On 24 June Law no. 129/2018 entered into force. It had been published in the Romanian Official Gazette no. 503 of June 19, 2018, and it amends and supplements Law no. 102/2005 on the setting up, organization and functioning of the National Supervisory Authority for Personal Data Processing, as well as repealing Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Law no. 102/2005 on the setting up, organization and functioning of the National Supervisory Authority for Personal Data Processing was completed with new chapters, detailing the control duties and procedures for resolving complaints by the authority and also the relevant judicial remedies available in relation to data subjects and controllers/processors.

Among the most important amendments made were the following:

Regarding the control powers of the National Supervisory Authority, control personnel are now entitled to carry out investigations (including unannounced ones), requesting and obtaining any information and documents, (regardless of the storage support), from the data controller/processor or their representatives.  They are also entitled to take copies of these documents, to have access to any of the premises of the data controller/processer and to have access to and verify any equipment, storage means or support of personal data for the purpose of the investigation.

If the data controller or data processor under investigation opposes the control by the authority, a judicial order can be obtained from the Court of Appeal within a maximum of 48 hours. Also, in case the entity under investigation does not transmit the required information to the inspectors, the President of the National Supervisory Authority can impose daily fines of 3000 lei (around 800 Euro/day) for each day of delay.

In order to conduct their investigation, the National Supervisory Authority may order expert opinions and hearings of those persons whose statements are considered relevant and necessary for the investigation.

Any fines below or equal to 300,000 Euro can be imposed through the Minutes concluded by the inspectors, while those fines above this amount, are subject to a decision of the President of the National Supervisory Authority, adopted based on the Minutes concluded by the inspectors of the authority. The authority has the possibility to apply corrective measures as well, including the suspension of the data processing. The Minutes/Decision may be appealed within 15 days from the date of its communication to the sanctioned entity. The appeal only suspends the payment of the fine (the execution of the corrective measures is not suspended).

If following the exercise of its legal duties, the National Supervisory Authority considers that any of the rights of the data subject under the legal regulations in the field of personal data protection have been violated, it may refer the matter to the competent court. The data subject has standing as the plaintiff in the trial, and shall be summoned as such.

If the claim is upheld, the National Supervisory Authority ceases its role in the judicial proceedings. If the data subject decides not to pursue the claim of the National Supervisory Authority, the court must annul the claim in accordance with the Civil Procedure Code. Such a law suit, as well as the cases submitted to the courts by the data subjects, are free of any judicial tax.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.