Publisher: Editura Universitara
Author: Daniel-Mihail Sandru
Edition: I
Pages: 254
Publisher year: 2024
ISBN: 978-606-28-0947-8
DOI: 10.5682/9786062809478
Data protection in Romania. GDPR compliance and sanctions
Abbreviations/9
Foreword/11
Chapter I. Why data protection?/17
Section 1. Is there a specific Romanian?/17
Section 2. Data protection and private life/21
Section 3. Operators and data subjects/26
Section 4. Compliance and sanctions/29
Section 5. Importance of non-personal data/33
Chapter II. Untying the bonds of legislation/36
Section 1. Legislation and jurisprudence in Europe/36
Section 2. Opinions and guidelines of the European Data Protection Committee/59
Chapter III. The current state of data protection in Romania/65
Section 1. The role of Romanian institutions/65
Section 2. Experiences of the Romanian courts/71
Chapter IV. The principles of data protection/97
Section 1. The role of principles in the application of data protection/98
Section 2. Legality of processing/102
Section 3. The principle of equity/105
Section 4. The principle of transparency/106
Section 5. Principle of purpose-related limitation/108
Section 6. The principle of minimization/110
Section 7. Principle of accuracy/110
Section 8. Principle of limitation related to storage/112
Section 9. Principles of integrity and confidentiality/114
Section 10. The principle of proportionality/116
Section 11. Principle of responsibility/123
Section 12. Principles and rights/126
Chapter V. Basics of data processing/127
Section 1. Determination of the basis for processing/127
Section 2. Consent/135
Section 3. Contract/147
Section 4. Legal obligation/152
Section 5. Vital interests/152
Section 6. Public interest/154
Section 7. Legitimate interest/155
Chapter VI. Rights of data subjects/163
Section 1. Notion of data subject/163
Section 2. Types of rights of the person concerned/165
Section 3. The right to information/168
Section 4. The right of access to data/171
Section 5. The right to rectification/172
Section 6. The right to delete data/174
Section 7. The right to restrict processing/176
Section 8. The right to data portability/177
Section 9. The right to opposition/178
Section 10. The automated individual decision-making process, including the creation of profiles/179
Section 11. Restrictions on the rights of the persons concerned/180
Section 12. The right to file a complaint with a supervisory authority/181
Section 13. Sanctions for non-respect of the rights of the person concerned/183
Chapter VII. Data operators - contractual relations and fundamental rights/184
Section 1. Notion of operator/184
Section 2. Rights and obligations of the operator/186
Section 3. The rights and obligations of the proxy/189
Section 4. The relationship between the operator and authorized representative/190
Section 5. The Data Protection Officer/195
Section 6. Technical and organizational measures/198
Chapter VIII. Appeals, liability and sanctions/215
Section 1. The right to an effective judicial remedy against a supervisory authority/215
Section 2. Sanctions of the data processing supervisory authority/217
Section 3. Typology of sanctions in the application of Law no. 506/2006/225
Section 4. The right to compensation/229
Selective bibliography/231
Index/247
Thanks/252
The author, researcher Mihai Sandru, highlights from the beginning of the volume "Data Protection in Romania" why this field has shone in recent years in practical life, showing that the appearance of bureaucracy is overshadowed by the fact that data protection has value through a structured understanding, based on principles.
The red line or thread of this work is maintained from beginning to end, representing a "compliance tool" that will be, once the volume is published, at the disposal of all operators and persons interested in the knowledge and application of the General Regulation regarding Data Protection. In other words, the author Mihai Sandru expresses in the first chapter entitled "Why data protection", in an original way, the entire experience gained in this field, with the care of those who want to train. As a result, in the first chapter the practical world of data protection is opened to us, showing where the main challenges may appear in complying with the General Data Protection Regulation, where the essential distinctions must be made in order to know how to correctly apply or at least correctly understand the requirements and the meaning of the main rules of this regulation and the legislation with which it interferes at the level of operators in Romania or in relation to the concerned persons in Romania.
Chapter II draws attention to the dynamics of legislation and acts in the field of data protection: all this, says the author, represents an ecosystem that develops year by year. The specificity of data protection in Romania is highlighted especially in relation to the application of legislation at the level of Romanian courts and authorities. From the perspective of the legislation, I think that what is new consists in the proposed way of viewing the documents issued by the European Committee for Data Protection, more precisely documents that, although they do not have recognized legal force, being guidelines, recommendations, instructions, still cannot be seen as "lacking any legal effect". In any case, within this chapter, the general description of the legal ecosystem of data protection is followed, following within the European normative and institutional protection, the general material and territorial framework of the GDPR and the links of this regulation with the other normative acts in the field of data protection.
In chapter IV, some characteristics regarding the actual state of GDPR application in Romania are shown, using in particular two points of reference: the preliminary submissions made before and by the Romanian courts to the Court of Justice of the European Union and the activity of the national supervisory authority. The essential conclusions are not critical, but in some places some criticisms are formulated related to the inconsistency of some courts in terms of the solutions pronounced, the absence of understanding of the scope of either GDPR or Law no. 363/2018 regarding the processing of personal data by law enforcement authorities, or even the difficulty of receiving court practice as a whole, since searching in information sources, such as the rejust.ro website, is difficult. Perhaps at the center of the entire practice is the Bara et al. case, cited both in the practice of the CJEU and in that of some courts in Romania.
In Chapter IV, which deals with the principles of data protection, they are described both narratively and showing the mechanism of interdependence in application to concrete situations. Certainly, this is the most important chapter, if we look at it as a whole. However, unlike the strict limitation to the principles stated in Article 5 of the GDPR, the author adds another principle, namely the principle of proportionality. Most authors consider that this principle is included in the principle of the legality of data processing, but the author shows that this principle is a much broader standard than reducing it to the principle of the legality of personal data processing, influencing including the issue of the size of a sanction applied by a supervisory authority. Chapter V, titled the basics of processing, complements the previous chapter on the principles of processing. Again, the examples from the jurisprudence of the CJEU and the courts represent the "spices" that make the text pleasant, easy to understand, but especially useful, because each idea is accompanied by such an example. There are also some positions here that provoke debate, an aspect even discussed by the author; such positionings, such as the idea that consent is not the main legal basis used for processing viewed as a whole or that in the presence of a legal basis, others should not be simultaneously added, give a practical character to the work. All these ideas are usually accompanied by recommendations from the guidelines and orientations of the European Committee for Data Protection. A central place in this chapter is represented by consent as the legal basis of data processing. Moreover, consent is also the center of GDPR interests, which is why all its values and reflexes to be validly given are debated, analyzed and exemplified.
In reference to the legal bases of personal data processing, the author concludes that they represent the hard legal element, beyond the various procedures necessary to comply with the GDPR. At the same time, the presentation of the notions is accompanied by "warnings" addressed to the reader, or, in other words, the author asks him to remember the "lessons learned".
Chapter VI focuses on the powers offered to the person whose data is processed, powers that manifest themselves by virtue of a solid "shield" of rights that the GDPR has strategically enshrined. The rights of the concerned person are enunciated by the author and ascertained clarifications are made regarding their specifics and how they must be exercised in practice to be effective. In the chapter, implicitly, one of the ideas from the beginning of the work is highlighted: the specificity of the protection of personal data is that, through the corresponding legislation, it manifests itself in public law reports. For this reason, the author presents the set of entities that, together with the operator even if sometimes against him, have obligations corresponding to the realization of the rights of the persons concerned: the supervisory authority, the European Commission, the ECPD, the person in charge of data protection. This presentation is made within a typology of the rights of the persons concerned by referring to the correlative obligations specific to each entity.
Chapter VII presents the main "beneficiary" of the obligations stipulated by the GDPR: the data operator. The presentation is descriptive, making references to its main obligations, to the main instruments by which it can ensure compliance, such as the case of the data protection officer or the conclusion of data protection agreements in its contractual relationships. Also here are presented the possibilities of consulting the supervisory authority, but also the tool for checking the level of intrusion on fundamental rights, namely the impact assessment (DPIA).
In the final chapter, entitled "Appeals, liability and sanctions", the "guarantees" of GDPR compliance by data operators, their proxies, whether they are public or private entities, are stated. The approach is accompanied by examples, especially when it is desired to highlight a more special, more interesting aspect, such as the sanctions applied for improper use of cookies.
I read the volume with interest and I believe that it represents a coherent x-ray of the state of the specific legislation in the field and, at the same time, of the particular aspects related to the protection of personal data in Romania. The style of presenting ideas and information is not theorized, but rather expeditious, informative, often telegraphic. The advantage lies in the fluency of writing and ideas, in the wealth of relevant jurisprudence and in the fact that the author manages to include in a few words an enormous amount of information, thanks to the practical and theoretical experience he has gained in this field. The work should be addressed especially to everyday practitioners in the field of data protection, especially due to the information condensed within the ideas, the ease of reading and understanding them and the fact that behind each idea is the "proof" offered by jurisprudence and the practice of the supervisory authority.
Nicolae‑Dragos Ploesteanu