A lot to watch out for by data controllers this year


Cyber security and information network protection. Future technology network for business and internet concept. Earth element furnished by Nasa
Author: Lavinia Lungeanu, Roxana Ionescu

Recently, the European Data Protection Board (“EDPB”) has set out its priorities and published the Work Programme for 2023-2024 (“Work Programme”). For Romanian controllers and processors alike, it is important to match the priorities announced by EDPB with the ones highlighted by the Romanian DPA in its recent activity.

Below we have looked at some of the main actions announced by EDPB and correlated the same with the Romanian DPA’s activity:

Topic EDPB focus Romanian DPA focus
International data transfers to third countries Perhaps this is one of the issues of highest interest for many controllers this year.

The Work Programme announced by EDPB highlighted the awaited guidance, opinion, and review on:

  • adequacy decisions for international transfers of personal data to third countries
    On 28 February 2023, EDPB published its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework.
    The EDPB welcomes the improvements compared to the previous framework but raised some points of clarification related to certain concerns with the European Commission.
    The controllers must watch out for the final form of the EU-US Data Privacy Framework and the practical implications thereof.
  • referential for the approval of BCR Controller, respectively of BCR Processor
  • Article 48 GDPR (“Transfers or disclosures not authorized by Union law”)
  • Article 37 LED (“Transfers subject to appropriate safeguards”).

Recently, EDPB published two guidelines with significant relevance for international transfers, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR and Guidelines 07/2022 on certification as a tool for transfers.

Even if the Romanian DPA has not been very active in these areas so far, we expect an increase in investigations cases regarding compliance with the requirements applicable to international data transfers.

The Romanian DPA announced that 40 multinational companies made requests for the approval of binding corporate rules – BCRs in 2021, and 69 companies in 2020.

The usage of new technologies In its Work Programme, EDPB sets out that one of the objectives is to reinforce the application of data protection principles and individual rights in the context of new technologies and establish common positions and guidance on:

  • The use of facial recognition by law enforcement authorities
  • Anonymization
  • Pseudonymization
  • Blockchain
  • Telemetry and diagnostic data
  • Interplay between the AI Act and the GDPR.
Last year, the Romanian DPA conducted investigations related to non-compliance with data processing principles in the context of using cookies and similar technologies or using biometric data.

The sector of new technologies is anticipated to be among those that will register significant growth in Romania in the upcoming years.


Handling Data subjects’ requests, mainly the right of access and the right to erasure. One of the EDPB priorities reflected in the Work Programme is to develop further guidance on data subject rights, especially related to the right of access.


Multiple complaints directed to the Romanian DPA in the last years were related to the violation of the data subject rights, especially the right of access, the right to object, and the right to erasure.

These are the most frequent cases of notices and complaints in 2021 according to the Romanian DPA Activity Report, and we can anticipate that this topic will continue to remain one of interest for the Romanian DPA activity.

Processing personal data of children A guideline on children’s data is expected to be developed within the Work Programme announced by EDPB for 2023-2024. During the last public conference of this year, the Romanian DPA representatives pointed out processing minors’ data as one of the main topics to watch out for.
Data Breach Notifications A targeted update of the data breach notification guidelines is expected within EDPB Work Programme.


The practice of the Romanian DPA after GDPR revealed extensive work around breaches of data security and confidentiality. The recent activity reports show several investigations due to the complaints or data breach notifications for which sanctions were applied (mainly fines and corrective measures).

The last activity report of the Romanian DPA showed that 372 notices and data breach notifications were received in 2021, and based on them, investigations were opened for each one.

We expect this subject to remaining a top priority for the Romanian DPA. Hence, controllers need to continue their efforts on improving the security measures and the management of data breach notifications.

Use of social media Guidelines on the use of social media by public bodies are expected to be developed by EDPB considering the practical experience of stakeholders.

Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognize and avoid them following public consultation were adopted by EDPB on 24 February 2023. This document also includes practical aspects in annexes, such as a checklist of deceptive design pattern categories and best practices.

Publishing/disclosing personal data online, especially on social networks was one of the most frequent cases of notices and complaints with the Romanian DPA according to its Activity Report for 2021.


EDPB also announced in its Work Programme other guidelines and practical tools. Some of them are listed below:

  • legitimate interests
  • processing of data for medical and scientific research purposes
  • effective enforcement and cooperation
    On 15 March 2023, EDPB launched coordinated enforcement on the role of data protection officers. In the upcoming months, participating DPAs will scrutinize the designation and position of DPOs. For these purposes, DPOs could be asked to provide certain information either as part of a questionnaire or as a part of an investigation (i.e., new, or ongoing national investigations). The DPAs will decide on possible further national supervision and enforcement actions. A report of EDPB will be expected after the conclusion of the set actions.
  • administrative fines
  • compliance mechanisms for controllers.

It is worth mentioning that Guidelines and recommendations developed by EDPB are not binding by themselves, but in its practice, the Romanian DPA agrees to apply them consistently.