Four years of GDPR
By Mugurel Olariu, RPD protectie date
May 25, 2022 marks the fourth anniversary of the direct application of the General Data Protection Regulation – GDPR at EU level.
The European Data Protection Board – EDPB posted*1 a video presentation of the European institution on the importance of processing personal data.
At the national level, the National Supervisory Authority for Personal Data Processing – ANSPDCP organized a Debate / Conference attended by associations and representative professional unions in specific fields of activity. During this event, issues related to developments in the effective applicability of the new rules on the protection of personal data were addressed in an interactive manner, mainly concerning the person responsible for personal data protection, impact assessment, respect for the rights of data subjects, ensuring data security and notifying security breaches.
The National Supervisory Authority also posted on its website a presentation of the activity carried out in the first four months of 2022, of which we mention:
✔ received 1345 complaints, notifications and security incident notifications, based on which 129 investigations were opened.
✔ as a result of the investigations carried out during this period, 17 fines were imposed, totalling 169,158 lei (equivalent to 35,100 euros).
✔ in the control activity, 34 warnings were also issued and 23 corrective measures were ordered.
✔ received in the first four months of this year 1235 complaints, on the basis of which 80 investigations were initiated.
✔ data operators sent 48 notifications regarding data security breaches and 62 notifications regarding possible non-compliance with the provisions of the GDPR. As a result, 49 ex officio investigations were initiated.
✔ the complaints, notifications and security incident notifications received by the National Supervisory Authority during this period mainly concerned the following aspects:
• image processing through video surveillance systems,
• violation of the rights of data subjects,
• violation of the principles provided by the GDPR,
• receiving unsolicited commercial messages,
• disclosure of data without the consent of data subjects,
• violation of security and confidentiality measures,
• data processing without legal basis.
✔ 338 requests for points of view were addressed on various issues related to the interpretation and application of the GDPR and other incidental regulations.
✔ issued during this period opinions on 40 draft normative acts submitted by public institutions and authorities, which involved the analysis of complex aspects regarding the processing of personal data.
✔ requests for approval of BCRs (Binding Corporate Rules) submitted by 8 multinational companies were analyzed. Also, the National Supervisory Authority acted as co-auditor to the BCRs approval requests submitted by 2 companies during this period.
✔ carried out, in the first four months of 2022, a series of information actions aimed at popularizing the rules of personal data protection.
✔ continued to inform the general public by publishing 21 press releases, by participating in online conferences and events, by attending inter-ministerial and institutional meetings.
Thus, several events were organized to celebrate the European Day of Data Protection, including a Conference, and the “Guide to data processing carried out by owners’ associations” was launched. The guide includes clarifications on the proper application of personal data protection regulations by owners’ associations and is posted on the website of the National Supervisory Authority, www.dataprotection.ro. Also, a brochure was posted containing relevant elements from the activity of the National Supervisory Authority in 2021, in Romanian and English.
In conclusion, we emphasize that during the four years of application of the GDPR, economic operators from the public and private spheres have continued to implement the rules of personal data processing, in particular those regarding informing individuals, respecting the rights of individuals (right of access, right of rectification, right of erasure – “right to be forgotten”, right to restrict processing, right to data portability, right to object, right not to be subject to a decision based on automated processing, the right to lodge a complaint with a supervisory authority), and ensuring the confidentiality and security of the processing of personal data.