The first action plan for the application of the GDPR has been published by the Romanian Data Protection Authority. What is to be done by data controllers?
Maria Maxim, Partner and Daniela Dosan, Associate at Wolf Theiss, Bucharest Office

On September 21st, 2017, the National Supervisory Authority for Personal Data Processing ("RDPA") published on its website a Guidance regarding the application of the General Data Protection Regulation (the "Guidance"), for the benefit of data controllers performing personal data processing activities that fall under the jurisdiction of Romanian law.

The Guidance essentially provides a summary roadmap that such controllers must follow in order to ensure that the personal data processing operations they perform comply with the GDPR requirements.

A first benchmark in this roadmap is the appointment of a Data Protection Officer ("DPO"). Even though the GDPR expressly provides an obligation to appoint a DPO only in certain situations or for certain data controllers, the RDPA recommends that any entity should appoint a DPO, as it represents a major advantage for the data controller in understanding and fulfilling the GDPR requirements.

Moreover, the Guidance recommends that data controllers and data processors should identify the personal data processing operations they effectively perform, and draw up and keep records of the results. The actions to be performed in order to comply with the GDPR requirements must be identified and prioritized based upon the risks that the processing operations raise in relation to data subjects' rights and liberties. Furthermore, depending upon the results of this identification process, the need to perform a Privacy Impact Assessment must be assessed on a case-by-case basis.

The RDPA also made recommendations regarding the internal data privacy related documentation of data controllers. Thus, in order to permanently ensure a high level of protection for the personal data they process, data controllers must draft and implement adequate internal procedures covering all the potential data breach incidents that may occur during the performance of the data processing activities. Among the particularly noteworthy aspects that should be regulated by such procedures are: (i) the privacy by design and privacy by default requirements; and (ii) procedures for handling data subject requests made in the exercise of their data protection rights or changes to ensure the confidentiality and the security of the processing activities.
