Romania: Key aspects in the Romanian Data Protection Authority’s annual activity report (2019)

Irina Macovei, Roxana Rosu and Andrei Stoica

On 28 September 2020, the Romanian National Supervisory Authority for the Processing of Personal Data (ANSPDCP) published on its website the annual activity report for 2019. The report offers insights on the activity of the authority, its opinion on legislative proposals, points of view on certain data protection matters, as well as a summary of the sanctions applied throughout 2019.

Below we summarize what we see as the highlights of the annual report.

A. Points of view

1. Qualification of the parties involved in personal data processing activities

The position of different actors in the context of personal data processing activities should be determined based on (i) the actual activity performed by the entities involved and (ii) the way in which the relationship between them has been shaped.

Importantly, ANSPDCP officially confirms that the legal framework allows for a certain degree of flexibility as regards the status of each party as controller or processor.

As such, ANSPDCP concludes that controllers and processors are in a position to determine their own status, taking into account their detailed knowledge of the data processing activity for certain purposes and the use of certain means, as well as of the rights and obligations of each party.

2. Retention period in the context of recruitment activities

ANSPDCP distinguishes between personal data of candidates who were employed and data of rejected candidates.

With regard to the latter, storage of personal data of rejected candidates does not fall under the archiving requirements for public interest, and the retention period should be set, insofar as there are no specific legal rules, for a duration not exceeding the period necessary to achieve the purpose for which the data are processed – in ANSPDCP’s opinion, this is the completion of the selection process.

Nevertheless, ANSPDCP admits that data of rejected candidates may be further stored past this moment (i) on the basis of the legitimate interest of the controller, (ii) with prior information to the candidate and (iii) by offering to the rejected candidate the possibility to exercise his/her rights.

3. Use of GPS tracking systems

Geolocation devices involve certain risks to the rights and freedoms of the person using the asset which is tracked (the employee). Thus, ANSPDCP considers that, before installing such surveillance systems, the employer (controller) must assess the risks to which its activity is subject in order to establish the need to use geolocation devices, and substantiate and prove that the controller’s legitimate interest prevails over the interest, rights and freedoms of the natural person concerned.

4. Video surveillance of employees

ANSPDCP is of the view that video monitoring of employees can take place only under the legal conditions established by the GDPR and art. 5 of Law no. 190/2018.

More importantly, video surveillance performed in order to ensure security and monitoring of public spaces cannot be used for monitoring employees at work, such purposes being incompatible.

5. Commercial communications by electronic means

ANSPDCP reiterates the rules under the ePrivacy legal framework, emphasizing that commercial communications through e-mail may be sent only with the express consent of the subscriber or user, given prior to receiving such communications. Also, the e-mail address of a client obtained on the occasion of the sale of a product or service – and not when negotiating / concluding a contract – may be used for the purpose of making commercial communications concerning similar products or services sold by the controller.

6. Obligation to carry out a data protection impact assessment

ANSPDCP states that the performance of an impact assessment is mandatory for situations falling under the cases regulated by art. 35 of GDPR and ANSPDCP Decision no. 174/2018 on the list of operations for which it is mandatory to carry out the data protection impact assessment.

The authority emphasizes that it is the controller’s responsibility to analyse the extent to which such processing poses a high risk to the rights and freedoms of data subjects, as well as to justify and document the reasons for not carrying out such an assessment.

7. Biometric data – facial recognition techniques

ANSPDCP confirms its prior position as regards processing of biometric data of visitors and employees for access in office buildings, re-stating that, absent a law which provides adequate guarantees for the protection of data and the rights of data subjects, the purpose pursued does not justify such level of intrusion.

B. Sanctions applied by ANSPDCP in 2019

In 2019, ANSPDCP received a total of 6193 complaints and security incident notifications, based on which 912 investigations were opened.

As a result of the investigations carried out, 28 fines were applied in a total amount of RON 2,339,291.75 (approx. EUR 468,000).

In addition, 134 warnings were applied and 128 corrective measures were ordered.

Complaints regarding possible non-compliance with the legal provisions concerned issues such as:

  • disclosure of personal data without the consent of data subjects;
  • violation of the rights and principles set out in GDPR;
  • data transmitted to the Credit Bureau;
  • installation of video surveillance systems at the level of various entities;
  • receiving unsolicited commercial messages;
  • violation of security and confidentiality measures for the processing of personal data, respectively, failure of controllers to take appropriate technical and organizational measures to ensure the security of the processing;
  • non-compliance with the conditions regarding consent in the online environment.

For comparison purposes, between January and September 2020, ANSPDCP received 3952 complaints, 176 notifications and 128 notifications regarding security incidents, based on which investigations were opened.

As a result of the investigations carried out, 22 fines were applied in a total amount of EUR 68,900 and RON 10,000 (approx. EUR 2,000), respectively, a fine applied under Law no. 506/2004.

Also, 46 warnings were applied and 42 corrective measures were ordered.