Key takeaways from 3 years of GDPR application in Romania

25.05.2021 - On the 3rd anniversary of GDPR’s application, it is only natural to look back at what happened during this period in an attempt to guess what is coming. So what are the key takeaways of the last 3 years of GDPR in Romania?


Roxana Ionescu and Iurie Cojocaru

If you are to look at the numbers (see table below), the situation does not seem very dire:

  • the number of complaints and related investigations is down;
  • the number of notified personal data breaches is down, although only slightly (194 in 2020 compared to 233 in 2019);
  • the total amount of fines applied is down, interestingly enough, by 2,6 times in 2020 by comparison to 2019, even though the number of fines remains almost the same;
  • the number of warnings and corrective measures is pretty constant;
  • the number of investigations is slightly higher (398 in 2020 as compared to 385 in 2019);
  • only the number of notices of GDPR breaches seems to increase significantly from year to year (204 in 2020 compared with 152 in 2019).
| Romanian DPA activity in numbers(1) | 2018 | 2019 | 2020 | 2021 – to date |
|---|---|---|---|---|
| Complaints received from data subjects | 4,822 | 5,808 | 5,082 | 1,600 |
| Investigations opened to address complaints | 1,021 (630 after GDPR became applicable) | 527 | 296 | 155 |
| Notified data breaches | 312 | 233 | 194 | 84 |
| Notices of GDPR breaches | 24 | 152 | 204 | 49 |
| Investigations opened to address data breaches notifications and notices received | 396 (336 after GDPR became applicable) | 385 | 398 | 133 |
| Sanctions: No. of fines | 56 | 28 | 29 | 15 |
| Amount of fines (in aggregate) | RON 408,500 / EUR(2) 84,226.80 | RON 2,339,291.75 / EUR(2) 482,328.19 | RON 892,115.95 / EUR(2) 183,941.43 | RON 110,545.7 / EUR(2) 22,792.92 |
| No. of warnings | 124 | 134 | 64 | 37 |
| No. of corrective measures | 57(3) | 128 | 65 | 30 |
| No. of court cases | Info not provided | 207 | 127 | 98 + 5 |
| No. of codes of conduct approved | 0 | 0 | 0 | 0 |
| No. of DPOs notified to the DPA | Info not provided | 4,318 | 2,081 | 713 |

(1) Based on statistical data and yearly reports published by the DPA on

(2) At an exchange rate of EUR 1 = RON 4,85

(3) The number is provided for the full 1st year of GDPR application, hence it may include measures imposed in 2019 as well.

But these numbers tell only half the story. Let’s take a deeper look:

Data subjects are becoming more educated on GDPR topics

The SARS-CoV-2 pandemic has impacted the DPA’s activity in 2020, especially on the investigation side. Even so, what is interesting to note is that data subjects’ interest in raising concerns about GDPR compliance remains high. This should come as a warning to data controllers who hope that the worst is over. If anything, it seems that data subjects are becoming more and more educated about their rights under GDPR and are not shy about using such rights in a broad range of contexts. More often than not, GDPR becomes a topic of discussion when tensions arise in the relationship between controllers and data subjects, be they commercial or employment relationships. This may seem unfair to controllers, as their position on the commercial or employment side is often justifiable, but they still need to deal with data subjects’ requests. If they fail to do so, they run a greater risk of coming into the Romanian DPA’s crosshairs, as this authority initiates most investigations further to receiving data subject complaints.

Key takeaway: Controllers, keep your focus on the solutions for managing data subjects’ rights within your organization.

Data security is still a key GDPR compliance issue

Looking at the almost constant number of data breach notifications filed yearly, one may think that compliance is improving when it comes to data security. However, one cannot help wondering whether the low number of data breach notifications compared with other EU member states is, in part, the result of the DPA’s enforcement actions in the previous years, when 3 out of the top 4 highest fines to that date were applied as a result of data breaches. In this context, controllers may think twice when assessing whether a data breach requires notification, as a notification will automatically trigger a DPA investigation and, in turn, may lead to sanctions.

Things are certainly evolving in this area, with numerous cases where personal data breaches involved multiple actors (controllers, processors, third parties), and with the DPA taking different positions depending on the facts of the case. In one instance, the DPA opted to fine only the processor that failed to take the necessary measures to ensure data confidentiality in relation to its own employees.

Key takeaway: Data security should still be high on the list of GDPR compliance tasks, with an eye to what processors do with the personal data.

Data transfers and outcome of the Schrems II judgement

For those of us who have worked on data protection topics for the last 15 years or so, data transfers seem to have become a recurring concern, especially in recent years. Few remember the scramble after the 2015 Schrems I judgement, when the European Court of Justice invalidated the Safe Harbor framework. On the other hand, surely many controllers still have on their to-do list actions related to their data transfers in the wake of the July 2020 Schrems II judgement. This is because this ruling not only invalidated the Privacy Shield, hence significantly impacting data flows to the US, but also raised questions about the possibility of using Standard Contractual Clauses as an alternative. In particular, the court’s ruling, leading to the conclusion that controllers must individually assess aspects regarding any access by the public authorities of third countries to the personal data transferred, continues to seem unreasonable, especially since the court deemed insufficient the actions taken at institutional level for the Privacy Shield framework.

In Romania, to date the DPA has refrained from being very active in this area, but we are seeing increased attention from data subjects in respect of the final destination of their personal data.

Codes of conduct may be a solution for greater transparency and guidance in this area, but at least at national level, industry associations and the DPA have yet to complete work on any such code (albeit many are in progress).

Key takeaway: Controllers should try to seek more guidance from the DPA on data transfers and expected diligence efforts in assessing the elements highlighted by the Schrems II judgment.

Difficult topics are still to come

For controllers, efforts to ensure GDPR compliance are not a past issue, but a constant one. If we were to name only some of the challenges facing controllers in the next period, these would include:

  • the new rules under the e-Privacy Regulation, once work on this enactment is completed;
  • continued efforts to ensure correlation between GDPR and their specific industry norms;
    • The banking sector, with the Romanian National Bank’s requirements for banks to verify data, for anti-money laundering (AML) purposes, against information contained in public databases, is a good example of upcoming challenges. In the absence of clear rules on granting access to such databases, controllers in the public sector are refusing such access. On the other hand, under the data minimization and storage limitation principles of GDPR, any such access, when finally granted, needs to be clearly regulated in order to ensure a proper balance between the public interests protected by the AML norms and the rights under GDPR.
  • 2021 should be the year when codes of conduct finally start to be approved in Romania as well. But this will come with specific reporting and compliance monitoring requirements for controllers adhering to the codes. It is, therefore, important for such controllers to focus not only on getting the codes approved, via their industry associations, but also on their internal processes in order to ensure they can achieve that compliance.

and the list can go on and on.

So a final key takeaway would be this: do not lose focus on GDPR compliance, as things are only going to get more varied and complex.