Romania

[RO] Emergency Decree on the Processing of Personal Data and Protection of Private Life

IRIS 2012-5:1/35

Eugen Cojocariu

Radio Romania International

The Romanian Government approved on 3 April 2012 an Emergency Decree for the modification and completion of Legea nr. 506/2004 privind prelucrarea datelor cu caracter personal şi protecţia vieţii private în sectorul comunicaţiilor electronice (Law no. 506/2004 with regard to the processing of personal data and the protection of private life in the electronic communications sector).

The Decree transposes into Romanian legislation the modifications of Directive 2002/58/EC, the spokesman of the government stated. He explained the Decree was adopted because the transposition of European legislation was behind the schedule and this delay could have triggered an infringement procedure against Romania (see IRIS 2011-2/35 and IRIS 2012-2/33). The Law no. 504/2006 provides for the obligation of electronic communications service providers to guarantee the security of their services. Through the modification of Directive 2002/58/EC, the focus moved on guaranteeing the security of personal data processing, in order to avoid the accidental or illegal destruction, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or processed in connection with the provision of electronic communication services directed to the public.

The main obligations for service providers provided by the Decree, as to ensure the security of personal data processing, are as follows:

- to inform users if their personal data were compromised or are at risk to be compromised due to an infringement of data processing security;

- to implement a security policy with regard to the processing of personal data;

- to notify the data protection authority about breaches of personal data processing security;

- to keep a record of all personal data security breaches.

The document approved by the government also provides for users’ rights:

- to be informed about information storage in the used equipment;

- to be informed about the reasons for processing stored information;

- to have their personal data included in all public registers of subscribers, in written and electronic format;

- to oppose to the inclusion of personal data in subscribers’ registers;

- to be informed with regard to the reason to set up subscribers’ registers and the possibilities to use the personal data included in these registers.

On the other hand, the document stipulates the roles of the data protection authority, the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (National Supervisory Authority for Personal Data Processing):

- the possibility to audit the measures taken by providers in order to guarantee personal data security;

- the possibility to issue recommendations regarding best practices with regard to the security level these measures have to reach;

- the possibility to decide upon the circumstances under which providers are obliged to notify data security breaches, along with the format of notification;

- to verify the observance of the obligations imposed to providers.

The European Commission started an infringement procedure against Romania on 16 June 2011 for not implementing Data Retention Directive 2006/24/EC, which includes, among others, modifications of Directive 2002/58/EC. A draft law on data retention was rejected on 21 December 2011 by the Senate (upper Chamber of Romania’s Parliament). On 22 March 2012 the European Commission transmitted a Reasoned Opinion to Romania with regard to the non-transposition of Directive 2006/24/EC.