roepas.ro
Rules on personal data protection

Both public and private organisations processing the personal data of EU citizens are directly affected by the implementation of the General Data Protection Regulation.

Under this Regulation, natural persons have the right to receive compensation from controllers for damage resulting from an infringement of their right to the protection of their personal data, whether that damage is material or non-material.

The dissemination of personal data, whether or not the data are also used for other purposes, constitutes a breach of the Regulation and is subject to penalties.

The GDPR sets out detailed requirements for companies and organisations as regards the collection, storage and management of personal data.

Pursuant to Article 4 of the General Data Protection Regulation, ‘controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller, or the specific criteria for its designation, may be provided for by EU or Member State law. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The obligations of personal data controllers are provided for in Regulation (EU) 2016/679. The controller’s main obligations in the application of the Regulation include:

  • designating a data protection officer pursuant to Articles 37 to 39 of the Regulation;
  • mapping personal data processing activities (Article 30 of the Regulation);
  • ensuring data security (Articles 25 and 32 of the Regulation);
  • notifying personal data breaches pursuant to Article 33 of the Regulation;
  • assessing data protection impact and ensuring respect for natural persons’ rights (Article 35 of the Regulation).

You can find more information in the Guidelines for the implementation of the General Data Protection Regulation issued by the National Supervisory Authority for Personal Data Processing (ANSPDCP), posted on the home page of this authority.

A data protection officer must be designated when:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions and offences.

You can find more information in the Guidelines on Data Protection Officers issued by the European Data Protection Board, which may be accessed here.

The data protection officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and an ability to perform the tasks involved. The necessary level of expert knowledge must be determined according to the data processing operations carried out and the protection required for the personal data processed.

Regulation (EU) 2016/679 allows a group of undertakings to appoint a single data protection officer provided that they are ‘easily accessible from each establishment’.

The controller or the processor must publish the contact details of the data protection officer and report them to the supervisory authority.

Such reporting is made by filling in the Data Protection Officer Form under the Data Protection Officer section of the ANSPDCP website.

Where a group of undertakings or several public authorities or bodies appoint a single data protection officer, each controller or processor will fill in the Data Protection Officer form under the Data Protection Officer section of the ANSPDCP website.

When data processing is necessary in order to fulfil a legal obligation to which the controller is subject, it is not necessary to obtain the consent of the data subjects.

Each controller or processor must keep a record of processing activities, both in writing and in electronic format. This record must include all the information specified in Article 30(1) of Regulation (EU) 2016/679 on data protection.

It is up to controllers to choose how to keep a record of the data processing taking place, taking into account the work to date in the area of personal data processing.

The record of processing activities must include all of the following information:

  • name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller has the obligation to notify any personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

Under its Decision No 128 of 22 June 2018, the Chair of the ANSPDCP adopted the standard form for notification of a personal data breach in accordance with Regulation (EU) 2016/679.

You can find more information in the ‘Guidelines on personal data breach notification under Regulation 2016/679’ issued by the European Data Protection Board, which may be accessed here.

In order to ensure an appropriate level of security, the controller must implement appropriate technical and organisational protection measures, including:

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • the pseudonymisation and encryption of personal data, where applicable.

Considering the significance of ensuring compliance with Regulation (EU) 2016/679 on data protection, public institutions in Romania provide information on their own websites.

© 2024 roepas.ro