Frequently Asked Questions
1. What does “data controller” mean?
Pursuant to Article 4 of the General Data Protection Regulation, “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
2. What does “joint controllers” mean?
Pursuant to Article 26 of Regulation (EU) 2016/679, where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
3. What does “processor” mean?
Pursuant to Article 4 of Regulation (EU) 2016/679, “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4. Is it still necessary to notify the data processing?
Having regard to the fact that, starting with the 25th of May, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, becomes applicable, controllers no longer have the obligation to notify the data processing.
5. What is meant by public authorities and bodies?
Pursuant to Article 2 paragraph (1) letter a) of Law no. 190/2018 on implementing measures to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, the public authorities and bodies are: the Chamber of Deputies and the Senate, the Presidential Administration, the Government, the ministries, the other specialised bodies of the central public administration, the autonomous public authorities and institutions, the local and county public administration authorities, other public authorities, as well as the institutions subordinated to or coordinated by them, the religious denominations, and the associations and foundations of public utility.
6. What obligations do I have as a controller pursuant to Regulation (EU) 2016/679?
The obligations of controllers are regulated by Chapter IV of Regulation (EU) 2016/679. Among the main obligations of the controller under the Regulation are:
- the designation of a data protection officer under the conditions of Articles 37 to 39 of the Regulation;
- mapping the personal data processing (Article 30 of the Regulation);
- ensuring the security of the data (Articles 25 and 32 of the Regulation);
- notification of the personal data breaches under the conditions of Article 33 of the Regulation;
- data protection impact assessment and respecting the rights of the data subjects (Article 35 of the Regulation).
For additional information please consult the Indicative Guidelines for the application of the General Data Protection Regulation issued by the National Supervisory Authority.
7. When do I have to designate a data protection officer (DPO)?
Pursuant to the provisions of Article 37 paragraph (1) of Regulation (EU) 2016/679, the designation of the data protection officer is required when:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
For additional information, you can consult the Guidelines on the Data Protection Officer issued by the European Data Protection Board.
8. What is meant by processing on a large scale?
When determining whether the processing is done on a large scale, the following factors must be considered:
- the number of the data subjects (either an exact number or a percentage of the relevant population);
- the volume of data and/or the range of different elements of data being processed;
- the duration or permanence of the data processing activity;
- the geographical extent of the processing activity.
For additional information, you can consult the Guidelines on the Data Protection Officer issued by the European Data Protection Board.
9. What conditions should the data protection officer fulfil?
The data protection officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the role. The required level of specialised knowledge shall be determined according to the data processing operations performed and the level of protection required for the personal data processed.
For additional information, you can consult the Guidelines on the Data Protection Officer issued by the European Data Protection Board.
10. Is it allowed to appoint a single data protection officer for a group of undertakings or for several public authorities and bodies?
Article 37 paragraph (2) of Regulation (EU) 2016/679 allows a group of undertakings to appoint a single data protection officer, provided that the data protection officer is “easily accessible from each establishment”. The notion of accessibility refers to the tasks of the data protection officer as a point of contact for data subjects and for the supervisory authority, but also internally within the organisation, since one of the tasks of the data protection officer is to inform and advise the controller and the processor, as well as the employees in charge of processing, with regard to their obligations under Regulation (EU) 2016/679.
Article 37 paragraph (3) of Regulation (EU) 2016/679 also allows the designation of a single data protection officer for several public authorities or bodies, taking account of their organisational structure and size.
The controller and the processor have the obligation to publish the contact details of the data protection officer and to communicate these data to the supervisory authority.
For additional information, you can consult the Guidelines on the Data Protection Officer issued by the European Data Protection Board.
11. How do I communicate the designation of the data protection officer to the supervisory authority?
The communication of the data protection officer is done by filling in the form for declaring the data protection officer, available on the website of the authority, under Section “Data Protection Officer”.
Where a group of undertakings or several public authorities or bodies appoint a single data protection officer, each data controller or processor shall fill in the form for declaring the data protection officer available on the website of the authority, under Section “Data Protection Officer”.
12. When is Regulation (EU) 2016/679 not applicable?
Regulation (EU) 2016/679 does not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- by a natural person in the course of a purely personal or household activity;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; these are regulated by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
13. What are the legal conditions for processing the personal data, other than the special ones?
Pursuant to Article 6 of Regulation (EU) 2016/679, processing shall be lawful only if and to the extent that at least one of the following conditions provided by paragraph (1) applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
14. What are the conditions for processing the special categories of personal data?
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The processing of these categories of data is allowed only under the conditions provided by Article 9 paragraph (2) of Regulation (EU) 2016/679.
Law no. 190/2018 on implementing measures to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) provides in Article 3 paragraph (1) that “the processing of genetic data, of biometric data or of health data for the purpose of automated decision-making or profiling is permitted with the explicit consent of the data subject or if the processing is carried out under explicit legal provisions, with appropriate measures protecting the rights, freedoms and legitimate interests of the data subject”.
15. If the processing is provided for by a normative act, is it still necessary to obtain the consent of the data subjects?
When the processing is necessary in order to fulfil a legal obligation of the controller, it is no longer necessary to obtain the consent of the data subjects.
16. What are the conditions for granting consent and for its validity?
Pursuant to Article 7 paragraph (1) of the Regulation, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Article 7 paragraph (3) of the Regulation provides that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Where consent is withdrawn, the controller shall have the obligation to erase, without undue delay, all personal data of the data subject who exercises the right provided by Article 17 paragraph (1) letter b) of the Regulation.
Recital 32 of the Regulation (EU) 2016/679 establishes the following: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
For additional information, please consult the Guidelines on consent issued by the European Data Protection Board.
17. Under what conditions may the personal data of children be processed in relation to the offer of information society services?
The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology (Article 8 of Regulation (EU) 2016/679).
18. Are the controllers required to maintain a record of data processing?
Each controller and each processor shall maintain a record of processing activities under its responsibility in writing, including in electronic form. That record shall contain all the information provided by Article 30 paragraph (1) of Regulation (EU) 2016/679.
The choice of how to maintain the record of processing remains at the discretion of the controllers, taking into account the activity they have carried out so far in the field of personal data processing.
The record of the processing shall contain all the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32 paragraph (1).
19. When is it necessary to perform a data protection impact assessment?
Where the processing of personal data is likely to present high risks for the rights and freedoms of natural persons, the controller or processor shall carry out a data protection impact assessment, according to Article 35 of the General Data Protection Regulation.
The data protection impact assessment shall be performed prior to the collection and processing of personal data.
A data protection impact assessment shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10;
- a systematic monitoring of a publicly accessible area on a large scale.
The assessment shall contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects referred to in Article 35 paragraph (1); and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
For additional information, you can consult the Guidelines on the data protection impact assessment issued by the European Data Protection Board, as well as the Indicative Guidelines for the application of the General Data Protection Regulation issued by the National Supervisory Authority.
20. What is the deadline for the notification of the personal data breaches?
The controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
By Decision no. 128 of 22nd of June 2018, the president of the Supervisory Authority adopted the standardised form for the notification of personal data breach, in accordance with Regulation (EU) 2016/679.
For additional information, you can consult the Guidelines on the personal data breach notification issued by the European Data Protection Board.
21. What are the rights of the data subject?
Chapter III of Regulation (EU) 2016/679 regulates the rights of the data subjects:
- right to information (Articles 13 and 14);
- right of access (Article 15);
- right to rectification (Article 16);
- right to erasure (“right to be forgotten” – Article 17);
- right to restriction of processing (Article 18);
- right to data portability (Article 20);
- right to object (Article 21);
- right not to be subject to a decision based solely on automated processing (Article 22);
- right to lodge a complaint with a supervisory authority (Article 77).
In order to exercise these rights, data subjects shall submit a request to the controller in this regard. The controller shall provide the data subject with information on the actions taken within one month after receiving the request. This period may be extended by two months where necessary, taking into account the complexity and number of requests.
For additional information, you can consult the Guidelines on the right to data portability and the Guidelines on automated individual decision-making and profiling.
22. How can I submit a complaint to the supervisory authority?
An electronic complaint form is available on the website of the supervisory authority, www.dataprotection.ro, under section Complaints.
We also recommend that you take into consideration the provisions of Decision no. 133/2018 of the president of the supervisory authority on the approval of the Procedure for handling complaints.
23. When is a complaint admissible?
Pursuant to Decision no. 133/2018, in conjunction with Law no. 102/2005 on the set-up, organisation and functioning of the National Supervisory Authority for Personal Data Processing, as subsequently amended and supplemented, for the receipt and valid registration of complaints it is mandatory to provide the following data of the petitioner: name, surname, postal address of domicile or residence. If the complaint is filed electronically, it is mandatory to provide the petitioner’s e-mail address.
In the case of complaints submitted by a representative, besides the data of the petitioner referred to in paragraph (1), it is also mandatory to provide the following data of the representative: name and surname/name, postal address of correspondence/headquarters, e-mail address, telephone number, registration number in the register of associations and foundations, if applicable.
For valid receipt and registration of complaints, it is also mandatory to provide the identification data of the data controller or processor complained about, such as name and surname/name, address/headquarters, or at least the information available to the petitioner for its identification.
The submitted complaints shall be signed by handwriting or by electronic means, and, in the case of electronically submitted petitions that cannot be signed, ANSPDCP may request the confirmation of the correctness of the data transmitted electronically.
The national supervisory authority shall inform the data subject about the admissibility of the complaint, within 45 days from the registration. If it is found that the information in the complaint or the documents transmitted are incomplete or insufficient, the National Supervisory Authority requests the data subject to complete the complaint in order to be considered admissible for the purpose of carrying out an investigation. A new deadline of no more than 45 days starts from the date of filing the complaint.
The national supervisory authority shall inform the data subject about the progress or outcome of the investigation, within three months from the date on which it was notified that the complaint is admissible.
24. How is data transfer abroad carried out?
The transfer of personal data can be done on the basis of:
- adequacy decisions adopted by the European Commission concerning the level of protection ensured by a third country;
- standard contractual clauses adopted by the Commission;
- binding corporate rules in accordance with Article 47 of the Regulation;
- other mechanisms provided for by Article 46 and Article 49 of the Regulation.
25. What measures shall be implemented in order to ensure the security of personal data processing?
The security of the personal data is regulated by Article 25 and Article 32 of Regulation (EU) 2016/679.
In order to ensure an appropriate level of security the controller shall implement appropriate technical and organisational measures, including inter alia:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
26. For how long can I store the personal data?
Pursuant to Article 5 paragraph (1) letter e) of Regulation (EU) 2016/679, “personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.
Pursuant to the General Data Protection Regulation, the data shall therefore be stored in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of safeguards.
The retention period can be established by normative acts that regulate the specific fields of activity. To the extent required, it is necessary to amend/supplement them so that the rules are brought into compliance with the General Data Protection Regulation.
27. Who accredits the certification bodies?
Pursuant to Article 11 of Law no. 190/2018 on implementing measures to Regulation (EU) 2016/679, the accreditation of the certification bodies provided for by Article 43 of the General Data Protection Regulation is carried out by the Romanian Accreditation Association – RENAR, as the national accreditation body, pursuant to Regulation (EC) no. 765/2008 of the European Parliament and of the Council of 9 July 2008, as well as pursuant to Government Ordinance no. 23/2009 on the accreditation activity of conformity assessment bodies, approved with amendments by Law no. 256/2011.
28. What guidelines did the European Data Protection Board issue?
The European Data Protection Board adopted and published a series of guidelines:
- Guidelines on data protection officers;
- Guidelines on consent;
- Guidelines on the right to data portability;
- Guidelines on transparency;
- Guidelines on the data protection impact assessment;
- Guidelines identifying a controller or processor’s lead supervisory authority;
- Guidelines on personal data breach notification;
- Guidelines on automated individual decision-making and profiling;
- Guidelines on derogations provided by Article 49 of the Regulation (EU) 2016/679.
These guidelines are accessible on the website of the authority, www.dataprotection.ro, under the section dedicated to the new General Data Protection Regulation.
29. What guidelines did the national supervisory authority issue?
The national supervisory authority has made available the Indicative Guidelines for the application of the General Data Protection Regulation, under Section “the New Regulation” on its website.