Home » Procedures » Complaints
 Română | English | Francais

Procedure for handling complaints

 

CHAPTER I: General provisions

Article 1

(1) For exercising its legal competences, the National Supervisory Authority for Personal Data Processing, hereinafter ANSPDCP, receives, analysis and solves complaints related to the processing of personal data falling within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR, or other legal provisions applicable to the protection of intimate, family and private life through the processing of personal data, including in the electronic communication and e-commerce sector.

(2) This Procedure applies only to the complaint handling activity which falls within the competence of the specialised compartment/compartments in this respect according to the Regulation on the organization and functioning of the National Supervisory Authority for Personal Data Processing, approved by the Decision of the Standing Bureau of the Senate no. 16/2005, as amended and supplemented.

(3) Other petitions and requests other than those mentioned in paragraph (2) shall be settled by the compartments or persons designated as having attributions in this respect, in accordance with the applicable legal provisions. Any other correspondence sent to ANSPDCP, which does not meet the requirements of a petition within the meaning of Government Ordinance no. 27/2002 on regulating the activity of solving petitions, approved with amendments and completions by Law no. 233/2002, with the subsequent amendments, shall be classified without a response.

Article 2

The complaints may be addressed by any data subject identified according to the provisions of the Procedure who considers that the processing of his or her personal data violates the legal provisions in force, especially if his or her habitual residence, place of work or alleged violation is or, as the case may be, takes place on the territory of Romania.

CHAPTER II: Procedural conditions for submitting an admissible complaint

Article 3

(1) The complaints addressed to ANSPDCP must be made in writing, in Romanian or English, subject to the terms of the RGPD, of other applicable legal provisions, as well as the terms of this Procedure.

(2) The complaints may be filed at the general registry at ANSPDCP’s headquarters or may be sent by post, including electronic mail, or by using the electronic form available on ANSPDCP’s website. The complaints received are recorded in the ANSPDCP general registry, by receiving the number and date of the registrations and are distributed to the specialised compartment/compartments.

(3) The complaints shall be submitted personally or by a representative, with the attachment of the power of attorney issued according to the law or of a notary proxy, as the case may be.

 

(4) The complaints may also be filed by the representative of the data subject who is a spouse or relative up to second degree inclusive. In the case of spouses or relatives up to the second degree inclusive, a declaration on own responsibility signed by the petitioner is attached, and in the case of other persons, the notary proxy is attached.

(5) Where the complaint is filed through a body, organization, association or foundation without patrimonial purpose, they must prove that they have been legally constituted, with a statute providing for public interest objectives, and that they are active in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data. In this case, the complaint shall also include the power of attorney or the notary proxy of representation, as the case may be, according to paragraph (3) in order to show the limits of the mandate given by the data subject and the statute of the body/organization/association/foundation, as well as the evidence of their activity in the field of the protection of the data subjects’ rights and freedoms with regard to the protection of their personal data.

Article 4

(1) For valid receipt and registration of complaints, it is mandatory to provide the following data of the petitioner: name, surname, postal address of domicile or residence. If the complaint is submitted electronically, it is mandatory to provide the petitioner’s e-mail address.

(2) In the case of complaints submitted by a representative, beside the data of the petitioner referred to in paragraph (1), it is also mandatory to provide the following data of the representative: name and surname/name, postal address of correspondence/headquarters, e-mail address, telephone number, registration number in the register of associations and foundations, if applicable.

(3) For valid receipt and registration of complaints, it is mandatory to provide the identification data of the complainant data controller or processor, such as name and surname/name, address/headquarters, or at least the available information held by the petitioner for identification.

(4) The submitted complaints shall be signed by handwriting or by electronic means, and, in the case of electronically submitted petitions that can not be signed, ANSPDCP may request the confirmation of the correctness of the data transmitted electronically.

Article 5

(1) When filing in the complaints, it is mandatory to specify in detail the subject matter, the actions taken by the petitioner at the level of the complainant data controller or processor, as the case may be, the information available to support the allegations, as well as to attachment of conclusive evidence to the extent that he or she holds.

(2) If, prior to filing the complaint to ANSPDCP, the petitioner has brought an action with the same object and the same data controller or processor before the court, he or she notifies this aspect to ANSPDCP. If this is the case, the name of the court and the file number of the case are mentioned in the complaint.

Article 6

(1) In the case of complaints concerning the violation of the right to intimate, family and private life in the field of electronic communications and e- commerce, in addition to the data provided in Article 4, it is mandatory to mention the telephone or fax number(s), the e-mail address(s) or IP address related to the subject of the complaint, as the case may be.

(2) In the case of complaints concerning the violation of intimate, family and private life by sending unsolicited commercial communications through publicly available electronic communications services, it is mandatory to attach the original messages received by the petitioner by a method that permits the identification of the sender of that communication, messages that should be kept as far as possible in the electronic system used by the petitioner.

Article 7

(1) The petitioners and, where appropriate, their representatives assume the responsibility that all the information provided by the filing of complaints is real and correct.

(2) The petitioners may request the confidentiality of certain expressly mentioned personal data provided through the complaint, except for the cases where, for the proper solving of the subject matter of the complaints submitted, the petitioner’s identification data must be disclosed to the complainant entity.

(3) The petitioners have the possibility to use the complaint templates provided by ANSPDCP.

(4) Receiving complaints by ANSPDCP and analysing them is, as a rule, free of charge.

(5) If the complaints are manifestly unfounded or excessive, in particular because of their repetitive nature, ANSPDCP may charge a reasonable fee based on administrative costs or may refuse to treat them. The task of demonstrating the manifestly unfounded or excessive nature of the claim lies with ANSPDCP.

Article 8

(1) Without prejudice to the possibility of submitting a complaint to ANSPDCP, the data subjects have the right to address the competent court for the protection of the rights guaranteed by the applicable law which have been infringed.

(2) If an appeal has been filed with the same object and with the same parties, ANSPDCP may order the suspension and/or to class the complaint, as the case may be.

(3) The competent court shall be the one where the data controller or processor has its headquarters or where the data subject has his or her habitual residence. The application is exempt from stamp duty.

CHAPTER III: Conditions for analysing and solving complaints

Article 9

(1) If the petitioner fails to provide the data, information and documents required under the applicable legal provisions and this Procedure, ANSPDCP notifies the petitioner in writing, within 45 days of registration, according to the law, that the complaint submitted does not meet the conditions set out in this Procedure in order to be qualified as an admissible complaint.

(2) If it is found that the information in the complaint or the documents submitted is incomplete or insufficient, ANSPDCP requires the data subject to complete the complaint in order for it to be considered admissible in order to conduct an investigation. A new deadline of no more than 45 days shall run from the date of completing the complaint.

(3) ANSPDCP shall inform the data subject about the progress or outcome of the investigation, within three months from the date on which it was notified that the complaint is admissible in accordance with paragraph (1) or (2). The information will also include the remedy against ANSPDCP.

(4) Where a more detailed investigation or coordination with other supervisory authorities is required in accordance with Article 57 paragraph (1) letter f) of the General Data Protection Regulation, ANSPDCP shall inform the data subject about the progress of the investigation, every three months, until it is finalized.

(5) The outcome of the investigation shall be brought to the attention of the data subject within 45 days from the finalisation of the investigation. Article 11 of this Procedure shall apply accordingly.

Article 10

(1) The complaints that do not specify the identification data of the petitioners, mandatory according to Article 4, are considered anonymous and are classified with this mention without any reply to the petitioners.

(2) The complaints that do not have a clearly determined object, as well as complaints that do not meet the conditions provided by Article 3 are rejected as inadmissible. The petitioners are informed in writing of the need to comply with the conditions for the admission of the complaint, within the time limit provided in Article 9 paragraph (1) or (2).

(3) If the complaints concern issues that do not fall within the scope of ANSPDCP’s material or territorial jurisdiction, they are rejected as inadmissible. The petitioners are informed in writing, within the time limit provided in Article 9 paragraph (1).

Article 11

(1) If a petitioner addresses more than one complaint, with the same subject matter, they are linked and the petitioner will receive a single reply referring to all the petitions received.

(2) If the petitioner submits a new complaint referring to the same issues raised in a previous petition received, the complaint is attached to the first petition and ranked, without any further reply to the petitioner.

Article 12

In case of non-compliance by ANSPDCP with the provisions of Article 9, the data subject may address to the administrative section of the competent court after the preliminary procedure provided by the Law no. 554/2004 of the contentious administrative, as amended and supplemented. The appeal is heard by the competent court of appeal. In all cases, the competent courts are those in Romania.

Article 13

(1) If the provisions of GDPR on cooperation and consistency mechanisms become relevant for handling the complaints received, the provisions of the GDPR and the documents issued by the European Data Protection Board shall apply accordingly.

(2) In the cases provided in paragraph (1) it is possible to transmit personal data, information and evidence submitted by the petitioner to other supervisory authorities and/or the European Data Protection Board in order to solve the complaint under the applicable legal provisions.

Article 14

The investigations for solving complaints are carried out in accordance with the investigation Procedure, approved by Decision of the president of ANSPDCP, which is published in the Official Journal of Romania, Part I.