Navigating GDPR in Romania: Key Deviations and Law No. 190/2018
While the General Data Protection Regulation (GDPR) establishes a harmonized privacy framework across the European Union, it is not a rigid, standalone rulebook. Through “opening clauses,” member states have the authority to introduce national deviations to adapt the regulation to their local legal landscape.
In Romania, the GDPR is directly applicable but is heavily supplemented by Law No. 190/2018, which provides specific measures for its implementation. Regulated by the National Supervisory Authority for Personal Data Processing (ANSPDCP), the Romanian landscape is known for its rigorous stance on employee monitoring and the processing of national identification numbers.
At Complico Consulting GmbH, we specialize in decoding these localized laws to keep your operations secure, compliant, and thriving in the Romanian market. Here is your guide to the essential GDPR deviations in Romania.
1. The Age of Digital Consent Remains at 16
Under Article 8 of the GDPR, the default age for a child to provide valid digital consent (for social media, apps, and online services) is 16, though member states can lower it to 13.
The Romanian Stance: Romania opted not to lower this threshold. The age of valid digital consent remains firmly at 16 years old.
Compliance Action: Any business offering “information society services” directly to minors in Romania must ensure that users under 16 have verifiable consent from a parent or legal guardian. This is a common trap for international platforms that assume a lower threshold across the EEA.
2. Strict Rules for Processing the National Identification Number (CNP)
Romania has specific, strict requirements for the processing of the Cod Numeric Personal (CNP), which is the national identification number assigned to every citizen and resident.
The Romanian Deviation: Under Law 190/2018, processing the CNP based on the “legitimate interest” of the controller (rather than a legal obligation or consent) is only permitted if the following four conditions are met:
Mandatory DPO: The controller must appoint a Data Protection Officer (DPO).
Minimization & Security: Appropriate technical measures must be implemented to ensure data minimization and high-level security.
Storage Deadlines: Specific, documented data storage and deletion timescales must be established.
Regular Training: Personnel involved in the processing must receive periodic data privacy training.
3. Workplace Monitoring: The “Legitimate Interest” Hurdle
Workplace surveillance, including video monitoring and the tracking of electronic communications (email/internet), is one of the most scrutinized areas in Romania.
The Romanian Deviation: Law 190/2018 dictates that an employer may only rely on “legitimate interest” for workplace monitoring if:
Subsidiarity: The employer can prove and document that other, less intrusive methods were previously attempted and found ineffective.
Prior Consultation: The employer has consulted with the trade union or employees’ representatives before implementing the monitoring.
Retention Limit: Data resulting from monitoring can generally be stored for no longer than 30 days, unless a specifically documented justification or legal requirement dictates otherwise.
4. Specific Exemptions for Political and Journalistic Purposes
Romania has utilized opening clauses to provide broad derogations for data processing in the public and democratic interest.
The Romanian Deviation:
Political Parties & NGOs: Political parties, minority organizations, and NGOs are granted broader legal grounds to process data (including special categories) for activities that fulfill democratic or constitutional objectives, provided they implement adequate safeguards.
Journalism & Art: Broad exemptions apply to the processing of data for journalistic, academic, artistic, or literary expression, where strict GDPR requirements (like information obligations or certain data subject rights) may be limited to protect freedom of speech.
5. Milder Sanctions for Public Authorities
While private companies face the full force of GDPR fines (up to €20 million or 4% of global turnover), Romania has established a more gradual, “staggered” approach for the public sector.
The Romanian Specificity: Under Law 190/2018, public authorities and bodies that breach data protection rules are initially issued a remedy plan by the ANSPDCP. Only if they fail to implement the required changes within the prescribed timeframe can they be hit with administrative fines, which are capped significantly lower than those for the private sector.
Why Partner with Complico Consulting GmbH?
Expanding into Romania requires a partner who understands the high standards of the ANSPDCP and the unique constraints of Law 190/2018. A generic EU privacy policy is rarely sufficient to meet the strict “prior consultation” and “DPO mandate” requirements for CNP processing or employee monitoring.
At Complico Consulting GmbH, we provide:
Localized Compliance Audits: We evaluate your HR and marketing data flows against the specific requirements of Law 190/2018.
Monitoring Compliance: We help you draft the mandatory internal regulations and documentation required to legally operate CCTV or email monitoring.
DPO Services & Representation: We act as your bridge to the ANSPDCP, managing correspondence and representing your interests during audits.
CNP Strategy: We ensure your use of national ID numbers is backed by the mandatory safeguards, including DPO appointment and staff training.
Secure Your Presence in Romania
Don’t let the specificities of Romanian implementation slow down your business. Contact Complico Consulting GmbH today for a comprehensive review of your Romanian data protection strategy.