New General Data Protection Regulation in Romania
In Romania, and perhaps in the rest of Europe, little attention seems to be paid to Data Protection and the implication of the regulations which are passed both at European Union and Romanian National level.
To date, Romania has assimilated into its national legislation the provisions of EU Directive 95/46/EC and will now have to consider the effect and implication of the new General Data Protection Regulation EU 2016/679 which will come into effect in Romania on 25th May 2018.
The new regulation seeks to consolidate the experience of the prior period and therefore incorporates a number of important changes, which will mean that there will have to be changes to the way data is collected, processed and stored in Romania. Whilst it may appear that there will be time to implement the new changes, time may be shorter than people think.
I do not intend to go through the changes in detail as to how they will impact in Romania but would point out those points which the reader may consider important.
The first consideration is an expansion of individual rights including the right to request a limitation on the scope of processing the data, the right to data portability and the right to be provided at no charge with the data information. There is also the right to apply for the data information to be deleted and for the data subject to be forgotten.
It will be obligatory for the company to keep internal records of personal data. The Regulation also requires the appointment in certain cases of a data protection officer in addition to the data controller. The data controller will have to assess the impact of data processing and if they consider it necessary to consult the relevant local supervising authority. The local Data Protection authority in each EU country will have enhanced powers of enforcement and in addition, there are increased notification powers from each data user to its own authority.
A thing to note is that the amount of the fines for breaching Data Protection Laws has been considerably increased. Currently, the level of fines is a maximum amount of just over ten thousand Euro. Under the new rules, the amount can be up to twenty million Euro or a percentage of turnover (including worldwide turnover) such percentage not exceeding 4%.
The Regulation also includes two new concepts: privacy by design and privacy by default. Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored. In practice, this means that an IT department must take privacy into account during the whole life cycle of the system or process development.
Privacy by Default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. There is also a temporal element to this principle, as personal information must by default only be kept for the amount of time necessary to provide the product or service.
For example: imagine signing up for a new social media service on which you can share personal information, life events and other content you may deem relevant. In order to successfully publish your profile only your name and email address are required, yet the new service also automatically publishes your age and location and makes it available to the public rather than just to your connections. This would be a clear breach of the privacy by default principle as more information is disclosed to the public than is necessary to provide you with the service. It is worth noting that the regulation specifically identifies and prohibits services that by default make personal information accessible to an indefinite number of individuals. This is a significant step in ensuring privacy on social media platforms and it is of particular importance to younger users.
The Regulation also seeks to sanction data controllers not in the EU. This will impact on Brexit although I am sure safeguards will be built in.
The new Regulation is an attempt to clarify a number of issues which in the past have caused concerns and conflicts both in Romania and other European Union Countries. There are however a number of fundamental changes in the regulations which will impact on all persons using personal data.
As the European Union moves to a more regulatory position it is possible that the authorities will take a closer look at the steps being taken by individual countries and how the new Regulation is being and will be implemented. This places increased duties on those dealing with Data protection. This in itself will mean more and more companies will have to be concerned as to data protection and should take legal advice in Romania accordingly to ensure that they are compliant.
ABOUT THE AUTHOR: Nicholas Hammond
Nicholas Hammond is a solicitor who has practised international and commercial law in Romania for over 25 years and is managing partner and founder of Hammond, Minciu & Associates.
Copyright Hammond, Minciu and Associates
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.