Since the General Data Protection Regulation came into force in May 2018, GDPR has become one of the most discussed and least understood pieces of legislation in European business. Many companies in Romania responded to GDPR by adding a cookie banner to their website and publishing a privacy policy, and considered themselves compliant.
They are not.
GDPR compliance is a continuous system of legal obligations, not a project with a completion date. This guide explains what GDPR compliance means in practice, which documents and procedures are mandatory, what risks exist, and how to prepare for a potential ANSPDCP investigation.
1. What is GDPR and who does it apply to in Romania
GDPR, Regulation (EU) 2016/679, is a European regulation with direct applicability in all EU member states, including Romania. Unlike directives, it does not require national transposition; it applies directly and uniformly across the EU.
In Romania, the supervisory authority responsible for enforcing GDPR is the National Supervisory Authority for Personal Data Processing — ANSPDCP.
Who GDPR applies to
GDPR applies to any organisation that processes personal data of individuals located in the European Union, regardless of the organisation’s size, sector, or where it is established.
In practice, GDPR applies to:
- any Romanian company processing data of customers, employees, or individual partners
- companies outside the EU offering goods or services to EU individuals or monitoring their behaviour
- non-profit organisations, associations, and foundations
- freelancers and sole traders processing data in their professional activity
What constitutes personal data
Personal data is any information relating to an identified or identifiable natural person. This definition is extremely broad and includes name and surname, email address, phone number, postal address, national identification number, IP address, location data, identifying cookies, photographs and video images, biometric data, and any other information that allows direct or indirect identification of a person.
2. The 6 fundamental principles of GDPR
GDPR is built on six fundamental principles that govern every personal data processing activity. Failure to comply with these principles is the basis for most sanctions imposed by supervisory authorities.
Lawfulness, fairness, and transparency: you process data only on a valid legal basis, fairly towards data subjects, and with transparent information about the processing.
Purpose limitation: you collect data for specified, explicit, and legitimate purposes and do not process it further in a way incompatible with those purposes. You cannot collect data for one purpose and use it for another.
Data minimisation: you collect only data that is adequate, relevant, and limited to what is necessary for the processing purpose. You do not collect data you do not use.
Accuracy: personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be rectified or erased without delay.
Storage limitation: personal data is kept only for as long as necessary for the purpose for which it was collected. You do not store data indefinitely without justification.
Integrity and confidentiality: you process data with appropriate security, protecting against unauthorised access, accidental loss, or destruction.
3. Legal basis for processing — the fundamental condition many ignore
One of the most frequent GDPR compliance errors is processing personal data without a valid legal basis. GDPR provides six possible legal bases for processing ordinary personal data and additional conditions for special categories of data.
The six legal bases
Consent: the data subject has given freely given, specific, informed, and unambiguous consent to the processing of their data for the specified purpose. Consent must be as easy to withdraw as it is to give.
Contract performance: processing is necessary for the performance of a contract to which the data subject is party or to take pre-contractual steps at their request. This is the basis for processing customer data to deliver products or provide services.
Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject. This is the basis for processing employee data for payroll and tax reporting purposes.
Vital interests: processing is necessary to protect the vital interests of the data subject or another natural person.
Public task: processing is necessary for the performance of a task in the public interest or in the exercise of official authority.
Legitimate interests: processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the data subject’s rights and freedoms. This is the most flexible but also the most complex legal basis, because it requires a documented balancing assessment before it can be invoked.
Why the choice of legal basis matters
The legal basis chosen determines the rights the data subject can exercise against you. For example, if you process on the basis of consent, the person can withdraw consent at any time. If you process on the basis of legitimate interests, the person can object to the processing. Choosing the wrong legal basis or having no legal basis at all is one of the most frequently identified issues in ANSPDCP investigations.
4. Mandatory documents and procedures
GDPR compliance does not end with a cookie banner and a privacy policy on your website. Here is the complete list of mandatory documents and procedures for most companies.
Record of processing activities
The record of processing activities is mandatory for organisations with more than 250 employees and for any organisation whose processing is likely to result in risks for data subjects, that processes special categories of data, or that processes data relating to criminal convictions.
In practice, the vast majority of companies with real commercial activity should maintain a record of processing activities, even if not strictly legally required, because it is the fundamental instrument for demonstrating compliance.
The record must contain for each processing activity: the purpose of processing, categories of data processed, categories of data subjects, recipients of the data, retention periods, and security measures implemented.
Privacy policy
The privacy policy, or processing notice, is the document through which you inform data subjects about the processing of their data. It must be clear, accessible, and contain all the information required by Articles 13 and 14 of GDPR.
A compliant privacy policy must include the identity and contact details of the controller, the DPO’s contact details if one has been appointed, the purposes and legal basis of each processing activity, recipients or categories of recipients, transfers outside the EU and applicable safeguards, retention periods, data subjects’ rights and how to exercise them, and the right to lodge a complaint with ANSPDCP.
Data Processing Agreements — DPA
Any external supplier that processes personal data on your behalf (a software provider, an email marketing platform, an external accountant, a cloud services provider) is a processor under GDPR. The relationship with them must be formalised through a data processing agreement compliant with Article 28 GDPR.
The absence of DPA agreements with suppliers is one of the most frequently identified issues in ANSPDCP investigations and can generate significant fines.
Data subject request procedure
You must have a clear internal procedure for receiving and handling data subject requests (access, rectification, erasure, portability, or objection). The response deadline is one month, extendable by a further two months in complex cases.
Security incident response procedure
Any security incident involving personal data must be immediately assessed to determine whether it generates a risk for data subjects. If it does, ANSPDCP must be notified within 72 hours of discovery. If the risk is high, affected data subjects must also be notified.
The 72-hour deadline is absolute: it cannot be extended, and it runs from the moment the organisation became aware of the incident.
Data Protection Impact Assessment — DPIA
A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons. Typical situations requiring a DPIA include large-scale processing of special categories of data, systematic monitoring of a publicly accessible area, systematic profiling of individuals, and processing of biometric data for unique identification purposes.
5. Data subject rights — your practical obligations
GDPR grants individuals whose data you process a set of concrete rights that you are obliged to respect. Failure to respect these rights is a frequent source of complaints to ANSPDCP.
Right of access: the data subject can request a copy of the personal data you process about them and information about the processing. You must respond within one month.
Right to rectification: the data subject can request correction of inaccurate data or completion of incomplete data. You must act without undue delay.
Right to erasure: also known as the right to be forgotten, this allows the data subject to request erasure of their data under certain conditions — when data is no longer necessary for the purpose for which it was collected, when consent has been withdrawn and there is no other legal basis, or when data has been unlawfully processed.
Right to data portability: the data subject can request receipt of their data in a structured, commonly used, machine-readable format and transmission to another controller.
Right to object: the data subject can object to processing based on legitimate interests or public task, including profiling. You must cease processing unless you demonstrate compelling legitimate grounds.
Right not to be subject to automated decision-making: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them.
6. Data transfers outside the EU
Transferring personal data to countries outside the European Economic Area is permitted only under strict conditions set out in GDPR.
Adequacy decision: the European Commission has determined that the destination country provides an adequate level of protection. Examples include the United Kingdom, Switzerland, Canada, and Japan.
Standard contractual clauses: sets of contractual clauses approved by the European Commission, included in contracts with recipients in third countries.
Binding corporate rules: for transfers within a multinational group.
Explicit consent: the data subject has given explicit consent to the proposed transfer after being informed of the risks.
Transfers to the United States remain a significant risk area following the invalidation of Privacy Shield in 2020. If you use American services (Google, Meta, Amazon Web Services, Mailchimp, Salesforce), you must verify that valid legal transfer mechanisms exist and document them.
7. ANSPDCP Fines — how large are they and what do they sanction
ANSPDCP has become significantly more active in recent years in enforcing GDPR. Fines imposed in Romania range from a few thousand euros to hundreds of thousands of euros, depending on the severity of the infringement and the specific circumstances.
Fine categories
GDPR provides for two levels of administrative fines.
Fines up to €10 million or 2% of global annual turnover: for infringements of obligations of controllers and processors, conditions applicable to children’s consent, and obligations of certification and monitoring bodies.
Fines up to €20 million or 4% of global annual turnover: for the most serious infringements, including failure to comply with the basic principles of processing, failure to respect data subjects’ rights, and unlawful transfers of data outside the EU.
What ANSPDCP most frequently sanctions
From ANSPDCP’s public investigations, the most frequent grounds for sanction are the absence or inadequacy of DPA agreements with suppliers, incomplete or incorrect privacy policies, failure to respond to data subject requests within the legal deadline, absence of adequate technical and organisational security measures, late or omitted notification of security incidents, and processing data without a valid legal basis.
Factors influencing the fine amount
ANSPDCP takes into account when setting the fine: the nature, gravity, and duration of the infringement, the number of data subjects affected, the damage suffered, whether the infringement was intentional or negligent, measures taken to mitigate damage, the degree of cooperation with the authority, and any prior infringements.
Challenging ANSPDCP fines
A fine imposed by ANSPDCP can be challenged before the administrative courts. Many sanctions are reduced or annulled in court, either for procedural defects in the conduct of the investigation or because the sanction imposed is disproportionate to the gravity of the infringement. Specialised legal representation at this stage is essential.
8. How to prepare for an ANSPDCP investigation
ANSPDCP can conduct investigations of its own motion, following complaints from data subjects, or as a result of publicised security incidents. Here is how to prepare.
Documentation you must have readily available
- an up-to-date record of processing activities
- privacy policies in force for all categories of data subjects (customers, employees, partners)
- DPA agreements with all suppliers that process data on your behalf
- an internal incident response procedure
- a data subject request management procedure and records of requests received and resolved
- evidence of employee training on GDPR obligations
How to respond to an investigation notice
Contact a GDPR specialist lawyer immediately. Do not send documents or statements to ANSPDCP without prior legal analysis; responses given during the investigation phase can significantly influence the outcome. Cooperate with the authority within the limits of your legal obligations: cooperation is a mitigating factor for fines, but it does not mean self-incrimination.
The best time for compliance
It is before the investigation. The cost of a GDPR audit and implementing a compliance system is incomparably lower than the cost of a fine, litigation, and the reputational damage associated with a public ANSPDCP investigation.
Frequently Asked Questions
Am I required to appoint a DPO? The obligation to appoint a Data Protection Officer exists for public authorities and bodies, for operators carrying out large-scale systematic monitoring, and for those processing special categories of data at large scale. If you do not fall into any of these categories, appointing a DPO is voluntary, but recommended if you process significant volumes of personal data.
Is a cookie banner sufficient for GDPR compliance? No. The cookie banner is just one component of compliance, and often one that is incorrectly implemented. GDPR compliance involves the record of processing activities, correct privacy policies, DPA agreements with suppliers, internal procedures and, in certain cases, impact assessments. A cookie banner without the rest of the system provides no real protection.
How long can I keep customer data? There is no universal retention period; it depends on the purpose of processing and applicable legal obligations. Data necessary for contract performance can be kept for the duration of the contract and the limitation period for contractual claims. Tax records must be kept in accordance with tax legislation, typically 5 or 10 years. Marketing data is kept until consent is withdrawn. You must document retention periods in the record of processing activities.
What do I do if an employee accidentally sends an email with personal data to the wrong address? This is a security incident and must be assessed immediately. If the incident generates a risk for data subjects, for example if the email contained sensitive data and reached an unauthorised person, ANSPDCP must be notified within 72 hours. Document the incident internally regardless of the conclusion on notification.
Does GDPR apply to employee data? Yes. Employee data is personal data under GDPR and the employer is the controller. You must have a processing notice for employees, have a legal basis for each processing activity, and respect employees’ rights as data subjects.
We only have customers in Romania. Does GDPR still apply? Yes. GDPR applies to any processing of personal data of individuals located in the EU, regardless of the organisation’s size or the number of customers. There is no minimum threshold of customers or data processed below which GDPR does not apply.
Want to know whether your company is genuinely GDPR compliant or have you received a notification from ANSPDCP?
Request a Legal Assessment: we respond within 24 hours on business days.