Art. 1. - Object of the law
This law establishes the necessary measures for the implementation at the national level, mainly, of the provisions of art. 6 para. (2), art. 9 para. (4), art. 37-39, 42, 43, art. 83 para. (7), art. 85 and of art. 87-89 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC, published in the Official Journal of the European Union, series L, no. 119 of May 4, 2016, hereinafter referred to as the General Data Protection Regulation.
Art. 2. - Definitions
(1) In applying the General Data Protection Regulation and this law, the terms and expressions below are defined as follows:
a) public authorities and bodies - the Chamber of Deputies and the Senate, the Presidential Administration, the Government, ministries, other specialized bodies of the central public administration, autonomous public authorities and institutions, local and county public administration authorities, other public authorities, as well as the institutions under their subordination/coordination. For the purposes of this law, cult units and associations and foundations of public utility are assimilated to public authorities/organizations;
b) national identification number - the number by which a natural person is identified in certain record systems and which has general applicability, such as: personal numerical code, series and number of the identity document, passport number, driver's license number, number of social health insurance;
c) remedial plan - annex to the record of detection and sanctioning of the contravention, drawn up under the conditions provided for in art. 11, by which the National Supervisory Authority for the Processing of Personal Data, hereinafter referred to as the National Supervisory Authority, establishes measures and a remedial deadline;
d) remedial measure - solution ordered by the National Supervisory Authority in the remedial plan in order for the authority/public body to fulfill the obligations provided for by law;
e) remedial period - the period of time of no more than 90 days from the date of communication of the record of detection and sanctioning of the contravention, during which the authority/public body has the opportunity to remedy the irregularities found and fulfill the legal obligations;
f) performing a task that serves a public interest - includes those activities of political parties or organizations of citizens belonging to national minorities, of non-governmental organizations, which serve to achieve the objectives provided by constitutional law or public international law or the functioning of the democratic system, including encouraging the participation of citizens in the decision-making process and the preparation of public policies, namely the promotion of the principles and values of democracy.
(2) The definitions provided in art. 4 of the General Data Protection Regulation are also applicable within the scope of this law.
CHAPTER II
Special rules regarding the processing of certain categories of personal data
Art. 3. - Processing of genetic data, biometric data or health data
(1) The processing of genetic, biometric or health data, in order to carry out an automated decision-making process or to create profiles, is allowed with the explicit consent of the person concerned or if the processing is carried out on the basis of express legal provisions, with the establishment of appropriate measures to protect the rights, freedoms and legitimate interests of the data subject.
(2) Health data processing carried out for the purpose of ensuring public health, as defined in Regulation (EC) no. 1338/2008 of the European Parliament and of the Council of December 16, 2008 on Community statistics relating to public health, as well as health and safety at work, published in the Official Journal of the European Union, series L, no. 354/70 of December 31, 2008, cannot be carried out later, for other purposes, by third parties.
Art. 4. - Processing of a national identification number
(1) The processing of a national identification number, including through the collection or disclosure of the documents containing it, can be carried out in the situations provided by art. 6 para. (1) of the General Data Protection Regulation.
(2) The processing of a national identification number, including by collecting or disclosing the documents that contain it, for the purpose provided for in art. 6 para. (1) lit. f) from the General Regulation on data protection, respectively the realization of the legitimate interests pursued by the operator or a third party, is carried out with the establishment by the operator of the following guarantees:
a) the implementation of appropriate technical and organizational measures to comply, in particular, with the principle of data minimization, as well as to ensure the security and confidentiality of personal data processing, according to the provisions of art. 32 of the General Data Protection Regulation;
b) appointment of a data protection officer, in accordance with the provisions of art. 10 of this law;
c) establishing storage terms depending on the nature of the data and the purpose of the processing, as well as specific terms in which personal data must be deleted or reviewed for deletion;
d) periodic training regarding the obligations of the persons who, under the direct authority of the operator or the person authorized by the operator, process personal data.
Art. 5. - Processing of personal data in the context of employment relations
If monitoring systems are used by means of electronic communications and/or by means of video surveillance at the workplace, the processing of employees' personal data, in order to achieve the legitimate interests pursued by the employer, is allowed only if:
a) the legitimate interests pursued by the employer are thoroughly justified and prevail over the interests or rights and freedoms of the persons concerned;
b) the employer provided the mandatory, complete and explicit prior information to the employees;
c) the employer consulted the union or, as the case may be, the representatives of the employees before the introduction of the monitoring systems;
d) other less intrusive forms and ways to achieve the goal pursued by the employer have not previously proven their effectiveness; and
e) the duration of storage of personal data is proportional to the purpose of processing, but not longer than 30 days, except for situations expressly regulated by law or thoroughly justified cases.
Art. 6. - Processing of personal data and special categories of personal data, in the context of the performance of a task that serves a public interest
If the processing of personal and special data is necessary for the performance of a task that serves a public interest according to art. 6 para. (1) lit. e) and art. 9 lit. g) of the General Regulation on data protection, it is carried out with the establishment by the operator or by the third party of the following guarantees:
a) the implementation of appropriate technical and organizational measures to comply with the principles listed in art. 5 of the General Regulation on data protection, in particular the minimization of data, respectively the principle of integrity and confidentiality;
b) appointment of a data protection officer, if this is necessary in accordance with art. 10 of this law;
c) establishing storage terms depending on the nature of the data and the purpose of the processing, as well as specific terms in which personal data must be deleted or reviewed for deletion.
CHAPTER III
Exceptions
Art. 7. - Processing of personal data for journalistic purposes or for the purpose of academic, artistic or literary expression
In order to ensure a balance between the right to the protection of personal data, freedom of expression and the right to information, processing for journalistic purposes or for the purpose of academic, artistic or literary expression may be carried out, if it concerns personal data that have been manifestly made public by the data subject or which are closely related to the data subject's status as a public person or to the public nature of the facts in which he is involved, by way of derogation from the following chapters of the General Data Protection Regulation:
a) chapter II - Principles;
b) chapter III - The rights of the concerned person;
c) chapter IV - The operator and the person authorized by the operator;
d) chapter V - Transfers of personal data to third countries or international organizations;
e) chapter VI - Independent supervisory authorities;
f) chapter VII - Cooperation and coherence;
g) chapter IX - Provisions relating to specific processing situations.
Art. 8. - Processing of personal data for scientific or historical research purposes, for statistical purposes or for archiving purposes in the public interest
(1) The provisions of art. 15, 16, 18 and 21 of the General Data Protection Regulation do not apply if personal data are processed for scientific or historical research purposes, to the extent that the rights mentioned in these articles are likely to make it impossible or to seriously affect the achievement of the specific goals, and the respective derogations are necessary for the fulfillment of these goals.
(2) The provisions of art. 15, 16, 18, 19, 20 and 21 of the General Data Protection Regulation do not apply if personal data are processed for archiving purposes in the public interest, insofar as the rights mentioned in these articles are of a nature to make impossible or seriously affect the achievement of the specific purposes, and these exemptions are necessary for the fulfillment of these purposes.
(3) The exemptions provided for in para. (1) and (2) are applicable only subject to the existence of appropriate guarantees for the rights and freedoms of the persons concerned, provided for in art. 89 para. (1) of the General Data Protection Regulation.
(4) If the processing referred to in para. (1) and (2) serves at the same time another purpose, the exemptions apply only to processing for the purposes mentioned in the respective paragraphs.
Art. 9. -
(1) In order to ensure proportionality and a balance between the right to the protection of personal data and special data and the processing of such data by political parties and organizations of citizens belonging to national minorities, non-governmental organizations, the following guarantees will be implemented:
a) informing the data subject about the processing of personal data;
b) guaranteeing the transparency of information, communications and ways of exercising the rights of the data subject;
c) guaranteeing the right to rectification and deletion.
(2) The processing of personal and special data is allowed to political parties and organizations of citizens belonging to national minorities, non-governmental organizations, in order to achieve their objectives, without the express consent of the person concerned, but on the condition that the appropriate guarantees, mentioned in the previous paragraph, are provided.
CHAPTER IV
The data protection officer
Art. 10. - Designation and tasks of the data protection officer
(1) Operators and persons authorized by the operator appoint a data protection officer in the situations and conditions provided for in art. 37-39 of the General Data Protection Regulation.
(2) If the operator or the person authorized by the operator is a public authority or a public body, as defined in art. 2 para. (1) lit. a), a unique data protection officer may be appointed for several of these authorities or bodies, taking into account their organizational structure and size.
(3) The activity and tasks of the data protection officer are carried out in compliance with the provisions of art. 38 and 39 of the General Data Protection Regulation and applicable national legal regulations.
CHAPTER V
Certification bodies
Art. 11. - Accreditation of certification bodies
(1) Accreditation of the certification bodies provided for in art. 43 of the General Regulation on data protection is carried out by the Romanian Accreditation Association - RENAR, as the national accreditation body, in accordance with Regulation (EC) no. 765/2008 of the European Parliament and of the Council of July 9, 2008 establishing the requirements for accreditation and market surveillance regarding the marketing of products and repealing Regulation (EEC) no. 339/93, published in the Official Journal of the European Union, series L, no. 218 of August 13, 2008, as well as in accordance with Government Ordinance no. 23/2009 regarding the accreditation activity of conformity assessment bodies, approved with amendments by Law no. 256/2011.
(2) The certification bodies will be accredited according to the applicable legal regulations, in accordance with the EN-ISO/IEC 17065 standard and with the additional requirements established by the National Supervisory Authority, as well as in compliance with the provisions of art. 43 of the General Data Protection Regulation.
CHAPTER VI
Corrective Actions and Penalties
Art. 12. - General provisions regarding corrective measures and sanctions
(1) Violation of the provisions listed in art. 83 para. (4) - (6) of the General Data Protection Regulation constitutes a contravention.
(2) The main contraventional sanctions are the warning and the contraventional fine.
(3) Violation of the provisions of art. 3-9 of this law constitutes a contravention and is sanctioned under the conditions provided for in art. 83 para. (5) of the General Data Protection Regulation.
(4) Finding the contraventions provided by this law and applying the contraventional sanctions, as well as the other corrective measures provided by art. 58 of the General Data Protection Regulation are made by the National Supervisory Authority, in accordance with the provisions of the General Data Protection Regulation, of Law no. 102/2005 regarding the establishment, organization and operation of the National Supervisory Authority for the Processing of Personal Data, with subsequent amendments and additions, and of this law.
Art. 13. - Application of corrective measures to authorities and public bodies
(1) In the event of a violation of the provisions of the General Regulation on data protection and of this law by the public authorities/organizations, the National Supervisory Authority concludes a record of the finding and sanctioning of the contravention by which the sanction of the warning is applied and to which a remedial plan is attached.
(2) The remediation period is determined according to the risks associated with the processing, as well as the necessary steps to be taken to ensure compliance with the processing.
(3) Within 10 days from the expiry of the remedial period, the National Supervisory Authority may resume control.
(4) The responsibility for the fulfillment of the remedial measures rests with the public authority/organization which, according to the law, bears the contraventional liability for the ascertained facts.
(5) The model of the remedial plan that is attached to the record of finding and sanctioning the contravention is provided in the Remedial Plan annex, which is an integral part of this law.
Art. 14. - Finding contraventions and applying sanctions to authorities and public bodies
(1) If following the control provided for in art. 13 para. (3) it is found that the public authorities/bodies have not fully implemented the measures provided for in the remedial plan, the National Supervisory Authority, depending on the circumstances of each individual case, may apply the contravention sanction of the fine, taking into account the criteria provided for in art. 83 para. (2) of the General Data Protection Regulation.
(2) Violation by public authorities/organizations of the following provisions of the General Data Protection Regulation, relating to:
a) the obligations of the operator and the person authorized by the operator in accordance with the provisions of art. 8, art. 11, art. 25-39, art. 42 and 43;
b) the certification body's obligations in accordance with art. 42 and 43;
c) the obligations of the monitoring body in accordance with art. 41 para. (4).
(3) Violation by public authorities/organizations of the provisions of art. 3-9 of this law.
(4) The contraventions provided for in para. (2) and (3) are sanctioned with a fine from 10,000 lei to 100,000 lei.
(5) Violation by public authorities/organizations of the following provisions of the General Data Protection Regulation, regarding:
a) the basic principles for processing, including the conditions regarding consent, in accordance with art. 5-7 and art. 9;
b) the rights of the persons concerned in accordance with art. 12-22;
c) transfers of personal data to a recipient from a third country or an international organization, in accordance with art. 44-49;
d) any obligations under national legislation adopted under Chapter IX;
e) non-compliance with a decision or a temporary or definitive limitation on the processing or suspension of data flows, issued by the National Supervisory Authority pursuant to art. 58 para. (2), or not granting access, in violation of the provisions of art. 58 para. (1).
(6) By derogation from the provisions of art. 8 para. (2) lit. a) of Government Ordinance no. 2/2001 regarding the legal regime of contraventions, approved with amendments and additions by Law no. 180/2002, with subsequent amendments and additions, the contraventions provided for in para. (5) are sanctioned with a fine from 10,000 lei to 200,000 lei.
(7) Violation by public authorities/organizations of a decision issued by the National Supervisory Authority in accordance with art. 58 para. (2) in conjunction with art. 83 para. (2) of the General Data Protection Regulation.
(8) By derogation from the provisions of art. 8 para. (2) lit. a) of Government Ordinance no. 2/2001, with subsequent amendments and additions, the contraventions provided for in para. (7) are sanctioned with a fine from 10,000 lei to 200,000 lei.
Art. 15. -
In application of the provisions of art. 58 para. (2) lit. b) from the General Regulation on data protection, art. 142 para. (1) from Law no. 102/2005 regarding the establishment, organization and operation of the National Supervisory Authority for the Processing of Personal Data, published in the Official Gazette of Romania, Part I, no. 391 of May 9, 2005, with subsequent amendments and additions, is amended and will have the following content: