- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”);
- Law no. 102 of May 3, 2005 on the establishment, organization and functioning of the National Authority for the Supervision of Personal Data Processing (hereinafter referred to as “Law no. 102/2005”);
- Law no. 190 of 18 July 2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “Law no. 190/2018”);
- Law no. 363 of 28 December 2018 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, detecting, investigating, prosecuting and combating crime or the execution of punishments, educational and security measures, and on the free movement of these data (hereinafter referred to as “Law no. 363/2018”).
According to art. 4 point 1 of the Regulation, the data subject is the natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
The data subject cannot be confused with the recipient, who is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
According to art. 8 of the Regulation, where the data processing is based on consent, the data subject may also be a child, of the age established by Member State law (at least 13 years) or, under the Regulation, of at least 16 years, for whom the consent is given or authorised by the legal representative.
The category of information that may be processed also includes:
- genetic data, related to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- biometric data, resulting from specific technical processing related to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- data concerning health, related to the physical or mental health of a natural person, including the provision of health care services.
RIGHTS OF THE DATA SUBJECT
1. Right to information
The data subject has the right to be provided with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party, where the processing is based on them;
- the recipients or categories of recipients of the personal data;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organization;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on the consent of the data subject;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, as well as meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.
The above information must be communicated to the data subject in a concise, transparent, intelligible and easily accessible manner, using clear and simple language, in particular for any information specifically addressed to a child. The information can be transmitted in writing, by electronic means or even orally, if the data subject so requests.
2. Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
3. Right to rectification
The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4. Right to erasure
In the specific cases provided by the Regulation, to which we will return in another study, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her, and the controller has the obligation to erase them without undue delay.
5. Right to restriction
This issue will also be treated separately; the data subject has the right to obtain from the controller the restriction of processing where one of the cases provided for in the Regulation applies.
6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided initially, where the processing is based on consent or on a contract and the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
7. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. As a result, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
According to art. 2 para. (1) lit. f) of Law no. 190/2018, the performance of a task that serves a public interest includes the activities of political parties or citizens’ organizations belonging to national minorities, non-governmental organizations, which serve to achieve the objectives of constitutional law or public international law or the functioning of the democratic system, including encouraging citizen participation in the decision-making process and in the preparation of public policies, respectively the promotion of the principles and values of democracy.
8. Right to automated individual decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or is based on the data subject’s explicit consent.
According to art. 14 para. (5) and (6) of Law no. 190/2018, the violation by the public authorities / bodies of the provisions of the Regulation regarding the rights of the data subject constitutes a misdemeanor and is sanctioned with a fine between 10.000 and 200.000 RON.