Privacy Laws

Romania's data protection in comparison to the GDPR

The flag of Romania with a city in the background showing busy streets. — © agcreativelab / stock.adobe.com | #258606096

General overview

Romania's data protection landscape is primarily governed by Law No. 190/2018, which serves as the country's implementing legislation for the General Data Protection Regulation (GDPR). The National Supervisory Authority for Personal Data Processing (ANSPDCP) further regulates specific areas of the GDPR, such as Data Privacy Impact Assessments (DPIA), certification bodies, and security breaches.

GDPR opening clauses

The GDPR became effective in Romania, like other EU Member States, in May 2018. To supplement the GDPR and address specific national concerns, Romania enacted Law No. 190/2018. This law was published in the Official Gazette No. 651 on July 26, 2018, and provides special rules and derogations from the GDPR.

Key differences and national specifics

Special categories of personal data: Law No. 190/2018 includes special rules for the processing of certain types of personal data, such as genetic and biometric data.
Data Protection Officers (DPO) and Certification Bodies: The law also provides specific provisions regarding DPOs and the accreditation of certification bodies.
Sanctions: The law outlines the applicable sanctions for both public and private entities in case of GDPR violations.
Law No. 363/2018: This law, which came into force in January 2019, deals with the processing of personal data by competent authorities for criminal offenses and sanctions.
ANSPDCP Decisions: Several decisions have been issued by the ANSPDCP to further clarify and implement the GDPR and Law No. 190/2018. These decisions cover a wide range of topics, from DPIAs to the standard form for the notification of personal data breaches.
Guidelines: The ANSPDCP has a GDPR resource center and has issued guidance on frequently asked questions regarding the implementation of the GDPR and Law No. 190/2018.

Conclusion

Romania has a comprehensive data protection framework that not only aligns with the GDPR but also addresses specific national concerns through Law No. 190/2018 and various ANSPDCP decisions. While the ANSPDCP's guidelines may be considered scarce and generic, they serve to reiterate the main principles and standards of the GDPR, ensuring a harmonized approach to data protection within the country.

Write email

Group	external media
Name	Calendly
Technical name	_cf_bm,__cfruid,OptanonConsent
Provider	Calendly LLC
Expire in days	365
Privacy policy	https://calendly.com/privacy
Use	To arrange appointments via the provider Calendly.
Allowed
Group	essential
Name	Contao CSRF Token
Technical name	csrf_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the website from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	Contao HTTPS CSRF Token
Technical name	csrf_https_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Used to protect the encrypted website (HTTPS) from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	PHP SESSION ID
Technical name	PHPSESSID
Provider	Contao
Expire in days	0
Privacy policy
Use	Cookie from PHP (programming language), PHP data identifier. Contains only a reference to the current session. No information is stored in the user's browser and this cookie can only be used by the current website. This cookie is mainly used in forms to increase user-friendliness. Data entered in forms is stored for a short time, for example, if the user makes an input error and receives an error message. Otherwise, all data would have to be entered again.
Allowed
Name	FE USER AUTH
Technical name	FE_USER_AUTH
Provider	Contao
Expire in days	0
Privacy policy
Use	Saves a visitor's information as soon as they log in to the frontend.
Allowed