- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”);
- Law no. 102 of May 3, 2005 on the establishment, organization and functioning of the National Authority for the Supervision of Personal Data Processing (hereinafter referred to as “Law no. 102/2005”);
- Law no. 190 of 18 July 2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “Law no. 190/2018”);
- Law no. 363 of 28 December 2018 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, detecting, investigating, prosecuting and combating crime or the execution of punishments, educational and security measures, and on the free movement of these data (hereinafter referred to as “Law no. 363/2018”).
For the purposes of the Regulation, the operator (the “controller” in the Regulation’s own terminology) is the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by Union or national law, the operator, or the specific criteria for its designation, may be laid down in Union or national law.
The person empowered by the operator is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator.
When processing personal data, the operator must comply with the principles of lawfulness, fairness, transparency, accuracy, integrity, confidentiality, accountability, purpose limitation and storage limitation.
Given the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals, the operator is required to implement and, where appropriate, to review and update appropriate technical and organizational measures (e.g., pseudonymization, adherence to codes of conduct or certification mechanisms) to ensure that processing is carried out in compliance with the requirements of the Regulation.
The operator must ensure that the data processing, the volume of data collected, the degree of processing thereof, their storage period and their accessibility are necessary for the specific purpose of the processing.
Where two or more operators jointly establish the purposes and means of processing, they shall be associated operators. They shall establish by agreement and in a transparent manner the responsibilities of each, mainly with regard to the exercise of the rights of data subjects and the fulfillment of the obligations of the operators to provide information. The agreement may also designate a contact point for the data subjects.
The agreement concluded between the associated operators must reflect the roles and relationships of each person with the data subject and must be brought to the attention of the data subject. Irrespective of the provisions of the agreement, the data subject may exercise his rights with respect to any of the operators.
OPERATORS WHO DO NOT HAVE THEIR HEADQUARTERS IN THE EUROPEAN UNION
The provisions of the Regulation shall apply even if the operator or the person empowered by the operator is not established in the European Union, but only where the processing activities are related to:
- the supply of goods or services to data subjects in the European Union, whether or not a payment is requested by the data subject;
- monitoring the behavior of data subjects in the European Union, insofar as that behavior takes place within the European Union.
In either of the above two cases, the operator or the person empowered by the operator shall be required to appoint a representative in one of the Member States in which the data subjects are located. There are, however, two exceptions to this obligation:
- the processing of data is occasional, does not include the processing of special categories of data or the processing of personal data relating to criminal convictions and offenses and is not likely to pose a risk to the rights and freedoms of data subjects;
- data processing is done by a public authority or body.
Even where the operator or the person empowered by the operator has mandated a representative, the right of data subjects to address the operator directly, and to bring legal action directly against the operator, is not affected.
PERSON EMPOWERED BY THE OPERATOR
Where processing is to be carried out on behalf of an operator, the operator shall use only empowered persons who provide sufficient guarantees for the implementation of appropriate technical and organizational measures, so that the processing complies with the requirements of the Regulation and ensures the protection of the rights of the data subject.
The person empowered by the operator shall not be entitled to recruit another person empowered by the operator without the prior written authorization of the operator.
The authorization may be specific or general. In the case of a general authorization, the person empowered by the operator must inform the operator of the recruitment or replacement of other empowered persons, in order to give the operator the opportunity to object.
General provisions of the agreement between the operator and the person empowered by the operator
The agreement between the operator and the person empowered by the operator shall establish the object, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights / obligations of the operator.
Specific provisions of the agreement between the operator and the person empowered by the operator
The agreement between the operator and the person empowered by the operator provides in particular that the latter:
- processes personal data only on the basis of documented instructions from the operator, including with regard to transfers of personal data to a third country or an international organization, unless this obligation is imposed on the empowered person by the Union or national law applicable to it; in that case, it shall notify the operator of this legal obligation before processing, unless that law prohibits such notification for important reasons of public interest;
- ensures that the persons authorized to process personal data have undertaken to respect confidentiality or are under an appropriate statutory obligation of confidentiality;
- adopts all security measures required for the processing;
- complies with the conditions regarding the recruitment of another person empowered by the operator;
- assists the operator, through appropriate technical and organizational measures and as far as possible, in fulfilling the operator’s obligation to respond to requests for the exercise of rights by the data subject;
- helps the operator to ensure compliance with its obligations, taking into account the nature of the processing and the information available to the operator;
- at the choice of the operator, deletes or returns to the operator all personal data after the cessation of the provision of processing services, and deletes existing copies, unless Union or national law requires the storage of the personal data;
- provides the operator with all the information necessary to demonstrate compliance with its obligations, and allows and contributes to audits, including inspections, carried out by the operator or by another auditor mandated by the operator.
The terms of the agreement between the operator and the person empowered by the operator must be complied with by both parties to the agreement and by any other persons recruited as the operator’s representative.
According to art. 14 para. (2) and (4) of Law no. 190/2018, non-compliance with the obligations of the operator and the person empowered by the operator constitutes a misdemeanor and is sanctioned with a fine between 10.000 and 100.000 RON.
Violation by public authorities / bodies of the provisions of the Regulation regarding the basic principles for data processing constitutes a misdemeanor and is sanctioned with a fine between 10.000 and 200.000 RON.
Contraventions are ascertained, and contravention sanctions and the other corrective measures provided by the Regulation are applied, by the National Authority for the Supervision of Personal Data Processing, established in accordance with the provisions of the Regulation and Law no. 102/2005.