According to the GDPR "the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract"1. In other words, companies may choose to appoint an internal DPO, who is already a member of the company's staff, or an external DPO (e.g. lawyers, data privacy specialists).

Particularly the possibility to appoint an existing employee as DPO has led to numerous discussions and debates in the business field on the necessity of including the DPO occupation in the Romanian COR or not.

Although there were voices against the above proposal, the majority of interested persons found this approach to be both necessary and welcome, not only for data privacy purposes, but mainly from an employment law perspective.

In this context, the Minister of Labor and Social Justice decided to update the COR to expressly provide for the DPO occupation, by Order no. 1786/5384/2017 on the amendment and completion of the Classification of Operations in Romania ("Order no. 1786/5384/2017"). Thus, the "DPO occupation" – in Romanian "responsabil cu protecția datelor" - is now provided for in the COR under code 242231.

Order no. 1786/5384/2017 was published on 21 November 2017 in the Romanian Official Gazette no. 909, Part I and entered into force on the same day.

For the full content of the COR, please refer to Order no. 1832/856/2011 of the Minister of Labor, Family and Social Protection and of the President of the National Institute of Statistics on the approval of the Classification of Occupations in Romania - as amended and completed.


1 Article 37 (6) GDPR

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.