Romanian Data Protection Authority's Practice For 2023 And Beyond: 10 Key-focus Areas

Published date: 12 July 2023
Subject Matter: Privacy, Compliance, Data Protection, Privacy Protection
Author: Mr Petruș Partene

During the first half of this year, the activity of the Romanian data protection authority (ANSPDCP or the Authority) has been significant, and sanctions for non-compliance with the applicable legislation on personal data protection, in particular with the provisions of the General Data Protection Regulation (GDPR), have not been uncommon.

Based on the information published by ANSPDCP (press release available here, in Romanian), in the first four months of 2023, 1565 complaints, referrals and notifications of security incidents were received (registered). Consequently, 199 investigations were opened. In addition, 36 fines, 40 warnings and 39 corrective measures were applied as a result of investigations carried out during the same period.

According to ANSPDCP, complaints, referrals and notifications on security incidents mainly concerned the following issues: (i) disclosure of personal data to third parties or on the Internet, (ii) use of video surveillance means in the workplace or at the level of homeowners' associations, (iii) non-compliance with data subjects' rights, (iv) non-compliance with the data subjects information requirements, (v) sending unsolicited commercial messages via electronic communication means, (vi) cyber-attacks, (vii) disclosure of minors' data, and (viii) violation of data processing principles.

Analysing the issues investigated by the Authority, we compiled a list of 10 key areas of interest to which any controller must pay close attention to ensure that its personal data processing activities are carried out in full observance of the applicable legislation.

The 10 key areas can be translated into concrete initiatives for operators, namely:

  • Take extra care when sending commercial or non-commercial e-mail communications. In the Authority's practice, sending such communications to a large number of recipients by inserting all e-mail addresses in the field "TO: ..." instead of "BCC: ..." has been a breach leading to unauthorized disclosure of and unauthorized access to personal data;
  • Ensure that the measures implemented as a result of the exercise of data subjects' rights are genuinely effective. Where a data subject requests the deletion of personal data and you are able to comply with such a request, ensure that such data is deleted from all company systems. In an investigation conducted on this subject, further processing of personal data by sending commercial communications by SMS after...
