Download presentation
Presentation is loading. Please wait.
Published byLaurel Blake Modified over 5 years ago
1
Report on data protection legislation Case of Romania
Brussels, March 2011
2
A. Romanian national legislation on data protection
In view of aligning the national legislation to the EU acquis, Romania adopted Law no. 677/2001 on the Protection of Individuals on Processing of Personal Data and the Free Movement of Such Data (amended and completed at a later stage), as well as a number of regulations aiming at the personal data processing and the private life protection: Law no. 682/2001 on the ratification of the Convention on the protection of individuals with regard to automatic processing of personal data, adopted at Strasbourg on 28th January 1981; Law no. 102/2005 regarding the setting up, organisation and functioning of the National Supervisory Authority for Personal Data Processing, Law nr. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector; Law no. 298/2008 on the retention of data generated or processed in connection with the provisions of publicly available electronic communications services or public communications networks and for the amendment of; Law nr. 506/2004 on the processing of personal data and the protection of private life within the electronic communication sector.
3
Romania fully transpose the EU legislation:
Directive 95/46/CE on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Directive no. 2002/58/CE concerning the processing of personal data and the protection of privacy in the electronic communications sector.
4
The provisions of the Law no
The provisions of the Law no. 677/2001 applies to personal data processing, performed in full or in part, by automatic means, as well as to the processing by other means than the automatic ones, which are part of or destined to a personal data filling system. Art.3 of Law no.677/2001 obviously and unambigously defines the essential terms employed by the legal act (for example, personal data, personal data processing, storage, personal data filing system, data controller, data processor, third party, recipient, anonymous data).
5
B. Basic principle of the law and its exemptions
The terms of legitimacy regarding the data processing are mainly relied on the intentional and unequivocal consent for the data processing by the person in question.
6
Exemptions – consent not required
a) carry out a contract or an agreement previous to that contract to which the data subject is party of, or in order to take some measures, at his request, before signing that contract or previous agreement; b) protect the data subject’s life, physical integrity or health or that of a threatened third party; c) fulfill a legal obligation of the data controller; d) accomplish some measures of public interest or regarding the exercise of public official authority prerogatives of the data controller or of the third party to wich the date are disclosed; e) accomplish a legitimate interst of the data controller or of the third party to which the date are disclosed, on the condition that this interest does not prejudice the interests, or the fundamental rights and freedoms of the data subject; or when the processing f) concerns data which is obtained from publicly accesible documents, according to the law; g) is performed exclusively for statistical purposes, historical or scientific research and the data remains anonymous throughout the entire processing.
7
C. Special Rules on Personal Data Processing
Processing personal data regarding ethnic or racial origin, political, religious or philosophical beliefs or those of similar nature, trade-union allegiance, as well as personal data regarding the state of health or sex life, is prohibited.
8
Derogations 1. when the data subject has expressly given her/his consent for such data processing; 2. when the processing is required in order to meet the obligations or specific rights of the data controller in the field of labor law, in accordance with the legal guarantee; a possible disclosure to third party of the processed data may take place only if the data controller is legally required to do so, or if the data subject has expressly agreed to the disclosure. According to the law the data controller is any natural or legal person, including public authorities, institutions and their legal bodies, that establishes the means and the purpose of the personal data processing.
9
The processing of personal data with an identification function:
we encounter again the principle of express and unequivocal consent of the concerned subject for the processing of the personal identification number or other personal data with a general identification function. The processing personal data regarding the state of health: the same principle applies but the interdiction of processing does not apply: if the processing is necessary for the protection of public health; if the processing is necessary for the prevention of an imminent danger, the prevention of a criminal offence or the prevention of the result of such an action; for the removal of the damaging results of such an action.
10
3. Ending the processing operations
If the data subject has not given his/her express and unequivocal consent for another destination: the personal data should be destroyed; transferred to another data controller; transformed into anonymous data and stored exclusively for statistical, historical or scientific research. The data controller may store the personal data for the required period of time, in order to achieve the specific goals.
11
D. Current status. Participation in ESF supported activities
The Romanian legislation about the personal data protection is not a factor limiting the monitoring and the reporting of participants in ESF supported activities. The data connected with the race or ethnicity or the ones about the health state may be processed in all the necessary purposes such as collection, recording, organizing, storing, retrieval, consultation, use, disclosure to third parties by transmission etc.
12
Ministry of Labor through the Managing Authority for the Sectoral Operational Programme for Human Resources Development implemented secondary legislation (implementing legislation) according to which : the beneficiaries of the projects funded through ESF must take the measures required for the legal registration as a personal data operator; the beneficiaries must require the consent of the participants regarding the personal data processing (applicant’s instruction and guide published on the official website –www. fseromania.ro).
13
The declaration of ethnicity or disabled or other disadvantaged people:
the difficulty does not consist in the legal regime required by the legislation about personal data processing; but in the reticence shown by the persons themselves.
14
Data transfer Is always permitted when the data subject has explicitly given her/his consent for the transfer. In sensitive cases the consent must be written. The beneficiaries of the projects do not practically encounter special problems on this issue regarding the data reporting to the monitoring system of the managing authorities.
15
Conclusions From the legal point of view, both managing authorities and the project beneficiary have no restriction for obtaining the personal data belonging to the subjects participating in an ESF project, after the end of the activities from that project. Still in practice this is not always the case and it is difficult to follow up on such aspects. Further improvements in this matter are therefore needed, mainly from the project beneficiaries themselves.
16
The Romanian legislation on personal data protection contains the necessary elements for harmonizing the principle to know with data protection principles. There is a need for additional administrative efforts from the project providers for collecting/storing/monitoring the personal microdata with a higher accuracy in order to be able to provide a true picture of the social segment targeted by ESF supported activities. Further measures are recommended with the view to improve guidance line addressed to the applicants/beneficiaries of projects by establishing as accurate as possible parameters to be collected from the project participants. As a concluding remark, implementation of programs of training, education and awareness among project beneficiaries are needed in order to foster a better understanding of the processing of personal data in order to avoid incomplete/incoherent/not sustainable data information.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.