The Romanian Data Protection Authority (DPA) has announced the first three fines levied in Romania, worth a total of EUR 148,000, for breaches of the EU General Data Protection Regulation (GDPR). Specialists told BR that local companies are still getting to grips with this landmark legislation.
By Romanita Oprea
According to a survey conducted by Deloitte Legal in Romania, Bulgaria, Croatia, the Czech Republic, Hungary, Lithuania, Poland and Slovakia, the largest numbers of controls and fines for possible violations of the GDPR provisions have been reported in highly regulated and client-facing industries, which process large volumes of personal data. The study covers the period from when the GDPR entered into force until May 31, 2019.
Alongside telecom and financial services, the industries with the most GDPR-related controls include the public sector, media, technology – mostly for mobile apps – private healthcare and postal services. The national data protection authorities’ actions were mainly related to observance of data minimization, purpose limitation and data retention principles, compliance with data subjects’ rights, video surveillance, direct marketing, profiling and cookies.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, if they target or collect data related to people in the EU. The regulation came into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people entrust their personal data to cloud services, and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
Until May 31, 2019, the eight surveyed countries saw 34 fines applied for GDPR violations, amounting to almost EUR 750,000. In Romania, up to May 2019, the data protection authority performed 981 inspections, imposed 57 corrective measures and issued 23 warnings, and a large number of investigations are still pending.
“Romania has just reported its first fine for GDPR violations, of EUR 130,000, applied to a bank. We’ve also seen various and significant controls across Europe and fines imposed almost each week in many jurisdictions, of which the greatest is the EUR 50 million fine given to Google in France,” said Georgiana Singurel, partner at Reff & Associates, a member of the Deloitte Legal network, which coordinates the law firm’s specialized data protection team.
“Let’s say that now, after there have been a few fines, the business sector is beginning to properly understand what GDPR actually is and what its purpose is. And this situation is not only in Romania, but Europe-wide. Because now we are starting to understand that it is a continuous process, a thing that must be incorporated in the business culture, not just a one-moment update of the policy and privacy terms and conditions,” commented Ioana Anescu, executive director of IAB Romania.
As for the specific local legislation regarding personal data protection, the survey conducted by Deloitte Legal underlines that CEE countries have introduced the GDPR provisions in national legal orders, with particular emphasis on matters related to employment relations, surveillance systems, child consent in relation to online services, banking and insurance laws, and services processing biometric data.
When it comes to data breaches reported to national data protection authorities, Poland leads, with 2,000 notifications, followed by the Czech Republic (626), Romania (398), Hungary (380), Lithuania (93) and Bulgaria (33).
“The GDPR has been a major disruptor for any entity processing personal data and Romanian companies across all industries have worked on identifying the main risk areas and on assuring compliance with the regulation. We see amongst our clients a continued focus on setting up complex internal processes and on adjusting legal documents in order to comply with the GDPR, as well as on training their employees in this area,” outlined Singurel.
True awareness or not?
But how does it really look up close to agencies, clients and legal parties in Romania? According to Anca Teletin, senior operations manager at Grapefruit, one of their concerns when the GDPR regulations were announced was the lack of clear guidelines and regulations for the region, and the delay in their announcement. “It was a blurry moment at first with no benchmarks in sight: you didn’t know what to expect on behalf of companies, clients, consumers, employees. Everyone was talking about it, but no one knew what it actually meant. With each client we established the necessary requirements to implement the GDPR guidelines. After that we decided to set things in motion, building a common plan for all the teams involved,” said Teletin.
For her part, Ioana Anescu thinks that there are still problems in understanding the GDPR’s impact at all levels, as all employees and departments need to understand that GDPR is not just the responsibility of the legal department, but also of finance, IT, marketing, sales, etc. “We are all under the GDPR umbrella and its purpose was not to undermine businesses, but to help them understand the importance of respecting personal data and privacy for the users’ sake. Maybe the procedures for application of the law weren’t clear enough, so it created confusion, but now that the law is enforced, it is something that everyone needs to be made aware of at the entire company level, just like accounting or health security is,” pointed out IAB Romania’s representative.
Moving from everyone talking about it to true understanding has proven to be a big step, though, as many consultants on the market believe that there is still room for greater awareness of the real issues involved and of how and what companies need to do to really adapt. For Grapefruit, for example, the most expensive part of adapting was hiring a dedicated person to act as legal and regulatory consultant, so that the agency could serve as a true consultant for its clients. That proved to be a good decision. Teletin says that, in her opinion, companies in Romania still have problems keeping up with all the GDPR regulation updates and details that emerged in its first year. “At first each player settled its own guidelines and workflow. This was a double-edged sword. On one hand we have flexibility and creativity in building GDPR solutions, but on the other hand there’s no common ground to compare with,” said the Grapefruit representative.
Moreover, according to Roxana Ionescu, partner and head of the data protection practice at NNDKP, full implementation of the GDPR rules is not yet complete, although organizations are working on it. “After the GDPR application became a reality on May 25, 2018, organizations stopped focusing on the date itself and started to work on how they could actually apply their newly adopted GDPR policies and procedures in practice. This meant moving away from general gap assessments to actual reviews of each process and activity involving the collection and use of personal data. And here is the catch: GDPR compliance is a moving target: reassessment is necessary every time a process changes or when the legal framework on which a process relied changes,” said Ionescu.
Still, in her opinion, the starting point is the same: an organization should understand what personal data it uses and why, and under what conditions it may do so. From there, it can put in place the proper information notices, ensuring the proper level of transparency. It can also keep its records of processing, and determine which processes require more in-depth assessments, such as legitimate interest or personal data protection assessments. This groundwork also helps organizations assess more swiftly whether a data breach (should one occur) involves risks that require notification of the data protection authority (DPA) or of the affected individuals. “Awareness is still not what it should be, especially when moving from large organizations to micro and small enterprises, but the GDPR is a ‘theme’ that will not go away. It is therefore likely that awareness will increase and with it the actual effective protection of personal data the GDPR is supposed to bring about,” said Ionescu, seconding Teletin’s opinion.
Another important point is that adapting processes and IT solutions is still a work in progress. As NNDKP’s head of data protection practice points out, companies, especially large ones, can hardly claim that the GDPR is a done deal. This is because their processes and IT solutions are constantly changing and, with each change, GDPR compliance needs to be reassessed. “But the core of such assessment remains the same: companies need to ensure they understand what they want to do with the personal data and why, whether and under what conditions they can do it, and then explain this to the individuals in question. Companies also need to focus on ensuring that they do not use such data excessively or retain it when it’s no longer relevant, hence the intense discussion over data retention periods. They should also be able to protect the data while they retain it,” commented Ionescu.
As the latest Romanian DPA enforcement actions underline, this does not mean merely adopting technical measures for data security, but also organizational ones. Therefore, companies should take a hard look at how they manage user access to personal data, how and when such data may be shared and printed and how all such actions can be documented and ultimately controlled.
But they are not alone. To help companies and agencies gain a full understanding of the law and smooth things along, IAB Europe launched its GDPR Implementation Group, which brings together leading experts from across the digital advertising industry to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector. All of their discussions and findings can be accessed and used. Moreover, in August last year, the WFA and the Dutch Advertisers Association (BVA) partnered with Digital Decisions to create a data processing agreement (DPA) template for advertisers. The goal is to protect brands from signing DPA documents, created to comply with GDPR rules, that are one-sided and leave advertisers exposed to unfair risk. As with the media contract originally designed by the UK advertiser association ISBA, the idea is that a template document will be adaptable to the needs of individual brands, while also alerting them to key areas of risk. “In the last couple of months, it has become more and more clear that from an advertiser perspective, generic data processing agreements don’t cover all controllers’ issues. This is why we have taken the initiative to create a specific DPA template together with Digital Decisions and the WFA. We recommend advertisers internally check their current (and future) DPAs against this template to know what’s in their best interest to include in their DPAs,” said Frenkel Denie, chairman of the BVA, at that time.