Romanian Data Defense Laws

The relevant Romanian data protection laws are:

Law no. 677 of 2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, as further modified (” Law no. 677″).

Law no. 506 of 2004 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.


Applicability of the Law no. 677.

The provisions of the Law no. 677 apply when the data controller (i) is domiciled in Romania, or (ii) uses equipment or means to process personal data located in Romania, (unless the equipment or means are utilized only for purposes of transit data through Romania). If the information controller utilizes ways and equipment in Romania, however is not domiciled in Romania, the information controller should designate a representative in Romania.

Information Controllers.

The processing of personal data is defined by Law no. 677 as any operation or set of operations that involving personal data, carried out by automatic or non-automatic methods, such as collection, recording, storage, adaptation or modification, retrieval, consultation, use, disclosure to a third party by transmission, dissemination or by any other ways.

The personal data controller is a natural, or legal person, which picks the purpose and ways of the personal information processing, and runs a recording system of personal data collection and processing which supplies particular criteria for accessing the particular information.

Alert of the Data Processing.

According to Law no. 677, the information controllers should notify the personal data processing to the National Authority for the Supervision of Personal Data Processing (the “DPA”).

The Notification is sent out to the DPA before beginning any processing or transfer of personal information. All the documents to be filed with the DPA should be in Romanian. No filing charges should be paid when filing a Notification.

If the information controller processes personal data for 2 or more unassociated functions, then it has the commitment of filling out different Notifications for each of these functions. The information controller need to inform the DPA prior to starting any processing of the personal information.


The failure to notify, in the events in which the Notification is obligatory, as well as the incomplete Notification or the Notification which contains false information, are violations punishable by fines, supplied that they are not committed in such situations that will make them subject to criminal law.

The data controller should first get the DPA’s confirmation that the Notification is legitimate and was assigned a registration number in the Register of Recording of the Personal Data Processing. After invoice of the above mentioned confirmation, the information controller might begin processing and/or transferring the data.

Sensitive Data.

Sensitive data are the information associated with racial or ethnical origin, political, spiritual, philosophical viewpoint, criminal offences, small offences or other convictions, trade union membership, in addition to data concerning health or sex life. In addition to these information, under the Law no. 677, personal identification numbers, or other personal information with a basic recognition function i.e., nationwide ID/passport details are considered delicate information. The collection and processing of delicate data need the prior and reveal authorization of the owner of the information.

Transfer of the personal information abroad.

The transfer of information does not have to be authorized by the DPA if the data are moved to an EU/EEA nation, or to a non-EU/EEA nation for which the European Commission has actually issued an adequacy decision or other systems are in location to ensure an adequate level of protection. As an effect, currently the transfer of the personal information to the USA might be done based on the Standard Contractual Clauses authorized by the European Commission, or based on the authorization of the data subject.

Computer registry for Recording for the Personal Data Processing.

The Registry of Recording of the Personal Data Processing has the role of assuring the transparence relating to the information controllers’ activities and may be sought advice from by any interested person, such being offered online on the DPA’s website.