Five Years Of GDPR: An Overview Of GDPR Implementation In Romania

Jurisdiction: European Union
Law Firm: Kinstellar
Subject Matter: Privacy, Data Protection
Author: Ms Oana Grigore and Gabriela Ion
Published date: 12 May 2023

As May 2023 marks the fifth anniversary of the implementation of GDPR[1], we have prepared an overview of the five years of regulatory struggle in Romania since the regulation came into effect. By examining the value of the sanctions and the types of violations, we can identify some regulatory trends of the local practice.

Statistics on fines

In the first year of GDPR (i.e., May 2018-May 2019), the Romanian Data Protection Authority ("the Authority") did not issue any fines, but only recommendations[2], even though a significant number of ex-officio investigations (namely 336) were performed. This was a year of accommodation.

In the following years (May 2019-end of 2021), the Authority continued to carry out ex-officio investigations, with an average of 385 investigations per year, issuing an average of 14 fines per year.

In particular, in 2020 the Authority carried out the highest number of ex-officio investigations (i.e., 398)[3], while in 2021 the Authority applied the highest number of fines (i.e., 21)[4].

In 2022 we can see a spike in the number of fines, which increased to 50 according to a press release on the Authority's website.

Generally, Romania was ranked third in the European Union in terms of the number of fines imposed by the Authority from 2018 until early 2022 (i.e., 68 fines)[5]. We can only assume that Romania will keep its place or even rank higher considering the increase in the number of fines during 2022.

However, the total value of the fines was only EUR 721,000, resulting in a rather low value of the average fine in Romania, i.e., EUR 10,603. This reflects a continuation of the previous local sanctioning practice, even after the implementation of GDPR.

Trends on the types of violations

Most of the sanctions were imposed for breaching:

  • the security and confidentiality measures for the processing of personal data, by failing to adopt adequate technical and organisational measures by data controllers to ensure the security of processing;
  • the processing principles, in particular those relating to lawfulness, transparency and proportionality;
  • the rights of data subjects (e.g., right of access).

As these seem rather straightforward, it could mean that local data controllers have not yet implemented GDPR and, thus, the Authority can easily find a breach...
