Romania GDPR Implementation Law
Law no. 190 of July 18, 2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Romania
RET-RO-NA-LAWNO19-2018
Law no. 190 of July 18, 2018, is Romania's national legislation implementing the EU's General Data Protection Regulation (GDPR), entering into force on July 31, 2018. Its purpose is to align Romania's data privacy framework with GDPR's heightened standards, establishing national measures for lawful processing, data protection officers, and supervisory authority powers. While primarily a data protection statute, it significantly impacts how employers handle all employee personal data, including remuneration information, by setting stringent rules for its collection, storage, processing, and protection, thereby indirectly affecting pay data management and enforcement remedies in a data privacy context.
Overview
Law no. 190 of July 18, 2018, represents Romania's primary national legislation for implementing the provisions of Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation (GDPR). Adopted by the Romanian Parliament and published in the Official Gazette no. 651 on July 26, 2018, the law entered into force on July 31, 2018. Its fundamental purpose is to establish the necessary national measures for the effective application of key GDPR articles, particularly those concerning the lawful basis for processing, special categories of personal data, data protection officers, certification, and the powers of supervisory authorities.
The historical context for this law is rooted in the European Union's comprehensive reform of data protection rules, aiming to harmonize data privacy laws across Europe, protect EU citizens' data privacy, and reshape the way organizations across the region approach data privacy. Prior to GDPR, data protection in Romania was governed by national laws derived from Directive 95/46/EC. Law no. 190/2018 thus serves as a critical update, ensuring that Romania's legal framework aligns with the heightened standards and broader scope of the GDPR. It addresses areas where Member States are permitted to legislate differently or provide further specifications, thereby tailoring the GDPR's application to the Romanian context.
While this summary is framed around pay equity and employment law, it is crucial to clarify that Law no. 190/2018 is fundamentally a data protection statute. Its key innovations lie in strengthening individual data rights, imposing stricter obligations on data controllers and processors, and establishing robust enforcement mechanisms within Romania for personal data processing. Although it does not directly regulate pay equity or wage transparency, it significantly impacts how employers handle all forms of employee personal data, including remuneration-related information, by setting stringent rules for its collection, storage, processing, and protection. This indirect impact on employment data management is the closest nexus to those topics, particularly 'pay data collection' and 'enforcement remedies' in the context of data protection.
Definitions
Law no. 190/2018 does not introduce new definitions for core data protection terms but rather explicitly states that the definitions provided in Article 4 of the General Data Protection Regulation (GDPR) are applicable and have the same meaning within the context of this national law. This ensures consistency and avoids ambiguity in the interpretation and application of data protection principles across the European Union. Key terms, therefore, include 'personal data,' 'processing,' 'controller,' 'processor,' 'data subject,' 'consent,' 'personal data breach,' and 'supervisory authority,' among others. The comprehensive nature of these definitions means that virtually any information relating to an identified or identifiable natural person, including details pertaining to their employment, performance, and financial compensation, falls under the scope of 'personal data' when processed by an employer.
Specifically, 'personal data' is broadly defined as any information relating to an identified or identifiable natural person. This encompasses a wide array of information that employers collect and process about their employees, such as names, addresses, national identification numbers, bank account details, salary information, performance reviews, and health data. The law also addresses 'special categories of personal data,' such as genetic, biometric, or health data, for which stricter processing conditions apply. 'Processing' refers to any operation performed on personal data, from collection and storage to disclosure and erasure. This means that every step an employer takes with employee data, including the collection of pay-related information, is subject to the provisions of Law no. 190/2018 and the GDPR.
It is important to note that while this summary focuses on pay equity, Law no. 190/2018 does not provide specific definitions for terms like 'equal pay,' 'comparable work,' 'wage,' or 'remuneration' in the context of pay equity principles. These terms fall under the purview of specific labor and anti-discrimination laws in Romania, which are distinct from data protection legislation. However, the law's broad definitions of 'personal data' and 'processing' mean that any data related to an employee's pay, benefits, or compensation, when collected and managed by an employer, is subject to the data protection requirements outlined in this law. Therefore, while not directly regulating pay equity, it establishes the framework for the secure and lawful handling of data that might be relevant to pay equity analyses or discussions, should such activities be undertaken under other legal obligations.
Covered Employers
Law no. 190/2018, by implementing the GDPR, applies to virtually all employers in Romania that process personal data of their employees. The scope is broad and does not typically include specific size thresholds for applicability, meaning both small and large enterprises, as well as public authorities and bodies, are subject to its provisions when acting as data controllers. The law defines 'authorities and public bodies' to include a wide range of governmental and public institutions, which are explicitly covered. This comprehensive coverage ensures that data protection standards are uniformly applied across various sectors and organizational types within Romania, impacting how employee data, including pay-related information, is handled.
The law's applicability extends to any entity that determines the purposes and means of processing personal data, thereby acting as a 'data controller.' In the employment context, the employer is almost always the data controller for its employees' personal data. This includes data collected during recruitment, throughout the employment relationship (e.g., payroll, performance management, benefits administration), and even after employment termination. The law makes specific mention of the processing of personal data in the context of employment relationships, highlighting its relevance to employers.
There are no general exemptions for specific sectors or phase-in periods for employers based on their size or industry under Law no. 190/2018 regarding the core data protection obligations. However, the law does provide for certain derogations or special rules for processing specific categories of data, such as genetic, biometric, or health data, and for processing in the public interest or for journalistic purposes. While these derogations are not exemptions from the law itself, they provide specific conditions under which certain types of processing can occur. For instance, the law outlines additional obligations and conditions for processing employee personal data through electronic monitoring, emphasizing the need for thorough justification, prior information to employees, and consultations with trade unions or employee representatives.
Employee Rights
Under Law no. 190/2018, employees, as data subjects, are afforded a comprehensive set of rights concerning their personal data, mirroring those established by the GDPR. These rights are fundamental to ensuring individuals have control over their personal information, including data processed by their employers. Key rights include the right to information, the right of access, the right to rectification, the right to erasure ('right to be forgotten'), the right to restriction of processing, the right to data portability, and the right to object to processing. These rights apply to all personal data held by an employer, which would encompass any data related to an employee's pay, benefits, and overall compensation, as such information constitutes personal data.
To exercise these rights, employees typically submit a request to their employer, who, as the data controller, is obligated to respond within specific timeframes, usually one month, which can be extended under certain conditions. For example, an employee has the right to request access to all personal data an employer holds about them, including their salary history, bonuses, and other remuneration details, to verify its accuracy and lawfulness of processing. If the data is inaccurate, the employee has the right to request its rectification. If the data is no longer necessary for the purposes for which it was collected, or if the processing is unlawful, the employee may request its erasure.
While Law no. 190/2018 does not specifically grant 'pay comparison rights' in the context of equal pay, the general data subject rights can indirectly facilitate such comparisons. For instance, an employee's right of access to their own personal data, including salary information, allows them to obtain this information. However, the law does not grant a right to access the salary data of other employees for comparison purposes, as that would infringe upon the data protection rights of those other individuals. Any such comparison would need to be conducted in a manner compliant with data protection principles, typically through anonymized or aggregated data, or with the explicit consent of the other data subjects. The law's provisions on electronic monitoring in the workplace also grant employees rights regarding transparency and justification for such surveillance, which could indirectly relate to data collected about work performance that might influence pay.
Pay Transparency Requirements
It is important to clarify that Law no. 190/2018, being a data protection law implementing the GDPR, does not impose specific 'pay transparency requirements' in the sense of mandating salary range disclosures in job postings, publishing pay scales, or requiring employers to disclose aggregated pay gap data. These types of requirements typically fall under dedicated labor laws, equal pay legislation, or specific pay transparency directives, which are distinct from data protection regulations. The primary focus of Law no. 190/2018 is on the transparent and lawful processing of personal data, rather than the transparency of remuneration structures themselves.
However, the principle of transparency, as a cornerstone of GDPR and thus Law no. 190/2018, does apply to how employers inform employees about the processing of their personal data, including data related to their pay. Employers are obligated to provide clear, concise, and easily accessible information to employees about what personal data is collected, the purposes for which it is processed, the legal basis for processing, the retention periods, and the recipients of the data. This includes informing employees about how their salary data is collected, stored, and used, for example, for payroll, tax purposes, or performance evaluations.
Therefore, while the law does not mandate the disclosure of pay ranges to promote pay equity, it does require transparency regarding the data processing activities that involve pay-related information. This means employees must be informed about the 'who, what, why, and how' of their pay data handling. Any internal policies or procedures related to pay data collection and processing must be communicated transparently to employees. Failure to provide such transparency regarding data processing could lead to non-compliance with data protection principles, even if the underlying pay structure itself is not directly regulated by this law. This distinction is crucial for understanding the scope and limitations of Law no. 190/2018 in relation to pay-related matters.
Reporting & Audit Obligations
Law no. 190/2018, in conjunction with the GDPR, establishes several key reporting and audit obligations for data controllers, including employers, to ensure compliance with data protection principles. A significant obligation is the designation of a Data Protection Officer (DPO) in specific circumstances, such as when the processing is carried out by a public authority or body, or when the core activities of the controller involve large-scale, regular, and systematic monitoring of data subjects or large-scale processing of special categories of data. The DPO's role includes informing and advising the controller, monitoring compliance, and acting as a contact point for the supervisory authority and data subjects. This is particularly relevant for employers who process extensive employee data, including sensitive information.
Another crucial obligation is the requirement to conduct Data Protection Impact Assessments (DPIAs) when a type of processing, in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. For employers, this could apply to new systems for managing employee performance, benefits, or even advanced payroll systems that involve complex data processing. The DPIA helps identify and mitigate data protection risks before processing activities commence. Furthermore, controllers are generally required to maintain records of processing activities, detailing the purposes of processing, categories of data subjects and personal data, recipients, retention periods, and security measures.
Regarding reporting, data controllers are obligated to notify the National Supervisory Authority for Personal Data Processing (ANSPDCP) of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In cases where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects themselves must also be notified without undue delay. While these obligations are centered on data protection, they indirectly impact the management of pay data by ensuring that any breaches involving such sensitive financial information are promptly identified, reported, and addressed, thereby safeguarding employee privacy. The law does not, however, mandate specific 'equal pay audits' or 'pay gap reporting' as a direct obligation; rather, it focuses on the auditing of data processing practices for compliance with data protection rules.
Governance & Enforcement Bodies
The primary governance and enforcement body for Law no. 190/2018 in Romania is the National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP). This independent public authority is responsible for monitoring the application of the GDPR and Law no. 190/2018, ensuring the protection of fundamental rights and freedoms of natural persons in relation to data processing, and facilitating the free flow of personal data within the European Union.
The ANSPDCP is vested with a wide range of investigative, corrective, advisory, and authorization powers. Its roles include conducting investigations into alleged infringements, imposing administrative fines and other corrective measures, providing advice to data controllers and data subjects, and handling complaints lodged by individuals. The Authority also plays a crucial role in promoting public awareness and understanding of data protection risks, rules, safeguards, and rights. It acts as the national contact point for data subjects who wish to lodge a complaint regarding the processing of their personal data, including any data related to their employment or remuneration.
Individuals, including employees, can file complaints with the ANSPDCP if they believe their data protection rights have been violated by their employer or any other data controller. The complaint filing process typically involves submitting a written complaint detailing the alleged infringement and providing supporting evidence. The ANSPDCP then investigates the complaint and may take appropriate action, which can range from issuing warnings and reprimands to imposing substantial administrative fines. The Authority's decisions are subject to judicial review, providing an avenue for appeal. This robust enforcement framework ensures that the provisions of Law no. 190/2018 are actively monitored and upheld, thereby safeguarding the privacy of employee data, including sensitive financial information.
Monitoring & Evaluation
The monitoring and evaluation of compliance with Law no. 190/2018 are primarily carried out by the National Supervisory Authority for Personal Data Processing (ANSPDCP). The ANSPDCP employs various mechanisms to ensure adherence to data protection regulations, including conducting inspections, investigating complaints, and performing audits. These activities are crucial for verifying that data controllers, including employers, are processing personal data lawfully, fairly, and transparently, and that they have implemented appropriate technical and organizational measures to protect data subjects' rights.
Inspection procedures can be initiated by the ANSPDCP either proactively, based on its own assessment of risks or specific sectors, or reactively, in response to complaints received from data subjects or other sources. During an inspection, the Authority's representatives have the power to access premises, examine documents, and interview personnel to gather evidence of compliance or non-compliance. The investigation of complaints involves a thorough review of the facts presented by the complainant and the data controller, often leading to requests for additional information and, if necessary, on-site inspections. The ANSPDCP's role extends to evaluating the effectiveness of data protection measures implemented by organizations, including those related to employee data.
While Law no. 190/2018 does not specify a frequency for 'equal pay audits,' it mandates that data processing activities, including those involving employee data, are subject to ongoing monitoring and potential audits by the ANSPDCP for data protection compliance. The evaluation criteria for these audits focus on adherence to GDPR principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. This includes assessing whether employers have a valid legal basis for collecting and processing employee data, whether the data collected is proportionate to the purpose, and whether adequate security measures are in place to protect it. Any processing of pay-related data, as a form of personal data, would fall under this monitoring and evaluation framework, ensuring its handling meets the stringent data protection standards.
Enforcement & Penalties
Law no. 190/2018 establishes a robust framework for enforcement and penalties for infringements of data protection provisions, aligning with the corrective measures and administrative fines stipulated in Article 83 of the General Data Protection Regulation. The National Supervisory Authority for Personal Data Processing (ANSPDCP) is the body empowered to impose these sanctions. The main administrative sanctions include warnings and fines. The severity of penalties depends on various factors, such as the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, the categories of personal data affected, and the measures taken by the controller or processor to mitigate damage to data subjects.
For public authorities and bodies, the law specifies that violations of certain provisions can be sanctioned with fines ranging from 10,000 lei to 100,000 lei, and in some cases, up to 200,000 lei. For other data controllers, the GDPR's tiered fine structure applies, meaning fines can be substantial. Less severe infringements can lead to fines of up to €10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. More severe infringements, such as violations of the basic principles for processing, data subjects' rights, or transfers of personal data to a third country or international organization, can result in fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.
Beyond administrative fines, the ANSPDCP can also impose other corrective measures, such as ordering the controller to comply with the data subject's requests to exercise their rights, ordering the rectification or erasure of personal data, imposing a temporary or definitive ban on processing, or ordering the suspension of data flows to a recipient in a third country. Data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR or Law no. 190/2018 have the right to receive compensation from the controller or processor for the damage suffered. Decisions issued by the ANSPDCP, including those imposing fines, can be appealed in Romanian courts, ensuring a judicial review process. While these penalties are not specific to pay equity violations, they are directly applicable to any unlawful processing of employee data, including pay-related information, thereby providing a strong deterrent against data protection infringements in the employment context.
Relationship to Other Laws
Law no. 190/2018 operates in direct conjunction with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). As an implementing law, its primary function is to provide national measures and specific clarifications for the application of the GDPR within Romania, particularly in areas where the GDPR allows Member States to legislate further. This means that the GDPR's provisions are directly applicable, and Law no. 190/2018 complements them by addressing specific national contexts, such as the processing of national identification numbers, genetic data, biometric data, or health data, and data processing in employment relationships.
The law also interacts with other national legislation, particularly labor laws and anti-discrimination laws, although it does not supersede them in their respective domains. For instance, while Law no. 190/2018 governs the processing of personal data, including pay data, the principles of equal pay and non-discrimination in remuneration are established and enforced by specific Romanian labor codes and anti-discrimination legislation. This data protection law does not introduce new pay equity principles or enforcement mechanisms; rather, it ensures that any data collected and used in the context of employment, including for pay-related decisions, is handled in a manner compliant with data privacy standards.
In cases of potential conflict, the GDPR, as a directly applicable EU regulation, generally takes precedence over conflicting national laws, unless the GDPR explicitly allows for national derogations. Law no. 190/2018 is designed to be consistent with the GDPR, providing the necessary national framework without contradicting the core principles of the EU regulation. It also interacts with laws governing the establishment and operation of the National Supervisory Authority for Personal Data Processing (ANSPDCP), such as Law no. 102/2005, which defines the ANSPDCP's organizational structure and powers. Therefore, while Law no. 190/2018 is a crucial piece of legislation for data protection, it forms part of a broader legal ecosystem, complementing and interacting with other national and EU laws, particularly in the complex area of employment and personal data.
International Context
Law no. 190/2018 is intrinsically linked to the broader international context of data protection, primarily through its role in implementing Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). The GDPR is a landmark piece of legislation that has significantly influenced data privacy standards globally, setting a high benchmark for the protection of personal data. As a Member State of the European Union, Romania is obligated to ensure that its national laws are fully compliant with and effectively implement EU regulations. Law no. 190/2018 serves precisely this purpose, translating the overarching principles and requirements of the GDPR into specific national measures.
The GDPR itself was developed with consideration for international data flows and the need for consistent data protection standards across the EU and beyond. It includes provisions for data transfers to third countries, ensuring that personal data transferred outside the EU remains protected to a standard essentially equivalent to that offered within the Union. Law no. 190/2018, by adopting the GDPR's framework, contributes to this international consistency, particularly for Romanian organizations that engage in cross-border data processing.
While Law no. 190/2018 does not directly reference ILO Conventions such as C100 (Equal Remuneration Convention) or C111 (Discrimination (Employment and Occupation) Convention), its existence as a data protection law indirectly supports the broader principles of fair and non-discriminatory treatment in employment. By regulating the lawful and transparent processing of employee data, including potentially sensitive information that could be used in discriminatory ways, the law provides a foundational layer of protection. Although its focus is on data privacy rather than pay equity, the robust handling of personal data, including pay-related information, can contribute to a more transparent and accountable employment environment, which aligns with the spirit of international labor standards promoting fairness and equality in the workplace.
Implementation Timeline
| Date | Milestone | Status |
|---|---|---|
| April 27, 2016 | Regulation (EU) 2016/679 (GDPR) adopted by European Parliament and Council | Adopted |
| May 25, 2018 | GDPR became directly applicable in all EU Member States | In Force |
| July 18, 2018 | Law no. 190 adopted by the Romanian Parliament | Adopted |
| July 26, 2018 | Law no. 190 published in Official Gazette no. 651 | Published |
| July 31, 2018 | Law no. 190 entered into force | In Force |
Compliance Checklist
| Requirement | Action Required | Deadline |
|---|---|---|
| Appoint a Data Protection Officer (DPO) | Designate a DPO if required by law (e.g., public authority, large-scale processing of special categories of data). | Ongoing (from July 31, 2018) |
| Establish legal basis for data processing | Ensure all processing of employee personal data (including pay data) has a valid legal basis (e.g., consent, contract, legal obligation, legitimate interest). | Ongoing (from July 31, 2018) |
| Provide transparent information to employees | Inform employees about data collection, processing purposes, legal basis, retention periods, and their rights. | Ongoing (from July 31, 2018) |
| Implement data subject rights mechanisms | Establish procedures for employees to exercise their rights (access, rectification, erasure, etc.) regarding their personal data. | Ongoing (from July 31, 2018) |
| Conduct Data Protection Impact Assessments (DPIAs) | Perform DPIAs for high-risk processing activities involving employee data. | Prior to high-risk processing |
| Maintain records of processing activities | Document all processing activities involving employee personal data. | Ongoing (from July 31, 2018) |
| Implement appropriate security measures | Apply technical and organizational measures to ensure the security and confidentiality of employee personal data. | Ongoing (from July 31, 2018) |
| Report data breaches | Notify ANSPDCP of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of them; where the breach is likely to result in a high risk to employees, also notify the affected employees without undue delay. | Within 72 hours of discovery |
| Address electronic monitoring in the workplace | Ensure compliance with specific conditions for processing employee data through electronic monitoring (justification, information, consultation). | Ongoing (from July 31, 2018) |
| Review data retention policies | Establish and adhere to appropriate retention periods for employee personal data, ensuring data is not kept longer than necessary. | Ongoing (from July 31, 2018) |
© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash