Law no. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and Free Circulation of Such Data
The Parliament of Romania adopts the present law.
Chapter I: General Provisions
Article 1: Purpose
- The purpose of this law is to guarantee and protect the natural persons’ fundamental rights and freedoms, especially the right to personal, family and private life, concerning the processing of personal data.
- The exercise of the rights stated by this law shall not be restricted except for the specified and limited cases stated by the law.
Article 2: Scope
- The present law applies to the processing of personal data, performed, totally or partially, through automatic means, as well as to the processing through means other than automatic, which are part of, or destined to, a filing system.
- The present law applies to:
- The processing of personal data, carried out in the context of the activities of data-controllers based in Romania;
- The processing of personal data, carried out by the diplomatic missions or consular offices of Romania;
- The processing of personal data, carried out by data controllers not based in Romania, by using any means, unless these means are only used for purposes of transiting the processed personal data through Romanian territory.
- In the case mentioned at paragraph (2) letter c), the data-controller will delegate a representative who must be a person based in Romania. The provisions of this law applicable to the data-controllers are also applicable to his representative, without infringing the possibility of filing a complaint before a court of law, directly against the data-controller.
- The present law applies to the processing of personal data, performed by natural or legal persons, Romanian or foreign, under public and private law, regardless of whether the data processing takes place in the public or private sector.
- The present law, within the stated limits, also applies to the processing and transfer of personal data, carried out in the context of crime prevention, criminal investigation, public order and other activities under criminal law, within the limits and restrictions stated by the law.
- The present law does not apply to the processing of personal data, carried out by natural persons exclusively for their own interests, if the data in question is not destined to be revealed.
- The present law does not apply to the processing and transfer of personal data, carried out in the context of national defence and national security, within the limits and restrictions stated by the law.
- The provisions of this law do not infringe upon the obligations assumed by Romania through ratified international instruments.
Article 3: Definitions
In the context of this law, the following terms are defined as follows:
- Personal data: any information referring to a natural person, identified or identifiable; an identifiable person is a person who can be identified, directly or indirectly, particularly with reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- The processing of personal data: any operation or set of operations that is performed upon personal data, by automatic or non-automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure to a third party by transmission, dissemination or by any other means, alignment or combination, blocking, erasure or destruction;
- Storage - keeping the collected personal data on any type of storage medium;
- Personal data filing system: Any organised structure of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- Data-controller - any natural or legal person, operating under private or public law, including public authorities and institutions and their branches, which determines the purpose and means of processing of personal data. If the purpose and the means of the processing of personal data are determined by a legislative act, or are based on a legislative act, the data-controller is the natural or legal person, operating under public or private law, who is designated as a data-controller by the specific legislation.
- Person delegated by the data-controller (processor): Any natural or legal person, operating under private or public law, including public authorities/institutions and their territorial bodies, which process personal data on behalf of the data-controller;
- Third party: Any natural or legal person, operating under private or public law, including public authorities/institutions and their territorial bodies, other than the data subject, the controller, the processor or the persons who, under direct authority of the controller or of the processor, are authorised to process data;
- Recipient - any natural or legal person, operating under private or public law, including public authorities/institutions and their territorial bodies, to whom data is disclosed, whether a third party or not. The public authorities which receive data in the context of a particular inquiry will not be regarded as recipients;
- Anonymous data - data which, due to its origin or specific manner of processing, cannot be put in connection with an identified or an identifiable person.
Chapter II: General Rules Regarding the Processing of Personal Data
Article 4: Characteristics of personal data
- Personal data which is intended for processing must be:
- Processed fairly and lawfully;
- Collected for specific, explicit and legitimate purposes. Further processing of personal data for statistical, historical research, or for scientific purposes, shall not be considered as incompatible with the purpose of their collection if it is done according to the provisions of this law, including those referring to the notification addressed to the supervisory authority, and also according to the guarantees on the processing of personal data, stated by the provisions ruling the statistic activity or the historical or scientific research;
- Adequate, pertinent and not excessive in relation to the purpose for which they are collected and further processed;
- Accurate and, where necessary, updated. For this purpose, measures shall be taken to erase and/or rectify all inaccurate or incomplete data, with regard to the purpose for which the data was collected and further processed.
- Stored in a form which permits identification of data subjects strictly for the timeframe necessary to achieve the purpose for which the data are collected and further processed. The storage of data for a longer period than the one mentioned, for statistical, historical or scientific research, is acceptable if the guarantees regarding personal data processing, as stated in the relevant legislation, are respected, but only during the necessary period of time to achieve these purposes.
- The data-controllers have the obligation to observe the provisions of paragraph (1) and to ensure the implementation thereof by the data processor.
Article 5: Conditions of legitimacy regarding data processing
- Any processing of personal data, except for processing which refers to the categories mentioned under Article 7 (1), Articles 8 and 10, may be carried out only if the data subject has given his/her express and unequivocal consent for that processing.
- The consent of the data subject is not required in the following situations:
- When the processing is necessary for the performance of a contract or a pre-contract to which the data subject is party, or in order to take steps, at his request, before entering into a contract or a pre-contract;
- When the data-processing is necessary in order to protect life, physical integrity or the health of the data subject, or of a third party who is at risk;
- When the data-processing is necessary in order to fulfil a legal obligation of the data-controller;
- When the data-processing is necessary for the purposes of a task of public interest or concerns the exercise of official authority prerogatives vested in the controller or in a third party to whom the data are disclosed;
- When the data-processing is necessary for the purposes of a legitimate interest of the data-controller or of a third party to whom the data is disclosed, on condition that this interest does not prejudice the interests, fundamental rights or freedoms of the data subject;
- When the data-processing concerns data which is obtained from documents available to the general public, according to the law;
- When the processing is performed exclusively for statistical, historical or scientific research, and the data remain anonymous during the entire processing period.
- The provisions in paragraph (2) do not override the legal texts that govern the obligations of public authorities to respect and protect family and private life.
Article 6: Termination of processing operations
- At the end of the data-processing operations, if the data subject has not given his express and unequivocal consent for another destination, or for further processing, the personal data will be:
- Destroyed;
- Transferred to another data-controller, provided that the former data-controller guarantees the fact that further processing will have similar purposes to that of the former data-processing;
- Transformed into anonymous data and stored exclusively for statistical purposes, historical or scientific research.
- In the case of processing operations performed under the terms stated under Article 5, paragraph (2), letters c) and d), in the framework of activities described under Article 2 paragraph (5), the data-controller may store personal data during the specified timeframe, in order to achieve the concrete goals, on condition that proper measures are ensured to protect data, and afterwards, they shall be erased if legal provisions on archive-preservation are not applicable.
Chapter III: Special Rules Regarding the Processing of Personal Data
Article 7: The processing of special categories of data
- The processing of personal data linked to ethnic or racial origin, to political, religious or philosophical opinions (or similar), to trade-union membership, to state of health or sex life, is prohibited.
- The provisions of paragraph (1) shall not apply to the following situations:
- When the data subject has expressly given consent for such data-processing;
- When the data-processing is necessary in order to meet the obligations or specific rights of the data-controller in the field of labour law, although the legal guarantees must be observed. Disclosure of the processed data to a third party may only take place if the data-controller is legally required to do so, or if the data subject has expressly agreed to the disclosure;
- When the data-processing is necessary in order to protect the life, the physical integrity or the health of the data subject, or of another person, and the data subject is physically or legally incapable of giving his/her consent;
- When the data-processing is carried out in the course of the legitimate activities of a foundation, association, or of any other non-profit organisation with a political, philosophical or trade-union profile, provided that the data subject is a member of that organisation or has regular contacts with the organisation, and that the data shall not be disclosed to a third party without the consent of the data subject;
- When the data-processing refers to data expressly made public by the data subject;
- When the data-processing is necessary to determine, exercise or protect a right in a court of law;
- When the processing is necessary for preventive medical care, to establish a medical diagnosis, to provide medical care/treatment in the interest of the data subject, or to administer health services that are in the best interest of the data subject, on condition that processing of that data is performed by, or under the supervision of, medical staff pledged to professional secrecy or under the supervision of another person subject to a similar obligation regarding secrecy;
- When the law expressly provides it, in order to protect an important public interest, on condition that the processing is carried out in compliance with the rights of the data subject and of other legal guarantees stipulated by the present law.
- The provisions of paragraph (2) do not override the legal texts that govern the public authority’s obligation to respect and protect family and private life.
- The supervisory authority may decide, on justified grounds, the prohibition of the processing of data belonging to the categories stated in paragraph (1), even if the data subject has given in writing his/her unequivocal consent, and the consent has not been withdrawn, on condition that the prohibition stated in paragraph (1) should not be eliminated by one of the cases referred to in paragraph (2), letters b)-g).
Article 8: The processing of personal data having the function of identification
- The processing of personal numerical codes or other personal data having the function of general identification may be carried out only if:
- The data subject has given his/her unequivocal consent; or
- The processing is expressly required by a legal text.
- The supervisory authority may establish other cases in which the processing of data stated in paragraph (1) is possible, only after adequate guarantees have been provided in order to observe the rights of the data subject.
Article 9: The processing of personal data regarding health
- Except for the cases stated in Article 7, paragraph (2), the provisions of Article 7, paragraph (1) are not applicable to the processing of health data in the following situations:
- If the data-processing is necessary for the protection of public health;
- If the processing is necessary for the prevention of an imminent danger, the prevention of a criminal act, or for the prevention of the result of such an action or for the removal of the damaging results of such an action;
- The processing of health data may be carried out only by, or under the supervision of, medical staff who are under a pledge of professional confidentiality, except for the cases when the data subject has given, in writing, his/her unequivocal consent and as long as the consent has not been withdrawn, and except for cases when data-processing is necessary for the prevention of an imminent danger, the prevention of a criminal act or for the prevention of the result of such an act or for the removal of the damaging results of such an act.
- The medical staff, health institutions staff, may process personal health data without the authorisation of the supervisory authority only when the data-processing is necessary to life, physical integrity or health of the data subject. When the mentioned purposes refer to other people or to the general public, and the data subject has not given his written and unequivocal consent, the preliminary authorisation of the supervisory authority must be obtained. The processing of personal data is forbidden beyond the limits of authorisation.
- Except for emergency reasons, the authorisation stated under paragraph (3) may be given only after consulting the Romanian Medical College.
- Personal health data may only be collected from the data subject themselves. In exceptional cases, this data may be collected from other sources only when it is necessary not to compromise the purpose of the processing, and the data subject does not want, or is unable to, give the data.
Article 10: The processing of personal data regarding offences or legal contraventions
- The processing of personal data regarding criminal offences committed by the data subject, or regarding previous convictions, security measures or administrative sanctions applied to the data subject, may be carried out only by or under the control of public authorities, within the limits of their powers given by the law and under the terms established by the specific laws in this field.
- The supervisory authority may establish other cases in which the data-processing stated under paragraph (1) might be permissible, provided that adequate guarantees to observe the rights of the data subject are put in place.
- A complete file of criminal convictions may be kept only under the control of a public authority, within its limits stated by the law.
Article 11: Exceptions
The provisions of Articles 5, 6, 7, and 10 do not apply when the data processing is exclusively carried out for journalistic, literary or artistic purposes, if the data-processing regards personal data that was expressly made public by the data subject, or if it is linked to the public persona of the data subject, or to the publicly known events that he/she is involved in.
Chapter IV: The Rights of the Data Subject in the Context of Personal Data Processing
Article 12: Informing the data subject
- When the personal data is obtained directly from the data subject, it is the data-controller’s obligation to provide the data subject with the following minimum information, except where the data subject already has the required information:
- The identity of the data-controller or, as the case may be, of the data-controller’s representative;
- The purpose of the data processing;
- Any further information, such as: the recipients, or categories of recipients of data; whether the provision of all requested data is obligatory, the consequences of refusal to reply; the existence of the data subject’s rights, stated by this law, notably the right of access to data, the right to rectify data, and the right to object, as well as the conditions for exercising these rights;
- Any other information which may be expressly requested by the supervisory authority and considering the specific data processing.
- When the data is not obtained directly from the data subject, it is the data-controller’s obligation, at the moment of collecting data or at the latest until the first disclosure, if he has the intention to disclose the data to a third party, to provide the data subject with the following minimum information, unless the data subject already has the respective information:
- The identity of the data-controller or, as the case may be, of the data-controller’s representative;
- The purpose of the data processing;
- Any further information, such as: categories of data required, the recipients or the categories of recipients of the data, the existence of the data subject’s rights as stated by this law, notably the right of access to data, the right to rectify data and the right to object, as well as the conditions for exercising these rights;
- Any other information which may be expressly requested by the supervisory authority considering the specific data processing.
- The provisions of paragraph (2) shall not apply when the processing of data is performed exclusively for journalistic, literary or artistic purposes, if the application of these might reveal the source of the information.
- The provisions of paragraph (2) shall not apply when the processing of data is performed for statistical, historical or scientific research, or in any other situations when the supply of such data proves to be impossible or would involve a disproportional effort towards the legitimate interest that might be damaged, or when recording or disclosure of the data is expressly laid down by law.
Article 13: The right of access to data
- Every data subject has the right to obtain from the data-controller, upon request, and free of charge for one time a year, confirmation of the fact that the data concerning him/her are or are not being processed by the data-controller. The data-controller, in case he has processed any personal data concerning the petitioner, is obliged to communicate to the petitioner, along with the confirmation, at least the following:
- Information regarding the purposes of the data-processing, the categories of data concerned, the recipients or the categories of recipients to whom the data are to be disclosed;
- Communication in an intelligible form of the processed data and of any other available information on the source of the respective data;
- Information on the technical principles, mechanisms and logic involved in the automatic data processing with regard to the subject (person);
- Information concerning the existence of the right to rectify the data, and the right to object, as well as the conditions for exercising these rights;
- Information on the possibility of consulting the Register of data processing operations, stated under Article 24; information on lodging a complaint to the supervisory authority, and to dispute the data-controller’s decisions in court, according to the provisions of the present law;
- The data subject may request from the data-controller the information stated under paragraph (1) through a written, dated and signed petition. The petitioner may underline his desire to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidential receipt of the information.
- It is the data-controller’s obligation to communicate the requested information, within 15 days of receipt of the petition, while complying with the petitioner’s option as provided in paragraph (2).
- Regarding personal health data, the petition mentioned in paragraph (2) may be filled-in by the data subject him/herself, or by medical staff who will show the subject (person) on whose behalf the request has been made. Upon the data-controller or the data subject’s request, such communication as mentioned in paragraph (3) may be carried out by a member of the medical staff, appointed by the data subject.
- If the personal health data are processed for scientific research purposes, if the risk of infringing the rights of the person involved does not exist and if the data are not to be used in order to take measures against a person, the communication mentioned in paragraph (3) may be dispatched within a longer interval than the one mentioned in this paragraph, in case it might affect the process or the outcome of the research, but it should not be delayed after the research has been completed. Such a situation is only allowed if the data subject has given his/her express and unequivocal consent for the data to be processed for the purpose of scientific research, as well as for the possible delay of the communication mentioned in paragraph (3).
- The provisions of paragraph (2) shall not apply when the processing of personal data is being carried out exclusively for journalistic, literary or artistic purposes, if their application might affect confidentiality as to the source of the information.
Article 14: The right to rectify the data
- Every data subject has the right to obtain from the data-controller, on request, and free of charge:
- Rectification, updating, blocking or removal of data whose processing does not comply with the provisions of the present law, notably of incomplete or inaccurate data;
- Anonymity of data whose processing does not comply with the provisions of the present law;
- The notification to a third party to whom the data were disclosed, of any operation performed according to letters a) or b), unless such notification proves to be impossible or involves a disproportionate effort towards the legitimate interest that might thus be violated.
- In order to exercise the right stated in paragraph (1), the data subject shall fill in a written, dated and signed petition. The petitioner may state his/her wish to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidential receipt of the information.
- The data-controller has the obligation to communicate the measures taken based on the provisions of paragraph (1), and also, as the case may be, the name of a third party to whom the data concerning the data subject was disclosed, within 15 days from the date of the petition’s receipt, while complying with the petitioner’s option, according to paragraph (2).
Article 15: The right to object
- The data subject has the right to object at any moment, based on justified and legitimate reasons linked to his particular situation, to a processing of data regarding himself/herself, unless there are contrary legal dispositions. In case of justified opposition, the processing of data may no longer take place concerning the respective subject (person).
- The data subject has the right to object at any moment, freely and without any explanation, to the processing of data concerning his/her person for overt marketing purposes on behalf of the controller or of a third party, or to be disclosed to a third party for such a purpose.
- In order to exercise the rights stated under paragraphs (1) and (2), the data subject will fill in a written, dated and signed petition. The petitioner may specify if he/she wishes to be informed at a specific address, which may also be an electronic one, or through a mail service that ensures confidentiality.
- The controller is obliged to inform the data subject about the measures taken, based on the provisions of paragraph (1) or (2), and also, as the case may be, the name of the third party to whom the data concerning the data subject were disclosed, within 15 days of the date of the petition’s arrival, in compliance with the option of the petitioner, according to paragraph (3).
Article 16: Exceptions
- The provisions of Articles 12, 13, Article 14 paragraph (3), and Article 15 do not apply in such activities as mentioned in Article 2 paragraph (5), if their application affects the efficiency of the action or the goal related to the fulfilment of legal obligations of the public authority.
- The provisions of paragraph (1) above are applicable solely for the period of time necessary for the achievement of the goal intended by the activities mentioned in Article 2 (5).
- As soon as the reasons that justified the application of paragraphs (1) and (2) no longer exist, controllers who accomplish the activities stated by Article 2 (5) shall take all necessary measures in order to ensure compliance with the data subjects’ rights.
- Public authorities will make a record of such cases and inform periodically the supervisory authority on the way these cases have been resolved.
Article 17: The right of not being subject to an individual decision
- Any person has the right to demand and receive the following:
- The withdrawal or the cancellation of a decision that produces juridical effects concerning him/her, adopted exclusively on a personal data processing basis, carried out through automatic means, destined to evaluate some aspects of his/her personality and/or professional competence, credibility, behaviour or other such aspects;
- Re-evaluation of any decisions regarding him/her, and which affects him/her in a significant manner, if the decision was adopted exclusively on a basis of data processing that meets the conditions stated under letter a).
- Respecting the other guarantees stated by the present law, a person may be subject to a decision of the nature mentioned in paragraph (1), only in the following situations:
- The decision is taken in the context of entering into or carrying out a contract, on condition that the entering into or performing of the contract’s request, filled in by the data subject, has been satisfied or that some suitable measures to safeguard his/her legitimate interest have been taken, such as arrangements allowing him/her to put his point of view;
- The decision taken is authorised by a law which states how the data subject’s legitimate interests will be guaranteed and protected.
Article 18: The right to refer to a court of law
- Without prejudice to the possibility of applying to the supervisory authority, the data subject has the right to refer to a court of law in defence of any rights guaranteed by the present law.
- Any person who suffered a prejudice as a consequence of unlawful processing of personal data may address a competent court of law in order to obtain compensation for the prejudice suffered.
- A competent court of law is one whose territorial jurisdiction covers the complainant’s domicile. The complaint addressed to the court of law is exempt from stamp tax.
Chapter V: Confidentiality and Security of Processing
Article 19: Confidentiality of data processing
Any person who acts under authority of the data-controller or of the data-processor, including a data-processor who has access to personal data, may not process them unless on the data-controller’s specific instructions, except when the above-mentioned person acts on the basis of a legal order.
Article 20: Security of data processing
- It is the data-controller’s obligation to apply the adequate technical and organisational measures in order to protect the data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access, notably if the respective data are committed to the IT net, as well as against any other form of illegal processing.
- These measures must ensure, depending on the costs and the processing means employed, adequate security against processing hazards, considering the nature of the data that must be protected. The minimum security requirements shall be elaborated by the supervisory authority and shall be periodically upgraded, according to the technical progress and the accumulated experience.
- When appointing a data-processor, the data-controller has the obligation to nominate a person who presents enough guarantees regarding technical security and the organisational measures concerning the data to be processed. The controller shall also ensure that the nominated person complies with these measures.
- The supervisory authority may decide, in individual cases, that the data-controller should adopt additional security measures, except such measures as might affect the guaranteed security of telecommunication services.
- Data processing performed by an appointed data-processor shall be initiated following a written contract which should necessarily contain the following:
- The obligation of the empowered person to act only while strictly following instructions received from the data-controller;
- The obligations set out in paragraph (1) also apply to the processor.
Chapter VI: Supervising and Control of Personal Data Processing
Article 21: The supervisory authority
- The supervisory authority, in the terms of the present law, is the Ombudsman.
- The supervisory authority shall be fully independent and impartial.
- The supervisory authority shall monitor and control the legal framework concerning the processing of personal data according to this law. In order to achieve this purpose, the supervisory authority has the following rights:
- Designs the standard forms for notifications and registry books;
- Receives and analyses the notifications concerning the processing of personal data, and informs the data-controller of the results of the previous control;
- Authorises the processing of data in the situations set out by the law;
- In case the authority notices inconsistency with the provisions of the present law, may partially or totally delete, suspend or terminate the data being processed, and may notify the criminal prosecution bodies or may file complaints to a court of law;
- Is responsible for the safe keeping of the personal data processing register, which shall be available to the general public;
- Receives and resolves petitions, notices or requests coming from natural persons and communicates their resolution, or the measures which have been taken;
- Performs investigations - ex officio, or upon request or notification;
- Is consulted when legislative drafts are being developed, drafts regarding persons’ rights and freedoms concerning personal data processing;
- May make proposals concerning the initiation of legislative drafts or amendments to existing legislation regarding the processing of personal data;
- Collaborates with the public authorities, centralises and analyses their annual activity reports regarding the protection of persons' personal data, formulates recommendations and comments on any matter linked to the protection of fundamental rights and freedoms regarding the processing of personal data, on request of any natural person, including public authorities; these recommendations and comments must mention the reasons they are based on and must be copied to the Minister of Justice. When the recommendation or assent is requested by the law, it must be published in the Official Monitor of Romania, Part I;
- Co-operates with similar authorities from abroad in order to organise mutual assistance projects, and with foreign residents for the purpose of guaranteeing the fundamental rights and freedoms that can be affected through the processing of personal data;
- Fulfils the obligations set out by the law.
- The entire staff of the supervisory authority have the permanent obligation of keeping professional secrecy, except for the cases set out by the law, regarding confidential or classified information they have access to in the carrying out of their duties, even after termination of their employment with the supervisory authority.
Article 22: The notices addressed to the supervisory authority
- The data-controller is obliged to notify the supervisory authority, either personally or through a representative, before initiating any kind of data-processing which has a similar or related purpose to previous data processing activities.
- Notification is not necessary in the event that the sole purpose of the data-processing is to keep a record available for public reference, and is (or will be) open for consultation to the general public or to any person who proves a legitimate interest, provided that the data-processing is limited to such data as are strictly necessary to the above mentioned record.
- The notification will contain the following information:
- The name, the title, domicile, or the office of the data-controller and of his empowered person, as the case may be;
- The purpose(s) of the data-processing;
- A description of the category/categories of the data subjects and of the data, or the categories of data, that are to be processed;
- The recipient and the categories of recipients the data is intended to be disclosed to;
- The guarantees accompanying the disclosure of the data to a third party;
- The manner in which the data subjects will be informed about their rights, the approximate end date of the data-processing operations, the future destination of the data;
- Any intended data transfer to other nation states;
- A preliminary assessment of the measures taken to ensure data-processing security;
- Mention of any data recording system related to the processing, and of possible relation to other processing or data recording systems, irrespective of whether they are to be fulfilled, or if they are situated on Romanian territory or not;
- The justification of the provisions of Articles 11 and 12 paragraph (3) or (4), or of Article 13 paragraph (5) or (6), in cases that the data processing is exclusively performed for journalistic, literary, artistic or statistical purposes, or for historical or scientific research.
- If the notification is incomplete, the supervisory authority will demand its completion.
- Within its investigative powers, the supervisory authority may demand other information, notably regarding the data’s origin, the automatic processing technology used and details about security measures. The provisions of the present paragraph do not apply in situations in which the processing of data is exclusively performed for journalistic, literary, or artistic purposes.
- If an international transfer of the data is intended, the notification will consist of:
- The data categories subject to the transfer;
- The destination country for each data category.
- The notification is subject to a tax that must be paid by the data-controller to the supervisory authority.
- The public authorities that carry out processing of personal data related to the activities described in Article 2, paragraph (5), based on the law or in compliance with the obligations assumed through ratified international agreements, are exempt from the tax set out in paragraph (7). The notification will be sent within 15 days from the legislative act entering into force, and will also contain the following elements:
- The name and address of the controller;
- The purpose and legal basis of the data being processed;
- The personal data categories subject to processing.
- The supervisory authority may establish other situations in which notification is not necessary, except for the one set out at paragraph (2), or those situations in which the notification may be fulfilled in a simplified manner, only in the following cases:
- When taking into consideration the nature of the data to be processed, the rights of the data subject cannot be affected, provided that the purposes of such data processing are clearly mentioned, as well as the definition of the data and categories of data that may be processed, the category/categories of data subjects, the recipients or categories of recipients to whom the data can be disclosed, and also the period of time in which the data may be stored;
- When the processing is carried out under the terms of Article 7, paragraph (2) letter d).
Article 23: Preliminary control
- The supervisory authority will establish the categories of processing operations that may represent special risks for the persons’ rights and freedoms.
- If based on the notification, the supervisory authority shall mention that the data-processing belongs to one of the categories mentioned in paragraph (1), and shall decide on a preliminary control regarding the data-processing in case, and accordingly announce the controller.
- Data-controllers who have not been informed within 5 days of notification of a preliminary control may start the data-processing.
- In the situation described in paragraph (2) the supervisory authority is obliged, within 30 days notice, to inform the data-controller about the results of control, and on the decisions issued thereupon.
Article 24: Personal data processing record
- The supervisory authority will keep a personal data processing registry, drawn up under the terms of Article 22. The registry will contain all the information set out under Article 22 paragraph (3).
- Each data-controller will be given a registration number. The registration number must be written on every document which relates to data collection, storage or disclosure.
- Any change affecting accuracy of the registered information will be communicated to the supervisory authority within 5 days. The supervisory authority will decide immediately that the necessary correction should be inserted in the register.
- The processing activities of personal data which started before the present law has come into force will be notified in order to be registered within 15 days of the date when the present law entered into force.
- The registry of personal data is available for public reference. The supervisory authority will establish the accessibility procedures.
Article 25: Petitions addressed to the supervisory authority
- In defence of the rights set out by the present law, persons whose personal data are processed under the terms of this law may file a complaint to the supervisory authority. The complaint may be addressed directly or through a representative. The data subject may empower an association or a foundation to represent his/her interests.
- The petition addressed to the supervisory authority is invalid if legal prosecution has been already initiated on that same case.
- Except for the cases in which a delay would cause imminent and irreparable damage, the petition submitted to the supervisory authority must not be addressed earlier than 15 days since filing in a complaint on that same case to the data-controller.
- In order to solve the petition the supervisory authority may, if necessary, hear the data subject’s view, the data-controller’s view, and the views of the association or foundation that represents the data subject. These persons have the right to file petitions, documents and memoirs. The supervisory authority may order an enquiry.
- If the petition is found to be substantiated, the supervisory authority may decide on any of the measures set out in Article 21 paragraph (3) letter d). Temporary suspension of data-processing may be ordained only until cessation of the reasons that have determined such measures are taken.
- The decision must be communicated to the parties involved within 30 days of the registering of the petition.
- The supervisory authority may order, if necessary, the suspension of some or all data-processing operations till the petition has been resolved, under the provisions of paragraph (5).
- The supervisory authority may appeal to a court of law in order to defend the rights of the data subjects as guaranteed by the present law. The competent court of law is the Court of Bucharest. The complaint addressed to the court of law is exempt from stamp taxes.
- Upon request of the data subjects, for substantiated reasons, the court may suspend the data-processing until the petition addressed to the supervisory authority has been resolved.
- The provisions of paragraph (4) and (9) also apply to the situation in which the supervisory authority finds out, by any other means, about a violation of the rights of the data subjects as recognised by the present law.
Article 26: Appeals against the decisions of the supervisory authority
- The data-controller or the data subject may submit an appeal against any decision made by the supervisory authority based on the provisions of the present law, within 15 days of communication, under the sanction of the loss of right, to the competent administrative court of law. The parties shall be subpoenaed and the complaint shall be immediately analysed. The resolution is irrevocable.
- The processing of personal data carried out in the framework of such activities as set out in Article 2, paragraph (5) is excepted from the provisions of paragraph (1), and also of Articles 23 and 25.
Article 27: The exercise of investigative powers
- In the course of personal data processing, the supervisory authority may investigate, ex-officio or upon request, any violation of the data subjects’ rights, of the obligations of the controller, and, as the case may be, of the empowered persons, to the purpose of defending the fundamental rights and freedoms of the data subjects.
- The supervisory authority may not exercise his investigative powers in a case where a complaint was previously filed in a court on the same basis of rights violation, opposing the same parties.
- In the exercise of its investigative powers, the supervisory authority may demand of the data-controller any information linked to the processing of data and may verify any document or record regarding the processing of personal data.
- State and professional secrets must not be invoked in order to prevent the exercise of the powers of the supervisory authority set out by the present law. When protection of state or professional secrets is invoked, the supervisory authority has the obligation to keep the respective secrets.
- If the supervisory authority in the exercise of its investigative power has the objective of processing personal data, carried out by the public authorities, and in relation to such activities as described under Article 2 paragraph (5) for a concrete case, it is necessary to obtain a preliminary agreement of the prosecutor, or of the competent court of law.
Article 28: Rules of Conduct
- The professional associations are obliged to submit for approval, to the supervisory authority, codes of conduct that contain adequate rules in order to protect the rights of persons whose personal data may be processed by the members of the associations.
- The rules of conduct must contain measures and procedures able to ensure satisfactory protection, taking into account the nature of the data that can be processed. The supervisory authority may impose other measures and procedures for the period of time during which the conduct rules are not adopted.
Chapter VII: Transfer of Personal Data Abroad
Article 29: The conditions of the transfer of personal data abroad
- The transfer to another state of data that are subject to processing or destined to be processed after the transfer may take place only if the Romanian law is not violated, and the destination state ensures an adequate level of protection.
- The protection level will be evaluated by the supervisory authority, taking into account all the circumstances in which the transfer is to be performed: the nature of the data to be transferred, the purpose, and the period of time proposed for processing, the state of origin and the state of destination, as well as the legislation of the latter state. In case the supervisory authority notices that the protection level offered by the state of destination is unsatisfactory, he may order cancellation of the data transfer.
- Data transfer to another state shall be always subject to preliminary notification from the supervisory authority.
- The supervisory authority may authorise the data transfer to another state which does not have at least the same protection level as the one offered by the Romanian legislation, provided that the data-controller offers enough guarantees regarding the protection of fundamental individual rights. The guarantee must be established through contracts signed by the data-controllers and the natural or legal person(s) who have ordered the transfer.
- The provisions of paragraphs (2), (3) and (4) do not apply in case the data transfer is based on a special law or on an international agreement ratified by Romania, notably if the transfer is done to the purpose of prevention, investigation or repressing a criminal offence.
- The contents of the present article do not apply when the processing of data is performed for exclusive journalistic, literary or artistic purposes, if the data were made public expressly by the data subject or are related to the data subject’s public quality or to the public character of the facts he/she is involved in.
Article 30: Situations in which the transfer is always allowed
The data transfer is always allowed in the following situations:
- When the data subject has given his/her explicit consent for the transfer. In case the data transfer is linked to any of the provisions set out at Article 7, 8, and 10, the consent must be written;
- When it is necessary for the carrying out of a contract signed by the data subject and the data-controller, or for the application of some pre-contractual measures taken upon request of the data subject;
- When it is necessary for the signing or the carrying out of a contract concluded or about to be concluded between the controller and a third party, in the data subjects’ interest;
- When public interest is at stake, such as national defence, public order or national safety; fluency of proceedings in a criminal trial or the identification, performance or defence of rights in court, on condition that the data is processed to such a purpose only, and without unreasonable delay;
- When it is necessary to protect the data subjects’ life, physical integrity or health;
- When it is a consequence of a previous request for access to official documents that are open to the public, or of a request for information that can be obtained from registers or any other documents of public access.
Chapter VIII: Contraventions and Sanctions
Article 31: Failure to notify and malevolent notification
Failure to submit obligatory notification under the terms set out by Article 22 or Article 29 paragraph (3), as well as incomplete notification or one that contains false information, if the respective maladministration falls short of a criminal offence, are considered contraventions liable to a fine of 5 million to 100 million ROL (Romanian currency - lei).
Article 32: Illegal processing of personal data
The processing of personal data by a data-controller or by a delegate of the data-controller, which breaches the provisions of Articles 4-19, or disregards the terms in 12-15 or in Article 17, is considered a contravention. If the offence falls short of a criminal offence, the fine can be from 10 million to 250 million ROL.
Article 33: The non-fulfilment of the obligations regarding confidentiality and the implementation of the security measures
The non-fulfilment of the obligations regarding the implementation of the security measures, and of confidentiality, stated in Article 19 and 20, is a contravention, if not considered a criminal offence, and is liable to a fine of 15 million to 500 million ROL.
Article 34: Refusal to supply information
Refusal to supply the requested information or documents to the supervisory authority in the exercise of his investigative powers as set out by Article 27 is considered a contravention, if the respective offence falls short of a criminal offence, and is liable to a fine between 10 million to 150 million ROL.
Article 35: Establishment of a contravention and application of penalties
- Establishment of a contravention and the application of penalties are carried out by the supervisory authority, which can delegate these powers to a member of staff, and also by those empowered by the supervisory or control bodies.
- The provisions of the present law regarding the contraventions are complementary with those of Government Ordinance No. 2/2001 concerning the legal framework of Contravention, when the present law does not state otherwise.
- The minutes that report the contravention and establish the sanctions may be appealed against in the administrative section of a court of law.
Chapter IX: Final Provisions
Article 36: Entering into force
The present law enters into force on the date of its publication in the Official Monitor of Romania, Part I, and will be applicable within three months of its entering into force.
The Senate adopted the present law during the session of 15 October 2001, in accordance with the provisions of Article 74 paragraph (2) from the Constitution of Romania.
PRESIDENT OF THE SENATE,
NICOLAE VACAROIU
The present law was adopted by the Deputy Chamber in the session of 22 October 2001, in accordance with the provisions of Article 74 paragraph (2) from the Constitution of Romania.
PRESIDENT OF THE DEPUTY CHAMBER,
VALER DORNEANU
Published in the Official Monitor of Romania, Part I, No. 790 / 12 December 2001