Summary of ANSPDCP’s activity – 2020
In order to achieve the objective of the National Supervisory Authority to ensure the information of the controllers, data subjects and the general public, we present a summary of the most significant aspects of the activity of the National Supervisory Authority during 2020.
Thus, in 2020, the National Supervisory Authority received a total of 5,480 complaints, intimations and notices concerning personal data breaches, based on which 694 investigations were opened.
As a result of the investigations, 29 fines in total amount of Lei 892,115.95 have been imposed.
Also, 64 reprimands and 65 corrective measures have been ordered.
In 2020, regarding the activity of complaints’ handling, the Supervisory Authority received a total number of 5,082 complaints, on the basis of which 296 investigations were initiated.
Regarding the personal data breaches, in 2020 the controllers submitted, both under the GDPR and Law no. 506/2004, a number of 194 notifications, and a number of 204 intimations regarding possible non-compliance with the provision of the GDPR was received.
As a result of the intimations received and the data breaches notified by the data controllers, during 2020, within the Supervisory Authority, a number of 398 ex officio investigations were opened.
Also, in the context of cooperation with other supervisory authorities in order to ensure mutual assistance, about 56 requests regarding the application and enforcement of Regulation (EU) 679/2016 were handled.
At the same time, during the year 2020, a number of 1151 requests for the opinion on various aspects regarding the interpretation and application of Regulation (EU) 679/2016 were received by the National Supervisory Authority from controllers and processors acting in the public and private sector, from other entities, as well as from individuals.
In addition, the controllers, the public and the data subjects were also informed through more than 62 responses provided to citizens and the media, according to Law no. 544/2001.
Concerning the activity of representation before the courts, the National Supervisory Authority has managed a number of 127 files that are pending before the courts in different procedural stages.
Throughout 2020, the controllers continued to declare the data protection officers, a number of 2081 officers appointed by controllers from the public and private sectors being registered with the National Supervisory Authority.
During 2020, the National Supervisory Authority continued the communication activities aimed at informing the general public about the specific rules for the processing of personal data, in the context of Regulation (EU) 2016/679.
Thus, in order to celebrate the European Data Protection Day, the National Supervisory Authority organised the Conference with the topic “Practical aspects for applying the General Data Protection Regulation and the applicable national regulations”, at the Palace of Parliament, on the 31st of January 2020.
The event provided the opportunity for debates on the application of the new requirements of the General Data Protection Regulation, of Law no. 129/2018 and of Law no. 190/2018 regarding some measures of implementation of the General Data Protection Regulation, also in relation to the Authority's competences.
In order to highlight this event, the Supervisory Authority prepared and made available to the public on its website www.dataprotection.ro some informative materials (brochures, leaflets) dedicated to the European Data Protection Day.
Also, on the national television channel TVR and in the STB transportation means in 2020 the informative clip dedicated to the General Data Protection Regulation - public interest message regarding the main aspects regulated by the Regulation (EU) 2016/679, developed by our institution was broadcasted and, at the premises of the Authority, “Open Doors Day” was organised.
With the occasion of the 2 years’ anniversary from the entry into force of the Regulation (EU) 2016/679, the National Supervisory Authority organized, during May 2020, an online drawings contest for children up to 14 years, with the subject “What means the personal data/protection of personal data”.
Also, in order to mark this event, the National Supervisory Authority posted on the institution’s website a press release. It has also posted the video prepared at the level of the European Data Protection Board.
In relation to the specific problem of 2020, the National Supervisory Authority published a press release named “The processing of personal data in the context of the elections for the local public administration”, considering the obligation of the entities involved in this process to pay an increased attention to the observance of the legislation regarding the protection of personal data, in order to ensure that the personal data are used responsibly and that the data subjects’ rights are observed.
Also, the National Supervisory Authority has issued a press release named “The processing of personal data by the tenants associations” that explains the manner of processing of the data by the tenants’ associations and the obligations incumbent on them according to the provisions of GDPR and to the specific own regulations.
Throughout 2020, our institution has actively participated in reunions in the field of data protection, organised by various public institutions or private entities, including remote.
At these events, the representatives of the National Supervisory Authority clarified certain aspects concerning the conditions for the use of data, the observance of the rights of the data subjects and for ensuring the confidentiality of the processing of personal data, which reflects the continuity of the Authority’s opening to the civil society.
In this context, we mention that the Supervisory Authority participated in a series of conferences, symposiums and seminars, inclusively online, such as:
- the National GDPR Conference “Data Protection – Solutions and responsibilities”, organised online by the Universul Juridic editorial group and the Romanian Journal for the Protection and Security of the Personal Data (RRPSDCP), by holding a lecture regarding the role and powers of the National Supervisory Authority:
- at the National Agency of Civil Servants, at the seminars organised within the project „Training in the field of personal data for the structures from the coordination, management and control system of FESI in Romania”;
- at the National Agency for Civil Servants, at the reunion regarding the protection of data within the European funds from 02.10.2020;
- at the Ministry for Public Works, Development and Administration, at the workshop with the topic „The debate of the aspects highlighted during the analysis process of the applicable legislation, of the situations and difficulties encountered in practice by the public authorities and institutions regarding the main categories of administrative contracts and acts” organised within the project „Systematization tools of the legislation, of monitoring and evaluation in the public administration”;
- at the workshop „Mobility, a challenge for the enforcement of GDPR”, by giving a lecture on the practical and theoretical aspects regarding the problem of securing the information containing personal data at the level of the mobile devices;
- at the European webinar „The DPO in times of Covid 19”, organized by the Association of Specialists in the confidentiality and protection of data (ASCPD) together with the Confederation of the European Organisations for Data Protection (CEDPO);
- at the reunion of the Dapix Working Group, together with representatives of the Ministry for Administration and Internal Affairs;
- at a videoconference with members of the American Chamber of Commerce in Romania (AmCham Romania), occasion on which aspects regarding the manner of enforcement of the General Data Protection Regulation provisions (GDPR) regarding the transfer of personal data to countries outside the European Union, following the Decision of the European Court of Justice in cause Schrems I (C-311/18) were discussed.
On the other hand, we underline that phone assistance was given to various controllers from the public and private sector, regarding the manner of implementation of the provisions of Regulation (EU) 2016/679, a series of measures that the controllers shall implement in order to observe the provisions of this regulation being explained and clarified, given that the audiences activity at the premises was suspended in the context of the pandemic started in March 2020.
The Supervisory Authority participated at the reunions of some inter-institutional working groups in order to discuss in relation to certain draft legal acts initiated by some ministries, but also in relation to some complex issues related to the data protection.
Also, the Supervisory Authority participated at meetings with public authorities and institutions, including remote, such as: the Directorate for Personal Records and Database Management, the National Office for Prevention and Control of Money Laundering, the National Bank of Romania, the Ministry of Education and Research, the Ministry of Regional Development and Public Administration, the Ministry for Administration and Internal Affairs, the Authority for the Digitalisation of Romania.
The Supervisory Authority also participated at the special parliamentary commissions, including remote, in order to sustain some proposals or draft law that envisaged personal data protection aspects.
Regarding the controllers from the private sector, within some videoconferences but also within working meeting held at the headquarters of the Supervisory Authority, there have been discussions on aspects regarding the legal conditions for the processing of personal data in various activity fields, including transfer of personal data to countries outside European Union, following the Decision of the European Court of Justice in cause Schrems II (C-311/18).
Thus, meetings with the American Chamber of Commerce in Romania (AmCham Romania), The Romanian Banks Association (ARB), the Romanian Audit Office Transmedia (BRAT), the Council of Foreign Investors (FIC), the Association for Technology and Internet (ApTI)), the Privacy International Association were also held.
Also, in order to increase the acknowledgement degree regarding the obligation incumbent on the controller, according to the provisions of Regulation (EU) 2016/679, the National Supervisory Authority sent two letters to the Association of Municipalities from Romania and the Association of Villages from Romania through which it requested their support in order to announce all members of the associations on the obligation to notify to the National Supervisory Authority the data protection officer appointed at the level of each local public authority, according to Article 37 from Regulation EU 2016/679.
Also, the representatives of our institution have participated at the EDPB Plenaries, held remote starting with March 2020.
A prompt and efficient information of the natural persons, but also of the controllers, was performed also on the website of the Authority, both through the 60 press releases posted under section „News”, as well as through the information from the special section dedicated to the General Data Protection Regulation.
In this context, we also recommend the consultation of the brochure dedicated to the European Data Protection Day 2021, available under section General Information/ Public interest Information/Informative materials.
Legal and Communication Department