top of page

ROMANIA - Data Protection and GDPR Review

History of Data Protection in Romania

The history of data protection in Romania is intertwined with the country's evolving legal landscape, technological changes, and membership in the European Union. Here's a look at the key milestones:

Pre-2000: Early Years and EU Aspirations

Before Romania began the process of joining the European Union, there was little in the way of formal data protection legislation. However, as Romania started its journey towards EU membership, aligning with EU directives and norms became critical.

2001: National Supervisory Authority

Romania took an important step by establishing the National Supervisory Authority for Personal Data Processing (ANSPDCP), laying down the foundation for institutional data protection oversight.

2005: Law 677/2001 Revisions

Romania had initially adopted Law 677/2001, but substantial amendments were made in 2005 to align the legislation with EU standards. This law laid the groundwork for data protection principles such as data subject rights, data processor responsibilities, and data transfer guidelines.

2007: EU Membership

Romania joined the European Union in 2007, which led to further scrutiny and alignment of data protection laws in compliance with the EU legal framework. This paved the way for Romania to adapt its legislation to future EU data protection changes.

2010-2016: Incremental Changes

During this period, the Romanian government made several incremental changes to its data protection laws to keep pace with technological advancements and emerging challenges. The ANSPDCP became more active in monitoring and enforcing data protection regulations.

2018: GDPR Implementation

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect across the EU, including Romania. The GDPR replaced national data protection laws and provided a harmonized set of rules for all EU member states.

2018-2019: National Law No. 190/2018

Romania passed a national law to implement GDPR provisions and particularities in the Romanian legal context. Law No. 190/2018 was enacted to supplement GDPR regulations and guide its local implementation.

Present and Future: Ongoing Compliance and Challenges

ANSPDCP continues to be the main regulatory body ensuring GDPR compliance in Romania. The authority is more active than ever, with penalties for GDPR violations being enforced rigorously.

Challenges and Innovations

Like many other countries, Romania faces challenges posed by emerging technologies such as Artificial Intelligence, the Internet of Things, and blockchain. These technologies are likely to shape future updates to Romania's data protection framework.

Romania has made significant strides in data protection, particularly in alignment with EU regulations like GDPR. Today, Romanian organizations must comply with robust data protection standards, both from the GDPR and national legislation. This reflects Romania's commitment to protecting individual privacy in an increasingly digital world.

Romania, as an EU member state, falls under the jurisdiction of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. This comprehensive guide aims to provide an understanding of data protection principles and practices in Romania as they relate to GDPR.

Guide of Contents

1. Regulatory Bodies

2. Key Principles

3. National Legislation

4. Rights of Data Subjects

5. Consent Requirements

6. Data Breach Reporting

7. International Data Transfers

8. Compliance for Businesses

9. Penalties and Enforcement

10. FAQs

11. Future Outlook

1. Regulatory Bodies

- National Supervisory Authority for Personal Data Processing (ANSPDCP)**: Romania's national data protection authority responsible for implementing and overseeing data protection laws.

2. Key Principles

Romania adheres to GDPR's key principles:

- Lawfulness, fairness, and transparency

- Purpose limitation

- Data minimization

- Accuracy

- Storage limitation

- Integrity and confidentiality

3. National Legislation

- National Law No. 190/2018: This Romanian law complements GDPR, addressing particular aspects relevant to Romania, such as certain exemptions and conditions for data processing.

4. Rights of Data Subjects

Individuals in Romania have the following rights under GDPR:

- Right to Access: Can request a copy of personal data held.

- Right to Rectification: Can correct inaccurate or incomplete data.

- Right to Erasure (“Right to be Forgotten”): Can request deletion of data under specific circumstances.

- Right to Object: Can object to data processing under certain conditions.

- Right to Data Portability: Can receive and transfer personal data in a machine-readable format.

5. Consent Requirements

- **Informed and Unambiguous**: Consent must be specific, freely given, and clear.

- **Minors**: Parental consent is required for data subjects below the age of 16.

6. Data Breach Reporting

- 72-Hour Rule**: Data breaches must be reported to ANSPDCP within 72 hours of discovery.

- Notification to Data Subjects: Individuals must be notified directly if there is a high risk to their rights and freedoms.

7. International Data Transfers

- Adequate Safeguards: Data transfers outside the EU are permitted only if adequate protections are in place, as specified by GDPR.

8. Compliance for Businesses

- Data Protection Officer (DPO): Required for public authorities or organizations processing large volumes of sensitive data.

- Data Protection Impact Assessment (DPIA): Mandatory for high-risk data processing activities.

- Record-Keeping: Records of data processing activities must be maintained.

9. Penalties and Enforcement

- Fines: Up to €20 million or 4% of global annual turnover, whichever is higher.

- Enforcement: Conducted by the ANSPDCP.

10. FAQs

- Does Romanian law complement GDPR?: Yes, National Law No. 190/2018 serves this purpose.

- **Who is the regulatory authority?: ANSPDCP is responsible for overseeing data protection in Romania.

11. Future Outlook

Emerging technologies like Artificial Intelligence, Internet of Things (IoT), and blockchain are likely to shape Romania's data protection landscape, requiring updates to existing legislation.


GDPR serves as the foundational regulation for data protection in Romania, supplemented by national laws that specify the framework’s application within the country. Businesses and organizations operating in Romania must be compliant with these regulations to avoid stringent penalties.

Note: This guide is for informational purposes and should not be considered as legal advice. Always consult with legal experts for advice tailored to your specific circumstances.


bottom of page