During the first half of this year, the activity of the Romanian data protection authority (ANSPDCP or the Authority) has been significant, and sanctions for non-compliance with the applicable legislation on personal data protection, and in particular for non-compliance with the provisions of the General Data Protection Regulation (GDPR) have not been uncommon.

Based on the information published by ANSPDCP (press release available here, in Romanian), in the first four months of 2023, 1565 complaints, referrals and notifications of security incidents were received (registered). Consequently, 199 investigations were opened. In addition, 36 fines, 40 warnings and 39 corrective measures were applied as a result of investigations carried out during the same period.

According to ANSPDCP, complaints, referrals and notifications on security incidents mainly concerned the following issues: (i) disclosure of personal data to third parties or on the Internet, (ii) use of video surveillance in the workplace or by homeowners' associations, (iii) non-compliance with data subjects' rights, (iv) non-compliance with the requirements to inform data subjects, (v) sending unsolicited commercial messages via electronic communication means, (vi) cyber-attacks, (vii) disclosure of minors' data, and (viii) violation of data processing principles.

Analysing the issues investigated by the Authority, we compiled a list of 10 key areas of interest to which any controller must pay close attention to ensure that its personal data processing activities are carried out in full observance of the applicable legislation.

The 10 key areas can be translated into the following concrete initiatives for operators:

  • Take extra care when sending commercial or non-commercial e-mail communications. In the Authority's practice, sending such communications to a large number of recipients with all e-mail addresses placed in the "TO: ..." field instead of "BCC: ..." has been treated as a breach, since it results in unauthorised disclosure of, and unauthorised access to, personal data.
  • Ensure that the measures implemented as a result of the exercise of data subjects' rights are genuinely effective. Where a data subject requests the deletion of personal data and you are able to comply with such a request, ensure that the data is deleted from all company systems. In an investigation on this subject, the Authority sanctioned the further processing of personal data through commercial communications sent by SMS after the data subject had submitted a deletion request. The same principle applies to requests for rectification of personal data. In such a case, ANSPDCP considered that the further processing of an e-mail address that the data subject had asked to have updated was carried out without a lawful basis, pointing out that the "reactivation" of this e-mail address could only take place with the consent of the data subject.
  • Implement an effective system for managing the opt-out mechanism in commercial communications. Continuing to send commercial messages after the recipients have unsubscribed, exercised their right to object or exercised their right to be forgotten is one of the incidents that has attracted the most sanctions from the Authority.
  • Make sure that the terms and conditions and/or privacy policy of the website you manage are up to date and contain all the elements that must be conveyed to data subjects. The lack of such information has led to fines applied by ANSPDCP, in addition to corrective measures requiring the information provided to be brought into line with the requirements of the applicable personal data protection legislation.
  • Create an easy and uniform system for exercising the rights of data subjects. For example, requiring a "written, dated and signed" request in order to exercise GDPR rights by e-mail, as well as requesting a copy of the data subject's ID for that purpose, has been considered excessive in an investigation by the Authority. It is also important to ensure that the systems in place exclude, as far as possible, the risk that e-mails through which data subjects exercise their rights are rejected on the grounds that they come from untrusted e-mail addresses. In such a case, ANSPDCP pointed out that establishing a single, exclusive communication channel for data subjects, combined with a lack of adequate information about certain technical limitations, may lead to unjustified restrictions of data subjects' rights.
  • Take extra care when implementing GPS monitoring systems for company vehicles. In an investigation on this subject, the Authority considered that the controller, by processing its employee's location data outside working hours, carried out excessive processing: it had not demonstrated that it had first exhausted other, less intrusive methods of achieving the same purpose, and it provided no evidence that the employee had been fully informed of the GPS data processing. ANSPDCP also objected to the retention of data in the GPS system after the expiry of the storage period, in the absence of evidence that exceeding the 30-day period provided for by Law No 190/2018 on measures implementing the GDPR was justified.
  • When implementing audio/video surveillance systems, ensure that these measures are truly proportionate. In an investigation on this topic, ANSPDCP concluded that a controller, by means of a video surveillance system installed in its offices and canteen, processed personal data in breach of the processing principles, in the absence of a legal basis justifying such an intrusion into the privacy of employees. In its analysis, the Authority stressed that the purposes stated by the controller, namely (i) monitoring the access of individuals, (ii) ensuring the security of premises and assets, and (iii) the safety of individuals, can be achieved by means that are less intrusive on the privacy of employees.
  • Make sure you have a plan in place that includes a process for testing, evaluating and regularly updating the security of the technical systems you use. In several investigations concerning personal data breach issues, the Authority has ordered as a corrective measure the development of such a plan to allow the controller to regularly monitor the security level of the technical systems used precisely to ensure compliance with the obligation to implement technical and organisational measures to ensure the security of the processing of personal data.
  • Pay particular attention to the way in which documents containing personal data are transmitted. For example, in one investigation, ANSPDCP found that the controller had unlawfully disclosed personal data of a customer and other data subjects to a court of law without first taking steps to verify the legitimacy of the disclosure. As a corrective measure, the Authority required the controller to establish clear procedures for the transmission of personal data to courts and/or litigants under which appropriate security and confidentiality measures are applied, for example pseudonymisation of the data.
  • Ensure that staff are trained at regular intervals on the subject of personal data protection. According to ANSPDCP, simply training staff at the time of hiring, followed by training sessions held only in specific situations and tailored at departmental level is not sufficient to demonstrate compliance with GDPR requirements.

The issues highlighted above are not an exhaustive list of the obligations and responsibilities of controllers in relation to personal data processing activities. They are, however, some of the major issues that ANSPDCP has addressed and that controllers need to consider. As the digital environment and data processing methods are evolving rapidly, it is essential that controllers pay close attention and ensure data protection by design and by default, as expressly required by the GDPR.

The importance of the above issues is also justified from a commercial perspective. This is illustrated, among other things, by the results of the IAPP Privacy and Consumer Trust Report (a summary of which is available here), published in March 2023. According to this report (whose purpose was to identify how consumers around the world perceive the importance of privacy issues), 64% of consumers said that organisations that provide clear information about their privacy policies increase their trust. At the same time, 33% of consumers said they would lose trust in an organisation that uses their data to offer them products or services from another organisation. Last but not least, more than 80% of consumers said they would be likely to stop using the services of an organisation after it has been the victim of a cyber-attack.

The immediate conclusion is that controllers need to be aware of the importance of respecting the principles of confidentiality, transparency and security in all processing activities carried out, from the collection and storage of data to their use for specific purposes and transfer to third parties.

In light of practical experience, our recommendation is that each stage of data processing activities should be approached with particular care, especially in the broader context of the entire economic activity carried out by the controller.

In addition, constant monitoring and review of data processing policies and procedures is essential to keep up to date with evolving legislation and the ever-increasing expectations of data subjects.

In this way, operators can ensure that they have implemented an operational framework that allows them to avoid two kinds of negative impact: the sanctions applied when non-compliance with the applicable provisions is found (note that in the first half of 2023 alone, the top three sanctions in terms of the amount of the fines applied reached (i) EUR 40,000 (details HERE), (ii) EUR 18,000 (details HERE) and (iii) EUR 11,000 (details HERE)), and the reputational damage that an operator may suffer as a result of non-compliance with the provisions protecting personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.