Advanced Search

Law No. 81 Of 13 June 2012

Original Language Title:  LEGE nr. 81 din 13 iunie 2012

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
LEGE no. 81 81 of 13 June 2012 to amend and supplement Law no. 238/2009 on the regulation of the processing of personal data by the structures/units of the Ministry of Administration and Interior in the activities of prevention, research and combating crime, as well as maintaining and ensuring order public
ISSUER PARLIAMENT
Published in OFFICIAL MONITOR no. 400 400 of 14 June 2012



The Romanian Parliament adopts this law + Article I Law no. 238/2009 on the regulation of the processing of personal data by the structures/units of the Ministry of Administration and Interior in the activities of prevention, research and combating crime, as well as maintaining and ensuring order public, published in the Official Gazette of Romania, Part I, no. 405 of 15 June 2009, shall be amended and supplemented as follows: 1. in Article 1, after paragraph 2, a new paragraph (3) is inserted, with the following contents: " (3) This law does not apply to the processing and transfer of personal data carried out in the performance of legal duties by M.A.I. structures/units in the field of national defence and national security, within the limits and with the restrictions established by law. " 2. After Article 1, a new article is inserted, Article 1 ^ 1, with the following contents: "" Art. 1 1 ^ 1. -Within the meaning of the present law, the following terms and expressions have the following meaning: a) interconnection-the operation to put in touch the personal data contained in a file, database or system of automatic record with those contained in one or more files, databases or automatic recording systems that they are managed by different operators or by the same operator, but having different, similar or correlated purposes, as the case may be; b) signage-the set of data entered in a system of record of personal data relating to persons or goods with regard to which some measures were ordered, under the law, in order to achieve a public interest, compliance with the regime of free movement of persons and goods or insurance or maintenance of public order and security; c) blocking-the marking of stored personal data, in order to limit the processing in the future; d) the assignment of references-the marking of stored personal data, without being aimed at limiting their further processing; e) transformation into anonymous data-modification of personal data, so that details of personal or material circumstances no longer allow their assignment to an identified or identifiable natural person or its assignment only possible under the conditions of a disproportionate investment of time, costs and labour; f) the consent of the data subject-any manifestation of will, free, specific and informed, whereby the data subject accepts to be processed the personal data concerning him; g) passive record-file or database of personal data constituted for the purpose of limited access and subsequent deletion of the data stored from the system of record. " 3. After Article 5, two new articles are inserted, Articles 5 ^ 1 and 5 ^ 2, with the following contents: "" Art. 5 5 ^ 1. -(1) Personal data shall be blocked when there are reasonable grounds to consider that their erasure could affect the rights, freedoms and legitimate interests of the data subject. (2) The blocked data shall be processed only for the purpose that prevented their deletion. (3) The blocked data shall be deleted as soon as the purpose referred to in paragraph is no longer required. ((2). Article 5 ^ 2. -The structures/units of M.A.I. additionally process personal data, for a purpose other than the one for which the data was collected, if the following conditions are met: a) the processing is compatible with the purpose in which the data was collected; b) the purpose in which the personal data are to be further processed by the M.A.I. structures/units or the entities to whom the data is to be communicated falls under the duties or, as the case may be, the obligations the law; c) processing is necessary and proportionate in relation to the new purpose. " 4. Article 7 is amended and shall read as follows: "" Art. 7. -(1) Personal data held by M.A.I. structures/units according to the purposes provided in art. 1 1 para. (1) may be transferred to the following recipients: a) to the police, judicial or other competent authorities of the Member States or to the bodies or institutions of the European Union responsible for police or judicial cooperation in criminal matters; b) the International Criminal Police Organization-Interpol or other similar international institutions; c) to police bodies in third countries. (2) Transfer of personal data provided in par. (1) is carried out in one of the following situations: a) there is an express legal provision in national law or in a treaty ratified by Romania; b) there are legal provisions governing police cooperation or international judicial cooperation in criminal matters; c) when the transfer is necessary to prevent a serious and imminent danger to the life, bodily integrity or health of a person or its property, as well as to combat a serious crime provided by law, with compliance with Romanian law. " 5. In Article 8, paragraph 3 shall be amended and shall read as follows: " (3) If incorrect or unupdated data were transmitted, the structures/units of M.A.I. have the obligation to inform the recipients of the respective data on their non-compliance, with the mention of the data that have been modified or, if applicable, stating that the data transmitted must be rectified, deleted or blocked. " 6. In Article 8, after paragraph 3, three new paragraphs are inserted, paragraphs 4 to 6, with the following contents: " (4) If it is found that personal data have been transmitted illegally, the structures/units of M.A.I. have the obligation to inform the recipients of these data, with the stipulation that the transmitted data must be deleted immediately. (5) If it is found that the structures/units of M.A.I. have been transmitted incorrect or unupdated personal data, the data is rectified, deleted or, as the case may be, blocked, under the law. If the structures/units of M.A.I. are erroneously or illegally transmitted to them such data, they shall be deleted or, as the case may be, shall be blocked immediately. The entity that transmitted the data shall be informed of the measure taken and the reason for its adoption. (6) If the structures/units of M.A.I. are transmitted to them, according to the law, personal data unsolicited, they have the obligation to verify that the data is necessary for the purpose for which they were transmitted. The data that is not necessary for the purpose shall be deleted or, where appropriate, shall be blocked immediately. The entity which transmitted the data shall be informed of the measure taken and the reason for its adoption. ' 7. In Article 9, paragraph 1 shall be amended and shall read as follows: "" Art. 9. -(1) When communicating personal data to other public authorities or institutions, private law entities operating on or off the territory of Romania, or to the recipients referred to in art. 7 7 para. (1), the structures/units of M.A.I. warn the recipients of the prohibition to process the data communicated for purposes other than those specified in the communication request. " 8. In Article 9, after paragraph (1), two new paragraphs are inserted, paragraphs 1 ^ 1 and 1 ^ 2, with the following contents: " (1 ^ 1) When communicating personal data according to par. (1) shall be indicated to the addressee limitations of the processing, if applicable, and appropriate retention periods and shall specify the obligation to delete the personal data transmitted at the expiry of the indicated period or, if applicable, to proceed to blocking them. The retention periods communicated may not exceed the deadlines established by legal provisions or, as the case may be, those established by the structures/units M.A.I. by own rules, according to the provisions of 14 for those categories of personal data that they hold and are to be subject to communication. (1 ^ 2) If personal data are communicated to the recipients referred to in art. 7 7 para. ((1) lit. a), limitations of the processing may be communicated only if they are established by law, and the retention periods are those established by legal provisions or, as the case may be, by the structures/units M.A.I. by own rules, according to the provisions of art. 14 14. " 9. in Article 9, after paragraph 2, a new paragraph (3) is inserted, with the following contents: " (3) The structures/units of M.A.I. may request the recipients provided in par. ((1), to whom personal data have been communicated, information on how they have been processed. " 10. After Article 9, five new articles are introduced, Articles 9 ^ 1-9 ^ 5, with the following contents: "" Art. 9 9 ^ 1. -(1) For personal data communicated by other competent authorities or private law entities outside the territory of Romania, if a data retention period is specified, the structures/units of M.A.I. have the obligation to delete, as appropriate, to block the data at the expiry of the data retention period indicated. If a data retention period is not specified, the terms of storage of personal data, established for those categories of data, by the structures/units of M.A.I., according to the provisions of art. 14. (2) In the case of personal data provided in par. (1), the structures/units of M.A.I. have the obligation to periodically check, every 3 years, the need to store them. (3) The personal data whose storage is no longer necessary shall be deleted or, as the case may be, shall be blocked, even if the period specified by the entity that transmitted them or the one provided by the rules established according to the provisions of art. 14. (4) Provisions of para. (1) shall not apply if at the time of expiry of the data retention period, indicated by the competent authority or private entity outside the territory of Romania, the personal data are still necessary for the performance of prior acts for the commencement of prosecution, for the conduct of the prosecution or for the execution of Article 9 ^ 2. -The personal data communicated by the competent authorities of a Member State of the European Union, hereinafter referred to as a Member State, may be further processed by the structures/units of M.A.I., for a purpose other than that for which have been transmitted in one of the following situations: a) for the prevention, detection, investigation or prosecution of crimes or the execution of penalties, other than those for which they were communicated; b) for the conduct of other judicial or administrative proceedings directly related to the prevention, finding, investigation or prosecution of crimes or execution of penalties; c) to prevent an imminent and serious danger to public order and security; d) for any other purpose, with the prior consent of the Member State transmitting or with the consent of the data subject, according to the law Art. 9 ^ 3. -(1) The personal data communicated by the competent authorities of another Member State may be transferred by the structures/units of M.A.I. to the competent authorities of a State which is not a member of the European Union, continued third State, or to international bodies, only if the following conditions are met, cumulatively: a) it is necessary for the prevention, detection, investigation or prosecution of crimes or the execution of penalties; b) personal data are communicated to the international body or to the authority of the third state competent in the prevention, detection, investigation or prosecution of criminal offences or for the execution of penalties; c) there is the agreement of the Member State which communicated the data for d) the third State or the international body concerned shall ensure an appropriate level of protection for the processing of data. (2) Personal data may be communicated under the conditions provided in par. ((1), without the consent of the Member State, only if the transfer of data is strictly necessary for the prevention of a serious and imminent danger to the public order and security of a Member State or a third State or the fundamental interests of a Member State and the prior agreement cannot be obtained in due time. (3) In the situation referred to in par. ((2), the unit/structure of M.A.I. which carries out the communication of personal data is required to immediately inform the competent authority of the Member State which provided the data. (4) By exception to the provisions of par. ((1) lit. d) personal data may be communicated to the competent authorities of a third country or international bodies, in compliance with the provisions of art. 30 lit. d) or e) of Law no. 677/2001 , with subsequent amendments and completions. Article 9 ^ 4. -(1) The personal data communicated by the competent authorities of another Member State may be transferred to private entities in a Member State other than that which provided the data, only if they are met, cumulatively, a) the competent authority of the Member State which communicated the data has given its consent to the processing; b) no specific specific interest of the data subject shall prevent transmission; c) in specific situations, communication is essential for the competent authority which transmits data to a private entity. (2) The specific cases for which the condition referred to in par. ((1) lit. c) are determined by the following situations: a) the fulfilment of an obligation provided by law to the private entity; b) prevention, detection, investigation or prosecution of crimes or execution of penalties; c) preventing an imminent and serious danger to public order and security; d) preventing a serious injury to the rights of the person. (3) The structures/units of M.A.I. have the obligation to inform the private law entities to whom the data according to par. (1) with regard to the purposes for which, exclusively, the personal data communicated may be used. Article 9 ^ 5. -On request, the structures/units of M.A.I. shall inform the competent authorities of another Member State that have transmitted personal data on the way in which they have been processed, within 15 days of the registration of the request. " 11. In Article 10, paragraph 2 shall be amended and shall read as follows: " (2) For the purpose provided in par. (1), the interconnection of systems of record of personal data or automatic means of processing personal data, constituted according to art. 2, it can also be carried out with the recording systems or with the automatic means of processing personal data held by other operators, authorities and national public institutions. " 12. In Article 10, after paragraph 2, two new paragraphs are inserted, paragraphs 2 ^ 1 and 2 ^ 2, with the following contents: " (2 ^ 1) Interconnections provided in par. ((1) and (2) are possible only with the prior consent of the National Supervisory Authority. In case of obtaining the prior agreement, the structure/unit M.A.I. shall notify the processing of the National Supervisory Authority, under the conditions provided in 3. (2 ^ 2) For the purpose provided in par. (1), the interconnection of systems of record of personal data or automatic means of processing personal data, constituted according to art. 2, can also be carried out with the evidence systems or automatic means of processing personal data held by other operators, entities of private law. " 13. In Article 10, paragraph 3 shall be amended and shall read as follows: " (3) Interconnections provided in par. (2 ^ 2) are allowed only in the case of carrying out the prior acts, the prosecution or the trial of a crime on the basis of an authorization issued by the competent prosecutor to carry out or supervise, in a determined case, the performance of the acts prior to or the prosecution or, in the case of the trial of a crime, by the particular judge appointed from the court to which the jurisdiction of the case for which the data is processed shall be processed. " 14. Article 10 (5) shall be repealed. 15. After Article 10, five new articles are inserted, Articles 10 ^ 1-10 ^ 5, with the following contents: "" Art. 10 10 ^ 1. -(1) In the case of activities to prevent crimes, maintain and ensure public order, the systems of record of personal data or automatic means of processing personal data, constituted according to art. 2, can be interconnected with: a) National Register of Persons; b) National register of simple passports; c) National register of driving licences and registered vehicles. (2) In case of activities referred to in par. (1), the structures/units of M.A.I. may interconnect the systems of record of personal data or, as the case may be, the automatic means of processing personal data that they hold for similar or correlated purposes. (3) Interconnections provided in par. ((1) and (2) shall be notified to the National Supervisory Authority by amending/supplementing the notification or filing a new notification. (4) In case of activities referred to in par. (1), the structures/units of M.A.I. may interconnect the systems of record of personal data or, as the case may be, the automatic means of processing personal data that they hold for different purposes, only with the prior consent of the National Supervisory Authority. In case of obtaining the agreement, the structures/units of M.A.I. notify the processing of the data of the National Supervisory Authority by amending/completing the notification or submitting (5) Provisions of para. (1)-(4) are also applicable to border control activities, executed, under the law, by the specialized structure of M.A. I, which require the interconnection of systems of record of personal data or automatic means of processing of personal data, constituted according to the provisions of art. 2. Article 10 ^ 2. -(1) The structures/units of M.A.I. may configure the systems of record of personal data or, as the case may be, the automatic means of processing personal data that they hold for correlated or different purposes, so that alerts on persons or goods to be accessible in any system or means of processing. (2) The systems of record of personal data or, as the case may be, the automatic means of processing personal data held by the structures/units of M.A.I. shall be configured so that no user has access only to the personal data strictly necessary to carry out the duties. The structures/units of M.A.I. have the obligation to determine the categories of data to which each user has access, in order to perform their duties. Art. 10 ^ 3. -(1) In the case of filing systems established according to the purposes provided in art. 1 1 para. (1), the structures/units of M.A.I. may allow the authorities, institutions or organizations provided in art. 7 direct access to managed systems, only in conditions to ensure the security of personal data, in the following situations: a) on the basis of a treaty ratified by Romania; b) in the framework of the police and judicial cooperation in criminal matters carried out within the European Union. (2) Preworks carried out according to par. (1) shall be notified to the National Supervisory Authority under the conditions of 3. (3) In the situation referred to in par. ((1), the processing of personal data by the authorities, institutions or organizations provided in art. 7 7 is permitted only for the purpose established by the Treaty or, where appropriate, by a legal instrument of the European Union. Article 10 ^ 4. -(1) In the situations provided in art. 10 10 para. (1), the structures/units of M.A.I. have the necessary measures for all processing of personal data to be registered in the system in an access file, in order to monitor the legality of the processing. (2) The obvious systems or automatic means of processing personal data managed by the M.A.I. structures/units must be configured so as to generate the access files and in the situation where the structures/units of M.A.I. are allowed direct access to the records managed by the authorities, institutions or organizations provided in art. 7. (3) The access files must contain at least the date, the exact time, the reason for the processing, the identification data of the authority, the institution or, where applicable, the organization that carried out the processing, as well as the identification code of the user who performed the processing. If applicable, the access files may also contain the personal data that have been the subject of the processing. (4) Access files may only be used for the purpose of verifying the lawfulness of the processing or for ensuring the security of personal data. Article 10 ^ 5. -On request, the structures/units of M.A.I. communicate, within 15 days, to the competent authorities in the field of personal data protection outside the territory of Romania, the records regarding the processing carried out in the evidence managed by the entities of the State whose authority has made the request. ' 16. in Article 11, after paragraph 6, a new paragraph (7) is inserted, with the following contents: " (7) If the structures/units of M.A.I. cannot comply with the requests made in the exercise of the right of intervention for the purpose of rectification, deletion or, as the case may be, the blocking of personal data, written in which the reasons for the impossibility of the resolution of the request are mentioned, and the fact that it has the right to appeal to the national supervisory authority or, where appropriate, to the court. ' 17. After Article 11, four new articles are inserted, Articles 11 ^ 1-11 ^ 4, with the following contents: "" Art. 11 11 ^ 1. -(1) If the structures/units of M.A.I. make requests for the communication of personal data addressed to competent authorities or private law entities outside the territory of Romania, they may request that the data subject should not be informed of the processing only if the provisions of art. 11 11 para. ((2). Upon termination of the reasons for which such a request was made, the structures/units of M.A.I. shall inform in writing the competent authority or the private law entity outside the territory of Romania regarding the fact that the data subject, whose personal data have been communicated, may be informed of such processing. ((2) If the competent authorities of a Member State request, on the occasion of the communications of personal data by the structures/units of M.A.I., that the data subject should not be informed, the structures/units of M.A.I. shall have the information data subject only with the consent of the requesting competent authority. Article 11 ^ 2. -If the request of the data subject in the context of the processing of personal data refers to a processing carried out by a competent authority or entity of private law outside the territory of Romania in the records managed by M.A.I. structures/units, by way of derogation from the provisions of art. 13 13 para. (3), of art. 14 14 para. ((3) and the art. 15 15 para. ((4) of Law no. 677/2001 , with subsequent amendments and completions, shall be answered to the applicant as soon as possible, but no later than 60 days after the date of receipt of the request. Within this period, the structures/units of M.A.I. request information to the competent authority or to the private law entity outside the Romanian territory that carried out the processing Article 11 ^ 3. -(1) If the accuracy of personal data is challenged by the data subject, and the accuracy or inaccuracy of the respective data cannot be established with certainty, they may be assigned references. At the request of the data subject, the assignment of references is (2) The personal data to which references have been assigned can only be communicated for the purpose of establishing their correctness. (3) References assigned according to par. (1) may be removed in one of the following cases: a) at the request or with the consent of the data subject, when the accuracy or, as the case may be, the inaccuracy of the personal data has been established; b) where there is a judgment of the court or the authorization of the National Supervisory Authority. Article 11 ^ 4. -(1) The structures/units of M.A.I., as operators, are responsible for the damage caused to the data subject following a processing of personal data, even if the damage was caused by the processing, under the conditions the law, inaccurate personal data provided by a competent authority of a Member State. (2) If the structures/units of M.A.I. are obliged, under the law, to pay compensation for damages caused to the data subject as a result of the processing of inaccurate personal data provided by an authority the competence of a Member State, they are obliged to have the necessary measures to recover the amounts paid as compensation from the authority which provided the data. (3) In order to ensure the fulfilment of the obligation provided in par (2), the structures/units of M.A.I., which have paid compensation for the damage caused to the data subject as a result of the processing of inaccurate personal data, shall inform the competent authority of the Member State which provided such data and request reimbursement of the amount paid as compensation On this occasion, the structures/units of M.A.I. communicate that the damage was caused solely as a result of the processing, under the law, of inaccurate data provided by the competent authority of the Member State, and not at fault the structure/unit of M.A.I. that received the personal data, and annexes documents showing: a) that the structure/unit M.A.I. was obliged to pay the compensation for the damages caused to the data subject and that he paid a sum of money; b) that the personal data of the data subject comes from that competent authority of the Member State; c) the identification data of the account in which the amounts of money are to be transferred. ((4) If the structures/units of the M.A.I. are required, by competent authorities of the Member States, the reimbursement of sums paid by them as compensation for damages caused to the persons concerned as a result of the processing of certain inaccurate personal data provided by M.A.I. structures/units, before payment of the requested amounts, M.A.I. structures/units must verify whether: a) the damage was caused exclusively as a result of the processing of inaccurate data provided under the conditions indicated by the structure/unit M.A.I., and not at fault of the requesting competent authority; b) the request is accompanied by documents showing that the competent authority of the Member State was obliged to pay compensation for damages caused to the data subject as a result of the provision by the structures/units M.A.I. inaccurate information and that he paid a sum of money. " 18. In Article 12, paragraph 1 shall be amended and shall read as follows: "" Art. 12. -(1) Personal data stored in the performance of the activities referred to in art. 1 1 para. (1) shall be deleted or converted into anonymous data when no longer necessary for the purposes for which it was collected or, as the case may be, shall be blocked, under the law. In justified situations, the data may be passed into the passive and stored records, for a period that may not be higher than the storage period initially established according to the purpose in which they were collected. " 19. the following entry shall be inserted after Article 15: "" * This law transposes into national law Framework Decision 2008 /977/JHA of the Council of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, published in the Official Journal of the European Union L no. 350 350 of 30 December 2008 and creates the legal framework necessary to apply art. 24 24-32 of Decision 2008 /615/JHA of the Council of 23 June 2008 on the intensification of cross-border cooperation, in particular in the field of combating terrorism and cross-border crime, published in the Official Journal of the European Union L no. 210 210 of 6 August 2008. ' + Article II Law no. 238/2009 on the regulation of the processing of personal data by the structures/units of the Ministry of Administration and Interior in the activities of prevention, research and combating crime, as well as maintaining and ensuring order public, published in the Official Gazette of Romania, Part I, no. 405 of June 15, 2009, with the amendments and completions brought by this law, will be republished in the Official Gazette of Romania, Part I, giving the texts a new numbering. This law was adopted by the Romanian Parliament, in compliance with the provisions of art. 75 75 and art. 76 76 para. (2) of the Romanian Constitution, republished. CHAMBER OF DEPUTIES PRESIDENT ROBERTA ALMA ANASTASE SENATE PRESIDENT VASILE BLAGA Bucharest, June 13, 2012. No. 81. --------