Romania applies the General Data Protection Regulation (GDPR) directly as binding EU law, supplemented by national implementing legislation that creates additional obligations specific to the Romanian legal environment. Businesses processing personal data of Romanian residents - whether established locally or operating remotely - must meet a layered compliance framework enforced by an authority with demonstrated willingness to investigate and sanction. The cost of non-compliance ranges from reputational damage to fines reaching tens of millions of euros. This article covers the legal framework, key obligations, enforcement mechanics, cross-border transfer rules, breach response procedures, and practical strategies for international businesses operating in or entering the Romanian market.
The primary source of data protection law in Romania is Regulation (EU) 2016/679, the GDPR, which applies directly without transposition. Romania supplemented it through Law No. 190/2018 on measures implementing the GDPR (Legea nr. 190/2018 privind măsurile de punere în aplicare a Regulamentului General privind Protecția Datelor), which addresses specific national derogations permitted under Articles 6, 9, 17, 22, 85, 88, and 89 of the GDPR.
Law 190/2018 is not a standalone data protection code. It fills gaps where the GDPR expressly allows member states to legislate - for example, setting the minimum age for children's consent at 16 years under Article 5 of that law, restricting certain automated decision-making in employment contexts, and establishing rules for processing in journalistic and research contexts. International businesses often overlook this layer, focusing exclusively on the GDPR text and missing obligations that exist only at the national level.
The supervisory authority is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), Romania's National Supervisory Authority for Personal Data Processing. ANSPDCP operates under Law No. 102/2005 (Legea nr. 102/2005 privind înființarea, organizarea și funcționarea Autorității Naționale de Supraveghere a Prelucrării Datelor cu Caracter Personal), as amended. It has the full investigative and corrective powers granted to supervisory authorities under GDPR Article 58, including the power to conduct on-site inspections, issue warnings, impose temporary or permanent bans on processing, and levy administrative fines.
Romanian courts also play a role. Civil claims for damages caused by unlawful data processing are brought before ordinary civil courts under GDPR Article 82, read together with the Romanian Civil Code (Codul Civil). Jurisdiction generally lies with the court at the defendant's registered seat or at the claimant's domicile, following the rules of the Romanian Civil Procedure Code (Codul de Procedură Civilă), Articles 107-113.
A non-obvious risk for foreign businesses: Romania applies the GDPR's extraterritorial reach under Article 3(2) aggressively. A company with no Romanian establishment but offering goods or services to Romanian consumers, or monitoring their behaviour, falls within ANSPDCP's jurisdiction. Failure to appoint an EU representative under GDPR Article 27 when required is itself a sanctionable breach.
Every processing activity requires a lawful basis under GDPR Article 6. In Romania, the most frequently invoked bases in commercial contexts are consent, contract performance, legitimate interests, and legal obligation. The choice of basis has significant downstream consequences for data subject rights and enforcement exposure.
Consent under GDPR Article 7 must be freely given, specific, informed, and unambiguous. Romanian practice - shaped by ANSPDCP guidance and enforcement decisions - requires that consent requests be presented separately from other terms and conditions, that withdrawal mechanisms be as easy as the original consent mechanism, and that records of consent be maintained demonstrably. Pre-ticked boxes, bundled consent, and consent obtained as a condition of service where processing is not strictly necessary are treated as invalid.
Law 190/2018, Article 5, sets the age of digital consent at 16 years. Processing children's data below this threshold requires parental or guardian consent. Platforms targeting Romanian minors must implement age verification mechanisms that are proportionate and technically effective - a requirement that creates practical compliance burdens for consumer-facing digital services.
Legitimate interests under GDPR Article 6(1)(f) require a three-part balancing test: identifying the legitimate interest, demonstrating necessity, and confirming that the data subject's interests do not override the controller's. ANSPDCP has scrutinised legitimate interests claims in direct marketing contexts and found them insufficient where controllers failed to document the balancing test. A common mistake is treating legitimate interests as a catch-all basis when consent is difficult to obtain - this approach increases enforcement risk substantially.
Special categories of data under GDPR Article 9 - health, biometric, genetic, racial, religious, political, and trade union data - require an additional condition from Article 9(2). Law 190/2018, Articles 3 and 4, adds national conditions for processing health data in employment and research contexts. Processing biometric data for access control in Romanian workplaces requires explicit consent or a specific legal obligation, and ANSPDCP has investigated employers who implemented biometric attendance systems without adequate legal basis.
To receive a checklist on lawful basis selection and consent documentation for Romania, send a request to info@vlolawfirm.com.
The Data Protection Officer (DPO) is a mandatory role under GDPR Article 37 for three categories of controller and processor: public authorities, organisations whose core activities require large-scale systematic monitoring of individuals, and organisations whose core activities involve large-scale processing of special category or criminal conviction data. In Romania, this obligation applies to both Romanian-established entities and foreign entities with an establishment in Romania.
ANSPDCP requires DPO contact details to be registered with the authority. The registration mechanism is available through ANSPDCP's online portal. Failure to register a mandatory DPO, or failure to appoint one at all, constitutes a direct GDPR violation sanctionable under Article 83(4) with fines up to EUR 10 million or 2% of global annual turnover, whichever is higher.
The DPO must have expert knowledge of data protection law and practice, must be provided with resources to carry out tasks, must be accessible to data subjects, and must not receive instructions regarding the exercise of DPO tasks. Under GDPR Article 38(3), the DPO cannot be dismissed or penalised for performing DPO functions. Romanian employment law (Codul Muncii, Law No. 53/2003) interacts with this protection: a DPO employed under a Romanian employment contract benefits from both GDPR protection and standard Romanian employment protections, creating a complex dismissal framework if the relationship deteriorates.
The DPO's core tasks under GDPR Article 39 include informing and advising the controller, monitoring compliance, advising on data protection impact assessments (DPIAs), cooperating with ANSPDCP, and acting as the contact point for the authority. In practice, ANSPDCP expects DPOs to be genuinely empowered - not merely a compliance title assigned to an existing employee with no real authority or resources.
Many businesses underappreciate the distinction between a mandatory and a voluntary DPO appointment. A voluntarily appointed DPO is subject to the same legal requirements as a mandatory one under GDPR Article 37(4). Once appointed, the organisation cannot simply remove the DPO to avoid obligations - the full protective and functional framework applies.
Accountability under GDPR Article 5(2) requires controllers to demonstrate compliance, not merely assert it. In Romania, ANSPDCP inspections - both announced and unannounced - examine Records of Processing Activities (RoPA) under Article 30, DPIAs under Article 35, data processing agreements under Article 28, and internal policies. Controllers who cannot produce these documents during an inspection face immediate corrective orders and potential fines.
A personal data breach is defined under GDPR Article 4(12) as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The notification obligations triggered by a breach are among the most time-sensitive in the GDPR framework.
Under GDPR Article 33, a controller must notify ANSPDCP of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The 72-hour clock starts when the controller has reasonable certainty that a breach has occurred - not when it begins investigating a potential incident. This distinction matters: a controller that delays internal escalation to avoid starting the clock takes a significant enforcement risk.
The notification to ANSPDCP must contain, at minimum: a description of the nature of the breach including categories and approximate number of data subjects and records affected; the name and contact details of the DPO or other contact point; a description of the likely consequences of the breach; and a description of measures taken or proposed to address the breach, including mitigation measures. Where all information is not available within 72 hours, a phased notification is permissible under Article 33(4), with further information provided without undue delay.
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, GDPR Article 34 requires direct communication to affected data subjects. ANSPDCP assesses 'high risk' contextually - breaches involving financial data, health data, authentication credentials, or data of vulnerable individuals typically meet this threshold. The communication must be in plain language, describe the nature of the breach, provide DPO contact details, describe likely consequences, and describe measures taken.
Processors under GDPR Article 33(2) must notify the controller without undue delay after becoming aware of a breach. Data processing agreements governed by Romanian law should specify the processor's notification timeline - typically 24-36 hours - to give the controller sufficient time to meet the 72-hour window. A common mistake is drafting processor agreements that require notification 'promptly' without a specific timeframe, leaving the controller exposed.
Practical scenario one: a Romanian e-commerce company discovers that a third-party logistics provider suffered a ransomware attack exposing delivery address data of 50,000 customers. The company must assess whether the breach meets the Article 33 notification threshold, notify ANSPDCP within 72 hours, and evaluate whether the exposure of delivery addresses combined with purchase history creates a high risk requiring Article 34 communication to customers. The logistics provider, as processor, should have notified the company immediately upon discovery.
Practical scenario two: a multinational with Romanian operations discovers that an employee accessed HR records of colleagues without authorisation. Even an internal breach involving a limited number of records triggers the Article 33 assessment obligation. If the accessed data includes salary, health, or disciplinary information, the risk threshold for ANSPDCP notification is likely met.
To receive a checklist on data breach response procedures and ANSPDCP notification requirements for Romania, send a request to info@vlolawfirm.com.
Romania, as an EU member state, applies the GDPR's Chapter V rules on international data transfers. A transfer of personal data to a third country - any country outside the European Economic Area - requires one of the transfer mechanisms listed in Articles 44-49.
The primary mechanism for most commercial transfers is Standard Contractual Clauses (SCCs), adopted by the European Commission through Implementing Decision (EU) 2021/914. These modular clauses cover controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. Romanian-established controllers using SCCs must conduct a Transfer Impact Assessment (TIA) to verify that the legal framework of the destination country does not undermine the protections offered by the SCCs - a requirement derived from the Court of Justice of the EU's Schrems II judgment and reflected in ANSPDCP's enforcement approach.
Adequacy decisions under GDPR Article 45 cover a limited list of countries. Transfers to countries on the adequacy list - including the UK under the EU-UK adequacy decision, Japan, Canada (commercial organisations), and others - do not require additional safeguards. Transfers to the United States may rely on the EU-US Data Privacy Framework (DPF) for certified US organisations, but controllers must verify current DPF certification status of the recipient before relying on this mechanism.
Binding Corporate Rules (BCRs) under GDPR Article 47 are available for intra-group transfers within multinational groups. BCRs require approval by a lead supervisory authority. For a Romanian-headquartered group, ANSPDCP would be the approving authority. The BCR approval process is lengthy - typically 12-24 months - and resource-intensive, making it viable primarily for large multinationals with significant intra-group data flows.
Derogations under GDPR Article 49 - including explicit consent, contract performance necessity, and vital interests - are available only for occasional, non-repetitive transfers. ANSPDCP, consistent with the European Data Protection Board's guidance, treats systematic reliance on Article 49 derogations as non-compliant. Controllers that route routine operational transfers through Article 49 consent face enforcement risk.
A non-obvious risk in the Romanian context: cloud service agreements with US or Asian providers often contain data transfer provisions buried in standard terms. Romanian controllers who sign these agreements without reviewing the transfer mechanism, conducting a TIA, and documenting the legal basis for the transfer are in breach of Chapter V from the moment processing begins. ANSPDCP has investigated controllers following complaints from data subjects who discovered their data was processed in jurisdictions without adequate protections.
Practical scenario three: a Romanian software development company outsources customer support to a provider in a non-EEA country. The company must execute SCCs with the provider, conduct a TIA assessing the destination country's surveillance and access laws, implement supplementary technical measures if the TIA reveals gaps, and document the entire process. If the provider is a sub-processor of a larger cloud platform, the chain of data processing agreements must be reviewed to ensure consistent transfer protections throughout.
We can help build a strategy for cross-border data transfer compliance in Romania, including TIA documentation and SCC implementation. Contact info@vlolawfirm.com.
ANSPDCP has demonstrated active enforcement across sectors including telecommunications, banking, healthcare, and e-commerce. The authority conducts both reactive investigations - triggered by complaints from data subjects - and proactive sector-wide investigations initiated on its own motion.
The GDPR's two-tier fine structure applies in Romania. Under Article 83(4), violations of obligations relating to controllers and processors, certification bodies, and monitoring bodies attract fines up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. Under Article 83(5), violations of the basic principles of processing, conditions for consent, data subjects' rights, international transfer rules, and obligations under national law adopted pursuant to Chapter IX attract fines up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
ANSPDCP applies the criteria in GDPR Article 83(2) when calculating fines: nature, gravity, and duration of the infringement; intentional or negligent character; actions taken to mitigate damage; degree of responsibility; relevant prior infringements; cooperation with the authority; categories of data affected; manner in which the infringement became known; and whether the controller previously received a warning. Proactive self-disclosure and demonstrated remediation efforts consistently result in lower sanctions.
The enforcement procedure before ANSPDCP begins with an investigation phase, during which the authority may request documents, conduct on-site inspections, and interview staff. Controllers have the right to submit observations and present their defence before a final decision is issued. ANSPDCP decisions are administrative acts subject to challenge before the administrative courts (instanțele de contencios administrativ) under Law No. 554/2004 on administrative litigation (Legea contenciosului administrativ). The competent court for challenging ANSPDCP decisions is the Court of Appeal of Bucharest (Curtea de Apel București), which has specialised administrative chambers.
Civil litigation for data protection damages under GDPR Article 82 is brought before ordinary civil courts. The claimant must prove the damage suffered, the processing violation, and the causal link between them. Romanian courts have awarded damages in cases involving unauthorised disclosure of health data, unlawful credit scoring, and identity theft facilitated by inadequate security measures. The controller bears the burden of proving it was not responsible for the damage under Article 82(3).
A common mistake by international businesses facing ANSPDCP investigations is treating the process as purely administrative and failing to engage legal counsel with both data protection and Romanian administrative law expertise. The procedural rules governing ANSPDCP investigations, the deadlines for submitting observations, and the strategy for challenging decisions in court require specialised knowledge that general GDPR compliance advisors may not possess.
The cost of defending an ANSPDCP investigation - including legal fees, internal resource allocation, and remediation costs - typically starts from the low thousands of euros for straightforward cases and rises significantly for complex multi-jurisdictional matters. The cost of an uncontested fine at the upper end of the Article 83(5) scale can reach tens of millions of euros for large multinationals. The business economics strongly favour proactive compliance investment over reactive enforcement response.
To receive a checklist on ANSPDCP investigation response and enforcement defence strategy for Romania, send a request to info@vlolawfirm.com.
What are the most significant practical risks for a foreign company processing Romanian residents' data without a local establishment?
A foreign company without a Romanian or EU establishment that processes data of Romanian residents under GDPR Article 3(2) must appoint an EU representative under Article 27. Failure to do so is a direct violation sanctionable by ANSPDCP. The authority can investigate and sanction the foreign company through its EU representative or through cooperation mechanisms with other supervisory authorities. Additionally, the company must comply with all GDPR obligations - lawful basis, data subject rights, breach notification, transfer rules - as if it were established in Romania. Many foreign businesses incorrectly assume that the absence of a physical presence shields them from Romanian enforcement; this assumption is legally incorrect and operationally dangerous.
How long does an ANSPDCP investigation typically take, and what are the financial consequences of a finding of violation?
ANSPDCP investigations vary considerably in duration depending on complexity, the volume of documents requested, and the controller's cooperation. Straightforward complaint-based investigations may conclude within three to six months. Complex sector-wide investigations or cases involving multiple violations can extend beyond twelve months. Financial consequences depend on the tier of violation and the Article 83(2) criteria. Fines in Romania have ranged from symbolic amounts for minor procedural violations to substantial sanctions for systemic failures involving large volumes of sensitive data. Beyond the fine itself, controllers face remediation costs, reputational damage, and potential civil claims from affected data subjects - all of which can exceed the administrative fine in aggregate.
When should a business choose to appoint a voluntary DPO rather than relying on existing compliance staff to manage data protection obligations?
A voluntary DPO appointment makes strategic sense when the organisation processes significant volumes of personal data but does not technically meet the mandatory thresholds of GDPR Article 37(1), when the organisation wants to signal accountability to customers, partners, and regulators, or when the complexity of processing activities exceeds the capacity of general compliance staff. However, the decision requires careful analysis: once appointed, the voluntary DPO has the same legal status and protections as a mandatory DPO, and the organisation cannot easily reverse the appointment without triggering employment and GDPR complications. An alternative approach - designating a data protection coordinator without the formal DPO title - preserves operational flexibility while building internal expertise. The right choice depends on the organisation's size, processing profile, and risk appetite.
Data protection compliance in Romania requires engagement with both the GDPR's EU-wide framework and the specific national layer created by Law 190/2018. ANSPDCP is an active enforcement authority with broad investigative powers and a demonstrated record of sanctioning violations across sectors. International businesses must address lawful basis selection, DPO obligations, breach response timelines, cross-border transfer mechanisms, and accountability documentation as integrated compliance priorities - not isolated checklists. The cost of proactive compliance is substantially lower than the combined cost of enforcement, litigation, and reputational damage.
Our law firm VLO Law Firm has experience supporting clients in Romania on data protection and privacy matters. We can assist with GDPR compliance audits, DPO advisory services, ANSPDCP investigation defence, cross-border transfer structuring, and data breach response. To receive a consultation, contact: info@vlolawfirm.com.