While preparing for the GDPR – Romania's perspective


Data protection is becoming hotter and hotter. Years ago a rather low-tier area of law and practice, data protection is now perceived as one of the coolest areas to be in. High fines raise awareness and interest in the business environment. The Data Protection Authority is the new Competition Council, empowered to calculate and apply fines at the level of the global revenues of an organization.

Everybody is passionate about getting at least some information about the GDPR. While the GDPR entered into force in May 2016, it is only starting in 2017 that all stakeholders included the topic in their agendas and budgets. Now every Tom, Dick, and Harry is organizing events on GDPR readiness: media, IT companies, law firms and other consultants. The authority is invited and graciously accepts such invitations.

IT companies already seem prepared to deliver their technical input through applications, programs and gap analysis services. Companies controlling and processing personal data in any form and/or capacity may, however, give the impression of being slightly lost or of lacking project management or GDPR granularity. That is why multi-disciplinary consortia and collaborations are being initiated, data protection officers are being sought within organizations or externally, and the impact of the GDPR is being considered. The Data Protection Authority is in turn preparing and learning, and appears rather empathetic towards controllers and processors and sensitive to their concerns. A grace period even after the GDPR takes effect looks somewhat implicit and accepted, at least for the time being.

Traditionally, Romania has been more formalistic in terms of processes and procedures than its peers within the EU. For instance, even now, transfers to third countries outside the EU and the EEA, as well as to countries considered as not offering an adequate level of protection, require in all instances at least prior notification to, if not authorization by, the Data Protection Authority, even if the consent of data subjects has been obtained or standard clauses are in place. The Data Protection Authority reviews and assesses the documentation underlying the transfer, and the transfer cannot be implemented until the Data Protection Authority approves it. From a timing perspective, this process may take 2-3 months. The change of perspective under the GDPR is therefore even more interesting and welcome in Romania.


Article published by:

Adelina Iftime-Blagean



What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.