The first action plan for the application of the GDPR has been published by the Romanian Data Protection Authority. What is to be done by data controllers?
Maria Maxim, Partner and Daniela Dosan, Associate at Wolf Theiss, Bucharest Office

On September 21st, 2017, the National Supervisory Authority for Personal Data Processing ("RDPA") published on its website a Guidance regarding the application of the General Data Protection Regulation (the "Guidance"), for the benefit of data controllers performing personal data processing activities that fall under the jurisdiction of Romanian law.

The Guidance essentially provides a summary roadmap that such controllers must follow in order to ensure that the personal data processing operations they perform comply with the GDPR requirements.

A first benchmark in this roadmap is the appointment of a Data Protection Officer ("DPO"). Even though the GDPR expressly provides an obligation to appoint a DPO only in certain situations or for certain data controllers, the RDPA recommends that any entity should appoint a DPO, as it represents a major advantage for the data controller in understanding and fulfilling the GDPR requirements.

Moreover, the Guidance recommends that data controllers and data processors identify the personal data processing operations they effectively perform, and draw up and keep records of the results. The actions to be performed in order to comply with the GDPR requirements must be identified and prioritized based on the risks that the processing operations raise in relation to data subjects' rights and liberties. Furthermore, depending on the results of this identification process, the need to perform a Privacy Impact Assessment must be assessed on a case-by-case basis.

The RDPA also made recommendations regarding the internal data privacy documentation of data controllers. Thus, in order to permanently ensure a high level of protection for the personal data they process, data controllers must draft and implement adequate internal procedures covering all the potential data breach incidents that may occur during the performance of the data processing activities. Among the particularly noteworthy aspects that should be regulated by such procedures are: (i) the privacy by design and privacy by default requirements; and (ii) procedures for handling data subject requests made in the exercise of their data protection rights or changes to ensure the confidentiality and the security of the processing activities.
