9th November 2018
by Christian Bogaru, Managing Partner
Measures to implement the General Data Protection Regulation in Romania
Law no. 190/2018 (hereinafter the “Law”), published in the Official Gazette no. 651 of 26 July 2018, was adopted as the instrument implementing in Romania Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).
The most important measures concern the processing of the national identification number, the processing of personal data in the context of employment relationships, and the processing of genetic data, biometric data or data concerning health.
The national identification number
Article 87 of the GDPR allows Member States to determine the specific conditions for the processing of a national identification number or any other identifier of general application, which may be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the GDPR.
The Law defines the national identification number and specifies the guarantees which the controller must provide in order to process it lawfully.
Law no. 190/2018 defines the national identification number as the number by which a natural person is identified in certain systems of record and which has general applicability, such as: the personal numeric code, the series and number of the identity card, the passport number, the driving licence number or the health social insurance number.
For the processing of the national identification number on the basis of legitimate interests, the controller must provide the following guarantees:
- the implementation of appropriate technical measures to comply with the data minimisation principle and to ensure the security of the processing;
- the appointment of a data protection officer;
- the establishment of storage periods;
- the periodic training of the persons who process personal data under the authority of the controller or of its processor.
So, if the controller chooses legitimate interests as the lawful basis for processing national identification numbers, it must appoint a data protection officer, unlike the situation in which it relies on any other lawful basis provided by the GDPR.
Personal data in the context of employment relationships
Law no. 190/2018 provides that an employer may use electronic and/or video surveillance means at the workplace in order to monitor employees only if the following guarantees are provided:
- the legitimate interests pursued by the employer are duly justified and prevail over the interests or the rights and freedoms of the data subjects;
- the employer has given the employees the mandatory, complete and explicit prior notification;
- the employer has consulted the trade union or, where appropriate, the employees’ representatives before introducing the monitoring systems;
- other less intrusive forms and methods of achieving the employer’s purpose have previously proven ineffective;
- the employer stores the personal data for a period that cannot exceed 30 days, except in cases expressly regulated by law or in duly justified cases.
In all cases, the storage period of the personal data must be proportionate to the purposes of the processing and limited in time.
The processing of genetic data, biometric data or data concerning health
According to Article 9(4) of the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
The Law specifies that the processing of genetic data, biometric data or data concerning health is permitted on the basis of the explicit consent of the data subject or where there is an express legal provision, and only where appropriate measures are established to protect the rights, freedoms and legitimate interests of the data subject.
The processing of personal data for journalistic purposes or for the purpose of academic, artistic or literary expression
Processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out where it concerns personal data which have been made public by the data subject, which are closely linked to the data subject’s public status, or which are linked to the public nature of the facts in which the data subject is involved.
So, where the conditions mentioned above are met, Law no. 190/2018 does not require the data subject’s consent to be obtained.
The processing of personal data for the purposes of historical or scientific research, for statistical purposes or for archiving purposes in the public interest
By derogation from the GDPR, Law no. 190/2018 provides that certain rights granted by the GDPR do not apply where the purpose of the processing is historical or scientific research, statistical purposes or archiving in the public interest, insofar as those rights are likely to render impossible or seriously impair the achievement of those purposes and the derogations are necessary to achieve them.
Where the purpose is archiving in the public interest, the Law provides, in addition to the rights mentioned above and by derogation from the GDPR, that two further rights do not apply: the right to be notified of any rectification or erasure of personal data or restriction of processing carried out by the controller, and the right to data portability.
Processing by political parties, organisations of citizens belonging to national minorities and non-governmental organisations
Political parties, organisations of citizens belonging to national minorities and non-governmental organisations may process personal data in order to achieve their objectives without the express consent of the data subject, provided that they implement the appropriate guarantees set out in the Law.
Corrective measures and penalties
Law no. 190/2018 establishes a sanctions regime that differentiates between public authorities and bodies, on the one hand, and all other entities, on the other.
The general rule under the GDPR is that the supervisory authority may order a series of measures, including administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the infringement.
Law no. 190/2018 maintains the general rule of the GDPR but limits the sanctions applicable to public authorities and bodies. One of the most important rules is that public authorities and bodies are first warned, and the supervisory authority imposes a remedy plan. Only if the measures set out in the remedy plan are not fulfilled is a fine applied, and in that case the fine is up to RON 200 000.