GDPR Rules Promulgated by President Klaus Iohannis

On Tuesday, July 17, 2018, President Klaus Iohannis passed the law on the implementation of  the (EU) 2016/679 regulation of the European Parliament and of the Council of April 27, 2016 for the protection of individuals with regard to the processing of personal data and the free movement of these data (the European Data Protection Directive – GDPR), and the repealing of the 95/46 / EC Directive, according to the Presidential Administration. The law is to become effective 5 days after its publication in the Official Gazette of Romania, Part I.

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and applies to any organization operating within the EU, as well as to any non-EU organization that offers goods or services to EU customers or businesses.

The purpose of the GDPR is to ensure a consistent level of protection to natural persons throughout the Union and to prevent disparities hampering the free movement of personal data within the internal market.

The GDPR does not apply to personal data processing relating to legal entities or institutions with legal personality.

This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Although the GDPR applies to all Member States across the EU without there being a need to transpose it into the national law (as in the case of directives, for example), the European Parliament allows Member States to”maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, bio-metric data or data concerning health. (art. 9 par. 4)”

As a result, this law (Law no.190/2018) establishes the necessary measures for national implementation, mainly of the following provisions of the General Data Protection Regulation (GDPR):

  • Defines a series of concepts (art 2, par. 1, b-e), namely:

National identification number – “The number by which a natural person is identified in certain record-keeping systems, and which has general applicability, such as: the personal numeric code, the serial number and identity card number, passport number, driving license, the social health insurance number”

Remedial Action Plan – is the document annexed to the record of proceedings in the case of infringements drawn up under the conditions stipulated in art. 11, by which the National Supervisory Authority For Personal Data Processing (ANSPDCP) establishes remedial measures and a deadline for remediation.

Remedial measures – The solution provided by ANSPDCP in the remedial plan in order to fulfill the obligations stipulated by the law.

GDPR compliance deadline – the 60 to 180 days time frame from the date of communication of the record of proceedings in the case of infringement, in which the public authority / body has the possibility to remedy the detected irregularities and to fulfill the legal obligations.

  • Establishes special rules for the processing of certain personal data categories
  • Rules on the processing of genetic data, bio-metric data or data concerning health (Article 3)

The processing of genetic data, bio-metric data or data concerning health for the purpose of defining an automated decision-making process or creating profiles is permitted with the explicit consent of the concerned person or if the processing is carried out under explicit legal provisions, and appropriate measures are in place.

  • Special rules for processing a national identification number (Article 4)

(1) The processing of a national identification number (national identification number, serial number and identity card number, passport number, social security card number, driver’s license number), including collecting or disclosing documents containing it, may be carried out in the situations stipulated by art. 6 par. (1) of the General Data Protection Regulation.

(2) The processing of a national identification number, including by collecting or disclosing the documents containing it, for the purpose provided by art. 6 par. (1) lit. f) of the General Data Protection Regulation, namely the achievement of the legitimate interests pursued by the operator or by a third party, shall be carried out by the operator or by the third party while establishing the following guarantees:

  1. a) the implementation of adequate technical and organizational measures to respect, in particular, the principle of data minimization, as well as to ensure the security and confidentiality of personal data processing, according to the provisions of art. 32 of the General Data Protection Regulation;
  2. b) the appointment of a Data Protection Officer, in accordance with Art. 8 of the present law;
  3. c) setting storage time-limits, according to the nature of the data and the purpose of processing, as well as specific terms by which personal data must be erased or checked for deletion;
  4. d) regularly training persons who process personal data under the direct authority of the operator or the person empowered by the operator, regarding their obligations.
  • Special rules for personal data processing in the context of employment (art. 5)

An employer using electronic communications monitoring systems and / or video surveillance equipment at the workplace may process personal data of the employees in order to achieve the pursued legitimate interests only if:

  1. a) the legitimate interests pursued by the employer are duly justified and prevail over the interests or rights and freedoms of the data subjects;
  2. b) the employer has completed the mandatory, complete and explicit notification of the employees;
  3. c) the employer consulted the trade union or, as the case may be, the representatives of the employees before the introduction of the monitoring systems;
  4. d) other less intrusive means and ways to achieve the goal pursued by the employer have not previously proved effective;
  5. e) the duration of storage of personal data is proportional to the purpose of its processing, but Moreno longer than 30 days, except for situations that are expressly regulated by the law or duly justified cases.

Moreover, Law no.190/2018 on the GDPR implementation details the general remedies and sanctions provisions. Under this law, the National Supervisory Authority may apply two types of contravention sanctions: the written warning and the contravention fine.

If public authorities/bodies violate the provisions of the General Data Protection Regulation (GDPR) and of this law, the ANSPDCP will conclude a record of proceedings the contravention, through which the warning sanction is applied, and to which a remedial plan is attached.

The remedial deadline is determined in relation to the risks associated with the processing, as well as to the necessary steps to ensure compliance.

Within 10 days of the remedial deadline, the ANSPDCP may resume control.

The remedial plan model that is attached to the record of proceedings is provided in the Remedial Plan annex, which is an integral part of the present law.

 

Regulile pentru GDPR au fost promulgate de presedintele Klaus Iohannis

 

Marti, 17 iulie 2018, presedintele Klaus Iohannis a promulgat Legea privind masurile de punere in aplicare a regulamentului (UE) 2016/679 al Parlamentului European si al Consiliului din 27 aprilie 2016 privind protectia persoanelor fizice in ceea ce priveste prelucrarea datelor cu caracter personal si privind libera circulatie a acestor date (Regulamentul European privind protectia datelor-GDPR) si de abrogare a Directivei 95/46/EC, dupa cum informeaza Administratia Prezidentiala. Legea intra in vigoare la 5 zile de la data publicarii in Monitorul Oficial al României, Partea I.

Regulamentului General privind Protectia Datelor (GDPR) a intrat in vigoare pe 25 mai 2018 si se aplica oricarei organizatii care opereaza in cadrul UE, precum si oricarei organizatii din afara UE care ofera bunuri sau servicii clientilor sau intreprinderilor din UE.

Scopul GDPR este de a asigura un nivel uniform de protectie pentru persoanele fizice in intreaga Uniune si a preintampinarii discrepantelor care impiedica libera circulatie a datelor in cadrul pietei interne.

Regulamentul GDPR nu se aplica prelucrarii datelor cu caracter personal care privesc persoane juridice sau institutii cu personalitate juridica.

Desi GDPR se aplica la nivel european tuturor statelor membre, fara sa fie necesara transpunerea lui in dreptul intern (asa cum este in cazul directivelor, de exemplu), Parlamentul European permite statelor membre sa introduca “conditii suplimentare, inclusiv restrictii, in ceea ce priveste prelucrarea de date genetice, date biometrice sau date privind sanatatea “ (cnf. Art 9 alin 4.)

Ca urmare, prezenta lege (Legea nr.190/2018) stabileste masurile necesare punerii in aplicare la nivel national, in principal a urmatoarelor prevederi din Regulamentul general privind protectia datelor (GDPR):

Numarul de identificare national – “numarul prin care se identifica o persoana fizica in anumite sisteme de evidenta si care are aplicabilitate generala, cum ar fi: codul numeric personal, seria si numarul actului de identitate, numarul pasaportului, al permisului de conducere, numarul de asigurare sociala de sanatate”

Plan de remediere – anexa la procesul-verbal de constatare si sanctionare a contraventei intocmit in conditile prevazute la art. 11, prin care Autoritatea Natonala de Supraveghere a Prelucrarii Datelor cu Caracter Personal, denumita in continuare ANSPDCP, stabileste masuri si un termen de remediere.

Masura de remediere – solutie dispusa de ANSPDCP in planul de remediere in vederea indeplinirii de catre autoritatea/organismul public a obligatilor prevazute de lege.

Termen de remediere – perioada de timp cuprinsa intre 60 si 180 de zile de la data comunicarii procesului-verbal de constatare si sanctonare a contraventei, in care autoritatea/organismul public are posibilitatea remedierii neregulilor constatate si indeplinirii obligatilor legale.

  • Stabileste reguli speciale pentru prelucrarea unor categorii de date cu caracter personal
  •  Reguli privind prelucrarea datelor genetice, a datelor biometrice sau a datelor privind sanatatea (art 3)

Prelucrarea datelor genetice, biometrice sau a datelor privind sanatatea, in scopul realizarii unui proces decizional automatizat sau pentru crearea de profiluri, este permisa cu consimtamantul explicit al persoanei vizate sau daca prelucrarea este efectuata in temeiul unor dispoziti legale exprese, cu instituirea unor masuri corespunzatoare.

  • Reguli speciale privind prelucrarea unui numar de identificare national (art 4)

 (1) Prelucrarea unui numar de identificare national (CNP, serie si numarul cartii de identitate, numarul pasaportului, numarul cardului de asigurare sociala, numarul permisului), inclusiv prin colectarea sau dezvaluirea documentelor ce il contin, se poate efectua in situatiile prevazute de art. 6 alin. (1) din Regulamentul general privind protectia datelor.

(2) Prelucrarea unui numar de identificare national, inclusiv prin colectarea sau dezvaluirea documentelor ce il contin, in scopul prevazut de art. 6 alin. (1) lit. f) din Regulamentul general privind protectia datelor, respectiv al realizarii intereselor legitime urmarite de operator, sau de o parte terta, se efectueaza cu instituirea, de catre operator sau de catre partea terta a urmatoarelor garantii:

  1. a) punerea in aplicare de masuri tehnice si organizatorice adecvate pentru respectarea, in special, a principiului reducerii la minim a datelor, precum si pentru asigurarea securitatii si confidentialitatii prelucrarilor de date cu caracter personal, conform dispozitiilor 32 din Regulamentul general privind protectia datelor;
  2. b) numirea unui responsabil pentru protectia datelor, in conformitate cu art. 8 din prezenta lege;
  3. c) stabilirea de termene de stocare in functie de natura datelor si scopul prelucrarii, precum si de termene specifice in care datele cu caracter personal trebuie sterse sau revizuite in vederea stergerii;
  4. d) instruirea periodica cu privire la obligatiile ce le revin, a persoanelor care, sub directa autoritate a operatorului sau a persoanei imputernicite de operator, prelucreaza date cu caracter personal.
  • Reguli speciale privind prelucrarea datelor cu caracter personal in contextul relatiilor de munca (art 5)

Angajatorul care utilizeaza sisteme de monitorizare prin mijloace de comunicatii electronice si/sau mijloace de supraveghere video la locul de munca, poate prelucra date cu caracter personal ale angajatilor, in scopul realizarii intereselor legitime urmarite de acesta, numai daca:

  1. a) interesele legitime urmarite de angajator sunt temeinic justificate si prevaleaza asupra intereselor sau drepturilor si libertatilor persoanelor vizate;
  2. b) angajatorul a realizat informarea prealabila obligatorie, completa si in mod explicit a angajatilor;
  3. c) angajatorul a consultat sindicatul sau, dupa caz, reprezentantii angajatilor inainte de introducerea sistemelor de monitorizare;
  4. d) alte forme si modalitati mai putin intruzive pentru atingerea scopului urmarit de angajator nu si-au dovedit anterior eficienta
  5. e) durata de stocare a datelor cu caracter personal este proportionala cu scopul prelucrarii, dar nu mai mare de 30 de zile, cu exceptia situatiilor expres reglementate de lege sau a cazurilor temeinic justificate.

De asemenea, in Legea nr.190/2018, privind masurile de punere in aplicare a Regulamentului GDPR sunt formulate si dispozitiile generale privind masurile corective si sanctiunile. Conform acesteia, Autoritatea nationala de supraveghere poate aplica doua tipuri de sanctiuni contraventionale: avertismentul scris si amenda contraventionala.

In cazul constatarii incalcarii prevederilor Regulamentului general privind protecta datelor  (GDPR) si ale prezentei legi de catre autoritatle/organismele publice, ANSPDCP incheie un proces-verbal de constatare si sanctonare a contraventei prin care se aplica sanctiunea mustrarii si la care anexeaza un plan de remediere.

Termenul de remediere se stabileste in functe de riscurile asociate prelucrarii, precum si demersurile necesar a fi indeplinite pentru asigurarea conformitati prelucrarii.

In termen de 10 zile de la data expirarii termenului de remediere, ANSPDCP poate sa reia controlul.

Modelul planului de remediere care se anexeaza la procesul-verbal de constatare si sanctonare a contraventei este prevazut in anexa Plan de remediere, care face parte integranta din prezenta lege.