First step towards General Data Protection Regulation application
Romania has taken the first step towards ensuring the direct applicability of the General Data Protection Regulation (GDPR) starting from 25 May 2018 with the publishing by the Ministry of Internal Affairs of a draft law aimed at aligning the national legislation with the GDPR’s provisions.
The proposed law aims to expressly repeal the main Romanian data protection law currently in force, namely Law No. 677/2001 on the Protection of Individuals with regard to the processing of personal data and the free movement of such data, starting with 25 May 2018.
Furthermore, the draft law aims to strengthen the role of the Romanian Data Protection Authority (DPA), which shall be mainly responsible for ensuring GDPR enforcement, by amending the current law regulating the organization and functioning of the DPA, namely Law 102/2005 for the establishment, organization and functioning of the National Supervisory for Personal Data Processing.
Some of the changes to the DPA’s powers envisaged by the law proposal are the following:
- The DPA representatives shall have the right to perform investigations, including unannounced ones, to request any information and documents, irrespective of their storage media, and to take copies and verify, according to the law, any equipment, storage media or tool necessary for the performance of the investigation. According to the law proposal, the investigation procedure shall be further regulated through the decision of the DPA’s president.
- The DPA may apply the following sanctions: warning, reprimand (Romanian: “mustrare”) and fines.
- The sanctions may be applied within three years from the breach’s occurrence. This is a departure from the current regulatory framework for administrative fines, which apply to breaches that occurred in the prior 6 months.
- Fines below the amount of 300,000 Euros may be applied by the DPA’s control representatives, whereas fines above this threshold may be applied only by the DPA’s president.
- Challenges to the DPA’s sanctioning minutes may be submitted within fifteen days from the communication thereof. The reports which were not challenged become enforceable titles. The short deadline for the submission of a challenge will give rise to practical challenges and warrants due attention by the controllers from now on.
- Separately from the challenge to the report submitted to the DPA, the interested person can address the competent courts of law in order to contest the DPA’s decision.
The law proposal for the repeal of Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data and the amendment of Law 102/2005 for the establishment, organization and functioning of the National Supervisory for Personal Data Processing was published on the 5th of September 2017 and may be found together with the official statement of reasons on the website of the Ministry of Internal Affairs (http://www.mai.gov.ro/). The law proposal is open to public comment for only 20 calendar days from its publication date.