In April 2016, the European Union adopted EU Regulation 2016/679 (General Data Protection Regulation – GDPR) on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and the subsequent repeal of Directive 95/46/EC. The GDPR is to apply starting on 25th May 2018, giving the member states and the companies a two-year period to take all the necessary measures to prepare for its implementation.
In a nutshell, the main change brought by the GDPR is to extend the material and territorial scope of data protection. Firstly, it broadens the array of data which are subject to protection to include location data, online identifiers (computer IP address), biometric data (facial images or physical data) and genetic data. Secondly, as for the territorial impact, it will also affect the servers or processors which are not established in the EU, if the processing activities are related to the offering of goods or services to natural persons in the EU, or to the monitoring of their behaviour as far as their behaviour takes place within the EU.
Although the GDPR will be directly applicable within the territory of the Member States, without the requirement of being incorporated into national legislation, the Member States may adopt specific rules till 25 May 2018 to ensure its applicability.
In this regard, the Ministry of Internal Affairs of Romania and the Romanian National Supervisory Authority for Personal Data Processing (the Supervisory Authority) have jointly prepared a Bill, aimed to modify and supplement Law No. 102/2005 on the establishing, organizing and functioning of the National Supervisory Authority and to repeal the Law No. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data. The Bill was recently published on the Ministry of Internal Affairs website and it will be open to public review and opinion till 25 September 2017.
According to the Explanatory Note of the Bill, it aims to consolidate the role, the powers and the autonomy of the Supervisory Authority. The main changes refer to the following issues: consolidating the status of the Supervisory Authority, strengthening of the control and sanctioning competences, and setting up the procedural aspects of solving a data protection complaint.
Consolidating the status of the Supervisory Authority
The personnel of the Supervisory Authority will have the same status and rights as the members of parliament, being considered public servants. Furthermore, the activity conducted by the legal staff will count toward seniority, being assimilated to any other legal professions (lawyers, notaries, etc.), which means that after having 5 years of experience, they can participate in the selection process to be appointed as a judge or prosecutor.
Moreover, the Supervisory Authority will increase the number of its members and the Bill expressly states that it shall make available the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers.
Strengthening of the control and sanctions
Article 58 para. 6 of the GDPR provides that each Member State may provide by law that its supervisory authority shall have additional powers to those referred in the GDPR.
Thus, the Bill adds some new prerogatives to the Supervisory Authority. It should be mentioned that some of these new provisions are merely a copy of the GDPR provisions, adding a few changes or references to the circumstances in which the Supervisory Authority’s tasks shall be exercised.
Nevertheless, this article will focus on those powers which are not included in the GDPR. For example, the Supervisory Authority is authorised to perform unannounced controls, and to obtain from the operator any information and documents regardless of the storage medium. The Authority is authorised to take copies, as well as to verify any equipment or any data storage medium. It may also order an expert examination to be carried out and even hear persons whose statements are considered relevant and necessary for the investigation.
If the operator refuses to provide the requested information or documents or to take part in the investigation, it can be subject to a fine of RON 3000 per day of delay. Furthermore, the decision rendered by the Supervisory Authority in this regard is considered a writ of execution; consequently, the enforcement process can be started immediately, without the court’s intervention.
Data protection complaints procedure
The right to lodge a complaint with the Supervisory Authority is also recognised for the spouse and the relatives up to second degree (parents, children, grandparents and grandchildren) of the person who considers that his or her rights under the GDPR have been infringed.
In solving the complaint, the Supervisory Authority will conduct a two-step analysis: (i) firstly, it will analyse the admissibility of the complaint and inform the complainant within 30 days about the outcome, and (ii) secondly, it will analyse the complaint on the merits and update the complainant within 3 months about the status of the enquiry. In cases where the Supervisory Authority does not comply with these obligations, the complainant will have the right to bring an action before the administrative court.
If, after the analysis of the complaint, the Supervisory Authority concludes that the complainant’s rights have been infringed and only a court of law can provide a remedy, the Supervisory Authority is entitled to act in court on behalf of the complainant, who will then ratify the action or not.
The above clearly shows that Romania is focusing mostly on the status and powers of the Supervisory Authority and less on natural persons’ rights with regard to the processing of personal data, even though the GDPR gives the Member States the possibility to adopt additional provisions in this regard, for example introducing further conditions, including limitations, as to the processing of genetic data, biometric data or data concerning health.
As the Bill in its current form may undergo further changes, readers should be prepared for them. They also need to ensure now that they fully understand the provisions of the GDPR so far as it relates to their business in Romania, which may be different for other jurisdictions.