Following the adoption of the GDPR, an important new element was brought into Romania’s legal framework – the required designation of a Data Protection Officer (DPO), which is mandatory in some cases.
Romania has implemented the provisions of the GDPR and enacted additional rules in Law No. 190/2018 to enforce the GDPR at the national level, supplement the GDPR’s criteria for designating a Data Protection Officer, and establish that national identification numbers (e.g., personal identification number, series and number of ID card, passport number, driver’s license number, social security code) can be processed only if there is a legitimate interest in the processing and if additional guarantees are established by the data controller.
Such guarantees are: (i) ensuring data minimization, security, and confidentiality of processing by implementing appropriate technical and organizational measures; (ii) appointing a DPO; (iii) adhering to an approved code of conduct intended to contribute to proper enforcement of the GDPR; (iv) setting data retention periods, as well as specific data erasure deadlines; (v) regular training, regarding data protection obligations, of persons who process personal data under the direct authority of the data controller in order to raise awareness regarding the obligations laid down by the GDPR.
To determine whether appointing a DPO is mandatory, the practice under Romanian law is to assess the activity of each of the entity’s departments in order to determine how personal data is processed and whether the entity has a legal obligation to appoint a DPO under the GDPR and Romanian legal provisions.
In addition, Romania’s National Supervisory Authority for Personal Data Processing (ANSPDCP) recommends that companies document the analysis regarding the appointment of a DPO under the GDPR, as well as their final choice with respect to the appointment. Companies can also appoint external DPOs.
Even in cases when companies do not have an express obligation to appoint a DPO, the ANSPDCP recommends an appointment due to the beneficial effect of the responsible person’s activity on compliance with the GDPR. Should the company decide to voluntarily appoint a DPO, the same requirements regarding the position and tasks apply as would have applied if the appointment had been mandatory. The ANSPDCP has launched a portal where controllers and processors can notify the ANSPDCP of the identity of the DPO.
In addition, Draft Law No. B653/2020 regarding the organization of the profession of the Data Protection Officer has been published on the website of the Romanian Senate. The draft law is designed to define the duties of the person responsible for personal data protection and to identify the conditions that he or she must meet. Another goal pursued by the Romanian legislator was to regulate a profession that can be exercised in Romania only by persons who have been registered in a professional body and are legal persons of public and autonomous utility. Because the draft did not satisfy the norms of legislative procedure required by law, being deficient in terms of both content and substantiation of the proposed legislative solution, it did not receive the approval of the Legislative Council.
It is important to mention that, since 2017, the position of DPO has been included in the Romanian Classification of Occupations under code 242231.
In conclusion, a DPO can play a key role in an organization’s data protection governance structure and help improve accountability. Our recommendation is to appoint a DPO even if such an appointment is not mandatory. This will help to ensure that the company is proactive in monitoring GDPR compliance.
By Raluca Botea, Coordinator of Data Protection Practice, and Flavia Denisa Margas, Associate, Noerr Bucharest