
Law No. 82 Of 13 June 2012 (Republished)

Original Language Title:  LEGE nr. 82 din 13 iunie 2012 (*republicată*)

LAW no. 82 of 13 June 2012 (*republished*) on the retention of data generated or processed by providers of electronic communications networks and electronic communications service providers for the public as well as for the modification and completion of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector *)
ISSUER: PARLIAMENT
Published in OFFICIAL MONITOR no. 211 of 25 March 2014



___________
Note: *) Republished pursuant to art. 107 para. (3) of Law no. 255/2013 for the implementation of Law no. 135/2010 on the Code of Criminal Procedure and for the modification and completion of some normative acts that include criminal procedural provisions, published in the Official Gazette of Romania, Part I, no. 515 of 14 August 2013, as amended, giving the texts a new numbering.
Law no. 82/2012 was published in the Official Gazette of Romania, Part I, no. 406 of 18 June 2012.

Chapter I General provisions

Article 1
(1) This law establishes the obligation of electronic communications network providers and electronic communications service providers intended for the public to retain certain data generated or processed within their business in order to make them available to prosecution bodies, courts and state bodies responsible for national security for the purposes of their use in the framework of prevention, research, discovery and prosecution of serious crimes or to resolve cases with persons missing or for the execution of a warrant for the arrest or execution of the sentence.
(2) This law applies to traffic and location data of natural persons and legal persons, as well as to the data necessary for the identification of a registered subscriber or user.
(3) This law applies only to data generated or processed as a result of a communication or a communications service and does not apply with regard to the content of the communication or information consulted during the use of a network of electronic communications, in these cases the provisions of the Code of Criminal Procedure, as well as those of the special laws in the matter,
(4) The implementation of the provisions of this Law shall be made in compliance with Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, with subsequent amendments and completions, as well as of Law no.
506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, with subsequent amendments and completions, as well as with the amendments and additions made by this law.

Article 2
(1) Within the meaning of the present law, the following terms and expressions have the following meanings:
a) data - traffic information, location, and information required to identify a subscriber or user;
b) user - natural person or legal person who uses an electronic communications service intended for the public for personal or professional purposes, without necessarily being subscribed to that service;
c) subscriber - natural person or legal person who has concluded a contract with a provider of electronic communications services intended for the public, in order to provide such services;
d) telephone service - call, including voice, voice mail, teleconference and data transfer, additional services, including redirection and transfer of call and messaging and multimedia services, including messaging services short, improved multimedia services;
e) serious crime - the crime that is part of one of the following categories:
1. the offences provided for in art. 2 lit. b) of Law no. 39/2003 on the prevention and control of organised crime, as amended, committed or not by an organised criminal group;
2. the offences provided in Chapter IV of Law no. 535/2004 on the prevention and combating of terrorism, as amended and supplemented;
3. the following offences provided by Law no.
286/2009 on the Criminal Code, with subsequent amendments and completions: crimes against national security of the state, killing or injury of the newborn committed by the mother, personal injury, rape, robbery and qualified robbery, sexual intercourse with a minor, the destruction and the qualified destruction, the outermost, the escape and the facilitation of escape, the offences of falsehoods in documents, the setting up of an organized criminal group, the qualified theft, the deception and the deception on insurance, falsification of credit securities or payment instruments when it concerns an electronic payment instrument, blackmail and child pornography;
4. corruption offences, crimes assimilated to them, as well as crimes against the financial interests of the European Union, provided by Law no. 78/2000 for the prevention, discovery and sanctioning of corruption, with subsequent amendments and completions;
5. tax evasion offences set out in art. 9 of Law no. 241/2005 to prevent and combat tax evasion, as amended;
f) the user identifier - the unique identification code assigned to a person who subscribes or registers to an internet access service or an internet communications service;
g) the cell identifier - the cell identification code in which a mobile phone call is initiated or completed;
h) unsuccessful telephone call - the communication within which the phone call was connected, but did not receive an answer or was the subject of an intervention from the network administrator;
i) unconnected call - the call initiated from a telephone terminal or equipment with access to a telephone service, but which was not technically completed, in the sense of establishing a connection between the caller and the call.
(2) Throughout the present law are also applicable the definitions provided in art. 3 of Law no. 677/2001, with subsequent amendments and completions, to art. 2 of Law no.
506/2004, with subsequent amendments and completions and with the amendments and additions made by this law, as well as art. 4 para. (1) of Government Emergency Ordinance no. 111/2011 on electronic communications, approved with amendments and additions by Law no. 140/2012.

Chapter II Data retention

Article 3
(1) Public electronic communications network providers and providers of publicly available electronic communications services are required to provide, at their own expense, the creation and administration of databases in electronic form, in order to retain the following categories of data, in so far as they are generated or processed by them:
a) data necessary for tracking and identifying the source of a communication;
b) data necessary to identify the destination of a communication;
c) data necessary to determine the date, time and duration of the communication;
d) data necessary to identify the type of communication;
e) data necessary to identify the communication equipment of the user or devices that serve the user as equipment;
f) data necessary to identify the location of the mobile communication equipment.
(2) The data provided in par. (1) shall be retained and kept for 6 months from the date of the communication.
(3) The expenses related to the creation and administration of databases are tax deductible.

Article 4
The data necessary for tracking and identifying the source of a communication shall include:
a) in the case of fixed and mobile telephone networks: the caller telephone number, as well as the name and address of the subscriber or registered user;
b) in the case of internet access services, electronic mail and internet telephony:
1. the assigned identifier;
2. the user identifier and the telephone number allocated for carrying out any communication through the public telephone network;
3.
the name and address of the subscriber or registered user, who has been assigned an Internet Protocol address, hereinafter referred to as the IP address, a user identifier or a telephone number, at the time of communication.

Article 5
The data necessary to identify the destination of a communication include:
a) in the case of fixed and mobile telephone networks:
1. the number formed or called and, in cases including additional services such as redirection or transfer of the call, the number to which the call is directed;
2. the name and address of the subscriber or registered user;
b) in the case of internet access services, electronic mail and internet telephony:
1. user identifier or telephone number of the recipient of a telephone call via the internet;
2. the name and address of the subscriber or registered user and the user identifier of the communication recipient.

Article 6
The data necessary for determining the date, time and duration of the communication shall include:
a) in the case of fixed and mobile telephone networks: the date and time of the initiation and the conclusion of a communication;
b) in the case of internet access services, electronic mail and internet telephony:
1. the date and time of connection and disconnection from the internet access service, the IP address dynamically or statically allocated to a communication by the internet access service provider, as well as the subscriber or registered user identifier;
2. date and time of connection and disconnection from the electronic mail or telephone service via the internet.

Article 7
The data necessary to identify the type of communication shall include:
a) in the case of fixed and mobile telephone networks: information on the telephone service used;
b) in the case of communications by electronic mail and telephone service: information on the internet access service used.

Article 8
The data necessary to identify the communication equipment of the user or devices that serve the user as equipment include:
a) in the case of fixed telephony networks: the caller's telephone number and the telephone number of the caller;
b) in the case of mobile networks:
1. the caller's telephone number and the telephone number of the caller;
2. the international identity of mobile subscriber, hereinafter referred to as IMSI, of the caller;
3. the international identity of the mobile equipment, hereinafter referred to as IMEI, of the caller;
4. IMSI identity of the caller;
5. IMEI identity of the caller;
6. in the case of prepaid anonymous services: the date and time of the initial activation of the service, as well as the cell identifier from which the service was activated;
c) in the case of internet access services, electronic mail and internet telephony: the caller's telephone number in the case of access by dial-up; the DSL line or other terminal point of the one initiating the communication.

Article 9
The data required to identify the location of the mobile communication equipment shall include:
a) the cell identifier at the beginning of communication;
b) the data enabling the establishment of the geographical location of the cells, by reference to their identifier, during which the communication data is retained.

Article 10
(1) Public electronic communications network providers and providers of publicly available electronic communications services, under Romanian jurisdiction, have the obligation to retain data relating to an unsuccessful call if these data are generated or processed and stored, in the case of telephone service, or recorded, in the case of the internet access service in the context of the activity of providing those services.
(2) Public electronic communications network providers and providers of electronic communications services intended for the public do not have the obligation to retain the data provided in art. 3 para.
(1) in the case of unconnected calls.

Article 11
(1) Public electronic communications network providers and providers of publicly available electronic communications services, in addition to the data retained under this law, may retain other data necessary for their commercial activity, namely for billing or other payments for interconnection, as well as other data processed according to the law, at the request of customers, for marketing purposes or for the provision of services, only with the prior consent of the person whose data are processed, in compliance with the provisions of Law no. 506/2004, with subsequent amendments and completions, as well as with the amendments and additions made by this law.
(2) Data retained according to par. (1) are exempted from the provisions of this law.

Article 12
(1) In application of the provisions of this law, the interception and retention of the content of the communication or information consulted during the use of an electronic communications network shall be prohibited, in these cases the provisions Code of criminal procedure and those of special laws in the matter.
(2) Public electronic communications network providers and providers of electronic communications services intended for the public are required to retain only those categories of data listed in art. 3 para. (1), which are generated or processed as a result of carrying out their own activities under the law.
(3) At the end of the retention period, all data retained exclusively under this law, except for data accessed and retained according to the law, made available to the authorities provided in art. 1 para. (1), must be destroyed, by irreversible procedures, at the date of expiry of the term provided in art. 3 para. (2). The procedure of destruction of data retained under this law will be regulated by the methodological norms for the application of this law, approved by Government decision.

Article 13
The data retention activity is carried out in compliance with the following principles:
a) the retained data must be of the same quality and must be subject to the same security and protection as the data on the network;
b) the retained data must be subject to appropriate technical and organizational measures, in order to protect them against accidental or intentional destruction, alteration or accidental loss, storage, processing, access or unauthorized or unlawful disclosure;
c) the retained data must be subject to appropriate technical and organisational measures, in order to ensure that only the authorized personnel in this regard have access to this data;
d) the data are destroyed at the expiry of the term provided in art. 3 para. (2), with the exception of those that have been accessed and retained.

Article 14
(1) If the data referred to in art. 4-9 may be retained by several providers of electronic communications services for the public and public electronic communications networks, the data retention activity is done only with the supplier processing the data provided for in art. 3.
(2) The data retention activity referred to in art. 4-9 may be deployed, where technically possible and following a contractual arrangement, by a third party, on behalf of a provider of electronic communications services to the public and public electronic communications networks, with compliance with the provisions of art. 19 and 20 of Law no. 677/2001, as amended and supplemented, of Law no. 506/2004, with subsequent amendments and completions and with the amendments and completions brought by this law, as well as of the present law.
(3) The obligation to retain the data provided for in art.
4-9 shall apply to providers of publicly available electronic communications services and public electronic communications networks allocating numbering, including in the case of number porting, in the case of fixed and mobile telephony services, respectively IP addresses, in the case of data services.

Article 15
(1) Public electronic communications network providers and providers of publicly available electronic communications services are required to collect and submit annually to the Ministry for Information Society the following statistical data, in order to monitor and control the application of the provisions of this Law:
a) the number of cases in which the information was provided to the prosecution bodies, the courts and state bodies with attributions in the field of national security, in accordance with the provisions of this law;
b) the period of time elapsed between the date on which the data was retained and the date on which the prosecution bodies, the courts or state bodies with attributions in the field of national security requested the transmission of these data;
c) the number of cases where data requests could not be met.
(2) The terms by which the statistical data must be transmitted shall be established by the methodological norms for the application of this law.
(3) The Ministry for Information Society centralizes the statistical data received from the providers of electronic communications networks and providers of electronic communications services for the public and sends annually to the European Commission statistics based on them. The statistics will not contain any personal data or classified information.

Article 16
(1) The providers of electronic communications networks and providers of electronic communications services intended for the public are obliged, at the request of the prosecution bodies, of the courts and state bodies with tasks in the field of national security, formulated in the application of the provisions of the Code of Criminal Procedure, as well as those of the special laws in the matter, to transmit to them, no later than 48 hours from the date of the request, this law.
(2) If it is not possible to transmit the requested information within the period provided in par. (1), suppliers are obliged to notify the applicant of the reason for the delay and, in any case, to transmit the requested information no later than 5 days from the date of the initial request.
(3) The requests of the prosecution bodies, of the courts and of the state bodies with attributions in the field of national security will be made with the invocation of the existing legal basis and will be transmitted in electronic format, signed with extended electronic signature based on a qualified certificate issued by an accredited certification service provider.
(4) Public electronic communications network providers and providers of publicly available electronic communications services are required to ensure the signature of the requested data, using an extended electronic signature based on a qualified certificate issued by an accredited certification service provider. The electronic signing of the data will be done automatically at the time of their extraction from the databases provided in art. 3 para. (1).
(5) Any authorized person transmitting data retained under this law is required to sign the transmitted data, using an extended electronic signature based on a qualified certificate issued by an accredited certification service provider, thus assuming responsibility for the integrity of the transmitted data.
(6) Any authorized person receiving data retained under this law has the obligation to verify the integrity of the data received and to certify this integrity by signing the data, using an extended electronic signature based on a qualified certificate issued by an accredited certification service provider.
(7) Each person certifying the data under the electronic signature shall be responsible for the integrity and security of such data.
(8) Application of para. (3)-(7) shall be made in compliance with the procedures established by the methodological norms for the application of this law.

Article 17
If a solution of ranking or waiver of prosecution has been ordered in the case, the prosecutor is obliged within 5 days of the disposition of the solution to notify of this the person whose data was targeted by the request.

Article 18
The prosecution bodies may request the data retained under this law in compliance with the provisions of art. 152 of Law no. 135/2010 on the Code of Criminal Procedure, with subsequent amendments and completions.

Article 19
(1) If a solution of ranking or waiver of prosecution has been ordered, the support on which the information is stored is archived at the headquarters of the prosecutor's office, in special places, in sealed envelope, with the assurance of confidentiality, and shall be kept until the limitation period of criminal liability for the act that formed the object of the case is met, when it is destroyed, concluding a report in this regard.
(2) If in the case the court has delivered a judgment of conviction, waiver of sentence, postponement of the application of the sentence, acquittal or termination of the criminal proceedings, remaining final, the retained data shall be archived with the case file, at the court, in compliance with the legal provisions on archiving documents in electronic form.

Article 20
The competent authorities to monitor the application of the provisions of this law are the National Supervisory Authority for Personal Data Processing, hereinafter referred to as A.N.S.P.D.C.P. and the National Authority for Administration and Regulation in Communications, hereinafter referred to as ANCOM.

Chapter III Contraventions and penalties

Article 21
(1) The following acts constitute contraventions and are sanctioned with a fine of 2,500 lei to 500,000 lei:
a) failure to fulfill the obligations provided for in art. 3 para. (1);
b) failure to fulfill the obligations provided for in art. 3 para. (2);
c) failure to fulfill the obligations provided in art. 12 para. (2) and (3);
d) non-compliance with the principles in art. 13;
e) failure to fulfill the obligations provided for in art. 16 para. (1) and (2);
f) failure to comply with the obligations provided in art. 25 para. (4).
(2) Finding the contraventions provided in par. (1) lit. b), c), d) and e), as well as the application of sanctions shall be carried out by the control personnel empowered for this purpose of the A.N.S.P.D.C.P.
(3) Finding the contraventions provided in par. (1) lit. a) and f) and the application of sanctions shall be made by persons empowered to do so within ANCOM.
(4) The provisions of Government Ordinance no. 2/2001 on the legal regime of contraventions, approved with amendments and additions by Law no. 180/2002, with subsequent amendments and completions, are applicable to the contraventions provided in par. (1).

Article 22
(1) Any intentional access, alteration or transfer of data retained under this law, without authorization, constitutes a crime and is punishable by imprisonment from one to 5 years.
(2) The attempt is punishable.

Article 23
Non-compliance with the communication obligation within the period provided in art. 17 attracts criminal liability, under the law.

Chapter IV Final provisions

Article 24
On the date of entry into force of this Law, Law no.
506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, published in the Official Gazette of Romania, Part I, no. 1.101 of 25 November 2004, as amended and supplemented, shall be amended and supplemented as follows:
1. In Article 5, paragraphs 1 and 6 shall be amended and shall read as follows:
"Art. 5. - (1) Traffic data relating to subscribers and registered users, processed and retained by the provider of a public electronic communications network or by the provider of an electronic communications service intended for the public, must be deleted or transformed into anonymous data when they are no longer required to transmit a communication, except in the situations provided in par. (2), (3) and (5).
......................................................................
(6) Provisions of para. (1)-(3) and (5) shall not affect the possibility of prosecution bodies, courts and state bodies with attributions in the field of national security to have access to traffic data, under the law."
2. In Article 8, after paragraph 5, a new paragraph (6) is inserted, with the following contents:
"(6) The provisions of this Article shall be without prejudice to the possibility of prosecution bodies, courts and state bodies with attributions in the field of national security to access the data generated or processed and kept by providers of public communications networks and providers of publicly available electronic communications services under the law."

Article 25
(1) The present law shall enter into force 3 days from the date of publication in the Official Gazette of Romania, Part I, except for the provisions of art. 12 para. (3) and art. 16 para. (3)-(8), which takes effect 90 days from the date of publication of the present law in the Official Gazette of Romania, Part I, and of the provisions of art. 21 para. (1) lit.
a) and e), which takes effect 6 months from the date of publication of the present law in the Official Gazette of Romania, Part I.
(2) Within 3 months from the entry into force of this law according to par. (1) sentence I, the Government, at the proposal of the Ministry for Information Society, Ministry of Internal Affairs and Ministry of Justice, shall approve by decision the methodological norms for the application of this law.
(3) Public communications network providers and providers of electronic communications services for the public will carry out the obligation provided for in art. 3 para. (1) and (2), at the latest within 6 months after the entry into force of this Law.
(4) Until the end of the 6-month period provided in par. (3), providers of public communications networks and providers of electronic communications services intended for the public are required to inform ANCOM, upon request, of the actions taken in order to create the databases provided for in art. 3 para. (1).
(5) Until the end of the 90-day period provided in par. (1), the requests of the prosecution bodies, the courts and state bodies with attributions in the field of national security will be made in compliance with the legal provisions in force.
_________