Radu si Asociatii is a member firm of Ernst & Young Global Ltd
Bucharest Tower Center, etaj 22 B-dul Ion Mihalache
nr. 15-17 011171 Bucuresti, sector 1, Romania
+40 21 402 4000
RO || EN
Law project for the implementation of the GDPR in Romania

Law project regarding measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)

We have summarized below the novelties and completions brought by this law project (hereinafter the “Project”) with respect to the implementation of the GDPR.

The Project has been filed at the Senate and is open to public consultation until the 13th of May 2018.

General provisions

The Projects brings novelties and completions, inter alia, with respect to: (i) processing of genetic, biometric or health related data; (ii) processing of the personal identification number (PIN); (iii) the video surveillance of employees; (iv) the certification bodies; (v) the application of GDPR.

Processing of genetic, biometric or health related data

The Project provides that processing genetic, biometric or health related data for automate decision making or for profiling is forbidden, except for the processing made by a public authority or under its control. The prohibition remains in force irrespective of the data subject’s consent.

Processing of the personal identification number (PIN)

The Project includes the PIN in the broader category of national identification number that comprises also national health security number, ID card series and number, driving license number, passport number and provides that it can be processed as per the conditions regulated by art. 6 (1) of the GDPR. Consequently, processing the PIN may also be carried out in the absence of the data subject’s consent.

For the case when PIN as well as the other national identification data are processed for the purposes of the legitimate interest of the controller or of a third party, the controller has to apply the following supplementary guarantees:

Video surveillance of employees

In case of video surveillance of employees, the controller has to take the following cumulative measures:

Certification bodies

The certification bodies mentioned in art. 43 of the GDPR will be accredited by the Romanian Accreditation Association – RENAR. These bodies will be accredited according to the EN-ISO/IEC 17065 standards, as well as according to the provisions of the abovementioned art. 43 and to the supplementary requirements imposed by the supervisory authority.

Application of GDPR

The Project provides that GDPR is applicable to the complaints filed with the supervisory authority starting with the 25th of May, as well as to those filed before this date and which are still pending, in all respects, including with respect to the investigation proceedings and the sanctions. However, if GDPR provides a sanction which is higher than the one regulated by the former legislation, the sanction will be determined as per the legal provisions in force at the time the infringement occurred.


Raluca Silaghi, Manager – Head of Data Protection Practice

For additional information, please contact:
Dragoș Radu, Partner – Head of Legal