Senior management and organisation
Please identify the authority’s senior management, a brief description of their role and responsibilities, and contact details. If you have an internal organogram of senior management, please provide it.
Ancuța Gianina is the president of the National Supervisory Authority For Personal Data Processing.
What is the process for nominating the head of the authority?
Article 7 of Law no. 102/2005 stipulates that:
“(1) The proposals for candidates for the position of president or vice-president of the National Supervisory Authority shall be made by the Standing Bureau of the Senate upon recommendation of the parliamentary groups of the two Chambers of Parliament.
(2) The candidates submit to the Senate’s Legal, Appointment, Discipline, Immunities and Validation Committee the documents proving that they fulfil the conditions provided by the law in order to act as president or vice-president of the National Supervisory Authority. The candidates will be heard by the Legal, Appointment, Discipline, Immunities and Validation Committee. The Senate decides on their appointment after the plenary.
(3) The appointment of the president and the vice-president of the National Supervisory Authority shall be by majority vote of the Senators.”
What was the authority’s budget for the most recently available financial year?
The annual budget of the national supervisory authority for 2017 was 4.287 million lei.
How many data protection/privacy-focused staff does the authority employ?
Contacting the authority
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process? Please specify individuals, email addresses, URLs for online forms, etc.
By regular post or by email [email protected].
What other contact information should companies and their advisers be aware of?
The contact details of the Romanian Data Protection Authority are available on its website: http://www.dataprotection.ro/?page=contact.
Legal and enforcement framework
What are your investigative powers?
The Romanian Data Protection Authority has the investigative powers provided by article 58 of the General Data Protection Regulation.
Can you search premises or force the disclosure of information without having to approach the courts?
Article 141 of Law no. 102/2005 provides that control personnel shall be entitled to carry out investigations, including unannounced ones, to request and to obtain from the data controllers and the data processor and, where appropriate, from their representatives, on site and within the time limit set, any information and documents, regardless of the storage medium, to take copies, to have access to any of the premises of the data controllers and data processor, and to have access and to verify any equipment, data storage means or support required for the deployment of the investigation, under the law.
In the event that the control personnel are prevented in any way from performing the duties above, the national supervisory authority may request the judicial authorisation given by the President of the Bucharest Court of Appeal or by a judge delegated by the President. A copy of the judicial authorisation shall be communicated to the audited entity before the commencement of the investigation.
What fines can you impose on companies that breach data protection rules?
Again, Article 141 of Law no. 102/2005 stipulates that, in the control activity, the national supervisory authority may order the corrective measures provided for in article 58(2) of the General Data Protection Regulation, including sanctions for minor offences, may make recommendations and can refer the matters to other competent authorities as appropriate.
Priorities and the future
What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?
The annual plan for investigations is drawn up at the end of each year for the next year. Therefore, we cannot provide you with an answer at this moment.
What data protection/privacy-related guidelines have you issued to date?
The supervisory authority’s website contains a specific section dedicated to GDPR where you can find the Guidelines issued by article 29 Working Party and endorsed by the European Data Protection Board, the Guideline issued by our authority, “The Guidelines for the application of the General Data Protection Regulation by the data controllers”, as well as other useful information for data controllers and data subjects.