Page 1

LAW No. 363/2018 of December 28, 2018
on the protection of individuals with regard to the processing of personal data
personally by the competent authorities for the purpose of prevention, detection,
investigation, prosecution and combating crime or execution
penalties, educational and security measures, and on freedom
circulation of this data
ISSUER: PARLIAMENT OF ROMANIA
PUBLISHED IN: OFFICIAL GAZETTE NO. 13 of January 7, 2019
The Romanian Parliament adopts this law.
ARTICLE 1
(1) This law regulates the processing of personal data in
the purpose of carrying out the activities of prevention, discovery, research, pursuit
criminal and combating crimes, execution of punishments, measures
educational and safety, as well as maintaining and ensuring order and
public safety by the competent authorities, within the limits of their competences
established by law.
(2) Processing of personal data for carrying out the activities of
maintaining and ensuring public order and safety is achieved only if
they are required by law and are necessary to prevent a danger
little on the life, bodily integrity or health of a person or a
its property, as well as for combating crime.
ARTICLE 2
(1) The purpose of this law is to protect fundamental rights and freedoms
of natural persons, in particular the right to the protection of personal data
personal.
(2) This law establishes the conditions under which the free movement of
personal data in order to carry out the activities provided in art. 1 .
(3) Free movement of personal data on the national territory or in
the relationship with the member states of the European Union, limited to the achievement
the activities provided in art. 1 , cannot be prevented for reasons related to
protection of the person against the processing of personal data as long as
terms of this Act or, where appropriate, of EU Regulation 2016/679 of
European Parliament and of the Council of 27 April 2016 on protection
individuals with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46 / EC
(General Data Protection Regulation), hereinafter referred to as "the Data Protection Regulation"
General Regulation on data protection , or from national legislation
its implementation are met.
ARTICLE 3
(1) This law applies to the processing of personal data by
the competent authorities for the purposes provided in art. 1 .

Page 2

(2) This law applies to the processing of personal data made
in whole or in part by automated means, as well as processing by other means
means other than automated, of the personal data that are part
from a data record system or which are intended to be included in a
such a system.
(3) This law does not apply to the processing of personal data
carried out to carry out activities in the field of national defense and
national security, within the limits and with the restrictions established by the legislation in
material.
ARTICLE 4
For the purposes of this law, the terms and expressions below have the following
meanings:
a) personal data - any information regarding a natural person
identified or identifiable, hereinafter referred to as the data subject ; a
an identifiable natural person is a person who can be identified, directly or indirectly
indirectly, in particular by reference to an identifying element, such as a name,
an identification number, location data, an online identifier, or one
or several elements specific to his physical, physiological identity,
genetic, mental, economic, cultural or social;
b) processing - any operation or set of operations performed on the data
personal data or personal data sets, with or without
the use of automated means, such as collection, registration,
organization, structuring, storage, adaptation or modification, extraction,
consultation, use, disclosure by transmission, dissemination or making available
disposition in any other way, alignment or combination, restriction, deletion
or destruction;
c) restriction of processing - marking of stored personal data,
in order to limit their future processing;
d) profile creation - any form of automatic data processing with
personal data consisting in the use of personal data to
evaluate certain personal aspects related to a natural person, in particular
to analyze or anticipate workplace performance issues,
economic situation, health, personal preferences, interests, fairness,
the behavior, location or movements of that individual;
e) pseudonymization - the processing of personal data in such a
so that they can no longer be attributed to a specific person without
additional information is used, to the extent that this information
are stored separately and are subject to technical and technical measures
intended to guarantee the non-assignment of a natural person
identified or identifiable;
f) data record system - any structured set of character data
staff accessible according to specific criteria, be they centralized,
decentralized or distributed according to functional or geographical criteria;

Page 3

g) competent authority - any public authority or any other body, or
entity vested with the exercise of state authority, competent in matters of
prevention, detection, investigation, prosecution and combating of crimes
or the execution of punishments, including in the matter of maintaining and ensuring order
and public safety;
h) operator - the competent authority which, alone or together with others,
establishes the purposes and means of processing personal data;
when the purposes and means of processing are established by an act
normative, the operator or the specific criteria for its determination are
establish by the normative act of reference;
i) person authorized by the operator - natural or legal person,
public institution / authority, agency or other body which processes data with
personal character on behalf of the operator;
j) addressee - natural or legal person, public institution / authority,
the agency or other body to which the personal data are transmitted,
whether or not it is a third party; are exempt from the meaning of the definition
competent authorities that may receive personal data in a
surveys in accordance with applicable law, and data processing with
they shall comply with the rules applicable in
data protection in accordance with the purposes of the processing;
k) breach of security of personal data - any event,
action or inaction that may cause a security breach, leading to
accidentally or illegally, upon destruction, loss, modification, disclosure
unauthorized access to personal data transmitted,
stored or otherwise processed;
l) genetic data - personal data related to characteristics
inherited or acquired genetics of an individual who provides information
on the physiology or health of that individual, as
results mainly from an analysis of a sample of biological material
harvested from that individual;
m) biometric data - personal data resulting from
specific processing techniques, related to physical and physiological characteristics
or behavioral of a natural person, which allow or confirm
unique identification of that individual, such as facial images or
dactyloscopic data;
n) health data - personal data related to physical health
or mental health of an individual, including the provision of assistance services
medical, which reveals information about her health;
o) supervisory authority - National Supervisory Authority a
Personal Data Processing, designated according to Law no. 102/2005
on the establishment, organization and functioning of the National Authority of
Supervision of the Processing of Personal Data, with the modifications and
subsequent additions;

Page 4

p) international organization - an organization and its subordinate bodies
governed by public international law or any other body which is
established by an agreement concluded between two or more states or under
such an agreement;
q) interoperability - the operation of connecting character data
personally contained in a file, database or system
automatically records with those contained in one or more files, databases
or automated record - keeping systems that are managed by different operators or by
to the same operator, but with different, similar or related purposes, as appropriate;
r) passive record - personal file or database set up in
the purpose of limited access and subsequent deletion of data stored in the system
evidence;
s) Member State - any Member State of the European Union;
ş) remediation plan - annex to the minutes of finding and sanctioning a
contravention, drawn up under the conditions provided in art. 62 , whereby the Authority
National Office for the Supervision of Personal Data Processing establishes
measures and a deadline for remediation;
t) remedial measure - solution ordered by the National Authority of
Supervision of Personal Data Processing in the remediation plan
in order to be fulfilled by the operator or by the person empowered by
it of the obligations provided by law;
ţ) remediation term - the period of time between 60 and 180 days from
the date of communication of the report of finding and sanctioning the contravention,
in which the operator or the person empowered by him has the possibility
remedying the irregularities found and fulfilling the legal obligations.
ARTICLE 5
(1) Personal data must be:
a) processed legally and equitably;
b) collected for determined, explicit and legitimate purposes and not to be processed
in a manner incompatible with these purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are
processed;
d) accurate and, if necessary, up to date; all measures must be taken
reasonable to ensure that personal data that are
inaccurate, given the purposes for which they are processed, to be deleted or
rectified without delay;
e) kept in a form that allows the identification of the persons concerned on a
period which does not exceed the period necessary to fulfill the purposes for which
the respective data are processed;
f) processed in a way that ensures adequate data security with
personal data, including protection against unauthorized processing or
illegal and against accidental loss, destruction or damage by
taking appropriate technical or organizational measures.

Page 5

(2) Personal data may be processed for carrying out activities
provided in art. 1 by the same operator or by another operator in another
purpose other than that envisaged at the time of collection of personal data,
only if the following conditions are cumulatively met:
a) the operator is empowered to process such personal data in
that purpose, in accordance with the applicable regulatory framework;
b) the processing is necessary and proportionate in relation to that purpose, in
compliance with the applicable regulatory framework.
3. Personal data may be processed by the same controller or
by another operator for archiving in the public interest or for scientific purposes,
statistical or historical related to the performance of the activities provided in art. 1 para. (1),
provided that adequate guarantees for the rights and freedoms are established
targeted persons.
(4) The operator is responsible for the observance of the provisions of par. (1) - (3) and
take measures and / or establish procedures to demonstrate compliance
stipulations.
ARTICLE 6
(1) The normative acts, regardless of the level of legislation, which establishes
processing of personal data in order to carry out the activities provided
the art. 1 , must establish at least the following aspects:
a) the general context of the processing and its objectives;
b) personal data to be processed;
c) the purposes of processing;
d) general and, as the case may be, specific storage terms of the character data
personal.
(2) The establishment of specific retention periods is mandatory in the following
situations:
a) processing of personal data regarding minors;
b) processing of special categories of personal data;
c) processing of personal data whose accuracy has not been established
or could not be established;
d) in any other situation where the processing involves major risks for
the person concerned.
3. The specific storage periods may not exceed half of
the general storage term corresponding to the purpose of the processing.
(4) Upon fulfillment of the storage terms, the personal data may be:
a) archived in the public interest in accordance with the special legislation;
b) stored in passive records for a period not exceeding half of
initial storage period;
c) destroyed or erased by the use of irreversible procedures, if not
falls into one of the situations provided in letter a) or b).
(5) The processing of personal data based on the use of new ones
technologies or which are likely to pose a high risk to human rights and

Page 6

the freedoms of individuals may be established for the purpose of carrying out activities
provided in art. 1 only on the basis of a normative act published in the Monitor
Official Gazette of Romania, Part I, establishing the necessary guarantees to be established in
under this law.
ARTICLE 7
(1) Operators shall take the necessary measures for the purpose of highlighting separately
and structuring personal data, taking into account the following criteria:
a) data regarding persons in respect of whom there are solid indications that they have
committed or is about to commit an offense, including those against
who has been given a pre-trial detention measure;
b) data regarding persons convicted for committing a crime
or persons who have been ordered to carry out an educational measure or
safety;
c) data on persons victims of a crime or persons in
about which there are reasons to believe that they may be the victims of a
crimes;
d) data regarding other persons related to the crime, as well
persons who may be called to testify in related investigations
of offenses or in subsequent criminal proceedings or persons who may
provide information on crimes or related persons or
associated with the persons provided in let. a) or b).
(2) The personal data processed under this law are
ordered according to their degree of accuracy and precision. For this purpose,
operators shall take the necessary measures to distinguish between data
collected as a result of the finding of certain facts, respectively data whose collection is
based on the subjective perception of individuals.
(3) Operators shall take all necessary measures to ensure that the data
personally inaccurate, incomplete or out of date not to be transmitted
or made available to the recipient.
(4) The measures provided in par. (3) also include periodic evaluations for the purpose
ensuring the quality of personal data by reference to the purpose for which they have
were collected and subsequently processed.
(5) The evaluation deadlines are established by administrative acts adopted by
to operators, who are provided with a form of advertising. Frequency of evaluations
is determined by the purpose for which the personal data were collected,
the quality of the data at the time of collection, the quantity of the data, if they are processed
special categories of personal data. In the case of automated systems
evidence, the evaluation deadlines may not exceed 2 years from the time of collection,
respectively from the previous evaluation.
(6) The evaluation of the quality of personal data is mandatory before
personal data are transmitted or made available to another operator.

Page 7

(7) In the situation of the transmission of personal data, for the purpose of insurance
data quality, the operator may add information to the authority
competent authorities to assess:
a) data accuracy;
b) the integral character of the data;
c) the usefulness of the data related to the purpose of the processing;
d) if they are updated.
(8) In case of a transmission non-compliant with the legislation in force of some data
personal data or if it is found that personal data
personnel do not have the necessary quality, the operator is obliged to notify immediately
the recipient. The data that have been transmitted are, as the case may be:
a) rectified or deleted;
b) restricted to processing.
(9) The restriction of the processing of personal data provided in par.
(8) is ordered only in one of the situations provided in art. 18 para. (4).
ARTICLE 8
(1) The personal data collected for the purpose provided in art. 1 can not be
processed for other purposes, except as expressly provided by law.
(2) In the exceptional situations provided in par. (1), additional processing
personal data is made in accordance with the provisions
General Data Protection Regulation , except for activities
provided in art. 3 para. (2), in which case the corresponding provisions apply
contained in special laws.
(3) Personal data collected by the competent authorities in
other purposes than those necessary for the performance of the activities provided in art. 1 para.
(1) shall be processed in accordance with the provisions of the General Regulation
regarding data protection, except for the activities provided in art. 3 para. (2),
situation in which the corresponding provisions contained in special laws apply.
(4) The provisions of par. (3) shall also apply to the processing of data with
personal character for archiving purposes in the public interest, for research purposes
scientific or historical or for statistical purposes.
ARTICLE 9
(1) In the situation of processing personal data in the form of transfer
to the recipients, the competent authority transferring the character data
personally has the obligation to inform the recipient of personal data with
on the specific processing conditions and the obligation to comply with them, in
the extent to which such conditions are imposed by law.
(2) The recipient of personal data has the obligation to comply
the specific processing conditions communicated in accordance with the provisions
para. (1).
(3) In case of transfer of personal data to recipients from
Member States of the European Union or to agencies, offices and bodies
established in accordance with Chapters 4 and 5 of Title V of the Treaty on

Page 8

functioning of the European Union, no specific processing conditions can be imposed,
in accordance with the provisions of par. (1), additional to those provided by
law for the transfer to the competent authorities in Romania.
ARTICLE 10
Personal data that reveals racial or ethnic origin, opinions
political affiliations, religious denominations or philosophical beliefs, trade union affiliation,
processing of genetic data, processing of biometric data for identification
of a natural person, the processing of health data or data
on the sexual life and sexual orientation of an individual can be processed
only if they are strictly necessary in a given case, if they are instituted
adequate guarantees for the rights and freedoms of the data subject and if any
one of the following conditions is met:
a) the processing is expressly provided by law;
b) the processing is necessary to prevent an imminent danger at least
on the life, bodily integrity or health of the data subject or of another
individuals;
c) the processing refers to personal data that are made public in
manifestly by the data subject.
ARTICLE 11
(1) The adoption of a decision based exclusively on automatic processing,
including the creation of profiles, which produces a negative legal effect for
the person concerned or which significantly affects him is prohibited, with
unless the processing is expressly regulated by law, being
adequate guarantees are provided for the rights and freedoms of the data subject,
including the right to obtain human intervention from the operator.
(2) The processing of the categories of personal data provided in art. 10 in
the purpose of adopting decisions under the conditions provided in par. (1) is prohibited, with
unless appropriate protection measures are put in place
the rights, freedoms and legitimate interests of the data subject.
(3) Creating profiles that result in discrimination against individuals
based on the criteria that determine the categories of data provided in art. 10 is
forbidden.
ARTICLE 12
1. Operators shall be required to put in place organizational, technical and management measures
procedure to provide the data subject with the necessary information accordingly
the provisions of art. 13 and art. 16 - 21 and to ensure the transmission of a response in
in connection with the processing carried out under the conditions provided in art. 11 or in
in connection with the notification of data subjects in the event of an incident of
security, under the provisions of art. 39 .
(2) The answer must be formulated in a concise, intelligible and easy form
accessible, using clear and simple language.
(3) The communication of the information under the conditions provided in par. (2) is performed
in the same format in which the request was made, with the following exceptions:

Page 9

a) the identity of the applicant cannot be established exactly, under the conditions
provided in par. (10);
b) the format chosen for the transmission of the request involves processing risks
unauthorized or illegal or accidental loss, destruction or damage,
by reference to the amount of personal data, the degree of sensitivity of
information, especially in the situation of the data categories provided in art. 10 times a
data on minors.
(4) The operator is obliged to establish organizational and procedural measures
in order to facilitate the exercise of the rights of the data subject
the provisions of art. 11 and art. 16 - 21.
(5) The operator has the obligation to inform the data subject, in writing, about it
to the way of solving the requests formulated under the present law.
The reply shall be sent free of charge within a maximum of 60 calendar days.
(6) Where the requests from a data subject are manifestly obvious
unfounded or excessive, especially because of their repetitive nature, the operator
may be:
a) to charge a reasonable fee that takes into account the administrative costs
for the transmission or communication of information or for taking action
requested; or
b) to refuse to comply with the request.
(7) The amount of the fee provided in par. (6) lit. a) will be established, respectively
updated by administrative act issued at the level of the operator.
The unfounded or excessive nature of the application shall be determined on a case - by - case basis in
depending on the following criteria:
a) the object of the request;
b) the repetitive nature of the request;
c) the existence of additional processing of personal data, by
compared to those carried out at the time of the previous request.
(9) The unfounded or excessive character of the request, under the conditions provided in par.
(6), must be demonstrated by the operator.
(10) If the identity of the person making a request under
the provisions of art. 16 or 18 could not be determined exactly, the operator told him
requests additional information necessary to confirm identity.
(11) The additional information collected according to the provisions of par. (10) I can't
be processed for any purpose other than to confirm identity and are destroyed in
within 3 years of collection. The operator can set longer retention periods
small.
ARTICLE 13
Operators are obliged to establish organizational, technical and management measures
procedure in order to make the following available to interested parties
categories of information:
a) the identity and contact details of the operator;
b) the contact details of the data protection officer, as the case may be;

Page 10

c) the purposes for which the personal data are processed;
d) the right to lodge a complaint with the supervisory authority and the data of
its contact;
e) the right to request from the operator access to personal data
concerning the data subject or the rectification or deletion of such data or
restricting their processing.
ARTICLE 14
Upon request, when the law does not provide otherwise, the operator communicates to the person
concerned the information provided in art. 13 , as well as the following information
additional:
a) the legal basis of the processing;
b) the period for which the personal data are stored or, if
which is not possible, the criteria used to determine that period;
c) if applicable, the categories of recipients of personal data,
including from third countries or international organizations;
d) any other additional information, depending on the specifics of the activities of
processing, especially when personal data are collected without
knowledge of the data subject.
ARTICLE 15
1. The operator may, where appropriate, order the postponement, restriction or
failure to provide information to the data subject under the conditions provided in art. 14
only if, taking into account the fundamental rights and legitimate interests of
to the data subject, such a measure is necessary and proportionate in a
democratic society for:
a) avoiding the obstruction of the good development of the criminal process;
b) avoiding the prejudice of prevention, discovery, investigation, prosecution and
combating crime or the execution of punishments;
c) protection of public order and safety;
d) protection of national security;
e) protection of the rights and freedoms of others.
(2) The measure of postponing the provision of information shall be ordered for a period not
may exceed one year, if the incidence of the conditions makes it impossible
communication is limited in time. The measure of postponement may be extended in
within one year. Upon fulfillment of the term for which the measure
postponement of the provision of information has been ordered, the operator transmits the information
provided by law.
(3) The data subject shall be informed in writing, within a maximum of 60 calendar days
from the registration of the request, regarding the measure of postponing the supply of
information and the reason for its disposition, regarding the term for which it was
ordered this measure, as well as on the fact that it can be addressed
the supervisory authority with a complaint against the operator's decision or may
challenge the operator's decision in court.

Page 11

(4) The measure of restricting the provision of information shall be ordered in the situation where
the incidence of conditions that make communication impossible is not limited in time. Into the
the situation of restricting the provision of information, the operator transmits to the person
targeted an answer. The form and content of the answer are determined by each
operator in part.
(5) The measure of omission to provide information shall be ordered in the situation where
even simply informing the data subject about one or more
processing operations is likely to affect one of the activities
provided in par. (1) lit. a) - d).
(6) The omission to provide information may be partial or total. Into the
the situation of partial omission, the data subject is informed, within a maximum of
60 calendar days from the registration of the application, regarding the categories of
processing that is not likely to affect the activities provided in par. (1). Into the
the situation of total omission, the operator sends a response to the data subject. Form
and the content of the answer is determined by each operator.
(7) The operator is obliged to keep records of the situations in which it was ordered
the measure of omitting the provision of information and documenting its adoption
measures.
(8) In January of each year, the operator has the obligation to inform
the supervisory authority regarding the statistical situation of the measures
failure to provide information adopted in the previous year, broken down for
each of the activities provided in par. (1) lit. a) - d).
ARTICLE 16
(1) The data subject has the right to obtain from the operator, upon request and in the manner
free of charge, confirmation that the personal data concerning her are
or are not processed by it.
(2) The operator is obliged, in the situation in which he processes data with character
personnel concerned, to communicate to him, within the
no more than 60 calendar days from the registration of the request, under the conditions
provided in art. 12 para. (2) and (3), in addition to confirmation, including data with
personal data subject to processing, as well as the following information:
a) the purposes and legal basis of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the data have been disclosed
personal data, in particular recipients from third countries or organizations
international;
d) where possible, the period for which they are expected to be
stored personal data or, if this is not the case
possibly the criteria used to determine this period;
e) the right to request from the operator the rectification or deletion of data with
personal data or restricting the processing of personal data
relating to the data subject;

Page 12

f) the right to lodge a complaint with the supervisory authority and the data of
its contact;
g) communication of personal data that are being processed and a
any available information regarding the origin of personal data.
ARTICLE 17
(1) The provisions of art. 16 does not apply if, taking into account the rights
fundamental rights and legitimate interests of the natural person, such a measure is
necessary and proportionate in a democratic society for:
a) avoiding the obstruction of the good development of the criminal process;
b) avoiding the prejudice of prevention, discovery, investigation, prosecution and

combating crime or the execution of punishments;
c) protection of public order and safety;
d) protection of national security;
e) protection of the rights and freedoms of others.
(2) The measure of limitation of the right of access may be total or partial and
disposes of one or more processing operations in the situation
whose disclosure is likely to affect one of the activities set out in
para. (1).
(3) In the situation provided in par. (2), the data subject may be informed
regarding the categories of processing that are not likely to affect the activities
provided in par. (1), the reason for the adoption of this measure, as well as regarding
the possibility to lodge a complaint with the supervisory authority or to
court address.
(4) By exception from the provisions of par. (3), the reason for the adoption of the measure of
limitation of the right of access is not communicated in the event that the disclosure
it is likely to affect one of the activities provided in par. (1) lit.
a) - d).
(5) The operator is obliged to keep records of the cases in which it was ordered
measure to limit the right of access and document its adoption
measures.
(6) In January of each year, the operator has the obligation to inform
the supervisory authority regarding the statistical situation of the cases in which a
the measure limiting the right of access was adopted in the previous year, broken down
for each of the activities provided in par. (1).
ARTICLE 18
(1) The data subject has the right to obtain from the operator, upon request and in the manner
free of charge, the rectification of inaccurate personal data concerning her.
(2) The data subject has the right to request the completion of the character data
personnel concerning it, including by providing an additional statement.
(3) The operator has the obligation to delete, through irreversible procedures, ex officio
or at the request of the data subject, personal data the processing of which does not
complies with the provisions of art. 1 para. (2), art. 5 or 10 times to be deleted in
by virtue of fulfilling an obligation expressly provided by law.

Page 13

(4) The operator has the obligation to restrict the processing of character data
personally, and not to delete them, if one of the incidents is
the following situations:
a) the accuracy of the personal data is contested by the data subject,
and the accuracy or inaccuracy of such data cannot be established with
certainty;
b) personal data must be kept as evidence.
(5) The operator is obliged to communicate to the data subject, under the conditions of art. 12
para. (2) - (4), within a maximum of 60 calendar days from the registration
request, confirmation or, as the case may be, refusal to resolve the requests made
according to the provisions of par. (1), (2) or (3), the grounds on which the measure is based
refusal, as well as the fact that he can file a complaint with the authority of
supervision or may challenge the operator's decision in court.
(6) The term provided in par. (5) may be extended by up to 60 days
insofar as the settlement of requests requires procedures
in particular, in consultation with competent authorities abroad.
The data subject shall be informed of the extension of the time limit before
expiration of the initial term.
(7) Lifting the restriction of the processing established according to the provisions of par. (4)
LIT a) is performed by the operator, simultaneously with the notification of the data subject
on the measure taken.
(8) The provisions of par. (5) does not apply if, taking into account the rights
fundamental rights and legitimate interests of the natural person, such a measure is
necessary and proportionate in a democratic society for:
a) to avoid obstructing the proper conduct of the criminal proceedings;
b) not to prejudice prevention, discovery, investigation, prosecution and
combating crimes or executing punishments;
c) to protect public order and safety;
d) to protect national security;
e) to protect the rights and freedoms of others.
ARTICLE 19
(1) In the situation of rectification of personal data according to the provisions of art.
18 para. (1), the operator has the obligation to verify the way in which they were
collected.
(2) If personal data have been collected by transfer
from a competent authority, the operator has the obligation to transmit to it a
notification of data rectification.
(3) In case of rectification, deletion or restriction of character data
personnel according to the provisions of art. 18 para. (1), (3) or (4), the operator has
the obligation to verify that they have been sent to a previous consignee
rectification.
(4) If the personal data have been transmitted to a
recipient before rectification, the operator has the obligation to send him a

Page 14

notification of rectification, deletion or restriction of processing
personal data, as appropriate.
(5) The addressee located on the territory of Romania or to whom the law applies
Romanian has the obligation to order a measure similar to the one in respect of which a
has been notified, except for incidence, in case of deletion or restriction of data
personal, of one of the following situations:
a) the data are necessary for prevention, discovery, research, follow-up
criminal proceedings and the fight against offenses or the execution of sentences other than those
for which they were transmitted;
b) the data are necessary for the conduct of other judicial proceedings or
directly related to prevention, discovery, research, pursuit
criminal law and the fight against crimes or the execution of punishments;
c) the data are necessary to prevent an imminent and serious danger to the address
public order and safety.
(6) In the situation of the incidence of any of the situations provided in par. (5) lit. a) c), the data subject is informed with the application, as the case may be, of the provisions of art. 14 ,
with regard to the measure taken, the reasons on which the measure of annulment is based,
as well as the fact that he can file a complaint to the
supervision or may challenge the operator's decision in court.
ARTICLE 20
(1) In the situations provided in art. 15 , art. 17 para. (3) or art. 19 para. (6),
the data subject may contact the supervisory authority for the exercise
the rights provided by law.
(2) The operator has the obligation to inform the data subject about
the possibility provided in par. (1).
(3) In the situation provided in par. (1), the supervisory authority undertakes
the necessary measures according to its legal attributions.
4. The supervisory authority shall inform the data subject of the
the issues found, as well as regarding the possibility to address the court
court.
ARTICLE 21
Art. 13 , 16 and 18 shall apply even if the personal data
are contained in court decisions, criminal records or within
criminal proceedings, except for the situations expressly provided by law.
ARTICLE 22
1. The operator, taking into account the nature, scope, context and
the purposes of the processing, as well as the degree of interference with rights and freedoms
individuals, is obliged to apply technical and organizational measures
appropriate to ensure and be able to demonstrate the processing
in accordance with this law.
(2) The measures adopted according to the provisions of par. (1) must be
proportional to the processing operations performed by the operator and include
appropriate personal data protection policies.

Page 15

ARTICLE 23
(1) In order to effectively implement the principles of protection of
personal data, as well as for minimizing a
processing of personal data, but also for the purpose of integrating guarantees
necessary in processing to meet the requirements of this law and for
to protect the rights of data subjects, the operator is obliged that at the time
establishing the means of processing, as well as that of the actual processing, to
implement appropriate technical and organizational measures, taking into account:
a) the current state of technology;
b) implementation costs;
c) the nature, scope, context and purposes of the processing;
d) risks with different degrees of probability and severity to the address
the rights and freedoms of the natural persons that the processing presents.
(2) In order to fulfill the objectives provided in par. (1), the operator
evaluates, at the time of establishing the means of processing, for the purpose
identification of appropriate technical and organizational measures, at least the possibility
introduction of a pseudonymization solution or another technical solution with effect
similar.
(3) The operator has the obligation to implement technical measures and
appropriate organizational arrangements to ensure that, by default, they are
processed only personal data that are necessary for each purpose
specific processing.
(4) The obligation provided in par. (3) aims at:
a) the volume of personal data collected;
b) the degree of their processing;
c) storage period;
d) their accessibility.
(5) By the measures ordered according to the provisions of par. (3) and (4), the operator
you must ensure that personal data is not accessible without
human intervention, to an indefinite number of users.
ARTICLE 24
(1) The associated operators are designated by a normative act, in the content
whose purposes and means of data processing are jointly established
personal character.
(2) The normative act provided in par. (1) must include a delimitation of
the responsibilities of each of the associated operators under the conditions
of this law.
(3) The normative act provided in par. (1) must include at least
the following aspects:
a) the manner of exercising the rights of the data subjects, in relation to
any of the operators;
b) the duties of each of the associated operators regarding the supply
the information provided in art. 13 ;

Page 16

c) the single point of contact for the data subjects.
(4) If the purposes and means of processing are not established
by normative act, the responsibilities incumbent under the conditions of this law
associated operators may be established by means of a legal act. This
must include the elements provided in par. (3) and is subject to the obligation of
making available to data subjects. The obligation to make available must
fulfilled at least 5 days before the entry into force of that act
legal.
ARTICLE 25
(1) The appointment of the persons empowered by the operator is only possible
whether there are sufficient guarantees for the implementation of the technical measures and
appropriate organizational requirements so that the processing meets the requirements
this law and to ensure the protection of the rights of the data subject.
(2) The designation, by a person empowered by the operator, of a
other persons empowered to carry out one or more operations
processing is only possible with the written consent of the operator. Agreement
written can be issued only if the conditions provided in par. (1).
(3) The person empowered by the operator has the obligation to inform
the operator of any planned changes to the addition or
replacement of other persons authorized by the operator.
(4) The designation provided in par. (1) or, as the case may be, par. (2) is achieved by
by means of a contract or protocol concluded between the parties, which must
detail:
a) the object and duration of the processing;
b) the nature and purpose of the processing;
c) the type of personal data and the categories of data subjects;
d) the obligations and rights of the operator.
(5) The protocol or, as the case may be, the contract provided in par. (4) is placed at
at the disposal of the persons concerned and must determine the responsibility of the person
empowered by the operator the following obligations:
a) to act only on the instructions of the operator;
b) to guarantee that the persons authorized to process data of character
personally committed to respect confidentiality or have a legal obligation to
appropriate confidentiality;
c) to assist the operator by any appropriate means to ensure
compliance with the provisions on the rights of the data subject;
d) to delete or return, at the disposal of the operator, all data with
personal data after the cessation of the provision of data processing services with
personal data and delete existing copies, unless
there is an express legal provision enabling him to continue storing
data;
e) to make available to the operator all the information necessary to
demonstrate compliance with the provisions of this article;

Page 17

f) to comply with the conditions provided in par. (2) - (4) for the recruitment of another
persons authorized by the operator.
(6) The protocol or, as the case may be, the contract provided in par. (4) can be put to
available to data subjects, upon request, in electronic format.
(7) The person empowered by the operator is considered the operator in the case
in which, in violation of the provisions of this law, it establishes the purposes and
the means of processing personal data provided by
to the operator.
(8) In the situation provided in par. (7), the operator is exonerated from liability
only if it demonstrates that the person empowered by the operator a
acted in bad faith.
ARTICLE 26
(1) The person empowered by the operator to process the data is prohibited
with personal character in excess of the instructions received from the operator, with
except for the situations expressly provided by law.
(2) Any person acting under the authority of the operator or a
the person authorized by the operator, who has access to character data
personally, may process them only on the basis of the operator 's instructions, with
except for the situations expressly provided by law.
ARTICLE 27
(1) The operator is obliged to keep records of all categories of activities
processing under its responsibility.
(2) The evidence provided in par. (1) contains the following information:
a) the name and contact details of the operator and, where applicable, of
the associated operator and the data protection officer;
b) the purpose or purposes of the processing;
c) the categories of recipients to whom the data were or will be disclosed
personal data, including recipients from third countries or organizations
international;
d) a description of the categories of data subjects and of the data categories with
personal character that are processed;
e) if applicable, mentions regarding the development of the activity of creation of
profiles;
f) if applicable, the categories of transfers of personal data to
a third state or an international organization;
g) indication of the legal basis of the processing operation, including al
transfers of personal data made;
h) if possible, the deadlines foreseen for deleting the different ones
categories of personal data;
i) if possible, a general description of the technical and organizational measures
security referred to in art. 35 .
ARTICLE 28

Page 18

(1) The person empowered by the operator is obliged to keep records
all categories of processing activities under its responsibility.
(2) The evidence provided in par. (1) contains the following information:
a) the name and contact details of the person or persons empowered by
to the operator, of each operator in whose name this person acts
and, where applicable, those of the person responsible for the protection of personal data;
b) the categories of processing activities carried out on behalf of each
operator;
c) where applicable, transfers of personal data to a third country, or
to an international organization, including the indication of the third country or a
the international organization concerned, when they have received explicit instructions
in this sense from the operator;
d) if possible, a general description of the technical and organizational measures
security referred to in art. 35 .
ARTICLE 29
(1) The records provided in art. 27 and 28 are kept in paper format and in
electronic format.
(2) The operator and the person empowered by the operator have the obligation to
make the records available to the supervisory authority, at its request
provided in art. 27 and 28 .
ARTICLE 30
(1) The operator or the person authorized by the operator is
obliged to register, within the automatic processing systems,
all personal data processing operations.
(2) The registrations provided in par. (1) must contain at least the following
information:
a) the type of processing operation;
b) the identification code of the user and of the workstation used;
c) the name of the accessed file;
d) the number of processing operations performed;
e) the code of the executed operation or the program used;
f) date of access - year, month, day, including the time and minute at
which has been processed.
(3) In the case of processing operations in the form of consultation or disclosure
it is mandatory to record the reason for the processing that must allow
identification of the concrete document / situation that was the basis and justified
processing of personal data and, where appropriate, recipients of personal data
personal character.
(4) The registrations provided in par. (1) may be used only in the following
situations:
a) verification of the legality of the processing;
b) own monitoring carried out by the operator or, as the case may be, by
the person authorized by the operator;

Page 19

c) ensuring the integrity and security of personal data;
d) in criminal proceedings, under the conditions and with the restrictions imposed by
law.
(5) The person responsible for the protection of personal data, in the realization
his attributions, has access to the records provided in par. (1).
(6) The registrations provided in par. (1) shall be made available to the
supervision, at its request.
ARTICLE 31
The operator or, as the case may be, the person empowered by the operator is
obliged to cooperate with the supervisory authority, at its request, and to
order any measure necessary for the performance of its tasks.
ARTICLE 32
(1) In case the introduction of a new data processing is intended
personal, especially where this involves the use of
new technologies, the operator is obliged to evaluate the following aspects of
processing:
a) the nature of the personal data processed;
b) scope;
c) the context and purposes of the processing.
(2) To the extent that the processing provided in par. (1) is likely to
pose a high risk to the rights and freedoms of individuals,
the operator is obliged to carry out an assessment of
the impact of the expected processing operations on the character data
personal.
(3) For existing processing operations, operators are obliged to
perform the evaluation provided in par. (1) and, where appropriate, the impact assessment
of the processing operations provided in par. (2) within 2 years of entry
in force of this law.
(4) The evaluation of the impact of the processing operations provided in par. (2)
includes at least the following:
a) general description of the expected processing operations;
b) risk assessment of the rights and freedoms of data subjects;
c) the measures envisaged in order to address the risks;
d) guarantees, security measures and mechanisms intended to ensure
protection of personal data and to demonstrate compliance with the provisions
of this law, taking into account the rights and legitimate interests of
data subjects and other interested persons.
ARTICLE 33
(1) The operator or, as the case may be, the person authorized by the operator is
obliged to consult the supervisory authority before processing
personal data that are part of a new record system
data, in situations where:

Page 20

a) assessment of the impact on the protection of personal data
provided in art. 32 indicates that processing would generate a high risk in
the absence of measures taken by the operator to mitigate the risk;
b) the type of processing, in particular where new technologies are used,
mechanisms or procedures, involve a high risk to rights and
the freedoms of the data subjects.
(2) Within the procedures for elaborating the draft normative acts which
regulates the processing of personal data or on the basis of which they will be
carried out such processing it is mandatory to consult the authority of
supervision.
(3) The supervisory authority is empowered to establish a list of
processing operations subject to prior consultation provided for in
para. (1).
(4) The operator or, as the case may be, the person authorized by the operator
forward to the supervisory authority within 30 calendar days of
completion, but before starting the processing, the evaluation provided in art. 32 .
(5) At the request of the supervisory authority, the operator or, as the case may be, the person
empowered by the operator shall make available to it any information in
the purpose of assessing the conformity of processing and the risks to protection
personal data of the data subject and related guarantees.
ARTICLE 34
1. If the supervisory authority finds that the operations of
processing for which it is consulted according to the provisions of art. 33 violates
the provisions of this law, especially if the risk has not been identified
or sufficiently attenuated by the operator, it also formulates
transmit to the operator or, as the case may be, to the person empowered by the operator
observations or recommendations, within a maximum of 30 working days from the date
registration of the request for consultation.
2. Depending on the complexity of the intended processing, the time limit laid down in
para. (1) may be extended by 20 working days. Supervisory authority
inform the operator and, where appropriate, the person empowered by the operator, in
within 20 working days of the registration of the request for consultation, with
on the extension of the term, including on its reasons.
(3) The right of the supervisory authority to comment or
recommendations, in the situation provided in par. (1), does not affect in any way
exercising any of its powers provided in Law no.
102/2005 , with subsequent amendments and completions.
ARTICLE 35
1. The operator or, as the case may be, the person empowered by the operator
implements appropriate technical and organizational measures to ensure
an appropriate level of security.
(2) When establishing the appropriate level of security, the operator or, after
case, the person empowered by it takes into account the current state of technology

Page 21

and implementation costs and takes into account the nature, scope,
the context and purposes of the processing, as well as the degree of interference with
the rights and freedoms of individuals, in particular with regard to processing
special categories of personal data provided in art. 10 .
(3) In the case of processing by automatic means, the operator or, as the case may be,
the person empowered by the operator is obliged to carry out an assessment of
risks incident to the expected processing.
(4) Following the evaluation provided in par. (3), the operator or, as the case may be, the person
empowered by the operator has the obligation to implement the measures
menite:
a) to ensure the control of the access to the processing equipment used
for processing, hereinafter referred to as access control to equipment ;
b) to ensure the control over the data supports, in order to prevent
any unauthorized reading, copying, modification or deletion thereof, referred to as
further control of data media ;
c) to ensure the control over the entry of personal data,
as well as on the unauthorized inspection, modification or deletion of data with
stored personal data, hereinafter referred to as storage control ;
d) to ensure the control over the use of automatic processing systems with
the aid of data communication equipment, hereinafter referred to as
user control ;
e) to ensure that the authorized persons have access only to the data with
for which they have authorization, hereinafter referred to as control
access to data ;
f) to ensure that it is possible to verify and identify the bodies to which
have been transmitted or made available to them or may be transmitted to them or
provided personal data using computer equipment
data communication, hereinafter referred to as communication control ;
g) to ensure that it is possible to subsequently verify and identify the data
personal data introduced in automatic processing systems, the moment
entry of personal data and the entity that entered it, named
further control of data entry ;
h) prevent the unauthorized reading, copying, modification or deletion of
personal data during transfers of personal data
or during the transport of data media, hereinafter referred to as control
transportation ;
i) to ensure the possibility of recovering the installed systems in case of a
interruptions, hereinafter referred to as recovery ;
j) to ensure the functioning, reliability and integrity of the system, by establishing
measures to report malfunctions as well as to ensure
the impossibility of corrupting the personal data stored due to
system malfunction.
ARTICLE 36

Page 22

1. If the controller finds a breach of data security,
notify the supervisory authority without undue delay.
2. Depending on the complexity of the security breach, the notification provided for in
para. (1) shall be transmitted no later than 72 hours. In this situation, the operator
he is also obliged to provide a justification for the delay. The term begins to flow
at the time the operator became aware of the security breach
personal data.
(3) The notification provided in par. (1) is not required if
breach of security of personal data is not likely to
generate a risk to the rights and freedoms of individuals.
(4) The person empowered by the operator has the obligation to inform
the operator, without undue delay, regarding the existence of an infringement of
security of personal data.
(5) The operator has the obligation to implement all the necessary measures to
ensure that the person empowered by the operator respects and complies
the obligations incumbent on him according to the provisions of par. (4).
(6) The notification provided in par. (1) must contain at least the following
information:
a) a description of the nature of the personal data breach,
including, where possible, the categories and approximate number of persons
concerned, as well as the categories and approximate number of records of
personal data in question;
b) the name and contact details of the data protection officer or a
another point of contact from where more information can be obtained;
c) description of the probable consequences of the data security breach with
personal character;
d) description of the measures taken or proposed by the operator to remedy
breach of security of personal data, including, where applicable, a
necessary measures to mitigate its possible adverse effects.
(7) If it is not possible to provide the information at the same time
provided in par. (6), they may be transmitted gradually, without undue delay,
within a period not exceeding 48 hours from the time of transmission
initial notification.
ARTICLE 37
(1) The operator has the obligation to document all cases of violation of
security of personal data and keep documents for a
period of 5 years from the transmission of the notification provided in art. 36 .
(2) The documents provided in par. (1) must include:
a) description of the situation in which the data security breach took place with
personal character;
b) description of its effects;
c) description of the remedial measures taken.

Page 23

(3) The documents provided in par. (1) must allow the authority to
supervision to verify compliance with the provisions of this Article.
ARTICLE 38
(1) The operator has the obligation to transmit the information provided in art. 36 para.
(6) to the entity which, where applicable, provided the personal data or to
which were transmitted personal data, if the violation
Data security involves personal data that has been transmitted by a
operator from another Member State or to such an operator.
(2) The transmission of information according to par. (1) shall be made within the term
provided in art. 36 para. (2).
ARTICLE 39
(1) If the personal data breach is
likely to pose a high risk to rights and freedoms
natural persons, the operator shall inform the data subject without delay
unjustified, but not more than 10 calendar days from the notification
the supervisory authority, carried out on the basis of the provisions of art. 36 , regarding
breach of personal data security.
(2) The information provided in par. (1) must contain a description, using a
simple and clear language, the nature of the personal data breach and
at least the information provided in art. 36 para. (6) lit. b) - d).
(3) The information provided in par. (1) is not required if it is
any of the following conditions is met:
a) the operator has implemented appropriate technological and organizational measures
protection, incidents in the case of personal data affected by the breach
security of personal data, in particular measures to ensure that
personal data becomes unintelligible to anyone who is not
authorized to access them, such as encryption;
b) the operator has taken further measures to ensure that the risk is high at
the address of the rights and freedoms of the data subjects mentioned in par. (1) no more
it is likely to materialize;
c) requires a disproportionate effort; in this case, the information shall be replaced by

public information or a similar measure by which the data subjects are
informed in an equally effective way.
(4) In the situation of receiving a notification according to the provisions of art. 36 , authority
taking into account the likelihood of a security breach
personal data to generate a high risk, may dispose of
to inform the data subject or, as the case may be, to find that any
among the situations provided in par. (3) is incidental.
(5) The information provided in par. (1) may be postponed, restricted or omitted
under the conditions of the provisions of art. 15 .
ARTICLE 40
(1) The operator is obliged to designate a data protection officer
personal.

Page 24

(2) The courts are exempted from the obligation provided in par. (1) when
act in the exercise of their judicial function.
(3) The person responsible for data protection may be designated
meets the following conditions:
a) has appropriate professional qualities;
b) has specialized knowledge in the field of legislation and practices
on the protection of personal data;
c) has the capacity to fulfill the tasks provided in art. 42 .
(4) Taking into account their organizational structure and size, more
many competent authorities may designate the same data protection officer.
(5) The operator has the obligation to publish the contact details of the person in charge of
data protection and communicate them to the supervisory authority.
ARTICLE 41
(1) The operator has the obligation to consult the data protection officer with
properly and in a timely manner in all matters relating to
protection of personal data.
(2) The operator has the obligation to provide support to the person responsible for protection
personal data in fulfilling the tasks provided in art. 42 , in
especially by, but not limited to:
a) ensuring the necessary resources for the accomplishment of the tasks;
b) ensuring access to personal data and to data operations
processing;
c) ensuring the necessary resources for maintaining the knowledge of
specialty and adaptation to new technologies.
ARTICLE 42
The data protection officer performs the following main tasks:
a) informs and advises the operator and his employees who perform
processing with respect to their obligations under this law and s
other legal provisions regarding the protection of personal data;
b) monitors the observance of the provisions of this law, of other provisions
on the protection of personal data and the operator's policies
with regard to the protection of personal data, including allocation
responsibilities and actions of awareness and training of staff
involved in processing operations, as well as related audits;
c) advise, upon request, on the assessment of the impact on protection
personal data and monitoring its operation, in
in accordance with art. 32 ;
d) cooperates with the supervisory authority;
e) is designated as a contact person in relation to the supervisory authority
on processing issues, ensuring prior consultation
provided in art. 33 , as well as, if necessary, consultation on any
another matter.
ARTICLE 43

Page 25

(1) The transfer of personal data which are being processed or
which are intended for processing after transfer to a third country or to a
international organization, including subsequent transfers to another third country
or another international organization, can only take place with respect
the provisions of this law and only if the following conditions are met:
a) the transfer is necessary for the achievement of the purposes provided in art. 1 ;
b) personal data are transferred to an operator in a third country,
which is a competent authority, within the meaning of art. 4 lit. g), or an organization
international, established for the purpose provided in art. 1 ;
c) if the personal data have been transmitted or have been
made available by the competent authorities of another Member State, that State
Member State has previously authorized the transfer in accordance with
its domestic law;
d) The Commission has adopted a decision on the adequacy of the level of
protection, pursuant to art. 36 of Directive (EU) 2016/680 of the Parliament
European Parliament and of the Council of 27 April 2016 on the protection of individuals
regarding the processing of personal data by the authorities
competent for the purpose of prevention, detection, investigation or prosecution of
offenses or the execution of punishments and on their free movement
and repealing Council Framework Decision 2008/977 / JHA, or in the absence of
to such a decision, adequate guarantees exist or are offered pursuant to art. 37 din
Directive or, in the absence of a decision on the adequacy of the level of
protection in accordance with art. 36 or appropriate safeguards accordingly
with art. 37 , derogations apply for special situations in accordance with art. 38
from that;
e) in the case of a subsequent transfer to another third country or organization
the competent authority that made the initial transfer or another
the competent authority of the same Member State shall authorize the subsequent transfer,
taking due account of all relevant factors.
(2) When evaluating the factors relevant for the transfer, under the conditions of par. (1) lit.
e), at least the following aspects are taken into account:
a) the gravity of the crime;
b) the purpose for which the personal data were initially transferred;
c) the level of protection of personal data in the third country or in
the international organization to which the data are subsequently transferred
personal.
(3) The Romanian competent authorities authorize the transfer of character data
personally to a third country or to an international organization, at the request of a
competent authorities of a Member State, only if they are fulfilled
the conditions provided by this law.
(4) The authorization provided in par. (3) is transmitted quickly, but no longer
no later than 30 calendar days from receipt of the request. If not
the conditions provided by this law for authorization are met

Page 26

the competent authority of the Member State which made the request i
the reasons why the transfer cannot be authorized shall be communicated.
(5) The Romanian competent authorities may make the transfers without the authorization
by another Member State, in accordance with the provisions of para. (1) lit.
c), only if the transfer of personal data is necessary for
prevention of an immediate and serious threat to order and safety
of a Member State or a third country or of fundamental interests
of a Member State and prior authorization cannot be obtained in good time.
The authority responsible for granting prior authorization is
informed without delay.
(6) The provisions of this article, as well as those of art. 44 - 48 applies
to ensure that the level of protection of individuals guaranteed by
this law is not undermined.
ARTICLE 44
1. Transfer of personal data to a third country or organization
international is always possible, under the conditions of art. 43 para. (1) lit. d), then
when the European Commission has decided that the third state, a territory or one or more
administrative-territorial divisions determined by that third state or organization
ensure that an appropriate level of protection is provided.
(2) The transfers made under the conditions of par. (1) does not require special authorizations.
3. The competent authorities shall, in the case of transfers provided for in
para. (1), to monitor and comply exactly with the provisions of the implementing acts
application adopted by the European Commission.
(4) Decision of the European Commission repealing, amending or suspending a
adequacy decisions are without prejudice to transfers of personal data
to the third country, to the territory or to one or more specified sectors
from that third country or to the international organization concerned in accordance
with art. 37 and 38 .
(5) The Romanian competent authorities have the obligation to monitor the list of states
third parties, of the territories and administrative-territorial divisions determined from the states
third parties and international organizations in which the European Commission has decided
that the appropriate level of protection is provided or is no longer provided by
consultation of the Official Journal of the European Union and the Commission's website
European.
ARTICLE 45
(1) By exception from the provisions of art. 43 para. (1) lit. d), in the absence of a
decisions taken by the European Commission, the transfer of personal data
to a third country or to an international organization may then take place
When:
a) adequate safeguards have been established with regard to data protection with
personal character by a legally binding act; or

Page 27

b) the operator has assessed all the circumstances related to the data transfer with
personal and concluded that there are adequate safeguards in this regard
protection of personal data.
(2) In order to fulfill the conditions provided in par. (1) lit. b), the operator
must take into account at least the following:
a) the general situation regarding the observance of human rights and freedoms
fundamental;
b) the relevant legislation, both general and sectoral, including on order
and public safety, defense, national security and criminal law, and
implementation of this legislation;
c) access of public authorities to personal data;
d) the legislation regarding the protection of personal data;
e) measures regarding the security of personal data;
f) the legislation regarding the subsequent transfer of personal data to another
third country or international organization;
g) the effective and opposable rights of the persons concerned and effective reparations
administratively and judicially for the data subjects whose data with
personal character are transferred.
3. The operator shall inform the supervisory authority of the
the transfers made under the conditions of par. (1) lit. b).
(4) The operator has the obligation to keep records of the transfers made in
the conditions of par. (1) lit. b), specifying at least the following:
a) date and time of transfer;
b) information on the receiving competent authority;
c) information on the justification of the transfer;
d) personal data transferred.
(5) The documentation provided in par. (4) shall be kept for a period of 10
years and shall be made available to the supervisory authority upon request.
ARTICLE 46
(1) By exception from the provisions of art. 45 para. (1) and if they cannot be
fulfilled the conditions provided in art. 44 , a transfer or a category of
transfers of personal data to a third country or organization
can only take place if the transfer is necessary
to achieve one of the following goals:
a) the protection of the vital interests of the data subject or of another person,
such as preventing an imminent danger at least to life, integrity
bodily or their health;
b) the protection of the legitimate interests of the data subject, if there is a
express legal provision in this regard;
c) prevention of an immediate and serious threat to order and safety
of a Member State or a third country;
d) in individual cases for the purposes established in art. 1 ;

Page 28

e) in an individual case for the discovery, exercise or defense of a
right in court regarding the purposes established in art. 1 .
(2) It is prohibited the transfer of personal data under the conditions of par. (1) lit.
d) and e) if following the evaluations performed by the competent authority
Romanian who transfers personal data it is established that the rights and
the fundamental freedoms of the data subject prevail over the interest
public.
(3) In the situation of transfers made under the conditions of par. (1), the provisions of art. 45
para. (4) and (5) shall apply accordingly.
ARTICLE 47
(1) In specific individual cases, if all conditions are met
regarding the transfer of personal data provided by this law,
the operator may transfer personal data to recipients in the States
third parties that are not competent authorities within the meaning of this law, only if
the following conditions are cumulatively met:
a) the transfer is strictly necessary for the exercise of an attribution provided by
law in charge of the Romanian competent authority, in order to carry out the activities
provided in art. 1 ;
b) the Romanian competent authority establishes that none of the rights and
the fundamental freedoms of the person concerned do not prevail
the public interest which requires the transfer in that case;
c) from the evaluations performed by the Romanian competent authority it results that
transfer to a competent third country authority
performing the activities provided in art. 1 , is inefficient or inadequate,
in particular because the transfer cannot be made in a timely manner;
d) the authority of the third country, which is competent for the purpose of fulfillment
the activities provided in art. 1 , is informed without undue delay, with
unless this measure is ineffective or inadequate;
e) the Romanian competent authority informs the recipient about the purpose
or the exclusive determined purposes for which the latter may process
personal data, provided that such processing is necessary.
(2) The transfer under the conditions of par. (1) is possible only if the recipient
undertakes in writing not to process personal data for any purpose other than
the one for which they were transmitted, limited to the fulfillment of the purposes provided in
art. 1 .
(3) The provisions of par. (1) does not affect transfers of personal data
established by treaties concluded in the field of judicial cooperation in criminal matters
or international police cooperation.
(4) The Romanian competent authority shall inform periodically, at least once on
year, the supervisory authority in respect of transfers made under
this article.
(5) In the case of transfers made under the conditions of par. (1), the provisions of art. 43
para. (4) and (5) shall apply accordingly.

Page 29

ARTICLE 48
With regard to third countries and international organizations, the authorities
competent authorities shall take appropriate measures to:
a) development of international cooperation mechanisms to facilitate
ensuring effective compliance with data protection legislation
personal;
b) providing mutual international assistance in ensuring compliance
legislation in the field of personal data protection, including through
notifications, transfer of complaints, investigation assistance and exchange of information,
subject to adequate safeguards for the protection of personal data
and other fundamental rights and freedoms;
c) involvement of relevant stakeholders in the discussions and activities that have as
aim to strengthen international cooperation in order to ensure compliance
legislation in the field of personal data protection;
d) promoting exchanges of legislation and practices on protection a
personal data and documentation thereon, including in
regarding possible conflicts of jurisdiction with third countries.
ARTICLE 49
(1) In order to carry out the activities of investigation and fight against crimes,
personal data recording systems or, as the case may be, the means
automatic processing of personal data held by operators,
for different purposes, they can be interoperable.
(2) For the purpose provided in par. (1), interoperability of evidence systems a
personal data or automatic means of data processing
with a personal character it can also be done with the evidence systems or with the means
automatic processing of personal data held by other operators,
national public authorities and institutions.
(3) The interoperabilities provided in par. (1) and (2) are possible only with
prior consultation of the supervisory authority.
(4) For the purpose provided in par. (1), interoperability of evidence systems a
personal data or automatic means of data processing
with a personal character can also be achieved with the record systems or with
automatic means of processing personal data held by others
operators, private law entities.
(5) The interoperabilities provided in par. (4) are allowed only for the purpose
conducting the criminal investigation, based on an ordinance issued by the prosecutor
competent to carry out or supervise the criminal investigation in a case
determined, or, in case of trial of a crime, by the full court
invested with solving the case.
(6) Direct access or through an electronic communications service to a
system for recording personal data that is the subject
interoperability, according to par. (1), is allowed only under the conditions of the law and with
compliance with the provisions of art. 1 .

Page 30

ARTICLE 50
(1) In the case of crime prevention, maintenance and enforcement activities
ensuring public order and safety, data recording systems with
personal data or automatic means of processing personal data
personnel can be interoperable with:
a) The National Register of Persons;
b) The national register of simple passports;
c) National register of driving licenses and vehicles
registered.
(2) In the case of the activities provided in par. (1), data recording systems
personal data or, as the case may be, automatic means of data processing
personal data held by operators, for similar purposes or
correlated, can be interoperable.
(3) The interoperabilities provided in par. (1) and (2) are brought to the notice
the supervisory authority.
(4) In the case of the activities provided in par. (1) systems can be interoperable
evidence of personal data or, where appropriate, automatic means of data
processing of personal data held for different purposes,
only with the prior consent of the supervisory authority.
ARTICLE 51
(1) Supervision of the processing of personal data carried out in
under this law, in order to protect fundamental rights and freedoms
of natural persons, in terms of processing and for facilitation
free movement of personal data within the European Union,
performed by the supervisory authority.
2. The supervisory authority shall cooperate with similar authorities in other States
Member States, as well as with the Commission, in accordance with art. 56 .
ARTICLE 52
1. The supervisory authority shall monitor and control in this respect
the legality of the processing of personal data falling within the scope
of this law.
(2) By exception from par. (1), the supervisory authority is not
competent to supervise the processing operations of the courts then
when they act in the exercise of their judicial function.
3. To this end, the supervisory authority shall carry out the tasks provided for
the art. 57 para. (1) lit. b), c) and t) of Regulation (EU) 2016/679, as well as
next:
a) promotes awareness actions among operators and
to the persons empowered by them in respect of their obligations in
under this law;
b) provide information, upon request, to any data subject in connection with
exercise of its rights under this law and, where appropriate,
cooperate with the supervisory authorities of other Member States to this end;

Page 31

c) receives complaints lodged by a data subject or body, o
organization or association, in accordance with art. 55 or 57 , investigate
an appropriate measure the subject of the complaint and inform the person who filed it
the complaint regarding the evolution and the result of the investigation, in a term
reasonable, especially if further investigation is required
or coordination with another supervisory authority;
d) verifies the legality of the processing in accordance with art. 20 and inform
the data subject, within a reasonable time, on the result of the verification in
pursuant to art. 20 para. (3) or on the reasons for which it did not take place
verification;
e) cooperate, including through the exchange of information, with other authorities of
supervision and provide mutual assistance to ensure consistency of application
and compliance with this law;
f) conducts investigations regarding the application of this law, including on the basis
information received from another supervisory authority or authority
publishes;
g) monitors the relevant developments, insofar as they have an impact
on the protection of personal data, in particular the evolution of technologies
information and communications;
h) provides advice on the processing operations mentioned in art. 33
and 34 .
ARTICLE 53
(1) In exercising the powers of investigation, the supervisory authority
has access to all personal data processed by the operator and the person
authorized by the operator, as well as all information necessary for
fulfilling its tasks.
2. The supervisory authority shall have the following powers:
a) to issue warnings to the attention of an operator or a person
empowered by the operator regarding the probability that the operations of
processing intended to violate the provisions of this law;
b) to order the operator or the person empowered by the operator to
ensure the conformity of processing operations with the provisions of this law,
specifying, as appropriate, the manner and deadline for this, in particular
ordering the rectification or deletion of personal data or
restricting their processing, in accordance with art. 18 ;
c) to order the temporary or definitive limitation or the interdiction of the processing.
3. The supervisory authority shall advise the operator accordingly
with the prior consultation procedure mentioned in art. 33 and 34 and issue opinions,
on its own initiative or at the request of Parliament, the Government or other institutions
and bodies, as well as the public, on any aspect of protection
personal data.
ARTICLE 54

Page 32

Competent authorities shall establish effective mechanisms to encourage
confidential denunciation of infringements of this Directive.
ARTICLE 55
The supervisory authority shall draw up an annual report on
its activities, which may include a list of reported infringements and
the nature of the sanctions applied. The reports shall be forwarded to Parliament and the Government.
The reports shall be made available to the public, the Commission and the European Committee
for Data Protection.
ARTICLE 56
1. The supervisory authority shall cooperate with similar institutions in
abroad and provide representation on the European Committee for
Data Protection.
(2) The provisions of Law no. 102/2005 , with subsequent amendments and completions,
regarding the cooperation of the National Processing Supervisory Authority
Personal Data with similar institutions from abroad are applicable
suitably.
ARTICLE 57
1. If the data subject considers that the processing of data with
personal data concerning her violates the provisions of this law, she has the right to
to complain to the supervisory authority.
(2) The provisions of the General Data Protection Regulation are
applicable accordingly.
ARTICLE 58
Without prejudice to the possibility of appealing to the
supervision, data subjects have the right to apply to the court for
the defense of any rights guaranteed by this law, which have been violated.
ARTICLE 59
In order to protect his rights, the data subject has the right to mandate a
non - profit - making body, organization or association established in
the conditions of the law, whose statutory objectives are of public interest and which is
active in the field of protection of the rights and freedoms of data subjects
regarding the protection of personal data, to file the complaint on behalf of
and to exercise on its behalf the rights provided by this law.
ARTICLE 60
(1) Any person who has suffered material or moral damage as a result of
an illegal processing operation or any infringing action
the provisions of this law has the right to obtain compensation, in accordance with the law,
for damage caused by the operator or another competent authority.
(2) If, in the case of automatic processing of personal data, no
it is possible to determine the personal data controller who caused it
damage, each of the personal data controllers involved in
the processing operation is considered to be responsible.
ARTICLE 61

Page 33

(1) The infringement by the operator or, as the case may be, by
the person empowered by the operator of their obligations in accordance with art.
11 and 22 - 42 of this law.
(2) The violation by the operator or, as the case may be, by
the person empowered by the operator of the provisions of art. 10 of this law.
(3) The contraventions provided in par. (1) and (2) shall be sanctioned with a fine from
10,000 lei to 100,000 lei.
(4) The violation by the operator or, as the case may be, by
the person empowered by the operator of the norms provided in art. 5 .
(5) The violation by the operator or, as the case may be, by
the person empowered by the operator of the rights of the persons concerned in
in accordance with art. 12 - 21.
(6) It is a contravention the violation by the operator or, as the case may be, by
the person empowered by the operator of the provisions relating to transfers of
personal data to a recipient in a third country or organization
international, in accordance with art. 44 - 49.
(7) The violation by the operator or, as the case may be, by
the person empowered by the operator of the provisions issued by the competent authority
supervision pursuant to art. 53 para. (2) or failure to grant access to the
supervision, by violating the provisions of art. 53 para. (1).
(8) The contraventions provided in par. (4) - (7) shall be sanctioned with a fine from
20,000 lei to 200,000 lei.
ARTICLE 62
(1) In case of finding the violation of the provisions of the present law by the operator
or, as the case may be, by the person empowered by the operator, the authority of
supervision concludes a report of finding and sanctioning of
the contravention by which the sanction of the warning is applied, according to art. 58 para.
(2) lit. b) of the General Regulation on data protection, and to which it annexes
a remediation plan.
(2) The remediation term is established according to the associated risks
processing, as well as the steps necessary to be performed for insurance
conformity of processing.
(3) Within 10 days from the date of expiry of the remediation period,
the supervisory authority may regain control.
4. If the operator or, as the case may be, the person empowered by
operator finds that it cannot meet the deadline, for reasons
substantiated, part of the measures ordered by the remediation plan, notifies
the supervisory authority on this matter at least 10 days in advance
of the expiration of the term, being able to request at the same time the extension of the initial term.
(5) The supervisory authority shall examine the request for extension of
the deadline and communicate the response to the operator or, as the case may be, to the person
authorized by the operator, within 7 days from the receipt of the request.

Page 34

(6) If the supervisory authority considers the operator's request to be justified
or, as the case may be, of the person empowered by the operator, may extend
the remediation period of up to 30 days. Otherwise, the provisions apply
from para. (3).
(7) The responsibility for carrying out the remedial measures lies with the operator
or, as the case may be, to the person authorized by the operator, who, according to the law, wears
the contravention liability for the ascertained facts.
(8) The model of the remediation plan which is annexed to the minutes of
finding and sanctioning the contravention is provided in the annex to this law.
ARTICLE 63
If, on resumption of control, the supervisory authority finds that
the operator has not fully implemented the measures provided for in the plan
remedy, this, depending on the circumstances of each case, may
apply the contravention sanction of the fine.
ARTICLE 64
On the date of entry into force of this law, Law no. 238/2009 regarding
regulation of the processing of personal data by
structures / units of the Ministry of Administration and Interior in the activities of
preventing, investigating and combating crime, and maintaining and
ensuring public order, republished in the Official Gazette of Romania, Part
I, no. 474 of July 12, 2012, is repealed.
ARTICLE 65
The provisions of art. 61 shall enter into force 30 days after the date of publication of this Agreement
laws in the Official Gazette of Romania, Part I.
*
This law transposes into national legislation Directive (EU) 2016/680 a
European Parliament and of the Council of 27 April 2016 on protection
natural persons regarding the processing of personal data by
competent authorities for the purpose of prevention, detection, investigation or prosecution
criminal offenses or the execution of sentences and on the free movement of
these dates and repealing Council Framework Decision 2008/977 / JHA,
published in the Official Journal of the European Union, L series, no. 119/89 of 4 May
2016.
This law was adopted by the Romanian Parliament, in compliance with
the provisions of art. 75 and of art. 76 para. (2) of the Romanian Constitution, republished.
p. THE PRESIDENT OF THE CHAMBER OF DEPUTIES,
CARMEN-ILEANA MIHĂLCESCU
PRESIDENT OF THE SENATE

Page 35

CĂLIN-CONSTANTIN-ANTON POPESCUTĂRICEANU
Bucharest, December 28, 2018.
Nr. 363.
attached
REMEDY PLAN
day ............ month ............ year ......
How to carry out remedial measures
______________________________________________________________
________
| No. | The act committed Remedial measures Term of | Way
fulfillment
||
|
| remedy |
|
| ___ | _________________ | _______________________ | ___________ | ___________
_________ |
||
|
|
|
| ___ | _________________ | _______________________ | ___________ | ___________
_________ |
||
|
|
|
| ___ | _________________ | _______________________ | ___________ | ___________
_________ |
||
|
|
|
| ___ | _________________ | _______________________ | ___________ | ___________
_________ |
||
|
|
|
| ___ | _________________ | _______________________ | ___________ | ___________
_________ |
Other mentions
.................................................. ..................
.......
.................................................. ..................
.......
_______________________________
________________________________
| Detecting agent /
|
| Competent person
............................. |
| ............................. |
signature)

|

| Offender,

|

|
| (name, surname,

Page 36

| (name, surname, signature)
|
| _______________________________ |
| __________________________________ |

---------------

| Stamp

|

|

|

|

