The main Romanian data protection laws are:
- Law no. 677 of 2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, as further amended (“Law no. 677”)
- Law no. 506 of 2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector
Applicability of Law no. 677
The provisions of Law no. 677 apply when the data controller
(i) is domiciled in Romania, or
(ii) uses equipment or means for processing personal data situated in Romania (except where the equipment or means are used solely for the purpose of transit of data through Romania). If the data controller uses means and equipment in Romania but is not domiciled in Romania, the data controller must appoint a representative in Romania.
The processing of personal data is defined by Law no. 677 as any operation or set of operations involving personal data, performed by automated or non-automated means, such as collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure to a third party by transmission, dissemination or by any other means.
The personal data controller is a natural or legal person that determines the purpose and means of personal data processing. It operates a record system of personal data collection and processing that provides specific criteria for accessing the data.
Notification of the Data Processing
According to Law no. 677, data controllers must notify the personal data processing to the National Authority for the Supervision of Personal Data Processing (the “DPA”).
The Notification is sent to the DPA before beginning any processing or transfer of personal data. All documents to be filed with the DPA must be in Romanian. No filing fees are payable when filing a Notification.
If the data controller processes personal data for two or more unrelated purposes, it is obliged to fill in separate Notifications for each of these purposes. The data controller must notify the DPA before starting any processing of the personal data.
Failure to notify in the cases where the Notification is mandatory, as well as an incomplete Notification or a Notification that contains false information, are infringements punishable by fines, provided that they are not committed in such conditions as to make them subject to criminal law.
Thus, the data controller should obtain the DPA’s confirmation that the Notification is valid and was assigned a registration number in the Register of Recording of the Personal Data Processing. After receipt of this confirmation, the data controller may begin processing and/or transferring the data.
Sensitive data is data related to racial or ethnic origin, political, religious or philosophical opinions, criminal offenses, minor offenses or other convictions, trade union membership, as well as data regarding health or sex life.
In addition to this data, under Law no. 677, personal identification numbers, or other personal data with a general identification function, i.e., national ID/passport details, are regarded as sensitive data. The collection and processing of sensitive data require the prior and express consent of the data subject.
The transfer of personal data abroad
According to Law no. 677, the transfer of personal data to another country is subject to the filing of a prior Notification with the DPA. The transfer of data does not need to be authorized by the DPA if the data is transferred to an EU/EEA country, or to a non-EU/EEA country for which the European Commission has issued an adequacy decision or where other mechanisms are in place to ensure an adequate level of protection.
Further to the Judgment of the European Court of Justice of October 6, 2015, which invalidated the Safe Harbor principles, the US-EU Safe Harbor framework is no longer recognized as providing an adequate level of protection.
As a result, at present the transfer of personal data to the USA may be done on the basis of the Standard Contractual Clauses approved by the European Commission, or on the basis of the consent of the data subject.
Registry of Recording of the Personal Data Processing
The Registry of Recording of the Personal Data Processing has the role of ensuring transparency regarding the data controllers’ activities and may be consulted by any interested person, being available online on the: