Needless to say, the COVID-19 pandemic has been extremely challenging for organizations worldwide, both experienced and start-ups. The new reality has also compelled a vast majority of entrepreneurs in Romania to quickly adapt to a new economic context – significantly impacting the data protection domain.
Three years have passed since the 25th of May, 2018, the momentous date on which the GDPR’s provisions became mandatory for companies that process personal data in their activity. The first two years were a real challenge for Romanian controllers and processors. Last year, as the dynamics of data protection were rapidly changing during the pandemic, we noticed a substantial interest among businesses in adapting their operations to the new reality formed by the GDPR. In other words, the pandemic may have been the push they needed to make them act.
1. The New Challenges Brought to GDPR Implementation by COVID-19
During the first year of the GDPR’s application, Romanian companies were reluctant to allocate financial resources to their security and legal departments to align their policies with the standards imposed by the GDPR. In the second year, we noticed an increased interest and greater awareness in the data protection field. Then, in the third year, the pandemic struck. The new rules imposed by the legislature for fighting the COVID-19 pandemic caused a large majority of entrepreneurs to re-adapt their new policies to another reality – one with remote work, online meetings, and other digital measures. Challenges and threats arising from the use of new technologies in remote work became numerous and more complex, since companies had to consider, in addition to data protection provisions, new strategies for cybersecurity preparedness and safe teleworking.
2. The Active Role of the Romanian Supervisory Authority During the COVID-19 Crisis
The Romanian Supervisory Authority continues to play an active role in GDPR compliance. In 2020, as a result of intimations received and security breaches it was notified of by the data controllers, nine fines (totalling EUR 139,000), nine reprimands, and eighteen corrective measures were imposed, compared with 2019, when only eleven fines (totalling EUR 445,000), fourteen reprimands, and thirteen corrective measures were imposed. Even if the total amount of fines was lower in 2020, the number of investigations remained constant. This brings us to the conclusion that data protection has been taken more seriously by companies during the pandemic.
3. The Positive Effects of the GDPR During the Pandemic
One of the most unexpected indirect effects of the GDPR is that Romanian citizens are more aware of their rights. The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object, and the right to data portability. The GDPR has empowered individuals to play a more active role in what is happening with their data in the digital age. In this regard, the Report of the Romanian Supervisory Authority states that in the first two years, about 10,000 complaints were submitted, referring, primarily, to: (i) the disclosure of personal data without the subject’s consent; (ii) the receiving of unsolicited commercial messages; (iii) the processing of images through the video surveillance systems, (iv) reporting data to the Credit Office.
Companies went the extra mile to meet the needs of more aware and more demanding customers and employees. Consequently, privacy has become an added value for employees and a competitive aspect that customers increasingly have in mind when choosing services.
Conclusion
The GDPR remains a significant concern for Romanian organizations. Given the new worldwide trend of digitalization at almost every business level, we expect Romanian companies to continue to comply with the GDPR’s provisions, and the Supervisory Authority to play an active role in guiding and monitoring GDPR compliance. In addition, data subjects have a greater level of awareness regarding their rights related to the processing of personal data. The general principles of effectiveness, necessity, and proportionality must continue to guide any measures adopted by both companies and public authorities.
By Adoriana Azoitei-Frumosu, Head of Data Protection, Hategan Attorneys
This Article was originally published in Issue 8.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.