Law No. 190/2018 (hereinafter referred to as the "Law") was published in Monitorul Oficial no. 651/26 July 2018. It sets out measures for implementing Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "Regulation").
The provisions of the Law are intended to establish the measures necessary for implementing at national level art. 6 par. 2, art. 9 par. 4, art. 37-39, 42, 43, art. 83 par. 7, art. 85 and art. 87-89 of the Regulation. The Law will enter into force within 5 days of publication, more precisely on 31 July 2018. The Law provides special rules for the processing of certain categories of personal data, among which we can mention:
- Processing of a national identification number will be possible in the cases provided by the Regulation, with the data controller required to establish some safeguards. In this respect, the processing should be done in accordance with the data minimization principle, by establishing time limits for storage according to the nature of the data and the purpose of the processing, as well as specific deadlines for deleting the data.
- Processing of personal data in the context of employment relationships where employee monitoring systems are used. In this case, the processing is allowed only if the legitimate interests pursued by the employer are duly justified, the employer has consulted the employees' representatives, the employees have been informed in advance, and other less intrusive forms of supervision to achieve the purpose pursued by the employer have not previously proved effective. Also, the duration of storage of personal data must be proportional to the purpose of the processing, but NOT longer than 30 days, except where otherwise expressly provided by law or in duly justified cases.
- Processing of personal data in the context of performing a task serving a public interest is permitted in compliance with the principles laid down in the Regulation, in particular the data minimization principle and the principle of integrity and confidentiality. Also, the duration of storage of personal data should be explicitly determined.
In accordance with the provisions of the Regulation, the Law establishes, for controllers and for persons empowered by the controller to process personal data, the obligation to appoint a data protection officer, leaving no opportunity for controllers to assess whether the appointment of an officer is necessary or not. Also, the officer's activity and tasks will be carried out in compliance with the provisions of the Regulation.
Finally, the Law stipulates that a violation of its provisions is a contravention and is sanctioned by a warning or by a civil fine, with the ascertaining of violations being the responsibility of the National Supervisory Authority. At the same time, the sanctioning conditions will be those provided by the Regulation.