Interview with Cristina BOJICA, Partner, GRUIA DUFAUT LAW OFFICE, Certified Information Privacy Professional/Europe (CIPP/E)
Now that Romanian data protection legislation finally complies with the GDPR, what types of investigations is the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) authorized to start?
First of all, the General Data Protection Regulation No. 679/2016 (GDPR) is a Romanian law, because Regulations (as opposed to Directives) are directly applicable in the EU states, without the need for a law transposing them into local / national legislation.
Law No. 190/2018 was adopted on the basis of Chapter IX of the GDPR, which gave the EU states the possibility to adopt local legislation for specific situations.
ANSPDCP may start investigations ex officio or following a complaint lodged by a data subject. The procedure for conducting such investigations is detailed in ANSPDCP Decisions No. 161/09.10.2018 and No. 133/03.07.2018, respectively.
Investigations can be performed in the field, at the authority's headquarters or in written form, according to the procedure detailed in ANSPDCP Decision No. 161/09.10.2018. Nevertheless, an investigation started in written form can be extended to an on-site investigation should there be reasons to call for one.
Are ex officio investigations conducted on the basis of notifications or information provided by another supervisory or public authority?
They may be. But ex officio investigations may also be started in order to verify certain information obtained by ANSPDCP from other sources, such as the mass media, the internet or other investigations.
Also, it is important to know that ANSPDCP shall start ex officio investigations following a data breach notification sent to the supervisory authority. Therefore, in the case of a breach fulfilling the conditions to be notified to ANSPDCP, the latter shall automatically start an investigation into any aspect related to the processing of personal data. And this is not only a possibility given by the law, but also an actual and confirmed ANSPDCP practice.
Therefore, in this context I need to emphasize that it is important for companies to take their obligations under the GDPR seriously and to take all the necessary measures in order to prevent security breaches. But this is another topic which deserves to be treated separately.
When can the ANSPDCP inspectors request the issuance of a judicial authorization?
The judicial authorization may be requested by ANSPDCP when it is prevented from exercising its tasks.
And as regards the tasks of ANSPDCP, you need to know that their scope is very wide and varied. Thus, ANSPDCP can verify any document, equipment or data storage device, it can take documents or records which are relevant for the respective control, or it can proceed to sealing. The supervisory authority also has the right to request surveys, to hear the persons considered relevant and to refer to the police for assistance.
Therefore, any time that ANSPDCP is not allowed to perform its tasks by the controlled entity, it can request the issuance of a judicial authorization from the Bucharest Court of Appeal. The controlled entity can contest the Court of Appeal's decision, but such a contestation shall not suspend the effects of the judicial authorization.
Apart from the judicial authorization, ANSPDCP is also entitled to apply a fine of RON 3,000/day if the controlled entity refuses to provide the information or documents requested during the investigation procedure.
What penalties can be applied by the ANSPDCP?
The sanctions that ANSPDCP can apply are various, from warnings to the already well-known administrative fines.
Apart from the fines, ANSPDCP may order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, and in this case it shall specify the manner and the deadline for such compliance.
It is important to know that ANSPDCP may order that the controller or processor rectify or erase personal data, may impose a restriction of processing, or a temporary or definitive limitation including a ban on processing. It is obvious that these measures that ANSPDCP can apply may in some cases be more important than a potential administrative fine.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to above. The sanctions applied by ANSPDCP do not follow a certain sequence (as is the case for public authorities).
ANSPDCP has to ensure that the imposition of administrative fines shall in each individual case be effective, proportionate and dissuasive. Therefore, when deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine in each individual case, due regard shall be given to certain criteria, such as: the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, the action taken by the controller or processor to mitigate the damage suffered by data subjects, any relevant previous infringements and other similar criteria.
Anyhow, it is important to know that the most important fine, up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher), is triggered in case the basic principles for processing, the data subjects' rights or the transfers of personal data to a recipient in a third country are infringed. Therefore, such a fine may be widely applied.
The national law, however, derogates from the GDPR with regard to the amount of the fines that can be applied to public authorities (such a possibility is given by the GDPR). Thus, in the case of an infringement by public authorities, ANSPDCP shall first give a warning together with a remedy plan. In case the public authority does not implement the remediation measures, the maximum fine that ANSPDCP can apply is up to RON 200,000.