The Senate voted amendments to the law regulating the activity of the National Supervisory Authority for Personal Data Processing (ANSPDCP), just days before the enforcement of new data protection rules across the European Union through the General Data Protection Regulation (GDPR) on May 25.
The authority will be able to control private and public companies in Romania, to check whether the GDPR rules are applied and to issue fines if organizations fail to comply with the law.
The updated version of the law regulating the authority includes provisions on control operations and states that if the fine issued by ANSPDCP exceeds EUR 300,000, its enforcement has to be done based on the signature of the authority.
The sanctions for companies that break the GDPR rule can start from the partial or permanent limitation of data processing, but the authority can order the erasure of personal data or suspect the flow of data towards a receiver from a third country.
The approved version of the law also states that the authority can increase its staff count from 50 to 85. The draft bill approved by the Senate has to be signed into law by president Klaus Iohannis.
Organizations that fail to comply with GDPR rules face fines of up to EUR 20 million or 4 percent of the annual turnover.