Romanian Personal Data Authority inspection - Procedure and how to challenge the sanctions

GDPR has been applicable in Romania for 6 years. This period was marked by significant compliance efforts for data controllers and numerous sanctions imposed by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (hereinafter, for ease of reference, Romanian Data Authority).

In this article, we will briefly review the inspection procedure, the timeframe for appealing sanctions and other corrective measures imposed, the effects of an appeal, and conclude with some recommendations for operators to ensure that the control process proceeds smoothly, without sanctions, or with increased chances of success in case of an appeal.

On what grounds is a GDPR investigation initiated in Romania?

  • The Supervisory Authority’s initiative (ex officio)

  For instance, when the authority's representatives identify non-compliant online activities (e.g., failure to inform data subjects about data processing conducted through the website), signals of non-compliance during inspections at the operator’s business partners, or after the operator reports a personal data security breach (recently, the Romanian Data Authority initiated two investigations on this premise, resulting in significant fines).

  • As part of the personal data subject’s complaint resolution procedure

  Therefore, it is crucial to have internal mechanisms that allow data subjects to exercise their rights, to actually respect these rights, and to resolve their requests and complaints within a reasonable time frame.

What is the scope of the GDPR investigation in Romania?

Although the complaint or the issues noted by the Romanian Data Authority as the premise for initiating the investigation generally target specific/limited aspects, ANY ASPECTS REGARDING COMPLIANCE WITH PERSONAL DATA PROCESSING RULES may be checked during investigations.

Who conducts the GDPR investigation in Romania?

The Romanian Data Authority's control personnel – who must identify themselves and, for on-site investigations, present an AUTHORIZATION indicating the NAME OF THE ENTITY SUBJECT TO THE CONTROL.

Who must participate in the GDPR investigation?

The investigation must be conducted in the presence of the person being investigated or their legal representative. If they cannot be present, they must appoint a representative. The representative can also be the entity’s Data Protection Officer.

Is the data operator notified about the inspection? When can the GDPR inspection take place?

The control can be announced in advance or unannounced.

Investigations must be conducted between 8:00 AM and 6:00 PM. They can continue after 6:00 PM only with the consent of the person being investigated or their representative.

Where can the GDPR control take place?

Investigations can be conducted ON-SITE, at the AUTHORITY’S HEADQUARTERS, or IN WRITING. ON-SITE investigations are not limited to the headquarters or workplaces of the entity being controlled but can target ANY LOCATIONS RELATED TO THE PROCESSING in question.

What are the obligations of the inspected entity during the GDPR inspection?

Throughout the procedure, the inspected entity must maintain a collaborative attitude with the inspection team:

  • Allow the initiation and conduct of the procedure,
  • Grant access to their premises and to any equipment, means, or support used for data processing/storage, and provide any information, documents, or records necessary for the investigation,
  • Provide the control team with complete and certified documents, as well as any requested information, records, and evidence,
  • Support the control personnel and provide any requested clarifications.

The controlled entity cannot oppose confidentiality to refuse access or handover of requested materials!

During the control, the control team:

  • May order expert examinations,
  • May interview individuals whose statements are considered relevant,
  • For on-site investigations extending over several days, may seal documents deemed relevant to the investigation, the controlled entity being obligated to ensure their integrity until the seals are removed,
  • May use audio/video/photo recording and storage equipment, and
  • May request remote access to IT systems and databases.

All of these translate into specific correlative obligations for the controlled entity.


Can the data operator oppose the GDPR control?

No, it cannot simply refuse the inspection. The control can proceed even without its consent, with PRIOR judicial authorization and police support.

The Authority may also impose coercive fines of up to 3,000 RON per day for each day of delay in fulfilling the obligations.

However, for justified reasons, the controlled entity may request the suspension or postponement of a control.


Completion of GDPR Control. GDPR Control/Sanction Report. Sanction Decision

Following the control, the ANSPDCP issues a control or sanction report and, where applicable, a Sanction Decision. Fines up to the RON equivalent of 300,000 EUR may be applied by the control team; fines above this limit require a Sanction Decision issued by the ANSPDCP president.

In any case, the sanction act must contain all legally required mentions and be accompanied by all legally required documents. Otherwise, deficiencies may constitute grounds for absolute or relative nullity of the sanctioning act.

The report and the sanction shall be communicated in copy to the entity in question.

For on-site controls, before imposing any sanction, the controlled entity must be given the opportunity to express a viewpoint / objections to the findings.

GDPR fines in Romania. Other GDPR corrective measures in Romania. Recommendations for GDPR inspections in Romania

Following the control, the authority may issue a warning or apply a fine, along with other corrective measures and/or recommendations.

The fine must be paid within 15 days of receiving the sanctioning act, i.e., within the same period in which it can be appealed. Appealing the sanction suspends the obligation to pay the fine until a final court decision is rendered.

A control/sanction report that is not challenged within the legal term becomes an enforceable title.

Unfortunately, in this field, the possibility of paying only half of the minimum legal fine within 15 days of receiving the report is recognized only for public authorities.

Corrective measures may include, for example, obligating the operator to comply with data subject requests for exercising their rights, ensuring the compliance of processing operations with applicable legal provisions, obligating the operator to inform the data subject about a data protection breach, prohibiting processing, rectifying, or deleting personal data, withdrawing a certification, or suspending data flows to a recipient in a third country.

Within the timeframe set by the authority, proof of implementing the corrective measures must be provided. Otherwise:

  • A new investigation may be initiated.
  • A coercive fine of up to 3,000 RON per day of delay, calculated from the date set by the decision, may be imposed.

Appealing the sanction and/or measures does NOT suspend the obligation to implement these measures within the timeframe set by the authority.


GDPR recommendations are not mandatory but should not be ignored. The highlighted issues may be the premise for sanctions during future controls. Taking concrete measures in line with the recommendations will prove the entity's concern for compliant processing and provide a favourable argument in case of future sanctions.

Appealing the GDPR fine and GDPR corrective measures in Romania

The sanctioning act must be appealed within 15 days of handover/receipt. Within this period, all reasons for illegality and ungroundedness must be invoked. The competent court is the administrative litigation section of the Tribunal.

The term is a forfeiture period. After the term expires, the right to appeal is extinguished.

Recommendations in case of GDPR inspection in Romania

  1. The main recommendation is, obviously, to implement a set of technical, IT, administrative, and legal measures, to ensure the lawfulness of processing and the security and confidentiality of personal data. These measures must be proportional but appropriate in the context of your activity.
  2. Regularly or whenever necessary, reassess the impact of processing and the security measures in place, and improve them (e.g., in case of workflow expansion, increased data volume or categories, and especially in case of security breaches or if you identify additional risks over time).
  3. Pay attention to requests and complaints received from data subjects, resolve them adequately and in time and keep evidence of resolution.
  4. Compile a compliance file (preferably both physical and electronic) – centralizing and organizing all relevant GDPR compliance documents for your company.
  5. In case of an inspection, appoint a representative with relevant knowledge of the applicable laws and of the specific flows, policies, and procedures in your organization. Early-stage support from an experienced lawyer is advisable. Usually, processors seek specialised help only when it is too late, i.e., to challenge the fines.
  6. Maintain a collaborative attitude with the authority's representatives.
  7. Provide any clarifications you deem favourable and submit objections to the control/sanction report within the legal timeframe. The controlled entity has this right by law, whether the control is on-site, at the authority's headquarters, or remote. For the latter two cases, the objection period is the same as the sanction appeal period.