Law no. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and Free Circulation of Such Data

The Parliament of Romania adopts the present law.

Chapter I: General Provisions

Article 1: Purpose

  1. The purpose of this law is to guarantee and protect the natural persons’ fundamental rights and freedoms, especially the right to personal, family and private life, concerning the processing of personal data.
  2. The exercise of the rights stated by this law shall not be restricted except for the specified and limited cases stated by the law.

Article 2: Scope

  1. The present law applies to the processing of personal data, performed, totally or partially, through automatic means, as well as to the processing through means other than automatic, which are part of, or destined to, an evidence system.
  2. The present law applies to:
    1. the processing of personal data, carried out in the frame of activities effectuated by controllers established in Romania;
    2. the processing of personal data, carried out in the frame of activities effectuated by diplomatic missions or consular offices of Romania;
    3. the processing of personal data, carried out in the frame of activities effectuated by controllers who are not residents of Romania, by using means of any nature, situated on the territory of Romania, except for the case in which these means are only used for the purpose of transit through Romanian territory of the personal data, which are subject to the respective processing.

  3. In the case mentioned at paragraph (2) letter c), the controller will designate a representative who must be a person established in Romania. The provisions of this law applicable to the controller are also applicable to his representative, without infringing the possibility of filing in a complaint before the court of law, directly versus the controller.
  4. The present law applies to the processing of personal data, performed by natural and legal persons, Romanian or foreign, of public and private law, regardless of the fact that they take place in the public or the private sector.
  5. Within the limits of the present law, it also applies to the processing and transfer of personal data, carried out in the frame of criminal offence prevention, investigation and repressing activities and maintaining public order, and also to other activities performed in the domain of criminal law, within the limits and restrictions stated by the law.
  6. The present law does not apply to the processing of personal data, carried out by natural persons exclusively for their own interests, if the data in case are not destined to be revealed.
  7. The present law does not apply to the processing and transfer of personal data, carried out in the frame of national defence and security, within the limits and restrictions stated by the law.
  8. The provisions of this law do not infringe the obligations assumed by Romania through the ratified international instruments.

Article 3: Definitions

In the sense of this law, the following terms are defined as follows:

  1. personal data - any information referring to a natural person, identified or identifiable; an identifiable person is that person who can be identified, directly or indirectly, particularly with reference to an identification number or to one or more specific details of his physical, physiological, psychical, economical, cultural or social identity;
  2. the processing of personal data - any operation or set of operations that is performed upon the personal data, by automatic or non-automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure to a third party by transmission, dissemination or by any other way, combination or alignment, blocking, erasure or destruction;
  3. storage - keeping the collected personal data on any type of support;
  4. evidence system of the personal data - any organised structure of the personal data, accessible according to some specified criteria, regardless of the fact that this structure is being organised in a centralised or non-centralised manner, or is being distributed on functional or geographical criteria;
  5. controller - any natural or legal person, of private or public law, including public authorities, institutions and territorial structures of these, who establishes the purpose and the ways of processing the personal data; if the purpose and the ways of processing the personal data are established through a legislative act or are based on a legislative act, the controller is the natural or legal person, of public or private law, who is designated as controller by that legislative act or based on that legislative act;
  6. person empowered by the controller (processor) - any natural or legal person, of private or public law, including public authorities, institutions and territorial structures of these, who processes personal data on behalf of the controller;
  7. third party - any natural or legal person, of private or public law, including public authorities, institutions and territorial structures of these, other than the data subject, other than the controller or the processor or the persons who, under direct authority of the controller or of the processor, is authorised to process data;
  8. recipient - any natural or legal person, of private or public law, including public authorities, institutions and territorial structures of these to whom data are disclosed, whether a third party or not; the public authorities which receive data in the frame of a special investigation competence will not be considered recipient;
  9. anonymous data - data which, due to the specific origin or manner of processing, cannot be associated to an identified or an identifiable person.

Chapter II: General Rules Regarding the Processing of Personal Data

Article 4: Characteristics of personal data

  1. Personal data intended to be subject to the processing must be:
    1. processed fairly and lawfully;
    2. collected for specific, explicit and legitimate purposes; further processing of personal data in statistic or historical research, or to scientific purposes, will not be considered incompatible with the purpose of collecting if it is done according to the provisions of this law, including those referring to the notification addressed to the supervisory authority, and also according to the guarantees regarding the processing of personal data, stated by the provisions that rule the statistic activity or the historical or scientific research;
    3. adequate, pertinent and not excessive in relation to the purpose for which they are collected and further processed;
    4. accurate and, where necessary, updated; for this purpose, the necessary measures shall be taken in order to erase and rectify the inaccurate or incomplete data having regard to the purpose for which they were collected and for which they will be further processed;
    5. stored in such a manner as should allow the identification of the data subject strictly during the time necessary to achieve the purpose for which the data are collected and for which they will be further processed; the storage of the data for a longer period of time than the one mentioned, for statistic, historical or scientific research purposes, may be done while observing the guarantees regarding the processing of personal data, as stated by the legislative acts that rule this domain, and only during the necessary period of time to achieve these purposes.

  2. The controllers have the obligation to observe the provisions of paragraph (1) and to ensure the implementation thereof by the processor.

Article 5: Conditions of legitimacy regarding the data processing

  1. Any processing of personal data, except for the processing which refers to the categories mentioned under Article 7 (1), Articles 8 and 10, can be carried out only if the data subject has given his/her express and unequivocal consent for that processing.
  2. The consent of the data subject is not required in the following situations:
    1. when the processing is necessary in order to carry out a contract or an ante-contract which the data subject is part of, or in order to take some measures, at his request, before signing a contract or an ante-contract;
    2. when the processing is necessary to protect life, physical integrity or health of the data subject or of another threatened person;
    3. when the processing is necessary to fulfil a legal obligation of the controller;
    4. when the processing is necessary to accomplish some measures of public interest or concerns the exercise of public authority prerogatives with which is vested the controller or a third party to whom the data are disclosed;
    5. when the processing is necessary to accomplish a legitimate interest of the controller or of a third party to whom the data are disclosed, on condition that this interest is not prejudicial for the interest or the fundamental rights and freedoms of the data subject;
    6. when the processing concerns data obtained from documents available to the public, according to the law;
    7. when the processing is performed exclusively for statistic purposes, historical or scientific research, and the data remain anonymous during the entire period of the processing;

  3. The provisions of paragraph (2) do not override the legal texts that rule the obligation of public authorities to respect and protect intimate, family and private life.

Article 6: Ending the processing operations

  1. At the end of the processing operations, if the data subject has not given his express and unequivocal consent for another destination or for another future processing, the personal data will be:
    1. destroyed;
    2. transferred to another controller, provided that the former controller guarantees the fact that further processing will have similar purposes to the former processing;
    3. transformed into anonymous data and stored exclusively for statistic purposes, historical or scientific research;

  2. In case of processing operations performed under the terms stated under Article 5, paragraph (2), letters c) or d), in the frame of activities described under Article 2 paragraph (5), the controller can store the personal data during the necessary period of time, in order to achieve the concrete followed goals, on condition that proper measures are ensured to protect them, and then, he proceeds to their destruction if the legal provisions regarding archive-preservation are not applicable.

Chapter III: Special Rules Regarding the Processing of Personal Data

Article 7: The processing of some special categories of data

  1. The processing of personal data linked to ethnic or racial origin, to political, religious or philosophic opinions or of another, similar nature, to trade-union adhesion, and also of personal data referring to state of health or sexual life, is prohibited.
  2. The provisions of paragraph (1) do not apply to the following situations:
    1. when the data subject has expressly given consent for such processing;
    2. when the processing is necessary in order to meet the obligations or specific rights of the controller in the field of labour law, observing the legal guarantees; a possible disclosure of the processed data to a third party can take place only if there is a legal obligation of the controller in this sense, or if the data subject has expressly agreed to the disclosure;
    3. when the processing is necessary to protect life, physical integrity or health of the data subject or of another person, when the data subject finds him-/herself in a physical or legal incapacity to give his/her consent;
    4. when the processing is carried out as part of the legitimate activities of a foundation, association, or of any other non-profit organisation with a political, philosophic or trade-union profile, provided that the data subject is a member of that organisation or has regular contacts with the organisation in its activity profile, and provided that the data shall not be disclosed to a third party without the consent of the data subject;
    5. when the processing refers to data made public in a clear way by the data subject;
    6. when the processing is necessary to determine, exercise or protect a right in a court of law;
    7. when the processing is necessary to preventive medical care, to establish a medical diagnosis, to provide medical care and treatment in the interest of the data subject, or to administrate health services that are in the best interest of the data subject, on condition that processing of that data is performed by or under supervision of medical staff pledged to the professional secret or by or under the supervision of another person subject to a similar obligation regarding the secrecy;
    8. when the law states so in an express manner in order to protect an important public interest, on condition that the processing is carried out in compliance with the rights of the data subject and of other legal guarantees stipulated by the present law.

  3. The provisions of paragraph (2) do not override the legal texts that rule the public authority’s obligation to respect and protect intimate, family and private life.
  4. The supervising authority can decide, on substantiated grounds, the prohibition of the processing of data belonging to the categories stated in paragraph (1), even if the data subject has given in writing his/her unequivocal consent, and the consent has not been withdrawn, on condition that the prohibition stated in paragraph (1) should not be eliminated through one of the cases referred to in paragraph (2), letters b)-g).

Article 8: The processing of personal data having the function of identification

  1. The processing of the personal numerical code or of other personal data having a function of identification of general implementation can be carried out only if:
    1. the data subject has given in an express manner his/her consent; or
    2. the processing is expressly stated by a legal text.

  2. The supervising authority may establish other cases in which the processing of data stated in paragraph (1) is possible, only after adequate guarantees have been provided in order to observe the rights of the data subject.

Article 9: The processing of personal data regarding health

  1. Except for the cases stated in Article 7, paragraph (2), the provisions of Article 7, paragraph (1) are not applicable to the processing of health data in the following situations:
    1. if the processing is necessary for the protection of public health;
    2. if the processing is necessary for the prevention of an imminent danger, the prevention of a criminal act, or for the prevention of the result of such an act or for the removal of the damaging results of such an act;

  2. The processing of health data may be carried out only by or under supervision of medical staff who are under pledge of professional confidentiality, except for the case when the data subject has given, in writing, his/her unequivocal consent and as long as the consent has not been withdrawn; also, except for the case when the processing is necessary for the prevention of an imminent danger, the prevention of a criminal act or for the prevention of the result of such an act or for the removal of the damaging results of such an act.
  3. The medical staff, health institutions staff, may process personal health data without the authorisation of the supervisory authority only when the processing is necessary to life, physical integrity or health of the data subject. When the mentioned purposes refer to other people or to the general public, and the data subject has not given his written and unequivocal consent, the authorisation of the supervisory authority must first be demanded and obtained. The processing of personal data is forbidden beyond the limits of authorisation.
  4. Except for emergency reasons, the authorisation stated under paragraph (3) may be given only after consulting the Romanian Medical College.
  5. The personal health data may be collected only from the data subject. There is an exception: these data can be collected from other sources only when necessary in order not to compromise the purpose of the processing and when the person involved does not want to or is unable to give them.

Article 10: The processing of personal data regarding offences or contravention

  1. The processing of personal data regarding the commission of criminal offences by the data subject or regarding convictions, security measures or administrative or contravention sanctions applied to the data subject, can be carried out only by or under the control of public authorities, within the limits of their powers given by the law and under the terms established by special laws that rule this field.
  2. The supervisory authority may establish other cases in which the processing stated under paragraph (1) might be performed, only on condition that adequate guarantees are established in order to observe the rights of the data subject.
  3. A complete file of criminal convictions can be kept only under the control of a public authority, within its limits stated by the law.

Article 11: Exceptions

The provisions of Articles 5, 6, 7, and 10 do not apply to the situation in which the processing of data is carried out exclusively for journalistic, literary or artistic purposes, if the processing regards personal data that were made public in a specific manner by the data subject or which are linked to the quality of public person of the data subject or linked to the public character of the facts he/she is involved in.

Chapter IV: The Rights of the Data Subject in the Context of Personal Data Processing

Article 12: Informing the data subject

  1. When the personal data are obtained directly from the data subject, it is the controller’s obligation to provide the data subject with the following minimum information, except for the situation in which the above mentioned person already possesses the information in question:
    1. the identity of the controller or, as the case may be, of the controller’s representative;
    2. the purpose of the data processing;
    3. more information, such as: the recipients or the categories of recipients; whether the providing of all data requested is obligatory and the consequences of refusal to co-operate; the existence of the data subject’s rights, stated by this law, notably the right of access to, of intervention on data and the right to object, as well as the conditions in which the data subject can benefit by these rights;
    4. any other information which may be expressly requested by the supervisory authority and is considered to serve a specific data processing case.

  2. When the data is not obtained directly from the data subject, it is the controller’s obligation, at the moment of collecting data or at the latest until the first disclosure, if he has the intention to disclose the data to a third party, to provide the data subject with the following minimum information, unless the data subject already possesses this information:
    1. the identity of the controller and, as the case may be, of the controller’s representative;
    2. the purpose of the data processing;
    3. more information, like: categories of data concerned, the recipients or the categories of recipients, the existence of the data subject’s rights as stated by this law, notably the right of access to, of intervention on data and the right to object, as well as the conditions in which the data subject can benefit by these rights;
    4. any other information which may be expressly requested by the supervisory authority and is considered to serve a specific data processing case.

  3. The provisions of paragraph (2) do not apply when the processing of data is performed exclusively for journalistic, literary or artistic purposes, if the application of these might reveal the source of the information.
  4. The provisions of paragraph (2) do not apply when the processing of data is performed for statistic, historical or scientific research, or in any other situations when the supply of such data proves to be impossible or would involve a disproportional effort towards the legitimate interest that might be damaged, and also in the situations in which recording or disclosure of the data is expressly stated by the law.

Article 13: The right of access to data

  1. Any data subject has the right to obtain from the controller, upon request and exempt from taxes, one time each year, the confirmation of the fact that the data concerning him/her are or are not being processed by the controller. The controller, in case he has processed any personal data concerning the petitioner, is obliged to communicate to the petitioner, along with the confirmation, at least the following:
    1. information regarding the purposes of the processing, the categories of data concerned and the recipients or the categories of recipients to whom the data are disclosed;
    2. intelligible communication of the processed data and of available information regarding the origin of the respective data;
    3. information on the functioning principles of the mechanism through which any automatic processing of data concerning the person in case is carried out;
    4. information concerning the existence of the right of intervention upon the data and the right to object, as well as the conditions in which the data subject can benefit by these rights;
    5. information on the possibility of consulting the record book of the processing of personal data, stated under Article 24; information on the possibility to submit a complaint to the supervisory authority, and to contest the controller’s decisions in court, according to the provisions of this law;

  2. The data subject can request from the controller the information stated under paragraph (1) through a written, dated and signed petition. The petitioner can underline his desire to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidential receipt of the information.
  3. It is the controller’s obligation to communicate the requested information, within 15 days of receipt of the petition, while complying with the petitioner’s option as provided in paragraph (2).
  4. For the personal health data, the petition mentioned in paragraph (2) may be filled in by the data subject him-/herself, or through medical staff who will mention the person on whose behalf the request has been made. Upon the controller’s or the data subject’s request, such communication as mentioned in paragraph (3) may be carried through by a member of the medical staff, appointed by the data subject.
  5. If the personal health data are processed for scientific research purposes, if the risk of infringing the rights of the person involved does not exist and if the data are not to be used in order to take measures against a person, the communication mentioned in paragraph (3) may be dispatched within a longer interval than the one mentioned in this paragraph, in case it might affect the process or the outcome of the research, but it should not be delayed after the research has been completed. Such a situation is only allowed if the data subject has given his/her express and unequivocal consent for the data to be processed for the purpose of scientific research, as well as for the possible delay of the communication mentioned in paragraph (3).
  6. The provisions of paragraph (2) do not apply when the processing of personal data is being carried out exclusively for journalistic, literary or artistic purposes, if their application might affect confidentiality as to the source of information.

Article 14: The right to intervention upon the data

  1. Any data subject has the right to obtain from the controller, on request and exempt from any tax:
    1. rectification, updating, obstruction or elimination of data whose processing does not comply with the provisions of the present law, notably incomplete or inaccurate data;
    2. anonymity of data whose processing does not comply with the provisions of the present law;
    3. the notification to a third party to whom the data were disclosed, of any operation performed according to letters a) or b), if such notification does not prove to be impossible to be done or if it does not request a disproportionate effort towards the legitimate interest that might thus be violated.

  2. In order to exercise the right stated in paragraph (1), the data subject shall fill in a written, dated and signed petition. The petitioner may state his/her wish to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidential receipt of the information.

  3. The controller has the obligation to communicate the measures taken based on the provisions of paragraph (1), and also, as the case may be, the name of a third party to whom the data concerning the data subject was disclosed, within 15 days from the date of the petition’s arrival, in compliance with the petitioner’s option, according to paragraph (2).

Article 15: The right to object

  1. The data subject has the right to object at any moment, based on justified and legitimate reasons linked to his particular situation, to a processing of data regarding himself/herself, unless there is a priority of specific legal dispositions.
  2. The data subject has the right to object at any moment, freely and without any explanation, to the processing of the data concerning his/her person for overt marketing purposes on behalf of the controller or of a third party, or to be disclosed to a third party for such a purpose.
  3. In order to exercise the rights stated under paragraphs (1) and (2), the data subject will fill in a written, dated and signed petition. The petitioner may specify if he/she wishes to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidentiality.
  4. The controller is obliged to inform the data subject over the measures taken, based on the provisions of paragraph (1) or (2), and also, as the case may be, the name of the third party to whom the data concerning the data subject were disclosed, within 15 days of the date of the petition’s arrival, in compliance with the option of the petitioner, according to paragraph (3).

Article 16: Exceptions

  1. The provisions of Articles 12, 13, Article 14 paragraph (3), and Article 15 do not apply in such activities as mentioned in Article 2 paragraph (5), if their application affects the efficiency of the action or the objective followed in order to accomplish the legal obligations of the public authority.
  2. The provisions of paragraph (1) above are applicable solely for the period of time necessary for the achievement of the purpose followed through the accomplishment of the activities mentioned in Article 2 (5).
  3. After the finalisation of the situation that justifies the application of paragraph (1) and (2), the controllers who accomplish the activities stated by Article 2 (5) shall take all necessary measures in order to ensure compliance with the data subjects’ rights.
  4. Public authorities will make a record of such cases and inform periodically the supervisory authority on the way these cases have been resolved.

Article 17: The right of not being subject to an individual decision

  1. Any person has the right to demand and receive:
    1. the withdrawal or the cancellation of a decision that produces juridical effects concerning him/her, adopted exclusively on a personal data processing basis, carried out through automatic means, destined to evaluate some aspects of his/her personality and/or professional competence, credibility, behaviour or other such aspects;
    2. re-evaluation of any decisions regarding him/her, and which affects him/her in a significant manner, if the decision was adopted exclusively on a basis of data processing that meets the conditions stated under letter a).

  2. Respecting the other guarantees stated by the present law, a person can be subject to a decision of the nature mentioned in paragraph (1), only in the following situations:
    1. the decision is taken in the frame of entering into or performing a contract, on condition that the entering into or performing of the contract’s request, filled in by the data subject, has been satisfied or that some adequate measures have been taken, for example, the possibility of sustaining his point of view in order to guarantee the protection of its own legitimate interest;
    2. the decision taken is authorised by a law which states the measures that guarantee the protection of the data subject’s legitimate interest.

Article 18: The right to refer to a court of law

  1. Without prejudice to the possibility of applying to the supervisory authority, the data subject has the right to refer to a court of law in defence of any rights guaranteed by the present law.
  2. Any person who suffered a prejudice as a consequence of unlawful processing of personal data may address a competent court of law in order to obtain compensation for the prejudice suffered.
  3. A competent court of law is one whose territorial jurisdiction covers the complainant’s domicile. The complaint addressed to the court of law is exempt from stamp tax.

Chapter V: Confidentiality and Security of Processing

Article 19: Confidentiality of data processing

Any person who acts under authority of the controller or of the processor, including the processor, and who has access to personal data, may not process them unless on the controller’s specific instructions, except when the above-mentioned person acts on a legal obligation basis.

Article 20: Security of data processing

  1. It is the controller’s obligation to apply the adequate technical and organisational measures in order to protect the data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access, notably if the respective data are committed to the IT net, as well as against any other form of illegal processing.
  2. These measures must ensure, depending on the costs and the processing means employed, adequate security against processing hazards, considering the nature of the data that must be protected. The minimum security requirements shall be elaborated by the supervisory authority and shall be periodically upgraded, according to the technical progress and the accumulated experience.
  3. When appointing a processor, the controller has the obligation to nominate a person who presents enough guarantees regarding technical security and the organisational measures concerning the data to be processed. The controller shall also supervise that the nominated person complies with these measures.
  4. The supervisory authority may decide, in individual cases, that the controller should adopt additional security measures, except such measures as might affect the guaranteed security of telecommunication services.
  5. Data processing performed by an appointed processor shall be initiated following a written contract which should necessarily contain the following:
    1. the obligation of the empowered person to act only while strictly following instructions received from the controller;
    2. the fact that the accomplishment of the obligations set out in paragraph (1) also applies to the processor.

Chapter VI: Supervising and Control of Personal Data Processing

Article 21: The supervisory authority

  1. The supervisory authority, in the terms of the present law, is the Advocate of the People.
  2. The supervisory authority shall act under fully independent and impartial conditions.
  3. The supervisory authority shall monitor and control the legal framework of the personal data processing subject to this law. In order to achieve this purpose, the supervisory authority exercises the following attributions:
    1. designs the typed forms for notifications and register books;
    2. receives and analyses the notifications concerning the processing of personal data, and informs the controller on the results of the previous control;
    3. authorises the processing of data in the situations set out by the law;
    4. may dispose, in case he notices inconsistency with the provisions of the present law, temporary suspending or termination of the data processing, partial or total erasure of the processed data and may notify the criminal prosecution bodies or may file complaints to the court of law;
    5. is responsible for the safe keeping of the personal data processing register, which shall be available to public access;
    6. receives and resolves petitions, notices or requests coming from natural persons and communicates the resolution, or the measures which have been taken;
    7. performs investigations - ex officio, or upon requests or notification;
    8. is consulted when legislative drafts are elaborated, drafts regarding persons’ rights and freedoms concerning personal data processing;
    9. may make proposals concerning the initiation of legislative drafts or amendments to already enforced legislative acts in the fields linked to the processing of personal data;
    10. collaborates with the public authorities and bodies of the public administration, centralises and analyses their annual activity reports regarding the protection of persons concerning processing of personal data, formulates recommendations and assents over any matter linked to the protection of fundamental rights and freedoms regarding the processing of personal data, on request of any natural person, including the public authorities and bodies of the public administration; these recommendations and assents must mention the reasons that they are based on and must be communicated, in copy, to the Minister of Justice; when the recommendation or the assent is requested by the law, it must be published in the Official Monitor of Romania, Part I;
      11. co-operates with similar authorities from abroad in order to accomplish mutual assistance, and with foreign residents to the purpose of guaranteeing the fundamental rights and freedoms that can be affected through the processing of personal data;
      12. fulfils the attributions set out by the law.

    4. The entire staff of the supervisory authority have the permanent obligation of keeping the professional secret, except for the cases set out by the law, regarding the confidential or classified information they had access to in the exercise of their powers, even after termination of the legal relations with the supervisory authority.

    Article 22: The notice addressed to the supervisory authority

    1. The controller is obliged to notify the supervisory authority, either personally or through a representative, before initiating any kind of processing having similar or related purposes to previous processing.
    2. Notification is not necessary in the event that the sole purpose of the processing is to keep a record available for public reference and open for consultation to the general public and to any person who proves a legitimate interest, provided that the processing is limited to such data as are strictly necessary to the above mentioned record.
    3. The notification will contain the following information:
      1. the name, or the title, or the domicile, or the seat of the controller and of his empowered person, as the case may be;
      2. the purpose(s) of the processing;
      3. a description of the category/categories of the data subjects and of the data or the categories of data that are to be processed;
      4. the recipient and the categories of recipients the data is intended to be disclosed to;
      5. the guarantees accompanying the disclosure of the data to a third party;
      6. the manner in which the data subjects are being informed over their rights, the approximate termination date of the processing operations, the future destination of the data;
      7. the intended data transfer to other states;
      8. a general description that allows a preliminary appreciation of the measures taken in order to ensure processing security;
      9. mention of any data record system related to the processing, and of possible relation to other processing or other data record system, irrespective of whether they are to be fulfilled, or if they are situated on Romanian territory or not;
      10. the reasons that justify the implementation of the provisions of Articles 11 and 12 paragraph (3) or (4), or of Article 13 paragraph (5) or (6), in case that the data processing is exclusively performed for journalistic, literary, artistic or statistic purposes, or for historical or scientific research.

    4. If the notification is incomplete, the supervisory authority will demand its completing.
    5. Within its investigative powers, the supervisory authority may demand other information, notably regarding the data origin, the automatic processing technology used and details about security measures. The provisions of the present paragraph do not apply in the situation in which the processing of data is exclusively performed for journalistic, literary, or artistic purposes.
    6. If an international transfer of the data is intended, the notification will consist of:
      1. the data categories subject to the transfer;
      2. the destination country for each data category.

    7. The notification is subject to a tax that must be paid by the controller to the supervisory authority.
    8. The public authorities that carry out processing of personal data related to the activities described in Article 2, paragraph (5), based on the law or in compliance with the obligations assumed through ratified international agreements, are exempt from the tax set out in paragraph (7). The notification will be sent within 15 days from the entering into force of the legislative act that establishes the obligation in case and will also contain the following elements:
      1. the name and the seat of the controller;
      2. the purpose and the legal basis of the processing;
      3. the personal data categories subject to processing.

    9. The supervisory authority may establish other situations in which the notification is not necessary, except for the one set out at paragraph (2), or those situations in which the notification may be fulfilled in a simplified manner, only in the following cases:
      1. when taking into consideration the nature of the data to be processed, the processing cannot affect, at least in appearance, the rights of the data subject, provided that the purposes of such a processing are expressly mentioned, as well as the data and categories of data that may be processed, the category/categories of data subjects, the recipients or categories of recipients to whom the data can be disclosed, and also the period of time during which the data may be stored;
      2. when the processing is carried out under the terms of Article 7, paragraph (2) letter d).

Article 23: Preliminary control

  1. The supervisory authority will establish the categories of processing operations that are suspected to present special risks for the persons’ rights and freedoms.
  2. If based on the notification, the supervisory authority shall mention that the processing belongs to one of the categories mentioned in paragraph (1), and shall decide on a preliminary control regarding the processing in case, and accordingly announce the controller.
  3. The controllers who were not announced within 5 days of notification upon the fulfilment of a preliminary control may start the processing.
  4. In the situation set out in paragraph (2) the supervisory authority is obliged, within no longer than 30 days of notification, to inform the controller on the result of the fulfilled control, and on the decision issued thereupon.

Article 24: Personal data processing record

  1. The supervisory authority keeps a personal data processing register, drawn up under the terms of the provisions of Article 22. The register contains all the information set out under Article 22 paragraph (3).
  2. Each controller is given a registration number. The registration number must be written on every document which relates to data collection, storing or disclosure.
  3. Any change affecting accuracy of the registered information will be communicated to the supervisory authority within 5 days. The supervisory authority will dispose immediately that the necessary correction should be inserted in the register.
  4. The processing activities of personal data which started before the present law has come into force will be notified in order to be registered within 15 days of the date when the present law entered into force.
  5. The register of the processing of personal data is available for public reference. The supervisory authority establishes the access procedure.

Article 25: Petitions addressed to the supervisory authority

  1. In defence of the rights set out by the present law, the persons whose personal data are processed under the terms of this law may file in a complaint to the supervisory authority. The complaint may be addressed directly or through a representative. The data subject may empower an association or a foundation to represent his/her interests.
  2. The petition addressed to the supervisory authority is invalid if legal prosecution has been already initiated on that same case.
  3. Except for the cases in which a delay would cause imminent and irreparable damage, the petition submitted to the supervisory authority must not be addressed earlier than 15 days since filing in a complaint on that same case to the controller.
  4. In order to solve the petition the supervisory authority may, if necessary, hear the data subject, the controller, and the empowered person or the association or the foundation that represents the interests of the data subject. These persons have the right to file in petitions, documents and memoirs. The supervisory authority may order an enquiry.
  5. If the petition is found to be substantiated, the supervisory authority may decide on any of the measures set out in Article 21 paragraph (3) letter d). Temporary suspension of processing may be ordained only until cessation of the reasons that have determined such measures to be taken.
  6. The decision must be motivated and shall be communicated to the parties involved within 30 days of the registering of the petition.
  7. The supervisory authority may order, if necessary, the suspending of some or all processing operations till the petition has been resolved under the provisions of paragraph (5).
  8. The supervisory authority may appeal to a court of law in order to defend the rights of the data subjects as guaranteed by the present law. The competent court of law is the Court of Bucharest. The complaint addressed to the court of law is exempt from stamp taxes.
  9. Upon request of the data subjects, for substantiated reasons, the court may decide the suspending of the processing till the petition addressed to the supervisory authority has been resolved.
  10. The provisions of paragraph (4) and (9) also apply to the situation in which the supervisory authority finds out, by any other means, about a violation of the rights of the data subjects as recognised by the present law.

Article 26: Appeal against the decisions of the supervisory authority

  1. The controller or the data subject may formulate an appeal against any decision made by the supervisory authority based on the provisions of the present law, within 15 days of communication, under the sanction of decay, to the competent administrative court of law. The parties shall be subpoenaed and the complaint shall be immediately analysed. The resolution is permanent and irrevocable.
  2. The processing of personal data carried out in the frame of such activities as set out in Article 2, paragraph (5) are excepted from the provisions of paragraph (1), and also of Articles 23 and 25.

Article 27: The exercise of the investigative powers

  1. In the course of personal data processing, the supervisory authority may investigate, ex-officio or upon request, any violation of the data subjects’ rights, of the obligations of the controller, and, as the case may be, of the empowered persons, to the purpose of defending the fundamental rights and freedoms of the data subjects.
  2. The supervisory authority may not exercise his investigative powers in case a complaint was previously filed to court on the same case of rights violation, opposing the same parties.
  3. In the exercise of its investigative powers, the supervisory authority may demand of the controller any information linked to the processing of data and may verify any document or record regarding the processing of personal data.
  4. The state secret and the professional one must not be invoked in order to prevent the exercise of the powers of the supervisory authority set out by the present law. When protection of the state or of the professional secret is invoked, the supervisory authority has the obligation to keep the secret.
  5. If the supervisory authority in the exercise of his investigative power has as object a processing of personal data, carried out by the public authorities, and in relation to such activities as described under Article 2 paragraph (5) for a concrete case, it is necessary to obtain a preliminary agreement of the prosecutor or of the competent court of law.

Article 28: Conduct rules

  1. The professional associations have the obligation to elaborate and submit for approval to the supervisory authority codes of conduct that contain adequate rules in order to protect the rights of persons whose personal data may be processed by the members of the associations.
  2. The rules of conduct must contain measures and procedures able to ensure satisfactory protection, taking into account the nature of the data that can be processed. The supervisory authority may dispose specific measures and procedures for the period of time during which the conduct rules are not adopted.

Chapter VII: Transfer of Personal Data Abroad

Article 29: The conditions of the transfer of personal data abroad

  1. The transfer to another state of data that are subject to processing or destined to be processed after the transfer may take place only if the Romanian law is not violated, and the state of destination ensures an adequate protection level.
  2. The protection level will be appreciated by the supervisory authority, taking into account all the circumstances in which the transfer is performed, especially the nature of the transferred data, the purpose of the processing and the period of time proposed for the processing, the state of origin and the state of destination, as well as the legislation of the latter state. In case the supervisory authority notices that the protection level offered by the state of destination is unsatisfactory, he may order cancellation of the data transfer.
  3. Data transfer to another state shall be always subject to preliminary notification from the supervisory authority.
  4. The supervisory authority may authorise the data transfer to another state which does not have at least the same protection level as the one offered by the Romanian legislation, provided that the controller offers enough guarantee regarding the protection of fundamental individual rights. The guarantee must be established through contracts signed by the controllers and the natural or legal person(s) who have ordered the transfer.
  5. The provisions of paragraphs (2), (3) and (4) do not apply in case the data transfer is performed based on a special law or on an international agreement ratified by Romania, notably if the transfer is done to the purpose of prevention, investigation or repressing a criminal offence.
  6. The provisions of the present article do not apply when the processing of data is performed for exclusive journalistic, literary or artistic purposes, if the data were made public expressly by the data subject or are related to the data subject's public quality or to the public character of the facts he/she is involved in.

Article 30: Situations in which the transfer is always allowed

The data transfer is always allowed in the following situations:

  1. when the data subject has given his/her explicit consent for the transfer; in case the data transfer is linked to any of the data set out at Article 7, 8, and 10, the consent must be written;
  2. when it is necessary for the carrying out of a contract signed by the data subject and the controller or for the application of some pre-contractual measures taken upon request of the data subject;
  3. when it is necessary for the signing or the carrying out of a contract concluded or about to be concluded between the controller and a third party, in the data subjects’ interest;
  4. when it is necessary for the accomplishment of a major public interest, such as national defence, public order or national safety, fluency of proceedings in a criminal trial or the identification, performance or defence of rights in court, on condition that the data is processed to such a purpose only, and without illegitimate delay;
  5. when it is necessary to protect the data subjects’ life, physical integrity or health;
  6. when it is a consequence of a previous request for access to official documents that are open to the public, or of a request for information that can be obtained from registers or any other documents of public access.

Chapter VIII: Contraventions and Sanctions

Article 31: Failure to notify and malevolent notification

Failure to submit obligatory notification under the terms set out by Article 22 or Article 29 paragraph (3), as well as incomplete notification or one that contains false information, if the respective maladministration falls short of a criminal offence, are considered contraventions liable to a fine of 5 million to 100 million ROL (Romanian currency - lei).

Article 32: Illegal processing of personal data

The processing of personal data by a controller or by an empowered person of the controller, while breaching the provisions of Articles 4-19, or while disregarding the rights set out at Articles 12-15 or in Article 17, is considered a contravention, if the respective maladministration falls short of a criminal offence, and is fined from 10 million to 250 million ROL.

Article 33: The un-fulfilment of the obligations regarding the confidentiality and the implementation of the security measures

The un-fulfilment of the obligations regarding the implementation of the security measures and of the confidentiality keeping of the processing, stated at Articles 19 and 20, is a contravention, if not done in such conditions to constitute a criminal offence, and is liable to a fine of 15 million to 500 million ROL.

Article 34: Refusal to supply information

Refusal to supply the requested information or documents to the supervisory authority in the exercise of his investigative powers as set out by Article 27 is considered a contravention, if the respective maladministration falls short of a criminal offence, and is fined between 10 million and 150 million ROL.

Article 35: Establishment of a contravention and application of penalties

  1. Establishment of a contravention and application of penalties are carried out by the supervisory authority, which is able to delegate these powers on to a person recruited from his staff, and also by the empowered persons of the bodies with supervising or control powers, in legal competence.
  2. The provisions of the present law regarding the contraventions are to be completed with those of the Government Ordinance No. 2/2001 concerning the Juridical Frame of Contravention, when the present law does not state otherwise.
  3. The minutes that report the contravention and establish the sanctions may be appealed against to the administrative section of a court of law.

Chapter IX: Final Provisions

Article 36: Entering into force

The present law enters into force on the date of its issue in the Official Monitor of Romania, Part I, and will be applicable within three months of its entering into force.

The Senate adopted the present law during the session of 15 October 2001, in accordance with the provisions of Article 74 paragraph (2) from the Constitution of Romania.

PRESIDENT OF THE SENATE,

NICOLAE VACAROIU

The present law was adopted by the Deputy Chamber in the session of 22 October 2001, in accordance with the provisions of Article 74 paragraph (2) from the Constitution of Romania.

PRESIDENT OF THE DEPUTY CHAMBER,

VALER DORNEANU

Published in the Official Monitor of Romania, Part I, No. 790 / 12 December 2001

*** Unauthorised translation ***