Three Months until the Enforcement of New Rules on Personal Data Protection

Less than 100 days remain until May 25, 2018, when the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 will be enforced in all European Union Member States. The new rules will become effective two years after the adoption and entry into force of the said document.

We remind you that on May 4, 2016, the legislative package on data protection in the EU was published in the Official Journal of the European Union, and consists of:

- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which will be directly enforced in all member states, including in Romania, beginning with May 25, 2018;

- Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Guidance to facilitate a direct and smooth application of the rules

To support those concerned, the European Commission (EC) has recently published guidance to facilitate a direct and smooth application of the new data protection rules across the EU as of 25 May. The guidance recalls the main innovations and opportunities opened up by the new rules, takes stock of the preparatory work already undertaken and outlines the work still ahead of the EC, national data protection authorities and national administrations. The Commission is dedicating EUR 1.7 million to fund data protection authorities, but also to train data protection professionals. A further EUR 2 million is available to support national authorities in reaching out to businesses, in particular SMEs.

The General Data Protection Regulation enables the free flow of data across the Digital Single Market. It will better protect the privacy of Europeans and reinforce trust and security for consumers, while at the same time opening up new opportunities for businesses, especially smaller ones.

The guidance recalls the main elements of the GDPR:

- One set of rules across the continent, guaranteeing legal certainty for businesses and the same data protection level across the EU for citizens.

- Same rules apply to all companies offering services in the EU, even if these companies are based outside the EU.

- Stronger and new rights for citizens: the right to information, access and the right to be forgotten are strengthened. A new right to data portability allows citizens to move their data from one company to the other. This will give companies new business opportunities.

- Stronger protection against data breaches: a company experiencing a data breach which puts individuals at risk has to notify the data protection authority within 72 hours.

- Rules with teeth and deterrent fines: all data protection authorities will have the power to impose fines for up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover.

New and consolidated rights for natural persons

GDPR concerns natural persons, regardless of their citizenship or residency, in relation to personal data protection. Therefore, the new regulations provide citizens with more rights they can exercise free of charge in relation to the companies processing their data – data operators, as follows: the right to information, the right to access personal data, the right to correct and erase (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object. These rights are explained on the National Supervisory Authority for Personal Data Processing website.

Online tool to support the practical application of the Regulation

Knowledge of the benefits and opportunities brought by the new rules is not evenly spread. In this context, the EC considers there is a particular need to step up awareness and accompany compliance efforts for SMEs. For this purpose, the EC launched an online Q&A tool addressed to citizens, companies, particularly SMEs, and other organizations. This tool helps stakeholders prepare to apply the GDPR and comply with the new European rules in the field. The online guide is available on the European Commission website.

Guidelines on applying the General Data Protection Regulation for operators

To support operators’ efforts to comply with the new personal data processing rules, the Guidelines on applying the General Data Protection Regulation for operators was published on the National Supervisory Authority for Personal Data Processing (ANSPDCP) website, within the special section for GDPR. This document is intended to be a useful tool for all operators in their efforts to prepare for the application of the Regulation (EU) 2016/679.

Data Protection Officers

A new element brought by this European regulatory document in the Romanian legislation is the obligation for the controller or the processor to designate, under certain circumstances, a data protection officer. To ensure the uniform application of GDPR, the Art.29 Working Party attached to the European Commission issued the Guidelines on Data Protection Officers (‘DPOs’), available on the special section for the General Data Protection Regulation on ANSPDCP’s website.

Cases requiring the designation of a data protection officer:

- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

- The core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;

- The core activities of the controller or the processor consist of processing on a large scale of special data categories or personal data relating to criminal convictions and offences.

When is a data protection officer not necessary?

- When personal data are not processed on a large scale. For instance: a private medical practice processing patients’ data; a private law firm processing personal data on criminal convictions and offences.

Tasks of a data protection officer:

- To inform and advise the controller or the processor and the employees who carry out processing;

- To monitor compliance with the Regulation and with other Union or Member State data protection provisions;

- To advise the controller on the data protection impact assessment and monitor its performance;

- To cooperate with the Supervisory Authority and act as the contact point for this authority;

- To have due regard to the risk associated with processing operations in the performance of his/her tasks.

The occupational standard for Personal Data Protection Officers (DPOs), included in the Romanian Classification of Occupations, was validated

With the new regulations’ application deadline getting closer, the occupational standard for Personal Data Protection Officers was included in the Romanian Classification of Occupations and was validated by the Ministry of National Education (MNE).

According to a press release, “PwC Romania and D&B David and Baias achieved the validation of the occupational standard for Personal Data Protection Officers (or DPOs) from the Sectoral Committee for Administration and Public Services within the National Qualifications Authority, part of the Ministry of National Education. The standard, developed by the PwC team together with D&B David and Baias, will form the basis of professional training courses for this position organized in the future in Romania”. This achievement is also the result of the efforts made by the same team with the Ministry of Labour for the inclusion of this occupation in the RCO for the first time in Romania.

The role of Personal Data Protection Officer (DPO) is specified by the new General Data Protection Regulation.

Information campaigns for SMEs

Although record-keeping obligations do not usually apply to SMEs, companies or organizations with fewer than 250 employees are required to keep records if processing may generate risks to individuals’ rights and freedoms, if processing is not occasional, or if it includes special categories of data; a great number of companies are in such a situation.

According to the representatives of the National Council of Small and Medium Sized Private Enterprises in Romania (CNIPMMR), our country does not have SMEs guidance and support measures/programs for GDPR implementation. Therefore, the representatives of small and medium sized enterprises believe the following measures need to be adopted:

- The provision of a free of charge advisory service for SMEs, at least two months before the Regulation’s application deadline;

- The development of a comprehensive practical guide for SMEs, consisting of the steps to be taken, operating procedures, institutions, deadlines, forms, etc., available online;

- An extensive information campaign adapted to the particularities of SMEs; the application of art. 3 para. (1) of the Prevention Law no. 270/2017, according to which “All public authorities/institutions with the power to control, detect and sanction contraventions have the obligation, as per the areas under their responsibility, to draft and disseminate documentary materials and guidelines and to dedicate special sections on their website for public information, within 3 months after this Law becomes effective”;

- The application of art. 3 para. (3) of the Prevention Law no. 270/2017, according to which public authorities/institutions with control powers have the obligation to develop guidance and control procedures, to publish often recurring cases and the guidance solutions issued on their own websites, to actively exercise their guiding role, providing, as per the procedures, the necessary indications and directions to avoid further breaches of the legal provisions;

- The application of art. 3 para. (4) of the Prevention Law no. 270/2017, according to which “The central public administration authority with the power to coordinate the business environment at national level (i.e. the Ministry for Business Environment, Commerce and Entrepreneurship) has the obligation to develop and operate a portal providing centralized online services and resources to raise awareness regarding the provisions of para. (1), within 6 months after this Law becomes effective”.

ANSPDCP: Enforcing the maximum penalty is NOT the major purpose of the Regulation

To the extent an individual’s rights have been breached, the Regulation provides that individual with the right to file a complaint to the National Supervisory Authority for Personal Data Processing (ANSPDCP). The complaint is tax-free.

If the complaint is valid, it can be followed by an investigation of the data operator against whom the complaint was made.

The corrective measures ANSPDCP may implement pursuant to GDPR are: issuing a warning to an operator, a reprimand, ordering an operator to inform the person concerned regarding a data protection breach, a temporary or permanent restriction, including an interdiction on processing, a rectification or removal of data or processing restrictions etc.

According to the information provided by ANSPDCP, the imposition of penalties will be based on “a thorough assessment, based on the circumstances of each particular case. When deciding whether to impose an administrative penalty and its value in each case, due care shall be given to the criteria provided by the General Data Protection Regulation, so as to ensure the proportionality principle”.

Considering the publicly circulated opinions according to which the maximum prescribed penalties will be imposed for breaches of the new rules, ANSPDCP stated that: “The Supervisory Authority intends to increase the level of awareness and understanding of the risks, rules, guarantees and rights related to data processing and dissociates itself from increasingly publicized misleading opinions according to which maximum penalties are the only corrective measures that can be taken. At the same time, the Supervisory Authority dissociates itself and rejects the aggressive publicity used by certain third parties in an attempt to monetize the provisions of the General Data Protection Regulation, by circulating the «possibility that the maximum penalty of 4% of the turnover will be imposed» and endorsing the false idea that imposing the maximum penalty is the key objective of the Regulation. Therefore, the Supervisory Authority will create a FAQ section on its own website, concerning the key objectives of GDPR”.
