Tue, Jun
60 New Articles

Five Years of GDPR: An Overview of GDPR Implementation in Romania

Five Years of GDPR: An Overview of GDPR Implementation in Romania

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

May 2023 – As May 2023 marks the fifth anniversary of the implementation of GDPR, we have prepared an overview of the five years of regulatory struggle in Romania since the regulation came into effect. By examining the value of the sanctions and the types of violations, we can identify some regulatory trends of the local practice.

Statistics on fines

In the first year of GDPR (i.e., May 2018–May 2019), the Romanian Data Protection Authority (“the Authority”) did not issue any fines, but only recommendations, even if a significant number of ex-officio investigations were performed (namely 336). This was a year of accommodation.

In the following years (May 2019–end of 2021), the Authority continued to carry out ex-officio investigations, with an average of 385 investigations per year, issuing an average of 14 fines per year.

In particular, in 2020 the Authority carried out the highest number of ex-officio investigations (i.e., 398) while in 2021 the Authority applied the highest number of fines (i.e., 21).

In 2022 we can see a spike in the number of fines, which increased to 50 according to a press release on the Authority’s website.

Generally, Romania was ranked third in the European Union in terms of the number of fines imposed by the Authority from 2018 until early 2022 (i.e., 68 fines). We can only assume that Romania will keep its place or even rank higher considering the increase in the number of fines during 2022.

However, the total value of the fines was only EUR 721,000, resulting in a rather low value of the average fine in Romania, i.e., EUR 10,603. This reflects a continuation of the previous local sanctioning practice, even after the implementation of GDPR.

Trends on the types of violations

Most of the sanctions were imposed for breaching:

  • the security and confidentiality measures for the processing of personal data, by failing to adopt adequate technical and organisational measures by data controllers to ensure the security of processing;
  • the processing principles, in particular those relating to lawfulness, transparency and proportionality;
  • the rights of data subjects (e.g., right of access).

As these seem rather straightforward, it could mean that local data controllers have not yet implemented GDPR and, thus the Authority can easily find a breach when performing an audit.

Activity of the authority before the courts

Recently, the Romanian Data Protection Authority published details and statistics on its activity in front of courts of law. It seems that more than 72% of the Authority’s sanctions in 2019-2022 were challenged by data controllers before the competent courts.

The Authority has also revealed that by 31 March 2023, a total of 23 claims filed by data controllers with the court had been solved. Among these, 18 claims were in favour of the Authority by upholding the infringements. This includes scenarios where the fine was maintained in full (e.g., the EUR 100,000 fine for Banca Transilvania SA, the EUR 20,000 fine for Vreau Credit SRL) or scenarios where the fine was reduced or even replaced with a warning (e.g., Raiffeisen Bank SA, World Trade Center Bucharest SA).

We can only assume that data controllers that succeeded to obtain a reduction of the fine or a change of the fine to a warning are also pleased with the result.

By Oana Grigore, Senior Associate and Gabriela Ion, Associate, Kinstellar

Romanian Knowledge Partner

Țuca Zbârcea & Asociații is a full-service independent law firm, employing cross-disciplinary teams of lawyers, insolvency practitioners, tax consultants, IP counsellors, economists and staff members. It also operates a secondary law office in Cluj-Napoca (Romania), and has a ‘best-friend’ agreement with a leading law firm in the Republic of Moldova. In addition, thanks to the firm’s dedicated Foreign Desks, the team provides the full range of services to international investors seeking to gain a foothold or expand their existing operations in Romania. Since 2019, the firm and its tax arm are collaborating with Andersen Global in Romania.

Țuca Zbârcea & Asociaţii is providing legal services in every aspect of business, covering all major areas of practice: corporate and M&A; litigation and international arbitration; corporate tax; public procurement; TMT; employment; insurance; banking and finance; capital markets; competition; healthcare and pharmaceutical; energy and natural resources; environmental; intellectual property; real estate; regulatory legal services.

Țuca Zbârcea & Asociaţii is a First-Tier law firm in all international legal directories and a multiple award-winning law firm both locally and internationally. It received the CEE Deal of the Year Award (DOTY Awards 2021) and the Law Firm of the Year Award: Romania (IFLR Europe Awards 2021). 

Firm's website.

Our Latest Issue