May 2023 – As May 2023 marks the fifth anniversary of the implementation of GDPR, we have prepared an overview of the five years of regulatory struggle in Romania since the regulation came into effect. By examining the value of the sanctions and the types of violations, we can identify some regulatory trends of the local practice.
Statistics on fines
In the first year of GDPR (i.e., May 2018–May 2019), the Romanian Data Protection Authority (“the Authority”) did not issue any fines, but only recommendations, even though a significant number of ex-officio investigations were performed (namely 336). This was a year of accommodation.
In the following years (May 2019–end of 2021), the Authority continued to carry out ex-officio investigations, with an average of 385 investigations per year, issuing an average of 14 fines per year.
In particular, in 2020 the Authority carried out the highest number of ex-officio investigations (i.e., 398) while in 2021 the Authority applied the highest number of fines (i.e., 21).
In 2022 we can see a spike in the number of fines, which increased to 50 according to a press release on the Authority’s website.
Generally, Romania was ranked third in the European Union in terms of the number of fines imposed by the Authority from 2018 until early 2022 (i.e., 68 fines). We can only assume that Romania will keep its place or even rank higher considering the increase in the number of fines during 2022.
However, the total value of the fines was only EUR 721,000, resulting in a rather low value of the average fine in Romania, i.e., EUR 10,603. This reflects a continuation of the previous local sanctioning practice, even after the implementation of GDPR.
Trends on the types of violations
Most of the sanctions were imposed for breaching:
- the security and confidentiality measures for the processing of personal data, through data controllers' failure to adopt adequate technical and organisational measures to ensure the security of processing;
- the processing principles, in particular those relating to lawfulness, transparency and proportionality;
- the rights of data subjects (e.g., right of access).
As these seem rather straightforward, it could mean that local data controllers have not yet implemented GDPR and, thus, the Authority can easily find a breach when performing an audit.
Activity of the authority before the courts
Recently, the Romanian Data Protection Authority published details and statistics on its activity in front of courts of law. It seems that more than 72% of the Authority’s sanctions in 2019-2022 were challenged by data controllers before the competent courts.
The Authority has also revealed that by 31 March 2023, a total of 23 claims filed by data controllers with the court had been resolved. Among these, 18 claims were decided in favour of the Authority, with the infringements upheld. This includes scenarios where the fine was maintained in full (e.g., the EUR 100,000 fine for Banca Transilvania SA, the EUR 20,000 fine for Vreau Credit SRL) or scenarios where the fine was reduced or even replaced with a warning (e.g., Raiffeisen Bank SA, World Trade Center Bucharest SA).
We can only assume that data controllers that succeeded in obtaining a reduction of the fine or a change of the fine to a warning are also pleased with the result.
By Oana Grigore, Senior Associate and Gabriela Ion, Associate, Kinstellar