Law project for the implementation of the GDPR in Romania
Law project regarding measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
We have summarized below the novelties and completions brought by this law project (hereinafter the “Project”) with respect to the implementation of the GDPR.
The Project has been filed at the Senate and is open to public consultation until the 13th of May 2018.
General provisions
The Projects brings novelties and completions, inter alia, with respect to: (i) processing of genetic, biometric or health related data; (ii) processing of the personal identification number (PIN); (iii) the video surveillance of employees; (iv) the certification bodies; (v) the application of GDPR.
Processing of genetic, biometric or health related data
The Project provides that processing genetic, biometric or health related data for automate decision making or for profiling is forbidden, except for the processing made by a public authority or under its control. The prohibition remains in force irrespective of the data subject’s consent.
Processing of the personal identification number (PIN)
The Project includes the PIN in the broader category of national identification number that comprises also national health security number, ID card series and number, driving license number, passport number and provides that it can be processed as per the conditions regulated by art. 6 (1) of the GDPR. Consequently, processing the PIN may also be carried out in the absence of the data subject’s consent.
For the case when PIN as well as the other national identification data are processed for the purposes of the legitimate interest of the controller or of a third party, the controller has to apply the following supplementary guarantees:
- using technical and organizational measures for the purpose of ensuring minimization, security and confidentiality of the processing;
- appointing a data protection officer (DPO);
- adherence to a code of conduct approved by the national supervisory authority;
- determining deadlines for storage and erasure of the data;
- ensuring periodical training for the employees that take part in the processing activity.
Video surveillance of employees
In case of video surveillance of employees, the controller has to take the following cumulative measures:
- the employer’s legitimate interests have to be duly justified, have to be related to particularly important activities and must prevail over the data subject’s interests/rights;
- the employer has to explicitly and completely inform the employees before implementing the measure;
- the employer has to consult the syndicate/representatives of employees prior to the implementation;
- the employer has previously used other methods, less intrusive, but they proved inefficient;
- the data should be stored for a proportional period of time; however this period cannot be longer than 30 days, unless otherwise provided by law or for duly justified cases.
Certification bodies
The certification bodies mentioned in art. 43 of the GDPR will be accredited by the Romanian Accreditation Association – RENAR. These bodies will be accredited according to the EN-ISO/IEC 17065 standards, as well as according to the provisions of the abovementioned art. 43 and to the supplementary requirements imposed by the supervisory authority.
Application of GDPR
The Project provides that GDPR is applicable to the complaints filed with the supervisory authority starting with the 25th of May, as well as to those filed before this date and which are still pending, in all respects, including with respect to the investigation proceedings and the sanctions. However, if GDPR provides a sanction which is higher than the one regulated by the former legislation, the sanction will be determined as per the legal provisions in force at the time the infringement occurred.
Author:
Raluca Silaghi, Manager – Head of Data Protection Practice