Our global pages
Close- Global home
- About us
- Global services/practices
- Industries/sectors
- Our people
- Events/webinars
- News and articles
- Eversheds Sutherland (International) Press Hub
- Eversheds Sutherland (US) Press Hub
- News and articles: choose a location
- Careers
- Careers with Eversheds Sutherland
- Careers: choose a location
The implementation of the GDPR in Romania
- United Kingdom
- Romania
- Privacy, data protection and cybersecurity
16-04-2019
We report on Romania’s recently introduced data protection law, focussing on the provisions relating to the processing of national identification numbers and the rules on the use of CCTV and monitoring in an employment context.
In July 2018, Romania implemented Law no. 190/2018, which contains new measures to ensure a better protection of the data subjects and their personal data (the “Law”), against the backdrop of the GDPR’s entry into force.
The Law contains certain specific local measures which were anticipated by local companies as they had been areas of focus of regulatory oversight in Hungary even since before the application of GDPR – i.e. the national identification number and the use of monitoring in the employment context.
Processing national identification numbers
According to the Law, a national identification number is a generally applicable number, used in public evidencing records, by which an individual may be identified. Such number is: the personal identification number, the number and series of the identity card, the passport number, the health insurance number etc.
The specific provision is that the processing of the national identification number, pursuant to Article 6(1)(f) GDPR (based on the legitimate interests of the controller) is subject to the following mandatory requirements:
• implementing technical and organisational measures to especially ensure the data minimization principle, as well as the security and confidentiality of the personal data
• appointing a Data Protection Officer (“DPO”) and notifying the Romanian Data Protection Authority of such appointment
• establishing specific terms for storing and deleting the personal data
• periodic training of the controller’s personnel, who is in charge of processing the personal data
Processing personal data by CCTV in the workplace and other means of monitoring in the employment context
Under the Law, the monitoring of the employees’ personal data via CCTV or by using any electronic communication systems at the workplace, on the basis of the legitimate interests of the employer, is only permitted if:
• the legitimate interest of the employer is highly justified and prevails over the rights and interests of the employees
• the employer has previously informed the employees of such monitoring, in a complete and explicit manner (e.g. the reference in the employer’s internal handbook should be sufficient)
• the employer has consulted the trade union or the employees’ representatives on the relevant monitoring, prior to the implementation of the monitoring
• less intrusive means for reaching the purposes followed by the employer have proved inefficient in the past – on this topic, certain commentators suggest that the company should be able to prove that it actually tested in practice such other means and these failed
• the storage period of the images does not exceed 30 days, unless otherwise required by the law or in highly justified cases
Under the previous Romanian legislation, the installation of video cameras in the workplace required the prior approval of the Romanian data protection authority. The current legislation no longer contains this obligation, however organisations should not install such cameras unless they have a legitimate interest to do so, which prevails over the rights and interests of the employees – especially since this approach aligns with the previous decisions of the European Court of Humans Rights.
Non-compliance with the above requirements is deemed a contravention and is sanctioned by the Romanian Data Protection Authority in accordance with Article 83(5) GDPR.
What does the future hold?
Although Romania has made progress in implementing and ensuring higher protection of the rights and interests of data subjects, further measures are expected from both the legislator and the Romanian Data Protection Authority – in terms of investigating complaints, greater elaboration on the procedures for conducting a data protection impact assessments etc. Watch this space.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
- UK COVID testing - returning to the workplace part 3
- UK COVID vaccination - returning to the workplace part 2
- Decarbonising the UK’s Railways: will electric, hydrogen and batteries power the future of rail travel in the UK?
- Right to work checks: New requirements following COVID-19 lockdown
- Quarterly Fraud and Corruption Enforcement update - April 2021
