Summary of ANSPDCP’s activity - 2019
In order to achieve the objective of the National Supervisory Authority to ensure the information of controller, data subjects and the general public, we present a summary of the most significant aspects of the activity of the National Supervisory Authority during the year 2019.
Thus, in 2019, the National Supervisory Authority received a total of 6193 complaints, intimations and notifications concerning the personal data breaches, based on which 912 investigations were opened.
As a result of the investigations, 28 fines were imposed in a total amount of 2,339,291.75 lei.
Also, 134 reprimands were applied and 128 corrective measures were ordered.
In 2019, regarding the activity of handling the complaints, the Supervisory Authority received a total number of 5808 complaints, on the basis of which 527 investigations were initiated.
In 2019, with regard to the personal data breaches, the controllers submitted, both under the GDPR and Law no. 506/2004, a number of 233 notifications, and a number of 152 intimations regarding possible non-compliance with the provision of the GDPR was received.
As a result of the intimations received and the security breaches notified by the data controllers, during the year of 2019, within the Supervisory Authority, a number of 385 ex officio investigations were opened.
Also, in the context of cooperation with other supervisory authorities in order to ensure mutual assistance, about 30 requests were handled regarding the application and enforcement of Regulation (EU) 679/2016.
At the same time, during the year 2019, a number of 1106 requests for the point of views on various aspects regarding the interpretation and application of Regulation (EU) 679/2016 were received by the National Supervisory Authority from controllers and processors acting in the public and private sector, from other entities, as well as from individuals.
In addition, the controllers, the public and the data subjects were also informed through more than 80 responses provided to citizens and the media, both from Romania and from abroad, according to Law no. 544/2001.
Concerning the activity of representation in court, the National Supervisory Authority has managed a number of 207 files that are pending in the courts in different procedural stages.
Throughout 2019, the controllers continued to declare the data protection officers, registering with the National Supervisory Authority a number of 4318 officers appointed by controllers from the public and private sectors.
During 2019, the National Supervisory Authority continued the communication activities aimed at informing the general public about the specific rules for the processing of personal data, in the context of Regulation (EU) 2016/679.
Thus, in order to celebrate the European Data Protection Day, the National Supervisory Authority organised the Conference on “Ensuring compliance with the European Regulation on data protection and applicable national regulations”, at the Palace of Parliament, on the 28th of January 2019.
The event provided the opportunity for debates on the application of the new requirements of the General Data Protection Regulation, of Law no. 129/2018 and of Law no. 190/2018 regarding some measures to implement the General Data Protection Regulation, also in relation to the Authority's competences.
In order to highlight this event, the Supervisory Authority prepared and made available to the public some informative materials (brochures, leaflets) dedicated to the European Data Protection Day.
Also, with the occasion of the celebration of one year since the application of Regulation (EU) 679/2016, the National Supervisory Authority organised, in May 2019, a series of events in order to increase the degree of informing the general public about the new rules for ensuring the protection of personal data and the specific rights of individuals.
In this regard, an anniversary debate – 1 year of GDPR – was organized on the 24th of May 2019, at the premises of the institution, in which representatives of professional associations and unions participated (Romanian Association of Direct Marketing – ARMAD, Union of Lawyers’ Colleges in Romania – UCCJR, Romanian Association of Banks – ARB, Association of Commercial Asset Management – AMCC, Romanian Transmedia Audit Bureau – BRAT, Association of Romanian Mobile Operators – AOMR, National Union of Insurance-Reinsurance Companies of Romania – UNSAR, Association for Good GDPR practices, Association of Communes.
During the discussions, issues of practical applicability regarding, in particular, the data protection officer, the rights of data subjects, the data protection impact assessment, the codes of conduct and the notification of personal data breaches data were addressed.
Also, to mark this event, the Supervisory Authority has also launched a Guidelines on questions and answers regarding the application of Regulation (EU) 679/2016.
In addition, a message of public interest regarding the main issues regulated by Regulation (EU) 2016/679 was disseminated in the means of public transport for these events, with the support of the Bucharest Transport Company – STB SA, and, at the premises of the Authority, “Open Doors Day” was organised.
The same message was also broadcast through the television system available in the subways and at the Henri Coandă International Airport.
Throughout 2019, our institution has actively participated in the most important events in the field of data protection, organised by various public institutions or private entities, including non-governmental organizations.
At these meetings, the representatives of the National Supervisory Authority clarified certain aspects concerning the conditions for the use of data, observing the rights of the data subjects and ensuring the confidentiality of the processing of personal data, which reflects the continuity of the Authority’s openness to the civil society.
In this context, we mention that the Supervisory Authority participated in a series of conferences, symposia and seminars, in Bucharest and in the country, such as:
- in Cluj-Napoca, Iași, Constanța and Timișoara, at meetings organised by the Expert Forum Association, to hold lectures on data processing by NGOs;
- at the Institution of the Prefect of Timiș County and the Institution of the Prefect of Mehedinți County, for supporting seminars with the theme “Data protection in the local public administration”;
- in Sinaia, for the participation in the conference “Training program for national minority organizations – financial assistance and the use of amounts from the state budget”;
- in Bucharest, at the Bucharest Chamber of Commerce and Industry, to hold a lecture at the conference “Data protections Solutions and Responsibilities”;
- in Bucharest, at the National Union of Public Notaries (UNNP) to hold a lecture on data protection within the Colloquium organized by this professional forum;
- in Bucharest, at the European Institute of Romania (IER) for a lecture entitled “Protection of personal data within the employment relationships”;
- in Bucharest, at the conference entitled “GDPR Talks”, to hold a lecture, as well as at other conferences organised by public or private institutions;
- in Bucharest, at the conference dedicated to GDRP, organised by a law firm to hold a lecture.
On the other hand, we emphasize that several controllers from the public and private environment have been advised on the way of implementing into practice the provisions of Regulation (EU) 2016/679, by explaining and clarifying a series of measures that the controllers are obliged to implement in order to comply with the provisions of this regulation.
Thus, the Supervisory Authority participated in the meetings of inter-institutional working groups in order to discuss on draft normative acts initiated by some ministries, but also on various complex issues regarding the protection of personal data.
Therefore, meetings were held with public authorities and institutions, both at their premises and at the premises of the Supervisory Authority, such as: National Authority for Consumer Protection, Inspectorate for Emergency Situations, Ministry of Justice, Superior Council of Magistracy, National Authority for Administration and Regulation in Communications, Ministry of Health, National Office for Preventing and Combating Money Laundering, National Health Insurance House, Permanent Electoral Authority, Ministry of Foreign Affairs, including Government Agent for CJEU, National Security Council.
At the same time, the Supervisory Authority also participated in the specialised parliamentary committees in order to support the proposals or draft laws regarding aspects of personal data protection.
Concerning the controllers from the private sector, there were working meetings at the premises of the Supervisory Authority, during which discussions were held on issues regarding the legal conditions of data processing in different fields of activity, as well as on the drafting of the codes of conducted by some controllers’ associations.
Thus, meetings were held with the Romanian Association of Banks (ARB), SC Biroul de Credit SA, Romanian Transmedia Audit Office (BRAT), Vodafone Romania SA, Telekom, Romanian Mobile Operators Association (AOMR), Romanian-American Chamber of Commerce (AmCham), Foreign Investors Council (FIC), National Union of Insurance and Reinsurance Companies of Romania (UNSAR), Raiffeisen Bank, as well as law firms representing the controllers, Romanian Accreditation Association – RENAR, Association of Specialists in Confidentiality and Data Protection (ASCPD), Expert Forum.
Prompt and efficient information of the natural persons, as well as of the controllers, was also achieved through the Authority’s website, both in terms of the 48 press releases posted in the “News” section, as well as the information in the special section dedicated to the Regulation Data Protection General.
In this context, we recommend consulting the brochure dedicated to the European Data Protection Day – 2020, available in the section “General information/Information of public interest/Information materials”.
Legal and Communication Department
A.N.S.P.D.C.P.