The role of Romanian courts in the protection of personal data in the post GDPR era

12.03.2019

Where does the role of the data protection authority (DPA) end and where the court takes priority? The relevant legal provisions are spread around the national laws and regulations, most of them being included in the laws regulating the organization of the Romanian DPA.

We summarized the available challenge options from the perspective of all three main actors: (1) data subject, (2) controller/processor and (3) DPA (see summaries below).

We certainly expect a high number of disputes related to data protection matters. On the basis of the legal recourse options summarized below, we expect at least the following:

  • a high number of court challenges against sanctions and other measures imposed by the DPA;
  • a high number of civil
  • claims based on data protection matters; 
  • disputes related to the suspension/rejection by the DPA of a complaint which is also brought before a court;
  • issues raised by claims lodged in courts by the DPA as proxy of the data subjects;
  • complexities raised by collective complaints/claims and the involvement of not-for-profit organizations representing the interests of data subjects;
  • debates regarding the acts/measures that require a preliminary procedure before the DPA before lodging a court challenge (versus DPA acts that sanction a misdemeanor and can be challenged directly in court);
  • last but not least, vexatious behavior and "extortion" attempts (e.g. threats with complaints before the DPA and settlement requests).

Therefore, which options are available to the data protection actors?

Who? DATA SUBJECTS 

WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Complaint (plangare)DPAController / processorFor any non-observance of their rights under data protection legislation

Can be suspended/rejected in case an identical court action is also initiated (same parties and object).

DPA can impose a fee for repetitive or obviously ungrounded (vexatious) complaints

Complaint (administrative action) (plangere)DPADPA actAs mandatory preliminary action against any action/omission of the DPA (e.g. failure to periodically inform the data subject of the course of the investigation)
Court action (administrative action) (contestatie)

Court

Tribunal in first instance

DPAAgainst the outcome of the investigation of a complaint for various reasons (e.g. decision on inadmissibility of a complaint)
Court action (civil action)CourtController / processor

Observance of/failure to observe data protection legislation.

Reparation of damage caused to data subject (monetary, non-monetary)

No court fees. The action can be initiated by the DPA and the data subject will have the option to take-over the claim or to waive it

Who? CONTROLLER/PROCESSOR

WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action) (contestatie)

Court

Tribunal in first instance

Cour of appeal in appeal

DPAAgainst a measure and/or sanction and/or fines for the delay in complying with the obligations

No express provision regarding necessity of the preliminary administrative action before the DPA. To be determined when such a preliminary action is necessary and when it is not (sanctioning of a misdemeanor).

It suspends only the payment of fines up to final court decision (not also other measures or sanctions)

Court action (civil action)CourtOther parties (controllers / processors / data subjects)For any monetary or non-monetary damage related to a data protection context
Court action (administrative action) (contestatie)

High Court

Decision of Court of AppealChallenge of lower court's decision re. obligation of controller/processor to grant access to locations and documents during DPA investigationsDoes not suspend the enforcement decision of first instance

Who? DPA

WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action)Court of AppealController / processorObligation of controller/processor to grant access to locations and documents during DPA investigations

 

Court action (civil action)CourtController / processorLodged on behalf of the data subjects for observance of data protection legislation and/or reparation of damage caused to data subject Question: Only non-monetary or also monetary damage?

 

This brief reflects the legislative status as of 28 February 2019.

 

Article provided by: Adelina Iftime-Blagean (Attorney at Law, Wolftheiss)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.