The General Data Protection Regulation (GDPR) of the European Union officially became effective on 25th May, 2018. The regulation builds on and strengthens the EU's data protection framework, replacing the Data Protection Directive of 1995. At its core are rules that give citizens of EU countries control over their personal data.
Following its entry into force, the Romanian Parliament and the Romanian Data Protection Authority (RDPA) created legislation that guided the implementation of GDPR in Romania. The adoption of GDPR in Romania added to the two data protection legal frameworks already applicable in Romania: the guidelines of the National Authority for the Supervision of Personal Data Processing and the guidelines issued under Article 29 of the DPA.
While implementation of GDPR slightly varies among EU member states, adoption of these laws in Romania meant the following:
Applicability of GDPR
GDPR applies to all companies or organizations operating within the European Union. It also affects companies or businesses outside the EU that supply products and services to individuals and businesses in the region. This means that most major companies across the globe should be GDPR compliant.
Article 4 of the GDPR defines two types of data handlers governed by this legislation:
- Controllers – individuals, agencies, or public authorities that determine the purposes and means of processing personal data.
- Processors – individuals, agencies, or public authorities that process personal data on behalf of controllers.
GDPR places legal responsibilities on the processor to keep records of personal data. Processors also bear the highest legal liability if the personal data stored in the organization is breached. Controllers should ensure that their contracts with processors comply with GDPR guidelines.
What is Considered Personal Data?
Personal data takes many forms, including names, home addresses, email addresses, and photos. GDPR also treats IP addresses and sensitive personal information, such as biometric data, genetic data, and any other data that can be processed to uniquely identify a person, as personal data.
Compliance with GDPR Provisions in Romania
Businesses and organizations become GDPR compliant by:
Identifying Data Processing Operations in the Company and Keeping Records of Data Processing Activities
Romanian and international companies with over 250 employees should keep records of data processing activities. Small companies with fewer than 250 employees are exempted from keeping these records unless they engage in frequent and risky processing that involves sensitive personal information. The records should:
- Include the categories of data processed – GDPR prohibits processing personal data that reveals racial, ethnic, religious, biometric, health, and other sensitive personal details
- State the legal basis for data processing
- Include the location of data storage systems and the data recipients
- Describe the security measures put in place to protect against data breaches
Carrying Out Data Privacy Impact Assessment
Companies and organizations should regularly carry out a data privacy impact assessment (DPIA). This is a systematic evaluation of new personal data processing to determine its risk and the consequences of a breach. As per GDPR provisions, data controllers and processors should comply with the general principles of GDPR and be able to prove their compliance. If the controller is undertaking high-risk data processing, they should conduct a DPIA and consult the DPA.
Appointing a Data Protection Officer
Private entities, regardless of their size and capacity, should appoint a DPO if they conduct large-scale data processing or are involved in monitoring data subjects. The guidelines posted on the Romanian DPA website assign the following roles to the DPO:
- Inform company management and employees of GDPR compliance requirements
- Conduct compliance audits and proactively address arising issues
- Train staff involved in processing personal data
- Serve as the point of contact between the DPA and the company
- Maintain records of data processing activities of the company
Companies and organizations in Romania should strive to remain GDPR compliant. The RDPA is responsible for overseeing the implementation of GDPR and can conduct unannounced investigations at processor and controller premises.