Decision No. 200/2015 of the National Supervisory Authority for Personal Data Processing (ANSPDCP) (“Decision 200/2015”) regulates the issue of notifications concerning personal data processing.
Essentially, according to Article 1 of Decision 200/2015, except in certain cases of processing that are expressly and exhaustively detailed in the decision, it is unnecessary to notify ANSPDCP when processing personal data. Moreover, in accordance with Article 2 of Decision 200/2015, personal data transfer to countries outside the European Union or the European Economic Area (EEA), and to countries that are not recognised by the European Commission as providing adequate protection, on the basis of a decision, must be notified to ANSPDCP (if the personal data transfer is based on the consent of the data subject, or in any of the other cases allowing for such transfer, provided at Article 30 of Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data - “Law No. 677/2001”) or, as the case may be, authorised by ANSPDCP (if the controller provides sufficient guarantees to ensure the protection of the fundamental individual rights, in accordance with Article 29(4) of Law No. 677/2001).
As arising from the preamble to Decision 200/2015, it was targeted at avoiding “inadequate” administrative formalities (which is a politically correct way of saying “useless”), by reference to the nature of the processing, and the actual risks that it entails for the data subjects. Surely, releasing the controllers from the obligation to notify all personal data processing operations is by all means welcome and well-timed. However, as we shall be discussing below, the manner of regulating such an exemption is debatable as regards its compliance with the provisions of Law No. 677/2001 and of the relevant European regulations. In accordance with Article 22(1) of Law No. 677/2001, data controllers are obliged to notify ANSPDCP in relation to any such operation they are carrying out. Nonetheless, while Article 22(2) lists a series of processing operations that need not be notified to ANSPDCP, paragraph (9) of the same article provides that the supervisory authority may establish other situations where the notification is not required (other than those under paragraph (2)).
On that account, as a rule, personal data processing operations need to be notified to ANSPDCP in accordance with Law No. 677/2001; by way of exception, notification is not required for the processing provided at Article 22(2) of Law No. 677/2001, and for other processing operations expressly set out by ANSPDCP, on a case-by-case basis. Besides, the notification system set forth under Law No. 677/2001 was taken over from Directive 95/46/EC (Article 18). With respect to the notification system for the processing of personal data set forth by Law No. 677/2001, Decision No. 200/2015 all but switched the rule with the exception. Thus, according to the Decision, the processing of personal data need not be notified to ANSPDCP, and controllers are obliged to notify solely in the cases expressly and exhaustively provided in the decision. Nevertheless, according to the hierarchy of legislative acts, the secondary legislation issued by the central and local public administration authorities must comply with the laws enacted by the Parliament. A secondary piece of legislation (such as Decision No. 200/2015) cannot derogate from, supplement or amend a law (such as Law No. 677/2001).
Along the same lines, the compliance of the data processing notification system established under Decision No. 200 with the European provisions is also questionable. Directive 95/46/EC (Article 18) regulates in exhaustive terms two options meant to ensure the control of personal data processing, namely (a) notification-based control, and (b) control through a specialised entity (the so-called data protection official). Certain EU Member States (e.g. Germany, France, and Portugal) chose to implement the control through a data protection official, and therefore the obligation to notify does not apply at all. Since Romania opted for the notification-based control system (as per Article 22 of Law No. 677/2001), our opinion is that, in accordance with the current laws, this system could only be regulated in the manner envisaged by Directive 95/46/EC (Article 18). Yet Article 18 provides a notification system similar to the one regulated under Article 22 of Law No. 677/2001. Namely, in principle, the processing of personal data must be notified to the competent authority, which is however entitled to set forth exceptions from the obligation to notify, on a case-by-case basis.
To conclude, the change in paradigm as regards the notification of personal data processing could only be implemented by a legislative act with at least the same legal power as Law No. 677/2001 (i.e. by law or emergency ordinance, as the case may be). From this perspective, we could argue that Decision No. 200/2015 does not comply with Law No. 677/2001. Regardless, we do not foresee any particular consequences on a practical level, from the perspective of data controllers.
As a matter of principle, data controllers would not be interested in challenging the legality of the provisions under Decision No. 200/2015 (setting forth a more permissive notification system). Besides, it is highly unlikely that ANSPDCP would sanction a personal data controller for failing to notify according to the provisions of Law No. 677/2001 (although such processing did not require notification, in accordance with Decision No. 200/2015). Conversely, the notification mechanism set forth by Decision 200/2015 might prove to be more vulnerable and more likely to create loopholes in the main objective of the relevant legislation, namely protecting the rights of data subjects.
For instance, although significantly risky, certain personal data processing operations which were not provided under Decision No. 200/2015 could go below the radar of ANSPDCP. Likewise, it is possible that future processing operations might be carried out that could entail significant risks for the data subjects’ private life (for instance, processing performed by particularly intrusive means, further to the accelerated development of technology), and which were not covered under Decision 200/2015. Yet, until they are expressly regulated, such data processing operations (liable to pose particular risks for the data subjects’ interests) would not be subject to the obligation to notify (although, according to the relevant regulations, data processing likely to raise particular risks should be notified to ANSPDCP).
However, we would point out that Decision 200/2015, as it currently stands, shall be applicable until the entry into force of the European Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (foreseen to enter into force in 2018). This EU Regulation shall fully remove the obligation to notify, setting forth other alternative mechanisms to ensure the protection of data subjects. But let us discuss these alternatives on another occasion.
This article was first published in Just in Case, an electronic magazine by Țuca Zbârcea & Asociații (http://www.tuca.ro). To read the entire article, please go to: http://www.tuca.ro/just_in_case/