nicolau@avocatulmeu.ro
+4 0722 501 414

GDPR

The general data protection regulation

Law 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data transposes the acquis represented by Directive 95/46/EC, which regulates the general legal framework of personal data protection at the level of the European Union.

This directive seeks to protect the right to intimate, family and private life, namely the right of the person not to reveal, without his/her consent, the true name, address, age, family situation, use of free time, habits, etc.

In Romania, the central authority empowered to control is the National Supervisory Authority for Personal Data Processing. The Authority monitors and controls, in terms of legality, the processing of personal data falling within the scope of Law no. 677/2001.

In the event of a security incident, our specialists can advise both data operators and targeted individuals.

The supervisory authority may apply contravention sanctions to the operator for:

– failure to notify and notification in bad faith;

– unlawful processing of personal data;

– non-fulfillment of the confidentiality obligations and the application of security measures;

– refusal to provide information.

Contravention sanctions shall be applied by the supervisory authority through the personnel empowered for this purpose. The amount of the fines that may be imposed in the case of committing the abovementioned contraventions varies between RON 500 and RON 50,000.

 

OBLIGATIONS OF PERSONAL DATA OPERATORS

According to the framework law (Law 677/2001), the personal data controller may be any natural or legal person, whether private or public, including public authorities, their institutions and their territorial structures, which establishes the purpose and means of processing personal data or which is designated as such by a normative act.

Operators have the following obligations:

– to notify the supervisory authority of any processing or assembly of processing operations having the same or related purposes;

– not to start processing the personal data until it receives the registration number communicated by the supervisory authority;

– not to initiate the processing of personal data when the supervisory authority has announced that it has carried out a prior check in the case of processes susceptible to special risks;

– to complete the notification at the request of the supervisory authority;

– to indicate the registration number of the notification received from the supervisory authority on each act by which personal data are collected, stored or disclosed;

– to notify the supervisory authority of any change likely to affect the accuracy of the information contained in the notification within 5 days;

– to prove the payment of the notification fee or the assignment to a category of tax-exempt persons, according to Law 476/2003;

– to ensure compliance with security measures by empowered persons;

– to conclude written contracts with the persons empowered to process personal data on behalf of the operator;

– to develop instructions for ensuring confidentiality of processing for any person acting under the authority of the operator or the person empowered, including the person empowered to do so;

– to apply appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, modification, disclosure or unauthorized access, in particular if the processing involves data transmission within a network, and against any form of illegal processing.

 

DATA SUBJECT RIGHTS

The rights of the data subjects were expressly provided for by the legislator:

  1. Right to information

Where the personal data are obtained directly from the data subject, the operator is required to provide at least the following information:

  a) the identity of the operator and his representative, if any;
  b) the purpose of data processing;
  c) additional information, such as recipients or categories of recipients of the data; whether the provision of all required data is mandatory and the consequences of the refusal to provide them; the existence of the rights provided by the present law for the data subject, in particular the right of access, data interference and opposition, as well as the conditions under which they may be exercised;
  d) any other information the provision of which is required by the supervisory authority, taking into account the specific nature of the processing.

Where the data are not obtained directly from the data subject, the operator shall, at the time of data collection or, if the data are intended to be disclosed to third parties, at the latest at the time of the first disclosure, provide at least the following information to the data subject, unless the data subject already possesses the information:

  a) the identity of the operator and his/her representative, if any;
  b) the purpose of data processing;
  c) additional information such as: the data categories concerned, the recipients or categories of recipients of the data, the existence of rights under the present law for the data subject, in particular the right of access, data interference and opposition, and the conditions under which they can be exercised;
  d) any other information the provision of which is required by the supervisory authority, taking into account the specific nature of the processing.

 

  2. Right of access to data

Any data subject has the right to obtain from the operator, upon request (free of charge for one request per year), confirmation of whether or not his or her personal data are processed, as well as the following information:

  a) information on the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed;
  b) communication, in an intelligible form, of the data undergoing processing as well as any available information on the origin of the data;
  c) information on the operating principles of the mechanism by which any automatic processing of data relating to that person is carried out;
  d) information on the existence of the right to interfere with data and the right to object and the conditions under which they may be exercised;
  e) information on the possibility of consulting the registry for personal data processing, submitting a complaint to the supervisory authority, as well as addressing the court to appeal the decisions of the operator in accordance with the legal provisions.

The operator is obliged to communicate the requested information within 15 days of receipt of the request.

 

  3. Right to interfere with data

Any person concerned has the right to obtain free of charge from the operator by means of a written, dated and signed application:

  a) correcting, updating, blocking or deleting data whose processing does not comply with this law, in particular incomplete or inaccurate data;
  b) the transformation into anonymous data of data whose processing does not comply with Law no. 677/2001;
  c) notification to the third parties to whom the data have been disclosed, if such notification is not impossible or does not involve an effort disproportionate to the legitimate interest likely to be harmed.

An operator is required to communicate the measures taken and, where appropriate, the name of the third party to whom the personal data relating to the data subject have been disclosed within 15 days of receipt of the request. 

 

  4. Right of opposition

The data subject has the right to oppose at any time, by a written, dated and signed request, for well-founded and legitimate reasons relating to his/her particular situation, the processing of data relating to him/her, except in cases where there are contrary legal provisions. In the case of justified opposition, the processing may no longer cover the data concerned.

The data subject has the right to oppose at any time, free of charge and without any justification, the processing of data relating to him/her for direct marketing on behalf of the operator or a third party, or the disclosure of such data to third parties for such a purpose.

The operator is obliged to communicate to the data subject the measures taken and, where appropriate, the name of the third party to whom the personal data relating to the data subject have been disclosed within 15 days of the date of receipt of the application.

 

  5. The right not to be subject to an individual decision

Everyone has the right to ask for and obtain:

  a) the withdrawal or the annulment of any decision having legal effects in respect of him/her, adopted solely on the basis of the processing of personal data by automated means intended to assess certain aspects of his/her personality, such as professional competence, credibility, conduct or other similar issues;
  b) the reassessment of any other decision taken in respect of him/her which significantly affects him/her, if the decision was adopted solely on the basis of data processing meeting the conditions set out above.

 

  6. The right to appeal to justice

Without prejudice to the possibility of addressing the supervisory authority with a complaint, any person who has suffered damage as a result of the unlawful processing of personal data may apply to the competent court for redress.

The competent court is the one in whose territory the applicant is domiciled. The claim for legal action is exempt from stamp fee.
