject’s free will, by means of which the data subject accepts, by declaration or unambiguous action, the processing of his or her personal data.
Therefore, the conditions regarding consent have been strengthened: the request for consent must be presented in an intelligible and easily accessible form, stating the purpose of the data processing. Also, the consent must be clear and distinguishable from other matters, using clear and plain language.
In addition, the data controller must inform the data subject of all the activities and objectives of the processing and must ask for the latter’s consent. Moreover, the data controller must be able to demonstrate that the data subject concerned has given such consent.
ACCOUNTABILITY AND GOVERNANCE
The GDPR introduces a new principle of accountability – requiring the data controller to demonstrate active compliance with its legal responsibilities, which include:
- Keeping a detailed record of the processing operations (Inventory)
The Regulation introduces the obligation for the data controller (legal entity or individual, as applicable) to keep records of all data processing operations and to submit such records to the ANSPDCP, upon request.
Important note: companies with fewer than 250 employees are not required to keep such records, unless one of the following applies:
  - the data processing may generate a risk in relation to the data subject’s rights and freedoms;
  - the data processing is not occasional;
  - the data processing includes special categories of data or personal data concerning criminal convictions and offences.
- Performing a data protection impact assessment
As of the date on which the Regulation enters into force, companies will have to carry out an assessment of the impact of data processing, if processing operations – especially those involving new technologies – are likely to generate a high risk for the rights and freedoms of private individuals.
The assessment must be performed before the data processing operation and must contain a description of the processing operations, the objective/legitimate interest of the data controller, an assessment of the necessity and proportionality of the processing operations in relation to their objective, an assessment of the risks to the rights and freedoms of the data subjects, as well as the measures envisaged to manage/mitigate those risks.
- Appointment of a Data Protection Officer (DPO), if required
A DPO must be appointed if:
  - the data controller/data processor is processing personal data as a public entity;
  - the core activities require the regular and systematic monitoring of data subjects on a large scale;
  - the core activities of the data controller consist of processing special data categories or data related to criminal convictions and offences, on a large scale.
- Notifying and keeping comprehensive records of data breaches
- Implementing data protection by design and by default
The GDPR introduces the concepts of “data protection by design and by default”, as follows:
“Data protection by design” requires taking data protection risks into account throughout the process of designing new technologies, products and systems.
“Data protection by default” requires ensuring that mechanisms are in place within the company to ensure that, by default, only personal data which are necessary for each specific purpose are processed.
Under the GDPR, data processors will be required to comply with several specific obligations, including the obligation to maintain adequate documentation, implement appropriate security measures, report data breaches to the data controller, maintain a register of data processing activities and seek authorization from the data controller before allowing third parties to sub-process personal data.
These are in addition to the requirement for data controllers to ensure that, when appointing a data processor, they conclude a written data processing agreement with said processor.
The GDPR requires both data controllers and processors to adopt appropriate technical and organizational measures in order to protect personal data. Certain enhanced measures such as encryption, pseudonymisation, the ability to restore availability and access to personal data in a timely manner, in the event of a physical or technical incident, as well as the regular testing of effectiveness, are required “where appropriate”.
An IT audit (in addition to the legal audit) will often be recommended and may involve a need to purchase better security software. Also, the adoption of strict internal guidelines and sufficient training shall be required starting from May 25th, 2018.
DATA BREACH NOTIFICATION
One of the most profound changes to be introduced by the GDPR is a European-wide requirement to notify data breaches to the supervisory authorities and affected individuals. In this respect, the GDPR requires the data controller to send a notification, for any personal data breach, to the relevant supervisory authority (ANSPDCP).
Breach notifications must be sent within a tight deadline – the supervisory authority should be informed within 72 hours of the moment the breach is ascertained, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must also notify the affected individuals, without undue delay.
TRANSFER OF DATA TO THIRD COUNTRIES
The GDPR restates the Directive’s principles governing the prohibition on the transfer of data to countries outside the EU, unless an adequate level of protection exists in the country of destination.
Therefore, transfers of personal data to third countries outside the EU which ensure an adequate level of protection do not require any specific authorization.
In addition to the existing rules on the adoption of model clauses and binding corporate rules, the GDPR anticipates other mechanisms to support lawful transfers, including:
- codes of conduct, and
- a new certification mechanism.
Failure to comply with the GDPR’s transfer requirements attracts the highest category of fines, of up to EUR 20 million or, in the case of companies, up to 4% of the annual overall turnover of the data controller.