Since May 25, 2018, radical changes to data privacy laws in the European Union have come into effect. The General Data Protection Regulation ("GDPR") has impacted businesses, regardless of whether they have a corporate presence in the EU or use EU-based assets to process data (which was the former test for EU data protection rules application). If a business offers goods or services to EU-based customers or monitors their behavior, it potentially is within the scope of the GDPR (please see below for more details).

The extra-territorial reach means that, in practice, many businesses operating internationally need to adopt European data privacy standards, which are becoming the default global standards. The increased sanctions under the GDPR (up to 4% of global revenue or EUR 20 million, whichever is higher), together with general public expectations about data privacy, mean that compliance with data privacy laws cannot be treated as a minor regulatory issue. Potential fines and other penalties under the GDPR will put data privacy and cybersecurity at the same level as antitrust or anti-bribery and corruption programs on the corporate compliance agenda. This will require board-level awareness and leadership and the combined input from a range of professionals, including legal, IT, finance, procurement and vendor management and HR.

The GDPR is directly effective in all EU Member States without the need for further national legislation. However, the GDPR has specific areas in which the Member States are either permitted or required to enact national legislation to give effect to its provisions, for example, in relation to the procedure for imposing an administrative fine; the processing of special categories of personal data; the age of consent for processing personal data in the context of online services; and the restrictions and limitations on the application and exercise of data subject rights. 

Moreover, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications) (“e-Privacy Directive”) contains provisions regarding the protection of privacy on the Internet.

In Romania, the GDPR is directly applicable, being complemented by Law No. 190/2018 on measures for the implementation of the GDPR, and the e-Privacy Directive is transposed by Law No. 506/2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.

• Court of Justice of the European Union ("CJEU"), No. C-311/18, Judgment of the Court, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, July 16, 2020
  • The CJEU upheld the validity of the European Commission's standard contractual clauses ("SCCs"), while indicating that, in order to use them, it is up to the data controller, where applicable in cooperation with the recipient of the transferred data, to assess whether, in practice and for the transfer envisaged, these SCCs ensure that the transferred data enjoy a level of protection essentially equivalent to that ensured in the European Union. If the effect of these clauses is limited or completely excluded by the legislation of the third country applicable to the transfer of such data, the data controller must implement additional measures to ensure the required level of data protection or notify the competent data protection authority of its intention to continue transferring data without these safeguards.
  • The CJEU analyzed U.S. legislation on access to data from internet service providers and telecommunications companies by U.S. intelligence services (Section 702 FISA and Executive Order 12 333). It concluded that the interference with the privacy of individuals whose data is processed by U.S. companies and operators subject to this legislation is disproportionate in relation to the requirements of the Charter of Fundamental Rights. In particular, the Court ruled that the collection of data by intelligence services is not proportionate and that the remedies, including judicial remedies, available to individuals with regard to the processing of their data are insufficient. The CJEU therefore invalidated the European Commission's adequacy decision.
• CJEU, No. C-131/12, Judgment of the Court, Google Spain SL and Google Inc. v. Spanish Data Protection Agency (AEPD) and Mario Costeja González, May 13, 2014
  • The CJEU has clarified that operators of internet search engines are now responsible for the processing of personal data appearing on web pages published by third parties.
  • Every data subject has the right to obtain the removal of personal data concerning them, i.e., the operator of a search engine must, at the request of said data subject, remove from the list of results obtained following a search carried out using a person's name, links to web pages published by third parties containing information relating to that person.
• CJEU, No. C-673/17, Judgment of the Court, Federal Association of Consumer Organizations and Consumer Associations – Verbraucherzentrale Bundesverband eV v Planet49 GmbH, October 1, 2019
  
  • In the European Economic Area ("EEA"), users of websites and apps cannot be tracked using cookies or similar technologies without their specific consent through active behavior. Pre-ticked checkboxes are not sufficient to constitute consent. Users must also be informed of the possibility of third-party access to cookies and the lifetime of cookies. 
• CJEU, No. C-40/17, Judgment of the Court, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, July 29, 2019 
  
  • The manager of a website that inserts the Facebook “Like” button on said website becomes jointly responsible (with Facebook) for the processing of personal data of visitors to its website regarding the collection and transmission of such data to Facebook. If the manager wishes to rely on consent as a legal basis for processing, they must obtain it and inform visitors of their rights prior to the collection of data.
• CJEU, No. C-300/21, Judgment of the Court, UI v Österreichische Post AG, May 4, 2023 
  
  • In the event of a breach of the GDPR, the right to compensation is subject to three cumulative conditions, which are as follows: (i) a breach of the GDPR, (ii) material or non-material damage resulting from that breach, and finally (iii) a causal link between the breach and the damage. Based on these three cumulative conditions, a simple breach does not in itself give rise to a right to compensation. Furthermore, the GDPR does not define the concept of “damage.” It merely states explicitly that both “material” and “moral” damage may give rise to a right to compensation, “without any threshold of seriousness being required” (§ 45).

The following section outlines several sanctions imposed by the Romanian data protection authority ("ANSPDCP"), along with illustrative cases that provide insight into the practical application of the legislation:

• In Romania, on June 26, 2025, ANSPDCP fined a controller in the construction and retail sector approximately EUR 4,000 for placing non-essential cookies without user consent and ordered corrective measures to ensure such cookies (e.g., marketing, analytics) are installed only after consent.
  
  On March 25, 2025, ANSPDCP imposed an administrative fine of EUR 25,000 on a controller in the information technology services and consulting sector for failing to implement adequate technical and organizational measures to ensure data security. ANSPDCP found that, following a cyberattack, the company’s IT infrastructure was compromised, resulting in unauthorized access to a significant volume of personal data, including sensitive information such as identification documents, financial records, employment data, and health-related data. In addition, the authority noted that the controller failed to notify the supervisory authority within the 72-hour deadline required by Article 33(1) GDPR.
  
  
• In Decision No. 39/2024, the High Court of Cassation and Justice ("ICCJ"), Romania’s supreme court, examined the admissibility of secretly recorded phone calls in labor disputes. The Court held that such recordings may be admitted as evidence even without the interlocutor’s consent, provided they are indispensable and proportionate to the right to evidence. Although rooted in procedural law, the ruling refers to data protection regulations, underlining the balance between privacy and the right to a fair trial.
  
  
• In Decision No. 2684/2025, the Bucharest Tribunal annulled a EUR 2,000 fine imposed on a controller in the fuel distribution sector, following a data breach incident. The court held that the controller could not be held liable because the processor had handled personal data in a manner incompatible with the controller’s instructions and in a way that could not reasonably be deemed consented to by the controller. At the same time, the court found that the training provided to the processor was inadequate - consisting only of PowerPoint presentations and an online platform—which was not suitable for the employee categories concerned (e.g., gas station workers), as simple email presentations or automated confirmation via a digital checklist were insufficient to ensure effective training.

Personal Data

The GDPR regulates the processing of personal data within the meaning of Article 4.1 of the GDPR, i.e. any information relating to an individual who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply, however, to fully anonymized or aggregated data where a living individual cannot be identified.

Sensitive Data

Sensitive data is a special category of personal data that is subject to a higher level of protection under Article 9.1 of the GDPR.

This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

The definition of sensitive data is set out in Article 6 of the French Data Protection Act.

Data relating to criminal convictions or offenses are subject to specific protection under the GDPR and may only be processed under the control of official authority or where authorized by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

In France, in accordance with Article 46 of the French Data Protection Act, the categories of users who can access this data for research purposes are strictly regulated (public authorities, public services, victim support associations approved by the Ministry of Justice).

Personal data and sensitive data are protected by the GDPR through a set of principles and technical obligations designed to ensure their confidentiality, integrity, and availability throughout their lifecycle.

Under GDPR, processing of personal data is subject to:

• the main principles set forth in Article 5.1 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization and accuracy; storage limitation; and integrity and confidentiality;
• existence of a valid legal basis for the processing (GDPR, Article 6);
• enhanced protection of sensitive data (GDPR, Article 9);
• provision of complete and transparent information to data subjects (GDPR, Articles 12 to 14);
• possibility given to data subjects to exercise their rights;
• data protection by design and by default (GDPR, Article 25);
• documenting relations with data processors (GDPR, Article 28);
• inclusion of the processing in a record of processing activities (as a data controller or processor) (GDPR, Article 30);
• security obligations (GDPR, Article 32); and
• notification of personal data breaches to he supervisory authority where there is a risk for the data subject (GDPR, Article 33) and communication to the data subject when the risk is high (GDPR, Article 34).

All of these elements ensure optimal protection of the data collected.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

The GDPR’s obligations primarily apply to data controllers, defined as any natural person, corporate entity or other legal person, public authority, agency or other body that determines the purposes and means of data processing (alone or together with others). It also provides for certain direct obligations on data processors, which are any natural person, corporate entity or other legal person, public authority, agency or other body that processes personal data on behalf of the data controller. 

The GDPR applies to:

• The processing of personal data in the context of the activities of a data controller’s or data processor’s establishment in the EU (i.e., implying the effective and real exercise of activity through stable arrangements), regardless of whether the data is processed in the EU or not or regardless of whether the data relates to EU residents or not. 
• The processing of personal data of persons within the EU by data controllers or data processors who are established outside the EU, where the processing is related to:
  • the offering of goods or services to such data subjects in the EU (irrespective of whether payment is required); or
  • the monitoring of the behavior of such data subjects as far as the behavior takes place in the EU.

In accordance with Article 4.2 of the GDPR, data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The processing of personal data is not necessarily computerized: paper files are also concerned and must be protected under the same conditions.

Data processing must have a purpose, a specific aim determined prior to the collection and use of the data.

Under the GDPR, a data controller must comply with the following principles under Article 5:

• Lawfulness, Fairness and Transparency – the data shall be processed lawfully (i.e., based on one of the six specified legal bases), fairly and in a transparent manner (e.g., pursuant to a privacy policy that meets the requirements of the GDPR) in relation to the data subject;
• Purpose Limitation – the data
  
  • shall be collected for specified, explicit and legitimate purposes; 
  • shall not be further processed in a manner incompatible with those purposes.
• Data Minimization – the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed or are further processed;
• Accuracy – the data shall be accurate and, where necessary, kept up to date;
• Storage Limitation – the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed; 
• Integrity and Confidentiality – the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; and 
• Accountability – The data controller shall be responsible for and be able to demonstrate compliance with the above principles.

To be processed lawfully, the GDPR requires that personal data processing are based on one of the specified legal bases, which include the following:

1. Consent

Personal data may be processed based on the data subject’s specific, freely given and informed consent.

• such consent must be provided by way of “a statement or by a clear affirmative action”(pre-ticked boxes and implied consent fall short of the standard);
• Data subjects have the right to withdraw their consent at any time and in an easy manner.

The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.  

The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.  

Consent from a child in relation to online services will only be valid if authorized by a parent or guardian. According to Article 8 of the GDPR, a child can consent from 16 years old, though the Member States may reduce this age to 13 years old. 

2. Legitimate Interests

A data controller may process personal data based on its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.  

The data controller must, however, inform the data subject of the particular legitimate interest pursued and the data subject has the right to object to the legitimate interest-based processing on grounds particular to his or her situation (see Right of Objection below). 

Public authorities may not rely on this legal basis in the performance of their tasks.

3. Contractual Necessity

Personal data may be processed where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract. The processing must, however, be necessary to contract performance rather than merely facilitative. 

4. Legal Obligation

A data controller may process personal data where it is necessary to comply with a legal obligation to which it is subject. 

5. Vital Interest of the Data Subject

The data controller may process personal data where it is necessary to protect the vital interests of the data subject or another natural person. 

6. Public Interest or in the exercise of Official Authority

The data controller may process personal data where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

Special Categories of Personal Data

The processing of special categories of personal data is prohibited, except where it relies on one of the exceptions set out in Article 9:

1. The data subject has given explicit consent;

2. Processing is necessary for compliance with obligations or exercising rights under employment and social security and social protection laws, as set out in EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the rights and freedoms of data subjects;

3. Processing is necessary to protect the vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;

4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a political, philosophical, religious or trade union foundation, association or not-for-profit body and relates to the personal data of its members, former members and persons in regular contact, only which are not disclosed outside without consent;

5. The personal data processed are manifestly made public by the data subject;

6. Processing is necessary for the establishment, exercise or defense of a legal claim or whenever courts are acting in their judicial capacity;

7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law, which is proportionate, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the rights and interests of the data subjects;

8. Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional;

9. Processing is necessary for reasons of public interest in the area of public health on the basis of EU or Member State law;

10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of EU or Member State law.

Member States may have further conditions with regard to the processing of genetic data, biometric data or data concerning health.

Please note that in Romania, the processing of genetic, biometric, or health data for automated decision-making or profiling is permitted only with the explicit consent of the individual or where expressly provided by law, subject to safeguards protecting their rights and freedoms. In addition, health data processed for public health purposes (as defined in Regulation (EC) No. 1338/2008) cannot subsequently be used by third parties for other purposes.

In addition to these special categories of data mentioned in Article 9, Member States may also further determine the specific conditions for the processing of a national identification number or any other identifier of general application.

In Romania, the processing of a national identification number, including through the collection or disclosure of documents containing it, is permitted in the situations provided under Article 6 (1) GDPR. Where the legal basis relied upon is legitimate interest under Article 6 (1) (f) GDPR, the law requires the implementation of specific safeguards. These include the adoption of appropriate technical and organizational measures, in line with Article 32 GDPR, to ensure in particular data minimization as well as the security and confidentiality of the processing, the appointment of a data protection officer, the establishment of retention periods tailored to the nature of the data and the purpose of the processing, together with periodic reviews for deletion, and the provision of regular training for staff involved in the processing of such data under the controller’s authority.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

Risk-Based Approach 

Data controllers must also have “appropriate technical and organizational measures” in place to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking a risk-based approach (Article 24). This requires that the controller takes account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary and shall include the implementation of appropriate data protection policies.  

Privacy by Design and Privacy by Default

The GDPR also introduces new concepts of ‘privacy by design’ and ‘privacy by default’ under Article 25. This requires that a controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to:

• the amount of personal data collected;
• the extent of their processing; and 
• the period of their storage and their accessibility. 

The GDPR requires that “appropriate technical and organizational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Article 32 provides some detail on the standards that controllers and processors should take into account in determining appropriate security measures against unauthorized or unlawful processing, accidental damage, destruction or loss of data. The data controller must take into account:

• the state of the art; 
• the cost of implementing the measures; 
• the nature, scope, context and purposes of processing; and
• the risk of varying likelihood and severity for rights and freedoms of the data subject posed by the processing, in particular, those presented against unauthorized or unlawful processing, accidental damage, destruction or loss of data.

The GDPR notably states that pseudonymization and encryption should be considered where appropriate and that controllers maintain system resilience and security testing, backup, recovery and continuity measures.

Data controllers and data processors must ensure all of their employees comply with the security measures in place and not process personal data other than on the instructions of the controller.

Personal data may not be kept for longer than is necessary for the specified purpose or purposes for which it was collected and a data retention procedure or policy should be implemented in this respect. 

Please note that in Romania, in the context of employment, where electronic communications or video surveillance systems are used at the workplace, the retention of personal data must be proportionate to the purpose of the processing and may not exceed 30 days, except where expressly regulated by law or in duly justified cases.

Under the GDPR, data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. 

The data controller shall provide information on action taken on a request within one month of receipt, which period may be extended by two further months where necessary, taking account of the complexity and number of requests and provided that the controller informs the data subject of such extension within one month of the request. 

Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may charge a “reasonable fee based on administrative costs” or refuse the request.

Right of Access 

The data subject can ask a data controller for a copy of his or her personal data being processed by the data controller. 

Right of Rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right of Erasure

In certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right of Restriction of Processing

The data subject has the right to obtain from the controller restriction (i.e. suspension) of the processing in certain circumstances, such as where the accuracy of the data is being contested, the processing is unlawful or the data subject has objected to the processing. 

Right to Data Portability

The right to data portability of personal data is the right to receive the personal data provided by the data subject to the controller (on the basis of consent or contractual necessity) in a structured, commonly used and machine-readable format and to transmit that data to another controller.

Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, to the processing of the personal data based on the performance of a task carried out in the public interest or for the legitimate interests of the controller or a third party.

The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. 

Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of his personal data at any time.

Automated Decisions with Legal or Significant Effects

Data subjects have a right not to be subject to automated decision-making in respect of the personal data, including profiling, with no human intervention where such a decision produces legal effects concerning the data subject or similarly significantly affects him or her (e.g., creditworthiness check or e-recruitment). This does not apply where explicit consent is provided, the processing is authorized by EU or Member State law or the processing is necessary for the purposes of entering into or performing a contract with the data subject. 

Pursuant to Article 23 of the GDPR, these data subject rights may be subject to limitations or restrictions as prescribed by Member State law where necessary and proportionate to safeguard various matters specified in Article 23, ranging from issues of national security to the enforcement of civil law claims.

In Romania, the processing of genetic data, biometric data or health data for the purpose of automated decision-making or profiling is permitted only with the explicit consent of the data subject, or where expressly provided by law, subject to the implementation of appropriate safeguards to protect the rights, freedoms and legitimate interests of the individual.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

Consent is one of the legal bases provided for by the GDPR on which the processing of personal data may be based. It is defined in Article 4.11 of the GDPR as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The consent of the individual is systematically required for certain types of processing, which are governed by specific legal provisions: for example, to carry out commercial prospecting by email.
Under Article 7 of the GDPR, four cumulative criteria must be met for consent to be valid. Consent must be:

1. Free: consent must not be coerced or influenced. The individual must be offered a genuine choice, without suffering any negative consequences if they refuse;
2. Specific: consent must correspond to a single processing operation for a specific purpose;
3. Informed: to be valid, consent must be accompanied by a certain amount of information communicated to the person before they consent (the identity of the data controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent, where applicable: the fact that the data will be used in the context of automated individual decisions or that it will be transferred to a country outside the European Union);
4. Unambiguous: consent must be given by a clear statement or other affirmative act. There must be no ambiguity as to the expression of consent.
   
   For example, the following methods of obtaining consent cannot be considered unambiguous: pre-ticked or pre-activated boxes, “bundled” consent (where a single consent is requested for several separate processing operations), or inaction (e.g., failure to respond to an email requesting consent).

The data subject has the right to withdraw consent, and as such, they must be able to withdraw their consent at any time, using a method that is as simple as the method used to obtain consent (for example, if consent was obtained online, it must also be possible to withdraw consent online).

In addition, the data controller must be able to demonstrate at any time that the individual has given valid consent. To do so, the data controller must document the conditions under which consent was obtained.

When the child is under 16 years of age, processing is only lawful if consent is given or authorized by the holder of parental responsibility over the child. The GDPR allows Member States to vary the age below which consent must be given by parents between 13 and 16 years.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

Authorization to use personal data is managed through the selection and justification of a legal basis for each processing operation and, in certain cases, through the collection of explicit consent.

The GDPR requires that all processing of personal data be based on at least one of the six legal bases provided for in Article 6.

Authorization to use data does not therefore necessarily imply consent from the data subject, provided that the use is based on another legal basis provided for in Article 6.

In the case that an entity that has collected data wishes to reuse it for purposes other than those initially specified, the consent of the data subject must be obtained again.

The use of consent boxes that are checked by default is prohibited. Furthermore, silence on the part of the person concerned (e.g., the person visits the website without accepting or refusing cookies) does not constitute consent.

The GDPR also restricts the transfer of personal data to a country outside the European Economic Area ("EEA") unless certain conditions or safeguards are in place. 

Transfer to Adequate Countries Outside the EEA

Transfers of data to a third country or international organization are permitted where the European Commission has taken an adequacy decision under Article 45 of the GDPR that there is an adequate level of protection of personal data in that country or organization.

The existing list of countries that have been approved by the EU Commission will remain in force. Transfers of personal data to the following countries can take place without too much concern:

• Andorra
• Argentina
• Canada (partial adequacy decision for personal data transferred to recipients subject to the Canadian Personal Information Protection and Electronic Documents Act 2000) 
• Faroe Islands
• Guernsey
• Israel
• Japan
• Jersey
• New Zealand
• Republic of Korea
• Switzerland
• The Isle of Man
• United Kingdom
• Uruguay

While the Privacy Shield was a partial adequacy decision covering transfers to organizations that complied with the Privacy Shield Principles in the United States, it has been invalidated by the decision of the European Court of Justice in case C-311/18 dated 16 July 2020 ("Schrems II decision") and is not applicable anymore.

In the wake of the invalidation of the Privacy Shield, the European Commission issued an adequacy decision for the EU–US Data Privacy Framework (“DPF”). Such transfers can occur freely with U.S. companies that are certified under the DPF, without needing additional safeguards. However, some concerns were raised regarding the consequences of the U.S. surveillance laws, and there is a belief that the DPF might be invalidated by the European Court of Justice.

Transfer to Non-Adequate Countries

Where the country to which the personal data will be transferred does not appear on an approved list of countries (such as the transfer to U.S. companies not certified under the DPF), the transfer of personal data can still take place only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. 

The appropriate safeguards may be provided by:

• a legally binding and enforceable instrument between public authorities or bodies; 
• binding corporate rules in accordance with Article 47; 
• so-called standard contractual clauses adopted by the European Commission or the supervisory authority, which incorporate the EU standards into the contract;
• an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
• an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; 
• binding corporate rules pursuant to Article 47.

The standard contractual clauses are the most commonly used appropriate safeguard mechanism. However, according to the Schrems II decision, controllers relying on standard contractual clauses or BCRs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area. Where necessary, supplementary measures (i.e., legal, technical or organizational measures) have to be implemented to ensure such an essentially equivalent level of protection.

The GDPR also provides for derogations to the prohibition of personal data transfers, for instance, where the data subject has explicitly consented to the transfer, after having been informed of the possible risks due to the absence of an adequacy decision. 

The GDPR does not relate to “incidents” related to personal data, but to “breaches”, i.e., any security incident, whether malicious or not, and occurring intentionally or unintentionally, that compromises the integrity, confidentiality, or availability of personal data.

In accordance with Article 4.12 of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

The GDPR introduces a compulsory requirement for controllers to report data breaches to the competent national supervisory authority(ies) (please see below) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.  

A risk assessment will, therefore, need to be taken by the controller in evaluating whether the obligation to report arises. Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether notification to the regulator is made or not, controllers must document all personal data breaches, comprising the facts, its effects and remedial action taken. 

Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

Providers of publicly available electronic communications services in public communications networks in the EU are subject to a mandatory reporting obligation in accordance with EU Regulation No 611/2013.

Supervisory Authority

Article 55, GDPR, provides that each national supervisory authority has the competence to act in relation to matters in its territory. In Romania, the supervisory authority is Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal ("ANSPDCP"): https://www.dataprotection.ro/. 

In France, the National Oversight Commission for Intelligence-Gathering Techniques ("CNCTR") monitors the surveillance techniques used by French intelligence services and verifies that any infringement of the right to privacy is proportionate.

Lead Supervisory Authority

In circumstances where a controller or a processor is engaged in “cross-border processing” (being the processing of personal data which takes place in the context of activities of establishments of that controller or processor in more than one Member State or processing which substantially affects or is likely to substantially affect data subjects in more than one Member State), then the supervisory authority of the main or single establishment of the controller or processor shall have the competence to act in respect of such cross-border processing.

Tasks and Powers of a Supervisory Authority

The GDPR provides for enhanced, wide-ranging powers of enforcement to supervisory authorities, who may impose substantial fines for breaches of the GDPR. 

The tasks of a supervisory authority are set out in Article 57 of the GDPR and include, among others:

• monitoring and enforcing the application of the GDPR; 
• promoting awareness;
• handling complaints; 
• conducting investigations;
• cooperating with other supervisory authorities;
• administrative tasks such as drawing up codes of conduct, reviewing certifications and approving standard contractual clauses for transfers of personal data outside the EEA. 

The powers of a supervisory authority are set out in Article 58 and include, among others:

• ordering the production of information from controllers and processors;
• conducting investigations in the form of audits, including onsite investigations;
• issuing warnings, reprimands, and enforcement orders, 
• ordering the suspension or ban of non-compliant processing activities;
• the imposition of administrative fines; and
• advising, for example, in relation to high-risk processing or issuing opinions.

The European Data Protection Board ensures that EU rules designed to protect data are applied consistently across all EU countries, so that all citizens have the same rights, regardless of where they live.

Finally, the European Commission and the CJEU contribute to the interpretation and enforcement of the GDPR.

Administrative Fines

The imposition of administrative fines by a supervisory authority is subject to appropriate procedural safeguards in accordance with Union or Member State law and therefore, the mechanism and procedure for imposing a fine may vary from Member State to Member State.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

The level of administrative fines is set out in Article 83, together with examples of aggravating and mitigating factors in determining whether to impose a fine and, if so, the level of such fine. In each case, the supervisory authority is to ensure that the imposition of fines is effective, proportionate and dissuasive. The amount of a fine depends on the nature of the infringement in question, with the applicable thresholds being up to:

• 2% of the total global annual turnover of an undertaking for the preceding financial year or EUR 10,000,000, whichever is higher; or
• 4% of the total global annual turnover of an undertaking for the preceding financial year or EUR 20,000,000, whichever is higher.

Direct marketing to individuals is currently regulated at a Member State level under national legislation that gives effect to the e-Privacy Directive ("Directive 2002/58/EC"). 

The use of publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing is restricted. Generally, such communications by electronic means require consent or are subject to a right to opt out.

In Romania, Article 12 of Law No. 506/2004 prohibits unsolicited commercial communications by automated systems, fax, email, or other electronic means, unless the subscriber or user has given prior express consent. An exception applies where a customer’s email address has been obtained directly in the context of a sale, allowing marketing of similar products or services by the same entity, provided the customer is clearly offered a simple and free opt-out both at collection and with each message. It is also prohibited to conceal the sender’s identity, omit a valid contact address for opt-out requests, or promote websites that contravene electronic commerce rules. These restrictions apply, as a rule, equally to natural and legal persons.

In January 2017, the European Commission published its proposal for an e-Privacy Regulation, which will replace and modernize the existing e-Privacy Directive and should particularize and complement the GDPR as its lex specialis on the protection of privacy and confidentiality of electronic communications. On February 10, 2021, the Council of the European Union finally agreed on a draft text of the e-Privacy Regulation, along with a mandate for its Presidency to start negotiations with the European Parliament in order to reach a consensus thereon. The 1st political trilogue concerning the ePrivacy regulation took place on May 20, 2021, under the Portuguese Presidency. The e-Privacy scope of application is set to have a broader reach than the GDPR, as inter alia concerns EU end-users – to whom electronic communications data (including both the content and metadata thereof) refer – regardless of whether they are natural or legal persons. On February 11, 2025, the European Commission disclosed in the “2025 Work Programme” that it will withdraw the proposal for a new e-Privacy Regulation (replacing the current e-Privacy Directive). The current e-Privacy Directive and its national transposition laws will remain in force.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

Healthcare sector

In accordance with Article 9.1 of the GDPR, the processing of health data is prohibited in principle, except in the specific cases provided for in Article 9.2.

In Romania, the processing of genetic, biometric or health data for automated decision-making or profiling is permitted only with the explicit consent of the data subject or where expressly provided by law, subject to appropriate safeguards to protect the individual’s rights and freedoms. Furthermore, health data processed for public health purposes, as defined in Regulation (EC) No. 1338/2008, cannot subsequently be used by third parties for different purposes.

Employment sector

In Romania, the processing of employees’ personal data through workplace monitoring systems (such as electronic communications or video surveillance) is permitted only where the employer’s legitimate interests are duly justified, employees are fully informed in advance, employees’ representatives are consulted, less intrusive measures have proven ineffective, and the retention period does not exceed 30 days unless expressly provided by law or otherwise duly justified.

Public interest sector

In Romania, the processing of personal data, including special categories of data, for the performance of a task carried out in the public interest under Article 6 (1) (e) and Article 9 (g) GDPR is permitted only with appropriate safeguards in place. These include implementing technical and organizational measures in line with the principles of GDPR (notably data minimization, integrity and confidentiality), appointing a data protection officer where required, and establishing storage periods based on the nature and purpose of the processing, with periodic review and deletion.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

Article 37 of the GDPR sets out the procedures for appointing a Data Protection Officer ("DPO").

This appointment is mandatory when:

• The processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 
• The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 
• The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The DPO must have legal and technical expertise in personal data protection and a good understanding of the business sector, internal organization, particularly processing operations, information systems, and data protection and security requirements.

In addition, the DPO must have sufficient resources to perform their duties (Article 38.2, GDPR), which means that they must:

• be involved in all matters relating to personal data protection;
• have sufficient time to perform their duties;
• have adequate material and human resources;
• have access to relevant information;
• be able to maintain their specialized knowledge;
• be easily accessible to the persons concerned.

Finally, the DPO must be able to act independently (Article 38.3, GDPR), which means:

• not being in a conflict of interest if their role as a delegate is combined with another role;
• be able to report on their actions to the highest level of the organization's management;
• not be penalized for performing their duties as a delegate;
• not receive instructions in the performance of their duties as a delegate.

The tasks assigned to the DPO are detailed in Article 39 of the GDPR and mainly involve advising, informing, monitoring, and managing relations with supervisory authorities.

Under the GDPR, archiving and documentation obligations are part of the principle of accountability, which means that every organization must be able to demonstrate its compliance with the GDPR at any time, imposing specific requirements for document retention and maintenance.

Any entity that processes data must document and regularly update its records demonstrating compliance with the GDPR.

It is necessary to document the processing of personal data in the following documents:

• Records of data processing activities (both for data controllers and data processors) (Article 30, GDPR);
• DPIAs for, if applicable,  processing operations likely to result in high risks to the rights and freedoms of individuals (Article 35, GDPR);
• Where there are data transfers outside the European Union, appropriate documentation, depending on the context of such transfer, e.g., standard contractual clauses, BCRs, and certifications (Articles 28 and 42, GDPR).

It is also necessary to keep the information provided to data subjects, the templates used to obtain consent from data subjects, and the procedures put in place for data subjects to exercise their rights.

Finally, contracts that define the roles and responsibilities of those involved in processing must also be archived, including contracts with subcontractors, internal procedures in the event of data breaches (Article 33, GDPR), and evidence that data subjects have given their consent when the processing of their data is based on this basis.

With regard to the archiving of personal data, Article 5.1(e) GDPR imposes a limited retention period for data, i.e., a period not exceeding that necessary for the purposes for which they are processed. These retention periods must be documented in the processing records, internal document management policies, and information notices to data subjects.

Article 35 of the GDPR requires that a Data Protection Impact Assessment ("DPIA") be carried out when a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

The DPIA is carried out by the data controller, in collaboration with the DPO (if a DPO has been appointed). If a data processor is involved in the processing, they must provide assistance and the information necessary to carry out the DPIA.

The DPIA shall be required in particular in the following cases:

• a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 
• processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 
• a systematic monitoring of a publicly accessible area on a large scale. 

In addition, if the processing meets at least two of the nine criteria set out in the G29 Guidelines, a DPIA is mandatory:

• evaluation/scoring (including profiling);
• automated decision-making with legal or similar effects;
• systematic monitoring;
• collection of sensitive or highly personal data;
• large-scale collection of personal data;
• cross-referencing of data;
• vulnerable individuals (patients, elderly people, children, etc.);
• innovative use (use of new technology);
• exclusion from the enjoyment of a right or contract.

In Romania, the ANSPDCP has published an additional list of seven types of processing operations for which a DPIA is required. 

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

The DPIA shall contain at least:

• a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
• an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
• an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
• the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. 

The DPIA must be conducted before processing operations begin. It should be started as early as possible and updated throughout the treatment cycle.

It is also necessary to review the DPIA regularly to ensure that the level of risk remains acceptable throughout the treatment, as the environment, particularly the technical environment, will evolve, requiring adjustments to the measures implemented.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

In the context of the GDPR, a third-party vendor refers to any external entity that processes personal data on behalf of another organisation. This may include cloud service providers, marketing agencies, payment processors, and IT support companies, among others. As these vendors handle personal data, they become an extension of the organisation and must adhere to the same compliance requirements.

Cases where the third-party vendor is considered a data processor:

• The third-party vendor may be considered a data processor if it processes personal data solely in accordance with the instructions of the data controller and does not use the data for its own purposes (hosting, customer support, emailing, data analysis).
• A third-party vendor may only reuse personal data for its own purposes if such reuse is compatible with the initial processing and the data controller has given its written authorization.
• This entity can be considered a subcontractor as defined in Article 4 of the GDPR, i.e., a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 

Cases where a third-party vendor cannot be considered a data processor:

• The third-party vendor may be considered an independent data controller if it decides on the purposes and means of the processing itself or if it is jointly responsible for the processing with the data controller (advertising service provider that collects data for its own targeting purposes).
• In this case, the third-party vendor must obtain the consent of the data subjects in order to legally use their data for a purpose other than that initially intended.

In all cases, before entering into a contract with the third-party vendor, you must:

• assess its level of security and compliance (certifications);
• ensure that appropriate technical and organizational measures are in place;
• analyze the risks associated with the processing (nature and sensitivity of the data, purposes, transfers abroad);
• in the event of international transfers, ensure that guarantees equivalent to those of the GDPR are in place;
• ensure that an effective data breach management policy is in place (rapid notification, obligation to cooperate, security tools).

Article 83 of the GDPR sets out the general conditions for supervisory authorities to impose administrative fines on controllers or processors of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In Romania, the ANSPDCP may also impose non-monetary sanctions, such as warnings. In addition, the ANSPDCP can impose corrective measures, for example, the deletion of unlawfully processed data, communication of responses to data subjects’ requests or the implementation of specific technical and organizational measures to ensure compliance with the GDPR.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly. 

The GDPR does not impose any obligation to carry out a compliance audit, unlike DPIA, which may be mandatory in certain situations.

However, Articles 5 and 24 of the GDPR impose a principle of accountability on data controllers. As such, they must implement appropriate technical and organizational measures and must be able to demonstrate compliance with the processing at any time.

Thus, the implementation of regular internal audits ensures that the obligations imposed by the GDPR are being met and identifies any unauthorized practices so that they can be stopped.

In the event that the data controller uses a subcontractor, the latter must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 28.3(h) GDPR).

Finally, data protection authorities have a right similar to an audit right, allowing them to monitor an entity's compliance and request the provision of documents to prove it (Article 58 of the GDPR).

The ANSPDCP in Romania has issued a general Guidance on the Application of the GDPR for Controllers. This document is more of an introductory and explanatory tool, focusing on the main obligations under the GDPR, such as data mapping, the designation and role of a Data Protection Officer, risk management, and internal procedures. Moreover, the ANSPDCP recently issued its annual activity report for the previous year. No further specific guidelines or legislative changes are currently anticipated at the national level.

The European Commission issued a project of reform of the GDPR on 21 May 2025, which would notably exempt some data processors from the obligation to hold a record of data processing. This would apply to data processors who have less than 750 employees, and subject that the processing is not likely to result in high risk for the rights and freedoms of data subjects.

For detailed information on how this aspect of GDPR is enacted in Romania, please contact Nestor Nestor Diculescu Kingston Petersen directly.