Romania Publishes Draft GDPR Law

The Ministry of Internal Affairs in Romania published a draft bill on 5 September 2017 amending the country’s current data protection legal framework ahead of the introduction of the European Union General Data Protection Regulation (GDPR).

The Draft amendment seeks to adapt the Romanian legal framework to the new EU legislation and consequently update Law number 102/2005 as well as repeal Law number 677/2001. Law number 102/2005, which the Draft will update, deals with the National Supervisory Authority for Personal Data Processing, while no. 677/2001 deals with data protection law.

The Draft Amendment revises Law no. 102/2005 to match certain requirements under the GDPR. Fundamental aspects of the revision include an extension of the DPA’s competences and powers, new regulations regarding the supervisory and compliance role of the country’s DPA, and specific ways and processes of dealing with complaints.

Independence of RDPA

The Draft Law asserts the independence of the RDPA. It equates its officers with parliament’s public officers who enjoy more privileged status. It also sets out the independence of RDPA’s president. Under the Draft law, the RDPA president will have the authority to monitor the application of the EU GDPR and ensure involvement in the European Data Protection Board.

RDPA Investigative Capacity

The Draft Law increases the investigative powers of the RDPA. It reinforces its capacity by increasing its personnel from the current 50 to 85 officers. The EU legislation gives the RDPA the authority to obtain whatever kind of information it requires. This includes personal data and information in the custody of the data processors and controllers. The data controllers and processors under investigation are permitted to file an objection within fifteen days after the protocol is communicated. If no objection is entered within the stipulated time, the protocol becomes an executory title. The administrative penalty becomes due within 15 days.

Fines for failure to provide information

The RDPA has the necessary structures to put pressure on those under investigation. The RDPA can impose an administrative penalty of up to RON 3,000 for each day of delay in making requested files available. Data subjects may forward their grievances to the RDPA. The RDPA has a maximum of 30 days to determine if a complaint raised is admissible.

The RDPA published guidelines for data processors and controllers. The guidelines borrow heavily from the GDPR and put the country on the right track towards synchronizing its data protection laws to mirror the EU legislation. The recommendations in the RDPA’s guidelines include the appointment of a data protection officer, conducting an impact assessment, and the obligation of the data controller to draft and execute internal procedures to ensure compliance with the data protection regulation.

The publication of the draft law is a positive move for Romania as far as data protection and personal data processing are concerned. However, the country must do more to adapt to the new EU regulations.