Advanced Search

Law No. 677 Of 21 November 2001 On The Protection Of Individuals With Regard To The Processing Of Personal Data And The Free Movement Of Such Data

Original Language Title:  LEGE nr. 677 din 21 noiembrie 2001 pentru protecţia persoanelor cu privire la prelucrarea datelor cu caracter personal şi libera circulaţie a acestor date

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
LEGE no. 677 677 of 21 November 2001 (* updated *) for the protection of individuals with regard to the processing of personal data and the free movement of such data ((updated until 22 October 2007 *)
ISSUER PARLIAMENT




---------------- *) The initial text was published in the OFFICIAL GAZETTE no. 790 790 of 12 December 2001. This is the updated form of S.C. "Territorial Center of Electronic Computing" S.A. Piatra-Neamt until October 22, 2007, with the amendments and additions made by: LAW no. 102 102 of 3 May 2005 ; LAW no. 278 278 of 15 October 2007 . The Romanian Parliament adopts this law + Chapter I General provisions Purpose + Article 1 (1) The present law aims at guaranteeing and protecting the fundamental rights and freedoms of individuals, in particular the right to intimate, family and private life, with regard to the processing of personal data. (2) The exercise of the rights provided for in this law can only be restricted in express and limiting cases provided by law. Scope of application + Article 2 (1) This law applies to the processing of personal data, carried out, in whole or in part, by automatic means, as well as to the processing by other means. than the automatic ones of personal data that are part of a system of evidence or intended to be included in such a system. (. This Law shall apply to: a) processing of personal data, carried out within the activities carried out by operators established in Romania; b) processing of personal data, carried out within the activities carried out by the diplomatic missions or consular offices of Romania; c) processing of personal data, carried out within the activities carried out by operators not established in Romania, by the use of means of any nature located on the territory of Romania, unless these means are used only for the purpose of transiting on the territory of Romania the personal data subject to the respective processing. (3) In the case provided in par. ((2) lit. c) the operator will designate a representative who must be a person established in Romania. The provisions of this law applicable to the controller are also applicable to its representative, without prejudice to the possibility of bringing legal action directly against the controller. (4) This law applies to the processing of personal data carried out by natural or legal persons, Romanian or foreign, by public or private law, whether they take place in the public sector or in the private sector. (5) Within the limits provided by this law, it shall also apply to the processing and transfer of personal data, carried out in the framework of the activities of prevention, research and repression of crimes and of maintaining public order, such as and other activities carried out in the field of criminal law, within and with the restrictions established by law. (6) This law does not apply to the processing of personal data, carried out by individuals exclusively for their personal use, if the data in question are not intended to be disclosed. (7) The present law does not apply to the processing and transfer of personal data, carried out within the activities in the field of national defense and national security, carried out within the limits and with the restrictions established by law. (8) The provisions of this law are without prejudice to the obligations assumed by Romania through legal instruments ratified. Definitions + Article 3 For the purposes of this Law, the following terms shall be defined as follows: a) personal data-any information relating to an identified or identifiable natural person; an identifiable person is that person who can be identified, directly or indirectly, in particular by reference to a number of identification or to one or more factors specific to its physical, physiological, mental, economic, cultural or social identity; b) processing of personal data-any operation or set of operations that are carried out on personal data, by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or the modification, extraction, consultation, use, disclosure to third parties by transmission, dissemination or in any other way, joining or combining, blocking, erasure or destruction; c) storage-keeping on any kind of support of personal data collected; d) system of record of personal data-any structure organized by personal data, accessible according to determined criteria, regardless of whether this structure is organized centrally or decentralized or is distributed according to functional or geographical criteria; e) operator-any natural or legal person, private or public law, including public authorities, institutions and their territorial structures, which establishes the purpose and means of processing personal data; if the purpose and means of processing personal data are determined by a normative act or on the basis of a normative act, the controller is a natural or legal person, public or private law, who is designated as an operator by that normative act or on the basis of that normative act; f) the person empowered by the controller-a natural or legal person, by private or public law, including the public authorities, their institutions and territorial structures, who process personal data on account the operator; g) third party-any natural or legal person, private or public law, including public authorities, their institutions and territorial structures, other than the data subject, the controller or the person empowered or persons who, under the direct authority of the controller or processor, are authorised to process data; h) recipient-any natural or legal person, by private or public law, including public authorities, institutions and their territorial structures, to whom data is disclosed, whether or not it is third party; the authorities the public to whom data are communicated in the context of a special investigation competence shall not be considered as recipients; i) anonymous data-data which, due to the specific origin or modality of the processing, cannot be associated with an identified or identifiable person. + Chapter II General rules on the processing of personal data Characteristics of personal data in the processing + Article 4 (. The personal data intended to be subject to processing shall be: a) processed in good faith and in accordance with the legal provisions in force; b) collected for determined, explicit and legitimate purposes; further processing of personal data for statistical purposes, historical or scientific research will not be considered incompatible with the purpose of collection if carried out with compliance with the provisions of this law, including those concerning the performance of the notification to the supervisory authority, as well as the compliance with the guarantees concerning the processing of personal data, laid down by the regulates statistical activity or historical or scientific research; c) adequate, relevant and non-excessive by reference to the purpose in which they are collected and subsequently processed; d) accurate and, if applicable, updated; for this purpose the necessary measures will be taken so that inaccurate or incomplete data from the point of view of the purpose for which they are collected and for which they will subsequently be processed, be deleted or rectified; e) stored in a form that allows the identification of data subjects strictly for the duration necessary to achieve the purposes in which the data is collected and in which it will subsequently be processed; the storage of data for a duration longer than that mentioned, in statistical purposes, historical or scientific research, will be done in compliance with the guarantees regarding the processing of personal data, provided in the rules governing these fields, and only for the period necessary to achieve these purposes. (2) Operators shall comply with the provisions of par. (1) and to ensure the fulfilment of these provisions by the authorized persons. Conditions of legitimacy regarding data processing + Article 5 (1) Any processing of personal data, except for processing aimed at data from the categories referred to in art. 7 7 para. ((1), art. 8 and 10, can only be carried out if the data subject has given his/her consent expressly and unequivocally for that processing. (2) The consent of the data subject is not required in the following cases: a) when the processing is necessary for the performance of a contract or the antecontract to which the data subject is part or in order to take measures, at its request, before the conclusion of a contract or antecontract; b) when processing is necessary in order to protect the life, physical integrity or health of the data subject or another person threatened; c) when the processing is necessary in order to fulfill a legal obligation of the controller; d) when the processing is necessary in order to comply with measures of public interest or aimed at the exercise of the prerogatives of public authority with which the operator or third party to whom the data is disclosed is invested; e) when the processing is necessary in order to carry out a legitimate interest of the controller or third party to whom the data is disclosed, provided that this interest does not damage the interest or fundamental rights and freedoms of data subject; f) when processing concerns data obtained from publicly accessible documents, according to the law; g) when the processing is done exclusively for statistical purposes, historical or scientific research, and the data remain anonymous for the duration of the processing. (3) The provisions of par. ((2) are without prejudice to the legal provisions governing the obligation of public authorities to respect and protect intimate, family and private life. Conclusion of processing operations + Article 6 (1) At the conclusion of the processing operations, if the data subject has not expressly and unequivocally given his consent to another destination or for further processing, the personal data will be: a) destroyed; b) transferred to another operator, provided that the original operator guarantees that subsequent processing has similar purposes to those in which the original processing was made; c) transformed into anonymous data and stored exclusively for statistical purposes, historical or scientific research. (2) In the case of processing operations carried out under the conditions provided in art. 5 5 para. ((2) lit. c) or d), within the activities described in art. 2 2 para. (5), the controller may store the personal data for the period necessary to achieve the concrete goals pursued, provided that appropriate measures are ensured to protect them, after which they will proceed to their destruction if they are not applicable to legal provisions regarding the preservation of archives + Chapter III Special rules on the processing of personal data Processing of special categories of data + Article 7 (1) Processing of personal data related to racial or ethnic origin, political, religious, philosophical or similar beliefs, trade union membership, as well as personal data on the state of health or Sex life is forbidden. (2) Provisions of para. ((1) shall not apply in the following cases: a) when the data subject has expressly given his consent to such processing; b) when the processing is necessary in order to comply with the specific obligations or rights of the operator in the field of labor law, in compliance with the guarantees provided by law; carried out only if there is a legal obligation of the controller to do so or if the data subject has expressly consented to this disclosure; c) when the processing is necessary for the protection of the life, physical integrity or health of the data subject or of another person, if the data subject is in physical or legal incapacity to give his consent; d) when the processing is carried out within the framework of its legitimate activities by a foundation, association or by any other non-profit organization and with specific political, philosophical, religious or trade union, provided that the data subject is member of this organization or to maintain with it, on a regular basis, relationships that concern the specific activity of the organization and that the data are not disclosed to third parties without the consent of the data subject; e) when the processing relates to data made public in a manifest manner by the data subject; f) when processing is necessary for the establishment, exercise or defence of a right of justice; g) when processing is necessary for the purposes of preventive medicine, the establishment of medical diagnoses, the administration of medical care or treatments for the data subject or the management of health services acting in the interest of the data subject, provided that the processing of that data is carried out by or under the supervision of a health professional subject to professional secrecy or by or under the supervision of another person subject to an obligation equivalents in terms of secrecy; h) when the law expressly provides for it in order to protect an important public interest, provided that the processing is carried out in compliance with the rights of the data subject and the other guarantees provided by this law. (3) The provisions of par. ((2) are without prejudice to the legal provisions governing the obligation of public authorities to respect and protect intimate, family and private life. (4) The supervisory authority may order, for good reasons, to prohibit the performance of a data processing from the categories referred to in par. (1), even if the data subject has given in writing and unequivocally his consent, and this consent has not been withdrawn, provided that the prohibition provided in par. ((1) not to be removed by one of the cases referred to in paragraph 1. ((2) lit. b)-g). Processing of personal data with identification function + Article 8 (1) The processing of the personal numerical code or of other personal data having an identification function of general applicability may be carried out only if: a) the data subject has expressly given his consent; or b) the processing is expressly provided by a legal provision. (2) The supervisory authority may establish other cases in which the processing of the data referred to in par. ((1), provided that adequate safeguards are in place to respect the rights of the data subjects. Processing of personal data on the state of health + Article 9 (1) In addition to the cases provided in art. 7 7 para. (2), provisions of art. 7 7 para. ((1) shall not apply to the processing of health data in the following cases: a) if processing is necessary for the protection of public health; b) whether the processing is necessary for the prevention of imminent danger, to prevent the commission of a criminal act or to prevent the result of such a fact or to remove the injurious consequences of such a facts. (2) The processing of health data can only be carried out by or under the supervision of a health professional, provided that professional secrecy is respected, unless the data subject has given in writing and in a manner unequivocal consent as long as this consent has not been withdrawn, as well as unless the processing is necessary to prevent imminent danger, to prevent the commission of a criminal act, to prevent the result of such a fact or the removal of its consequences prejudicial. (3) Medical staff, health institutions and their medical staff may process personal data relating to the state of health, without the authorization of the supervisory authority, only if the processing is necessary to protect the person's life, physical integrity or health. When the said purposes refer to other persons or to the public in general and the data subject has not given his/her consent in writing and unequivocally, the authorization of the supervisory authority must be requested and obtained in advance. The processing of personal data outside the limits provided for in the authorization is prohibited. ((4) Except for emergency reasons, the authorization provided in par. (3) may be granted only after the Romanian College of Physicians has been consulted. (5) Personal data on the state of health may be collected only from the data subject. By way of exception, this data may be collected from other sources only to the extent necessary to not compromise the purposes of the processing, and the data subject does not want or cannot provide them. Processing of personal data relating to criminal acts or contraventions + Article 10 (1) The processing of personal data related to the commission of crimes by the data subject or to criminal convictions, safety measures or administrative or contravention sanctions, applied to the data subject, can be carried out only by or under the control of public authorities, within the limits of the powers conferred on them by law and under the conditions laid down by the special laws governing these matters. (2) The supervisory authority may establish other cases in which the processing of the data referred to in par. ((1), provided that adequate safeguards are in place to respect the rights of the data subjects. (3) A full register of criminal convictions can be kept only under the control of a public authority, within the limits of the powers conferred on it by law. Exceptions + Article 11 Art. 5, 6, 7 and 10 shall not apply if the data processing is done exclusively for journalistic, literary or artistic purposes, if the processing concerns personal data that have been made public in a manifest manner by the data subject or which are closely related to the quality of the person concerned or the public nature of the facts in which he is involved. + Chapter IV Rights of the data subject in the context of personal data processing Informing the data + Article 12 (1) If personal data is obtained directly from the data subject, the controller is obliged to provide the data subject with at least the following information, unless this person already possesses the information a) the identity of the operator and its representative, if applicable; b) the purpose of processing the data; c) additional information, such as: recipients or categories of recipients of the data; whether the provision of all the required data is mandatory and the consequences of the refusal to provide them; the existence of the rights provided by this law for the person targeted, in particular, of the right of access, of intervention on the data and of the opposition, and of the conditions under which it may be exercised; d) any other information the supply of which is imposed by the supervisory authority, taking into account the specifics of the processing. (2) If the data is not obtained directly from the data subject, the controller is obliged, at the time of collecting the data or, if it is intended to reveal them to third parties, at the latest by the time of the first disclosure, to provide the data subject with at least the following information, unless the data subject already possesses that information: a) the identity of the operator and its representative, if applicable; b) the purpose of processing the data; c) additional information, such as: the data categories concerned, the recipients or categories of recipients of the data, the existence of the rights provided by this law for the data subject, in particular the right of access, the intervention on the data and the opposition, as well as the conditions under which they may be exercised; d) any other information the supply of which is imposed by the supervisory authority, taking into account the specifics of the processing. (3) The provisions of par. ((2) does not apply when the data processing is carried out exclusively for journalistic, literary or artistic purposes, if their application would give clues to the sources of information. (4) The provisions of par. ((2) does not apply where the processing of data is done for statistical purposes, historical or scientific research, or in any other situations where the provision of such information proves impossible or would imply an effort disproportionate to the legitimate interest that could be harmed, as well as in situations where the registration or disclosure of the data is expressly provided for by law. Right of access to data + Article 13 (1) Any data subject shall have the right to obtain from the controller, upon request and free of charge for a request per year, confirmation that the data concerning him or her are not processed by him. The operator shall be obliged, if he processes personal data concerning the applicant, to communicate to him, together with the confirmation, at least the following: a) information on the purposes of the processing, the categories of data envisaged and the recipients or categories of recipients to whom the data is disclosed; b) communication in an intelligible form of the data subject to the processing, as well as any available information on the origin of the data; c) information on the principles of operation of the mechanism by which any automatic data processing aimed at that person is carried out; d) information on the existence of the right of intervention on the data and the right of opposition, as well as the conditions under which it may be exercised e) information on the possibility to consult the register of processing of personal data, provided in art. 24, to file a complaint to the supervisory authority, as well as to address the court for attacking the operator's decisions, in accordance with the provisions of this law. (2) The data subject may request from the controller the information provided in par. (1), by a request drawn up in written form, dated and signed. In the request the applicant can show whether he wants the information to be communicated to him at a certain address, which can also be electronic mail, or through a correspondence service to ensure that the handover will only be done to him personally. ((3) The controller is obliged to communicate the requested information, within 15 days from the date of receipt of the request, in compliance with the possible option of the applicant expressed according to par. ((2). (4) In the case of personal data related to the state of health, the request provided in par. ((2) may be introduced by the data subject either directly or by means of a medical professional who will indicate in the request the person on whose behalf he is introduced. At the request of the operator or the data subject referred to in paragraph ((3) may be made by means of a health professional designated by the data subject. (5) If personal data related to the health status are processed for scientific research purposes, if there is not, at least apparently, the risk of prejudice to the rights of the data subject and if the data is not used to make decisions or measures towards a specific person, the communication provided in par. ((3) may also be made within a period greater than that provided for in that paragraph, in so far as it could affect the smooth running or the results of the research, and no later than the time when the research is completed. In this case the data subject must have expressly and unequivocally given his consent for the data to be processed for scientific research purposes, as well as on the possible postponement of the communication provided in par. ((3) for this reason. (6) Provisions of para. ((2) does not apply when the data processing is carried out exclusively for journalistic, literary or artistic purposes, if their application would give clues to the sources of information. Right of intervention on data + Article 14 (. Any data subject shall have the right to obtain from the controller, upon request and free of charge: a) where applicable, the rectification, updating, blocking or erasure of data whose processing is not in compliance with this law, in particular incomplete or inaccurate data; b) as the case may be, the transformation into anonymous data of the data whose processing is not in conformity with the c) notification to third parties to whom the data of any operation carried out according to lit. a) or b), if this notification does not prove impossible or does not entail a disproportionate effort towards the legitimate interest that could be harmed. (2) For the exercise of the right provided in par (1) the data subject shall submit to the controller a request drawn up in written form, dated and signed. In the request the applicant can show whether he wants the information to be communicated to him at a certain address, which can also be electronic mail, or through a correspondence service to ensure that the handover will only be done to him personally. ((. The controller shall be obliged to communicate the measures taken pursuant to paragraph 1. ((1), as well as, if applicable, the name of the third party to whom the personal data relating to the data subject have been disclosed, within 15 days from the date of receipt of the request, in compliance with the possible option of the applicant according to para. ((2). Right of opposition + Article 15 (1) The data subject has the right to object at any time, for legitimate and legitimate reasons related to his particular situation, as data aimed at him to be the subject of a processing, except in cases where there are legal provisions to the contrary. In case of justified opposition the processing can no longer target the data in question. (2) The data subject has the right to object at any time, free of charge and without any justification, that the data intended to be processed for direct marketing purposes, on behalf of the controller or a third party, or be disclosed to third parties for such purpose. (3) In order to exercise the rights provided in par. ((1) and (2) the data subject shall submit to the controller a request drawn up in written form, dated and signed. In the request the applicant can show whether he wants the information to be communicated to him at a certain address, which can also be electronic mail, or through a correspondence service to ensure that the handover will only be done to him personally. ((. The controller shall be obliged to communicate to the data subject the measures taken under par. ((1) or (2), as well as, if applicable, the name of the third party to whom the personal data relating to the data subject have been disclosed, within 15 days from the date of receipt of the request, in compliance with the applicant's possible option expressed according to para. ((3). Exceptions + Article 16 (1) The provisions of art. 12, 13, of art. 14 14 para. ((3) and art. 15 shall not apply to the activities referred to in art. 2 2 para. ((5), if the effectiveness of the action or the objective pursued in carrying out the legal duties of the public authority is damaged by their application (2) Provisions of para. ((1) are strictly applicable for the period necessary to achieve the objective pursued by carrying out the activities referred to in 2 2 para. ((5). (. After cessation of the situation justifying the application of paragraph ((1) and (2) the operators carrying out the activities referred to in art. 2 2 para. (5) take the necessary measures to ensure that the rights of the data subjects are respected (. Public authorities shall keep records of such cases and shall regularly inform the supervisory authority of the manner of their settlement. The right not to be subject to an individual decision + Article 17 (1) Everyone has the right to ask and obtain: a) the withdrawal or cancellation of any decision that produces legal effects in respect of itself, adopted solely on the basis of a processing of personal data, carried out by automatic means, intended to assess some aspects of its personality, such as professional competence, credibility, conduct or other such matters; b) the reassessment of any other decision taken in respect of it, which affects it significantly, if the decision has been adopted exclusively on the basis of a data processing meeting the conditions laid down in lett. a). (2) Compliance with the other guarantees provided by this law, a person may be subject to a decision of the nature of the one referred to in paragraph (1), only in the following situations: a) the decision is taken within the framework of the conclusion or execution of a contract, provided that the request for conclusion or performance of the contract, introduced by the data subject, has been satisfied or that some appropriate measures, such as the possibility of supports the view, to guarantee the defence of its own legitimate interest; b) the decision is authorized by a law specifying the measures guaranteeing the protection of the legitimate interest of the data subject. Right to address justice + Article 18 (1) Without prejudice to the possibility to address the complaint to the supervisory authority, the persons concerned have the right to address the judiciary for the protection of any rights guaranteed by this law, which have been violated. ((2) Any person who has suffered damage from a processing of personal data, carried out illegally, may address the competent court for its repair. (. The competent court shall be the one in whose territorial area the applicant resides. The application for appeal is exempt from stamp duty. + Chapter V Confidentiality and security of processing Confidentiality of processing + Article 19 Any person acting under the authority of the controller or processor, including the person empowered, who has access to personal data, can only process them on the basis of the instructions of the controller, except the case in which it acts pursuant to a legal obligation. Processing security + Article 20 (1) The controller is obliged to apply the appropriate technical and organisational measures for the protection of personal data against accidental or unlawful destruction, loss, modification, disclosure or unauthorised access, in particular if that processing carries data transmissions within a network, as well as against any other form of unlawful processing. (2) These measures must ensure, according to the stage of the technique used in the process of processing and costs, an adequate level of security with regard to the risks posed by the processing as well as in relation to the nature of the data to be protected. The minimum security requirements will be developed by the supervisory authority and will be regularly updated, corresponding to technical progress and experience gained. ((3) The controller, when designating an empowered person, is obliged to choose a person who presents sufficient guarantees with regard to technical and organisational security measures with regard to the processing to be carried out, as well as to ensure compliance with these measures by the designated person. (. The supervisory authority may decide, in individual cases, on the obligation of the controller to adopt additional security measures, with the exception of those concerning the guarantee of the security of telecommunications services. (5) The carrying out of processing by authorized persons must be carried out on the basis of a contract concluded in written form, which will necessarily include: a) the obligation of the authorized person to act only on the instructions received from the controller; b) that the fulfilment of the obligations provided in par. (1) also returns to the person empowered. + Chapter VI Supervision and control of personal data processing Supervisory authority + Article 21 (1) The supervisory authority, for the purposes of this law, is the National Supervisory Authority for Personal Data Processing. ------------ Alin. ((1) of art. 21 21 has been amended by section 1 1 of art. 22 of LAW no. 102 102 of 3 May 2005 , published in MONITORUL OFFICIAL no. 391 391 of 9 May 2005. (. The supervisory authority shall operate under conditions of complete independence and impartiality. (3) The supervisory authority shall monitor and control in terms of legality the processing of personal data falling within the scope of this law. For this purpose the supervisory authority shall exercise the following tasks: a) develop the typified forms of notifications and registers of their own; b) receives and analyzes notifications regarding the processing of personal data, announcing to the operator the results of the prior control; c) authorizes the data processing in the situations provided by law; d) may order, if it finds the violation of the provisions of this law, the provisional suspension or termination of the data processing, partial or full deletion of the processed data and may notify the prosecution bodies or bring legal action; d ^ 1) informs individuals or/and legal entities operating in these areas, directly or through their associative structures, on the need to comply with the obligations and to perform the procedures provided for by the present law; ------------ Letter d ^ 1) a par. ((3) of art. 21 21 was introduced by section 4.2. 2 2 of art. 22 of LAW no. 102 102 of 3 May 2005 , published in MONITORUL OFFICIAL no. 391 391 of 9 May 2005. e) keep and make available to the public the record of processing of personal data; f) receives and settles complaints, referrals or requests from individuals and communicates the solution once or, as the case may be, due diligence; g) carry out investigations ex officio or upon receipt of complaints or complaints; h) is consulted when developing draft normative acts related to the protection of the rights and freedoms of persons, regarding the processing of personal data; i) may make proposals regarding the initiation of draft normative acts or the modification of normative acts in force in areas related to the processing of personal data; j) cooperate with public authorities and public administration bodies, centralize and analyze their annual activity reports on the protection of individuals with regard to the processing of personal data, recommendations and opinions on any matter relating to the protection of fundamental rights and freedoms with regard to the processing of personal data, at the request of any person, including public authorities and the bodies of the administration public; these recommendations and opinions must make mention of the grounds on supporting and communicating in copy and to the Ministry of Justice; when the recommendation or opinion is required by law, it shall be published in the Official Gazette of Romania, Part I; k) cooperate with similar authorities abroad for mutual assistance, as well as with persons residing or residing abroad, for the purpose of defending the fundamental rights and freedoms that may be affected by processing personal data; l) performs other duties provided by law. m) the organization and functioning of the National Supervisory Authority for Personal Data Processing is established by law. ------------ Letter m) a par. ((3) of art. 21 21 was introduced by section 4.2. 3 3 of art. 22 of LAW no. 102 102 of 3 May 2005 , published in MONITORUL OFFICIAL no. 391 391 of 9 May 2005. (4) The entire staff of the supervisory authority has the obligation to keep professional secrecy, with the exceptions provided by law, indefinitely, on confidential or classified information to which it has or had access to the exercise duties, including after the termination of legal relations with the supervisory authority. Notification to the supervisory authority + Article 22 ((1) The controller shall be obliged to notify the supervisory authority, personally or through the representative, before any processing is carried out or of any processing assembly with the same purpose or related purposes. (2) Notification is not necessary if the processing has as sole purpose the keeping of a register intended by law to inform the public and open to public consultation in general or to any person who proves a legitimate interest, with the condition that the processing is limited to the data strictly necessary for the young registrar. (. The notification shall include at least the following information: a) the name or the name and domicile or the seat of the controller and its designated representative, if applicable; b) the purpose or purposes of processing c) a description of the category or categories of data subjects and data or categories of data to be processed; d) the recipients or categories of recipients to whom the data is intended to be disclosed; e) guarantees accompanying the disclosure of data to third parties; f) how the data subjects are informed of their rights; the estimated date for the completion of the processing operations, as well as the subsequent destination of the data; g) data transfers that are intended to be made to other states; h) a general description allowing the preliminary assessment of the measures taken to ensure the security of the processing; i) the specification of any system of record of personal data, which relates to the processing, as well as possible links with other data processing or other systems of record of personal data, whether or not perform, respectively, whether or not they are located on the territory of Romania j) the reasons justifying the application of 11 11, art. 12 12 para. ((3) or (4) or of art. 13 13 para. ((5) or (6), in a situation where data processing is done exclusively for journalistic, literary or artistic purposes or for statistical purposes, historical or scientific research. (. If the notification is incomplete, the supervisory authority shall require it to be completed. ((. Within the limits of the powers of investigation available to it, the supervisory authority may request other information, in particular on the origin of the data, the automatic processing technology used and details of the security measures. The provisions of this paragraph shall not apply where data processing is done exclusively for journalistic, literary or artistic purposes. (6) If the data which is processed is intended to be transferred abroad, the notification shall also include the following elements: a) the categories of data subject to the transfer; b) the country of destination for each category of data. -------------- Alin. ((7) art. 22 22 has been repealed by section 6.6. 2 2 of the single article of LAW no. 278 278 of 15 October 2007 , published in MONITORUL OFFICIAL no. 708 708 of 19 October 2007. (8) Public authorities carrying out personal data processing in relation to the activities described in art. 2 2 para. (5), pursuant to the law or in fulfilling the obligations assumed by international agreements ratified, are exempt from the tax provided in par. ((7). The notification will be sent within 15 days from the entry into force of the normative act establishing the respective obligation and will include only the following elements: a) the name and seat b) the purpose and legal basis of processing; c) the categories of personal data subject to processing. (9) The supervisory authority may determine other situations in which the notification is not necessary, except for the one referred to in paragraph 1. ((2), or situations in which the notification may be made in a simplified form, and its content, only in one of the following cases: a) when, taking into account the nature of the data intended to be processed, the processing cannot, at least apparently, affect the rights of the data subjects, provided they expressly specify the purposes in which such processing can be done, the data or the categories of data that may be processed, the category or categories of data subjects, recipients or categories of recipients to whom the data may be disclosed and the period for which the data may be stored; b) when processing is carried out under the conditions of art. 7 7 para. ((2) lit. d). Prior control + Article 23 (. The supervisory authority shall determine the categories of processing operations which are likely to pose particular risks to the rights and freedoms of persons. (. If on the basis of notification the supervisory authority finds that the processing falls within one of the categories referred to in paragraph 1. (1), it will be mandatory to carry out a prior control to start the respective processing, with the announcement ((3) Operators who have not been notified within 5 days from the date of notification about carrying out a prior control may start processing. (4) In the situation referred to in par. (2) the supervisory authority shall be obliged, no later than 30 days after the date of notification, to bring to the attention of the operator the result of the control carried out, and the decision issued thereon. Register of data processing of personal data + Article 24 (1) The supervisory authority shall keep a register of processing of personal data, notified in accordance with the provisions of art. 22. The register will include all the information provided in art. 22 22 para. ((3). (. Each operator shall receive a registration number. The registration number must be mentioned on any act by which the data is collected, stored or disclosed. ((3) Any change likely to affect the accuracy of the recorded information will be communicated to the supervisory authority within 5 days. The supervisory authority shall immediately dispose of the relevant entries in the register. (4) The processing activities of personal data, started before the entry into force of this Law, shall be notified for registration within 15 days from the date of entry into force of this Law. (5) The register of personal data processing is open to public consultation. The method of consultation shall be determined by the supervisory authority. Complaints to the supervisory authority + Article 25 (1) In order to defend the rights provided by this law, persons whose personal data are subject to a processing that falls under the present law may submit a complaint to the supervisory authority. The complaint can be made directly or through the representative. The injured person can empower an association or foundation to represent his interests. ((2) The complaint to the supervisory authority cannot be filed if a claim in the judiciary, having the same object and the same parties, was previously introduced. ((3) In addition to cases where a delay would cause imminent and irreparable damage, the complaint to the supervisory authority may not be filed earlier than 15 days after the submission of a complaint with the same content to the controller. ((4) In order to resolve the complaint, if it considers that it is necessary, the supervisory authority may hear the data subject, the controller and, if applicable, the person empowered or the association or the foundation representing the interests of the data subject. These persons have the right to submit applications, documents and memoirs. The supervisory authority may order expertise to be carried out. (. If the complaint is found to be established, the supervisory authority may decide on any of the measures provided for in art. 21 21 para. ((3) lit. d). The temporary prohibition of processing may only be imposed until the grounds have been terminated which have led to this measure. (6) The decision must be reasoned and communicated to interested parties within 30 days of the date of receipt of the complaint. (7) The supervisory authority may order, if it considers necessary, the suspension of some or all processing operations until the complaint is resolved under the conditions of par. ((5). (8) The supervisory authority may address the judiciary for the protection of any rights guaranteed by this law to the persons concerned. The competent court is the Bucharest Court. The application for appeal is exempt from stamp duty. (9) At the request of the data subjects, for good reasons, the court may order the suspension of the processing until the supervisory authority is resolved. (10) Provisions of para. ((4)-(9) shall apply accordingly and in the event that the supervisory authority finds out in any other way about the commission of a violation of the rights recognized by this law to the persons concerned. Challenge of supervisory authority decisions + Article 26 (1) Against any decision issued by the supervisory authority under the provisions of this law the controller or the data subject may appeal within 15 days of communication, under penalty of forfeiture, to the court of litigation administrative competence. The request is adjudicated urgently, with the citation of The solution is final and irrevocable. (2) I take exception to the provisions of par. (1), as well as from those of art. 23 and 25 processing of personal data, carried out within the framework of the activities provided for in art. 2 2 para. ((5). Exercise of investigative powers + Article 27 (1) The supervisory authority may investigate, ex officio or upon receipt of a complaint, any infringement of the rights of the data subjects, namely the obligations incumbent upon the operators and, where applicable, the persons empowered, in carrying out processing of personal data, for the purpose of defending the fundamental rights and freedoms of data subjects. (2) The powers of investigation may not be exercised by the supervisory authority if a previously introduced legal claim has as its object the same infringement of rights and opposes the same parties. (3) In the exercise of investigative powers the supervisory authority may request the controller any information related to the processing of personal data and verify any document or record relating to the processing of data personal character. (4) The state secret and professional secrecy cannot be invoked in order to prevent the exercise of the powers granted by this law to the supervisory authority. When the protection of state secrecy or professional secrecy is invoked, the supervisory authority shall have the obligation to keep the secret. ------------ Alin. ((5) of art. 27 27 has been repealed by section 6.6. 4 4 of art. 22 of LAW no. 102 102 of 3 May 2005 , published in MONITORUL OFFICIAL no. 391 391 of 9 May 2005. Rules of conduct + Article 28 (1) Professional associations are required to develop and submit for approval to the supervisory authority codes of conduct containing appropriate rules for the protection of the rights of persons whose personal data may be processed by their members. ((. The rules of conduct should provide for measures and procedures to ensure a satisfactory level of protection, taking into account the nature of the data to be processed. The supervisory authority may order specific measures and procedures for the period during which the rules of conduct referred to above are not adopted. + Chapter VII Transfer abroad of personal data Conditions for the transfer abroad of personal data + Article 29 (1) The transfer to another state of personal data subject to a processing or intended to be processed after the transfer may take place only if the Romanian law is not violated and the state to which it is intends the transfer to ensure adequate protection. (2) The level of protection will be assessed by the supervisory authority, taking into account the totality of the circumstances in which the data transfer is carried out, in particular in view of the nature of the data transmitted, the purpose of the processing and the duration for processing, the State of origin and the State of final destination, and the legislation of the requesting State If the supervisory authority finds that the level of protection offered by the receiving State is unsatisfactory, it may order a ban on the transfer of data. (3) In all situations the transfer of personal data to another State will be subject to prior notification of the supervisory authority. (4) The supervisory authority may authorise the transfer of personal data to a state whose legislation does not provide for a level of protection at least equal to that offered by the Romanian law when the operator provides sufficient guarantees with protection of fundamental rights of persons. These guarantees must be established by contracts concluded between the operators and the natural or legal persons in whose disposal the transfer is made. (5) Provisions of para. (2), (3) and (4) shall not apply if the transfer of the data is based on the provisions of a special law or an international agreement ratified by Romania, in particular if the transfer is made for the purpose of preventing, researching or repressing a felonies. (6) The provisions of this Article shall not apply when data processing is done exclusively for journalistic, literary or artistic purposes, if the data has been made publicly available by the data subject or closely linked to the quality of the person concerned or the public nature of the facts in which he is involved. Situations in which the transfer is always allowed + Article 30 Data transfer is always allowed in the following situations: a) when the data subject has explicitly given his consent to the transfer; if the data transfer is made in relation to any of the data referred to in art. 7, 8 and 10, consent must be given in writing; b) when necessary for the performance of a contract concluded between the data subject and the controller or for the execution of pre-contractual measures ordered at the request of the c) when it is necessary for the conclusion or performance of a contract concluded or ending, in the interest of the data subject, between the controller and a third party; d) when necessary for the satisfaction of a major public interest, such as national defence, public order or national security, for the proper conduct of the criminal proceedings or for the establishment, exercise or defence of a right of justice, with the condition that the data are processed in relation to this purpose and no longer than necessary; e) when necessary to protect the life, physical integrity or health of the data subject; f) when it intervenes as a result of a previous request for access to official documents that are public or a request for information that may be obtained from the registers or through any other documents accessible to the public. + Chapter VIII Contraventions and penalties Failure to notify and notice in bad faith + Article 31 Failure to carry out the notification under the conditions of art. 22 22 or art. 29 29 para. (3) in situations where such notification is mandatory, as well as incomplete notification or containing false information constitutes contraventions, if not committed under such conditions as to constitute crimes, and shall be sanctioned with fine from 5,000,000 lei to 100,000,000 lei. Unlawful processing of personal data + Article 32 Processing of personal data by an operator or a person empowered by him, in violation of the provisions of art. 4-10 or with the disregard of the rights provided in art. 12 12-15 or in art. 17, constitutes contravention, if it is not committed in such conditions as to constitute a crime, and is sanctioned with a fine of 10,000,000 lei to 250,000,000 lei. Failure to fulfil obligations regarding confidentiality and enforcement of security measures + Article 33 Failure to comply with obligations regarding the application of security measures and to preserve the confidentiality of processing, provided in art. 19 and 20, constitute contravention, if it is not committed in such conditions as to constitute a crime, and is sanctioned with a fine of 15,000,000 lei to 500,000,000 lei. Refusal to provide information + Article 34 Refusal to provide the supervisory authority with the information or documents required by it in the exercise of the investigative powers provided for in art. 27 constitutes contravention, if it is not committed in such conditions as to constitute a crime, and is sanctioned with a fine of 10,000,000 lei to 150,000,000 lei. Finding of contraventions and application of sanctions + Article 35 (1) The finding of contraventions and the application of sanctions shall be carried out by the supervisory authority, which may delegate these duties to persons recruited from among its staff, as well as by authorized representatives of the bodies with supervisory and control tasks, ability according to the law. (2) The provisions of this Law on contraventions shall be supplemented by the provisions Government Ordinance no. 2/2001 on the legal regime of contraventions, in so far as this law does not have otherwise. (3) Against the minutes of finding and sanctioning one can complain to the administrative departments of the courts. + Chapter IX Final provisions Entry into force + Article 36 This Law shall enter into force on the date of its publication in the Official Gazette of Romania, Part I, and shall be implemented within 3 months of its entry into force. This law was adopted by the Senate at the meeting of October 15, 2001, in compliance with the provisions of art 74 74 para. (2) of the Romanian Constitution. SENATE PRESIDENT NICOLAE VACAROIU This law was adopted by the Chamber of Deputies at the meeting of October 22, 2001, in compliance with the provisions of 74 74 para. (2) of the Romanian Constitution. PRESIDENT CHAMBER OF DEPUTIES VALER DORNEANU ---------------