The Decision of the National Supervisory Authority for Personal Data Processing (the “Authority”) no. 200/2015 (the “Decision”) was published in the Official Gazette no. 969/28.12.2015.
The change in the legal regime regarding the notification of the Authority
The main amendment brought to the specific legal framework governing personal data processing through the Decision is the change in the legal regime regarding the notification of the Authority.
According to the Decision, the notification to the Authority regarding personal data processing will become an exception, being applicable only in the cases expressly stated by law and mentioned below, while the general rule would be that personal data processing is allowed without any other prior notification.
This new legal regime does not exempt the data controller from its other obligations under Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, especially the obligations to protect the rights of the data subjects and the confidentiality and security of the data.
Notification of data processing cases to the Authority
The exceptions listed below, for which the obligation to notify the Authority will still apply, are justified by the nature of the criteria on which the data processing is performed, by certain qualities of the individual whose personal data are processed, or by the way in which the data is collected:
1. Processing personal data related to ethnic or racial origins, political, religious, philosophical or other similar beliefs, union affiliation, as well as data regarding health conditions or sex life;
2. Genetic and biometric personal data processing;
3. Personal data processing which allows directly or indirectly geographical localisation of natural persons through electronic communication devices;
4. Processing minors’ personal data, if such activity was performed:
– during direct marketing activities;
– via internet or electronic messages;
5. Personal data processing regarding the perpetration of an offence by the data subject or regarding criminal convictions, preventive measures or administrative or minor offences’ sanctions applicable to the data subject, performed by private law entities;
6. Personal data processing via electronic devices aiming to monitor and/or evaluate aspects such as personality, professional capacity (competence), credibility, behaviour or other similar aspects;
7. Personal data processing via electronic devices within evidence systems aiming to take automatic individual decisions relating to the evaluation of solvency, financial and economic situation, or actions which may entail disciplinary, minor offences’ or criminal liability of natural persons, performed by private law entities;
8. Personal data processing via video surveillance systems, including the transfer of such data to a non-EU state.
By way of exception, notification of the Authority will not be necessary where the personal data processing is performed by an individual in his/her own personal interest, even if the images saved also comprise public domain pictures.
However, the general rule will apply, meaning that it will not be necessary to notify the Authority, even in one of the above-mentioned situations, if one of the following situations is applicable:
1. Personal data processing is provided by law (e.g. credit institutions);
2. Personal data processing is performed in view of the transfer abroad based on a special law or an international treaty ratified by Romania;
3. Personal data processing is performed exclusively for journalistic, literary or artistic purposes, if the data was manifestly made public by the data subject or is related to the data subject’s status as a public person or to the public nature of the actions in which he/she is involved.
The time when the notification of the Authority must be performed
The data controller has to notify the Authority of the personal data processing prior to the actual processing. At the same time, if the personal data processing falls within the situations mentioned at points 1, 2 and 5 above, the Authority will order a prior control. If the Authority does not inform the data controller regarding the control within 5 days of the notification, the data controller will be able to proceed with the personal data processing.
Transfer of personal data outside the EU
The transfer of personal data to countries outside the European Union, European Economic Area, as well as to countries for which the European Commission has not recognised by decision an adequate level of protection will continue to be notified to the Authority. In addition, such transfers will require prior authorisation by the Authority.
Partner, Reff & Associates Attorney at Law
Associate Partner, Reff & Associates Attorney at Law
Managing Associate, Reff & Associates Attorney at Law
Partner, Deloitte Risk Advisory
Manager, Deloitte Risk Advisory