
Romania and GDPR: 5 years from implementation

This article was written with the valuable collaboration of Dragos A. Codreanu and Bianca Stancu.

May 2023 marks the fifth anniversary of GDPR’s adoption in the EU and Romania; nonetheless, the basic legislative framework for data protection has altered significantly since May 2018, when GDPR went into effect. Despite the GDPR’s direct application in all EU Member States, the regulation recognizes Member States’ powers to establish derogations or extra protections in certain instances or with regard to particular categories of processing.

To govern such deviations, the Romanian Parliament issued a law that was published in the Official Gazette No. 651 on July 26, 2018. The Law contains particular requirements for the processing of certain categories of personal data, derogations from the GDPR, provisions for Data Protection Officers (DPO) and Certification Authorities, and provisions addressing appropriate punishments for public and private enterprises.

In January 2019, Law No. 363/2018 of 28 December 2018 on Provisions Regarding the Processing of Personal Data by Competent Authorities for the Prevention, Detection, Investigation, Prosecution, and Control of Criminal Offences or the Execution of Sanctions, Education, and Measures came into force.

Finally, in 2019, the Law was subject to a “corrigendum”. Specifically, processing for statistical purposes was included among the cases benefiting from the exemption regulated by Article 89(2) of the GDPR.

The National Authority

The functions, powers, and responsibilities of the ANSPDCP (National Authority for the Supervision of the Processing of Personal Data) have been modified via a separate act, Law No. 129 of 15 June 2018[1] integrating the previous Law No. 102/2005.[2]

According to the new ANSPDCP Law, the primary powers, functions, and obligations of the ANSPDCP are those defined by the GDPR. Nonetheless, this Act clarifies the execution of specific rights and responsibilities, such as the authority to conduct investigations and the treatment of data subject complaints.

In addition, the ANSPDCP has been granted the following additional powers: 1) to conduct unannounced onsite investigations at the ANSPDCP’s headquarters or via written correspondence with the ANSPDCP; 2) to request and obtain from the controller or processor, onsite and/or within a set time limit, any information and documents, regardless of the storage medium; 3) to make copies of the requested information or documents; and 4) to have access to any premises of the controller or processor.

The ANSPDCP has published a GDPR information centre[3] that provides a general guide for GDPR implementation. In addition, in May 2019 the ANSPDCP provided instructions on commonly asked questions about the implementation of GDPR.[4]


Both the Law and the ANSPDCP Law establish the sanctions regime of the ANSPDCP for cases where a violation of the GDPR or national law occurs.

Sanctioning system established by ANSPDCP Law

For violations of the GDPR or national law, the ANSPDCP may apply administrative measures including a warning and an administrative fee.

The ANSPDCP may apply these penalties within three years of the date on which the violation occurred. This period, however, will be terminated if the ANSPDCP has initiated any legal action, with a maximum duration of four years. Where infringements occur continuously or are the result of actions or inactions that have occurred at different time intervals, based on the same resolution, but each has been committed in the context of the same offence, the statute of limitations will begin on the date of discovery; or on the date of cessation of the last action, if this moment occurs prior to the date of discovery.

When the sum of the fine exceeds €300,000, only the ANSPDCP Chairman has the authority to impose the penalties. In addition, remedial actions may be implemented either by ANSPDCP decisions or by minutes published by its representatives. Certain remedial actions, such as temporary or permanent limitation on processing, correction, or deletion of personal data, and restriction of processing, can only be implemented by ANSPDCP rulings.

Notably, the imposed fines or corrective measures may be appealed before the relevant tribunal within 15 days of the day the minutes or decision was notified or delivered. The court’s decision may only be appealed to the appropriate court of appeal. The challenge will defer the payment requirement only until a final decision is rendered. Any fine imposed must be paid within fifteen days of the day the minutes or judgment was notified or delivered.

In the event of non-compliance with the measures ordered, or in the event of a tacit or express refusal to provide all the information and documents requested in the investigation, or in the event of a refusal to conduct the investigation, the ANSPDCP may, by decision, impose a fine of up to RON 3,000 (approximately €615) per day of delay, calculated from the date specified in the decision.

Regarding complaints filed or investigations initiated prior to May 25, 2018 that are still outstanding as of this date, the ANSPDCP will impose fines in accordance with the laws existing at the time of the violation, if the sanctions imposed by the GDPR are greater.

Sanctioning system established by Law No. 363/2018

Public authorities and entities are sanctioned according to a unique set of regulations. As a result, any violation of the GDPR or national law by public authorities and bodies will initially be punished with a warning and a solution plan will be enforced by the ANSPDCP, which will also establish a remedy period.

If, within ten days after the conclusion of the remedy period, the public authority or body fails to implement the actions outlined in the corrective action plan, the ANSPDCP may apply monetary fines. In accordance with the terms of Law No. 363/2018, the competent authority may be granted a 30-day extension of the remedy period. In such circumstances, however, administrative fines are restricted at RON 200,000 (about €41,030).

Such provisions have not been regulated in reference to private businesses or persons. Consequently, such entities may be punished immediately with a fine within the GDPR’s limitations, depending on the gravity and effects of the violation.

Sanctioning system established by Law No. 362/2018

The sanctions system for providers of critical services includes additional specific measures. Before imposing a sanction for violation of any obligation under the Essential Services Law or any act issued by the DNSC, the auditing body shall notify the essential service provider in default of the violation, the mandatory measures to be implemented, the deadline, and the potential sanction if the provider fails to comply. Consequently, administrative fines range from RON 3,000 (about €610) to RON 50,000 (approximately €10,250), with up to RON 100,000 (approximately €20,515) for repeated infractions.

In addition, businesses having a turnover in excess of RON 2 million (about €410,290) are liable to administrative fines ranging from 0.5% to 2% of revenue, and up to 5% of turnover for repeated infractions.

Sanctioning system established by Law No. 506/2004

The laws for sanctioning providers of electronic communications also have their own framework. Administrative sanctions for violations of the requirements of Law No. 506/2004 vary from RON 3,000 (about €610) to RON 100,000 (approximately €20,515). In addition, businesses with a revenue above 5 million RON (about €1.024 million) are liable to administrative fines of up to 2% of revenue. In addition, the ANSPDCP can impose daily fines of up to RON 5,000 (about €1,025) for failing to notify a data subject of a security breach.

A few numbers on fines

During the first year of GDPR (i.e., between May 2018 and May 2019), the Romanian Data Protection Authority issued no fines and only suggestions, while conducting a significant number of ex-officio investigations (namely 336). This year was actually devoted to housing.[5]

In the ensuing years (May 2019–December 2021), the Authority continued to undertake ex-officio investigations, averaging 385 investigations per year and levying an average of 14 fines each year.[6]

According to a news release published on the Authority’s website, in 2020 the Authority conducted the most ex-officio investigations (398), while in 2022 it imposed the most sanctions (50).[7] Romania placed third in the European Union between 2018 and the beginning of 2022 in terms of the number of fines issued by the Authority (i.e., 68 fines). Given the increase in the amount of fines in 2022, we can only estimate that Romania’s standing will remain unchanged or even improve.

However, the total amount of fines in Romania was just €721,000, resulting in a low average fine of €10,603 per offense. This suggests a continuation of the previous local penalizing practice, even after the implementation of GDPR.

Types of infractions

The majority of sanctions were imposed for violations of: 1) the security and confidentiality measures for the processing of personal data, by failing to adopt adequate technical and organisational measures by data controllers to ensure the security of processing; 2) the processing principles, especially those relating to lawfulness, transparency, and proportionality; and 3) the rights of data subjects (e.g., right of access).

As they appear to be very basic, it is possible that local data controllers have not yet implemented GDPR, allowing the Authority to readily identify a violation during an audit. Relevant examples of sanction enforcement include those in which:

  • Romania Mobile Communications S.A. was fined €10,000 for violating Article 32(1) and (2) of the GDPR and €3,000 for failing to implement adequate security measures to ensure the security of the personal data processing. Due to Telekom Romania’s inability to install proper security measures, a fine was levied. This incident resulted in the unauthorized exposure of data belonging to 99,210 data subjects, including their customer ID, sex, and telephone number, as well as unauthorized access to personal data kept in the accounts of 413 customers.
  • UniCredit Bank S.A. was fined €130,000 for violating Article 25(1) of the GDPR concerning the Data Protection by Design and by Default principles. Failure to apply sufficient technological and organizational precautions led to the online publication of the IDs and addresses of over 300,000 data subjects, which resulted in the imposition of the penalties.
  • The Bucharest Branch of ING Bank N.V. was fined €80,000 for lacking adequate technological and organizational safeguards for information security. The ANSPDCP determined that the credit institution failed to apply necessary safeguards for its automated data processing system during the card settlement procedure, resulting in the execution of duplicate transactions. The defect affected more than 220,000 subscribers.
  • Raiffeisen Bank S.A. and Vreau Credit S.R.L. were fined €170,000 (€150,000 for Raiffeisen Bank S.A. and €20,000 for Vreau Credit S.R.L.) for violations of Article 32 of the GDPR (insufficient technical and organisational measures to ensure information security). The ANSPDCP discovered that two employees of Raiffeisen Bank S.A. obtained copies of IDs of natural persons (potential clients of Vreau Credit S.R.L.) from employees of Vreau Credit S.R.L. using the WhatsApp mobile application. The employees of Raiffeisen Bank S.A. ran scoring simulations using the computer program employed by Raiffeisen Bank S.A. in the crediting activity, and the result of the credit scores was conveyed to the employees of Vreau Credit S.R.L., in violation of internal regulations. The authority determined that 1,194 simulations were conducted, affecting 1,177 persons.

Authority’s actions in courts

The number of data privacy lawsuits has increased since the GDPR went into effect. Most of these lawsuits (that have been made publicly available) were brought by paying clients who were upset about credit bureau reports that had low credit scores. In essence, the claimants requested that their information be deleted from the Credit Bureau database (before the expiry of the retention period applicable to the Credit Bureau system). The claimants asserted that this processing falls under their “right to be forgotten.” Since there is a predominately legitimate interest on the part of the participants in the Credit Bureau system to have access to information about the payment behaviour of the customers of the credit institutions, the courts typically reject such claims as unfounded, upholding that the right to be forgotten does not apply in such cases.

Recently, the Romanian Data Protection Authority released facts and statistics about its work before the courts. It appears that more than 72 percent of the Authority’s punishments in 2019-2022 were contested in court by data controllers.

In addition, the Authority said that as of March 31, 2023, 23 claims brought by data controllers with the court had been resolved. 18 of these allegations were ruled in favor of the Authority, with the violations being upheld. This covers situations where the fine was decreased or even replaced with a warning (e.g., Raiffeisen Bank SA, World Trade Center Bucharest SA).

Among the pertinent examples are those in which:

  • Banca Transilvania S.A. was forced to pay moral damages of RON 10,000 (about €2,050) and material damages of RON 1,200 (approximately €246) for the unlawful processing of personal data beginning on April 14, 2009. When moving the data subject’s information from the Biroul de Credit S.A. filing system to the FICO filing system, the data controller failed to inform the data subject in a transparent manner. Beginning on 14 April 2009, all data included in the filing system of Biroul de Credit S.A. were processed by FICO Score, an automated decision-making system, which might have adverse impacts on the data subject.
  • Following the publishing of the data subject’s contact details (i.e., complete domicile address) and ID data (personal numeric number, series, and the ID number, date of issuance, and issuing authority) on the company’s website, National Company “Bucharest Airports” S.A. was compelled to pay an indemnity of RON 10,000 (approx. €2,050) to a member of its Board of Directors. Such information was included in a shareholder meeting resolution authorizing the nomination of the data subject to the Board of Directors (processing which does not trigger any legal issues). Nonetheless, the corporation published the verdict on its website without disguising the personal information that was unnecessary to guarantee the transparency of the corporate decision-making process in accordance with the appropriate corporate laws. In this instance, the court affirmed the violation of the data minimization principle, stating that it would have been sufficient to publish simply the first and last names of the persons and that the processing lacked a legal basis.
  • Iași Municipality was forced to pay RON 15,000 (about €3,077) in damages. In the matter at hand, Iași Municipality published on its website a list of debtors to the public budget, which contained the claimant’s identifying information, even after the claimant had paid off their obligations. Thus, the court determined that Iași Municipality lacked a legal basis for processing the claimant’s personal information. The posting of such information on its website even after the payment of the debt harmed the claimant’s reputation, entitling the claimant to compensation for the resulting moral harm.

