Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Romania - Data Protection

History of Data Protection in ROMANIA

In November 2001, the Romanian Parliament enacted Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data. The law closely follows Directive 95/46/EC.

As Romania is seeking to join the EC, providing a level of data protection in line with European requirements is of crucial importance. Indeed, in the very same month as the Personal Data law was passed, the Romanian Parliament also enacted Law No. 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector, which closely follows the Telecommunications Privacy Directive.

Summary of Data Protection in ROMANIA

Title of Data Protection Legislation Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data (Click on Legislation)
Name of supervisory authority Romanian Ombusdman
General Powers of supervisory authority Article 21 of the 2001 law sets out the tasks of the supervisory authority. These tasks include: Authorising the processing of data in accordance with the law;
Temporarily suspending or terminating data processing, partially or totally erasing processed data and notification of the criminal prosecution bodies or filing complaints to the court of law in cases where the law is breached;
keeping of the personal data processing register, which is available to public access;
receiving and resolving complaints and requests made by natural persons and communicating the resolution, or the measures which have been taken;
performing investigations either upon its own initiative or upon requests;
commenting on legislative drafts concerning personal data processing;
making proposals concerning the initiation of legislative drafts or amendments to already enforced legislative acts.
Who has standing to notify the supervisory authority of breaches? The data subject.
What are the penalties for data controllers if they breach the law? Article 17(2) of the 2001 law states that the penalty for breaching the law is a fine. In addition, Article 17(4) states that the regulatory authority may suspend or cancel the licence of the controller.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Article 3(a) of the 2001 law defines personal data as "any information referring to a natural person, identified or identifiable; an identifiable person is that person who can be identified, directly or indirectly, particularly with reference to an identification number or to one or more specific details of his physical, physiological, psychical, economical, cultural or social identity". Presumably, then, identification numbers are to be treated as ordinary personal data.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? No, but the Ethical Code of the College of Physicians states that medical information must remain secret even after the patient's death.
Who is able to indirectly identify the data subject? Probably anybody

Laws and Regulations

Institutions