- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the “Regulation”);
- Law no. 102 of May 3, 2005 on the establishment, organization and functioning of the National Authority for the Supervision of Personal Data Processing (hereinafter referred to as “Law no. 102/2005”);
- Law no. 190 of 18 July 2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and repealing Directive 95/46 / EC (hereinafter referred to as “Law no. 190/2018”);
- Law no. 363 of 28 December 2018 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, detecting, investigating, prosecuting and combating crime or the execution of punishments, educational and security measures, and on the free movement of these data (hereinafter referred to as “Law no. 363/2018”).
According to the Regulation, the presence of the data subject’s consent to the processing of personal data is only one of the independent conditions for the personal data processing procedure to be legal.
Thus, consent given in accordance with the law is sufficient per se, even if the processing of personal data is not necessary in the performance of a contract, in fulfillment of a legal obligation of the controller, to protect the vital interests of the data subject, to perform a task that serves a public interest or to defend the legitimate interests of the operator or a third party.
CONDITIONS OF CONSENT
According to art. 7 of the Regulation, if the processing of personal data is based on the consent of the data subject, he must comply with the following conditions:
- the consent must be freely expressed, it must be given knowingly and for a specific purpose;
- the controller must be able to demonstrate the existence of the data subject’s consent;
- the request for consent must be in an intelligible and easily accessible form and include clear and simple language, when the consent is to be given by a written statement which also covers other matters;
- informing the data subject of the right to withdraw his / her consent, bearing in mind that the exercise of this right does not affect the lawfulness of the processing carried out before the withdrawal of the consent.
Art. 8 of the Regulation also provides the specific conditions in case the data processing is done based on the consent given by a child, in the sense that it links the legality of such a procedure to the age of the child who must be at least 16 years old. If the child is under the age of 16, such processing is lawful only to the extent that the consent is given or authorized by the holder of parental responsibility over the child.
The regulation gives states the freedom to set the minimum age from which a person is presumed to be able to give legal consent, but stipulates that this age cannot be less than 13 years.
In Romania, in accordance with the applicable legal provisions, the collection and processing of personal data of minors under the age of 18 is consented to on their behalf by parents, guardians or legal guardians, who give their consent to the purposes for which they are agree to the processing of personal data. In this sense, the parent / guardian / legal guardian of the minor under 18 years of age may be required to prove his / her status of parent / guardian / legal guardian.
The processing of personal data is not absolute and has limitations. Thus, according to art. 3 of Law no. 190/2018, the processing of genetic, biometric or health data, in order to carry out an automated decision-making process or to create profiles, is permitted with the explicit consent of the data subject or if the processing is carried out under express legal provisions, with the establishment appropriate measures to protect the rights, freedoms and legitimate interests of the data subject.
Another limitation is found in art. 10 of Law no. 363/2018, which provides that personal data revealing racial or ethnic origin, political opinions, religious denominations or philosophical beliefs, trade union affiliation, processing of genetic data, processing of biometric data for the unique identification of a natural person, processing of health data or data on the sexual life and sexual orientation of an individual may be processed only if they are strictly necessary in a particular case, if adequate safeguards are established for the rights and freedoms of the data subject and if one of the following conditions is met:
- the processing is expressly provided by law;
- the processing is necessary to prevent at least an imminent danger to the life, bodily integrity or health of the data subject or another natural person;
- the processing refers to personal data that are manifestly made public by the data subject.
According to art. 14 para. (5) and (6) of Law no. 190/2018, the violation by the operator / person authorized by the operator of the provisions regarding the legality and validity of the consent constitutes a misdemeanor and is sanctioned with a fine between 10.000 and 200.000 RON.
The ascertainment of the misdemeanor and the application of the sanctions, as well as of the other corrective measures provided by the Regulation on data protection are made by the National Authority for Supervision of Personal Data Processing established in accordance with the provisions of the Regulation and Law no. 102/2005.