Compared to the initial version of the draft law, among the most important measures to be rendered, please find the following ones:
The data controllers may process the national identification number (CNP or data from the ID card) in the situations provided by art. 6 par. (1) of the GDPR. The latter operation is possible under the condition that certain safeguards are established in the process, as following:
- (i) establishing certain technical and organizational measures, with the assurance of data confidentiality and security – art. 32 GDPR,
- (ii) appointing a data protection officer within the undertaking – art. 8 GDPR,
- (iii) establishing specific storage terms for the data in consideration of the processing purpose and
- (iv) periodically training the responsible personnel for the data processing operations.
Also, the processing of genetic, biometric or health data performed in order to achieve an automatic decision-making process, as well as of data concerning health issues with the aim of establishing an automated decision-making process for profiling are allowed in the following situations: (i) data subject gives his/her explicit consent and (ii) the data processing is performed under express legal provisions, in both cases the data controller has the obligation to implement appropriate safeguards.
At the same time, the processing of personal data in the context of work relations, regarding monitoring using electronic means of communication and/or video monitoring at work for carrying out the employer’s legitimate interests is permitted only under certain conditions, as herein provided:
- (i) the legitimate interests of the employer prevail over the fundamental interests or rights and freedoms of the data subjects,
- (ii) prior, complete and explicit information of the employee has been done,
- (iii) prior consultation of the trade union or employee representatives regarding the implementation of the monitoring systems is ensured,
- (iv) there is no other forms and less intrusive ways to achieve the processing purpose to be pursued by the employer, and
- (v) proportionality of the data retention period – no more than 30 days regarding data processed via monitoring systems, except the cases where a longer period is required by law or is precisely justified.
Another mention to be made is that in the final version of the legislative proposal, the provisions of the previous national law adopted in June (Law no 129/2018 for the amendment of Law no 102/2005) regarding the sanctioning procedure and the administrative fine limit for public authorities have been maintained, respectively 200.000 RON. On the contrary, for private sector, the maximum limits provided by GDPR are not changed, the law referring to the relevant provisions of GDPR (article 83) which set forth "the administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher".
*Link to draft: Click here