by Mihaela NITU
Senior Associate, Gruia Dufaut Law Office
As a member State of the European Union, Romania will have to implement, from May 25th, 2018, European Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This regulation shall repeal former Directive no. 95/46/CE and must provide a uniform regulation for all the EU members and substitute the national laws in this field.
We hereby remind you that the Romanian law in this field is currently represented by Law no. 677/2001 on the protection of personal data, but also by the decisions of the National Authority for the Supervision of Personal Data Processing (“ANSPDCP”).
From May 25th, 2018, companies from the EU member States will have to comply with the new Regulation and adapt their business strategies, as well as their policies, procedures, logistics and commercial documents. Amongst the novelties:
- All internal procedures must be reassessed, including those regarding the consent of private persons whose personal data will be collected;
- All data processing operations will have to be written down, something which is not currently done;
- The appointment of a Data Protection Officer (DPO); the services of the DPO may either be provided by an employee or they may be outsourced;
- The obligation to report any security incident etc.
Hereinafter you will find a brief presentation of the most important changes that will be brought to the current Romanian legislation.
Elimination of the Preliminary Notification of the Authority Regarding Data Processing
The law in force in Romania provides the obligation to notify ANSPDCP before any processing of personal data. Once the European Regulation takes effect, this notification obligation will no longer exist. Therefore, the operator will be able to proceed with data processing at any moment, provided that he complies with the applicable legal provisions.
The Legal Basis for Data Processing
Now, in order to process data, you have to obtain the “consent” of the relevant person. As an exception, it is possible to proceed with data processing without such consent if the operator has a legal obligation to do so under a contract, legitimate interest etc.
The Regulation provides all the legal bases, without stipulating a rule and exceptions, all having the same regime and power. Therefore, companies will be able to process data pursuant to the legal bases hereafter:
- The consent of the relevant person;
- In order to execute a contract;
- If the data operator has a legal obligation to process the aforementioned data;
- If there is a legitimate interest from the operator, unless the fundamental rights and freedoms of the relevant person prevail;
- Protection of life and physical integrity;
- Implementing certain measures of public interest.
According to Romanian Law no. 677/2001, consent can be expressed by an action or by inaction.
As per the Regulation, consent is a manifestation of the free, specific, informed and non-ambiguous will of the relevant person, by which he/she accepts, by declaration or unambiguous action, the processing of his/her personal data.
Therefore, the consent must be expressed by an action or a declaration and should concern all activities and the objective of the process. The operator must inform the concerned person of all activities and objectives of the process and must ask for the consent of such person. Moreover, the operator will be compelled to prove the existence of the consent of the person concerned.
The Data Protection Officer (DPO)
Whereas the current Romanian law does not provide for such a concept, the Regulation expressly provides the companies’ obligation to appoint a “data protection officer”. The appointment of a DPO is mandatory if one of the following conditions is met:
- The processing is done by a public authority or entity, except for courts of law exercising their jurisdictional function;
- The main activities of the operator or of the person authorized by the operator are processing operations which, by their nature, scope of application and/or objectives require a large-scale, regular and systematic monitoring of the concerned persons;
- The core activities of the operator or of the person authorized by the operator are the large-scale processing of certain special data or personal data concerning criminal charges or offences.
The Data Protection Officer can be an employee (member of the staff) of the company or of the person authorized by the operator or he/she may perform his/her tasks pursuant to a service contract.
Likewise, it is possible to appoint only one DPO for a group of companies, provided that such DPO is easily accessible to each company.
The Data Protection Officer has to meet several conditions: have specialized knowledge of the legal field and of standard practices applied in the data protection field (the Regulation does not require a specific professional training); be independent (he/she does not receive instructions on how to perform his/her tasks), although he/she can also hold another position within the operator (as long as his/her independence is ensured); not be sanctioned or fired in connection with his/her attributions (however, he/she can be sanctioned/fired if he/she fails to comply with such attributions); comply with the obligation of non-disclosure/professional secrecy.
The main attributions of the DPO are to inform and advise the operator, as well as the employees in charge of processing, concerning their duties; to carry out audits; and to act as liaison in relation with the authorities/persons concerned.
Records of Processing Operations (inventory)
The Regulation introduces the obligation for the company to keep a record of all data processing operations and submit such record to the ANSPDCP, upon request thereof.
Important: companies with fewer than 250 employees are not compelled to keep these records, save the following exceptions: the data processing will potentially generate a risk for the rights and freedoms of the concerned persons; the data processing is not occasional; the data processing includes special categories of data or personal data concerning criminal charges and offences.
Evaluation of the Impact of Data Processing
As of the date of entry into force of the Regulation, companies will have to carry out an evaluation of the impact of data processing, if processing operations – especially those using new technologies – are likely to generate a high risk for the rights and freedoms of private individuals.
The evaluation has to be done prior to the data processing operation and has to contain a description of the operations performed, the objective/legitimate interest of the operator, the evaluation of the necessity of such processing and its proportionality with its objective, the evaluation of the risks for the rights and freedoms of the concerned persons, as well as the actions taken into account for risk management/mitigation.
Indeed, it will be necessary for each operator to carry out a pre-evaluation of their data processing operations, in order to identify whether it would be necessary to carry out an impact evaluation.
Notification of Security Incidents & Sanctions
Security incidents in connection with personal data have to be notified to the relevant authority no later than 72 hours from the moment they were ascertained.
The Regulation also provides a complicated sanctions system, applicable by the relevant authority, that ranges from a simple warning to fines up to 20 million Euros or up to 4% of the company’s annual global turnover.