Romania Data Privacy Laws: GDPR Implementation Guide (2026)

Romania was one of the earliest EU member states to adopt GDPR implementing legislation, with Law 190/2018 taking effect just two months after the regulation became directly applicable. This early adoption reflected a proactive approach to data protection compliance, though the law's provisions on public authority penalties have drawn criticism for being too lenient.
The ANSPDCP has built an active enforcement practice, with particular attention to employee monitoring, biometric data, and video surveillance compliance. This guide covers Romania's full data protection framework and what organizations need to know for compliance.
Legal Framework and GDPR Implementation
Romania's data protection system operates under the GDPR as supplemented by Law No. 190/2018 on measures for the implementation of the GDPR. The law was published in the Official Gazette on 26 July 2018 and became applicable on 31 July 2018.

Law 190/2018 addresses specific areas where the GDPR grants member states flexibility to adopt national provisions. These include the processing of genetic, biometric, and health data, the processing of the national identification number (CNP), rules for electronic surveillance of employees in the workplace, and the sanctions framework applicable to public authorities.
Supplementary Legislation
Beyond Law 190/2018, Romania's data protection landscape includes Law No. 506/2004 on personal data processing in electronic communications (implementing the ePrivacy Directive), Law No. 677/2001 (partially superseded by the GDPR but with certain provisions remaining in force), and various sector-specific regulations issued by the ANSPDCP.
Constitutional Foundation
The Romanian Constitution provides a foundation for data protection through Article 26 (right to private, family, and intimate life) and Article 28 (secrecy of correspondence). These constitutional provisions inform the interpretation of data protection rules by Romanian courts and the ANSPDCP.
The ANSPDCP: Romania's Data Protection Authority
The Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) is Romania's independent supervisory authority for data protection. The authority is responsible for monitoring GDPR compliance, handling complaints, conducting investigations, and imposing sanctions.
The ANSPDCP is led by a president appointed by the Romanian Senate for a five-year term. The authority operates independently from other state institutions and reports annually to the Parliament on its activities.
Powers and Functions
The ANSPDCP holds the standard range of GDPR supervisory and enforcement powers. It can conduct investigations both on its own initiative and in response to complaints, carry out audits of data controllers and processors, impose administrative fines, issue warnings, order corrective measures including limitations on processing and data deletion, and provide advisory opinions on legislation.
Enforcement Statistics
The ANSPDCP processes a significant volume of complaints and notifications. According to its 2019 annual report, the authority received 6,193 complaints and security incident notifications, opened 912 investigations, and issued 28 fines totaling approximately EUR 468,000, along with 134 warnings and 128 corrective measures.
Fines and Penalties
The GDPR's standard two-tier penalty framework applies to private entities in Romania. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to certain violations, while more serious infringements can attract fines of up to EUR 20 million or 4% of worldwide annual turnover.
Special Rules for Public Authorities
Romania's treatment of public authorities is notable. Law 190/2018 provides that public authorities must first receive a warning with a remedy plan before any fine can be imposed. Only if the public authority fails to fulfill the remedy plan within ten days after the remedy period expires can the ANSPDCP impose a financial penalty.
Even then, fines for public authorities and bodies are capped at RON 200,000 (approximately EUR 40,000), significantly below the GDPR's standard ceiling. This graduated approach gives government entities opportunities to correct violations before facing financial consequences.
Notable Enforcement Actions
UniCredit Bank S.A. (EUR 130,000): The ANSPDCP sanctioned the bank for disclosing personal identification numbers and payer addresses affecting approximately 337,042 data subjects. This was one of the larger fines in Romanian GDPR enforcement history.
UiPath SRL (EUR 70,000): The Romanian automation software company was fined for failing to implement adequate technical and organizational measures, leading to unauthorized disclosure of personal data of approximately 600,000 users of the UiPath Academy Platform. The case demonstrated the ANSPDCP's willingness to fine high-profile technology companies.
Entirely Shipping and Trading S.R.L. (EUR 5,000 per violation): The company received multiple fines for excessive employee image data processing through video cameras and unauthorized processing of biometric data (fingerprints) of employees.
Employee Monitoring Rules
Romania has established specific restrictions on employee monitoring through Article 5 of Law 190/2018.
Video surveillance installed for security purposes and for monitoring public spaces cannot be repurposed for monitoring employees at work. This means that while a company may operate CCTV for building security, it cannot use that footage to track employee productivity, evaluate work performance, or monitor attendance.
Electronic surveillance of employees at the workplace is only permitted under the conditions established by the GDPR and Article 5 of Law 190/2018. Employers must inform employees in advance about the existence and purpose of any monitoring, and the monitoring must be proportionate to the legitimate aim pursued.
Biometric Data Processing
Romania takes a strict approach to biometric data. The ANSPDCP has confirmed that processing biometric data of visitors and employees for building access requires specific legal authorization. In the absence of a law providing adequate guarantees for data protection and data subject rights, the access control purpose alone does not justify biometric data processing.
This means that fingerprint scanners, facial recognition systems, and other biometric access control technologies cannot be deployed in Romanian workplaces simply based on the employer's legitimate interest. Specific legal provisions or other robust legal bases are required.
National Identification Number (CNP)
The processing of Romania's national identification number (Cod Numeric Personal, or CNP) is subject to specific provisions under Law 190/2018. The CNP is a 13-digit number assigned to every Romanian citizen and resident, and its processing carries elevated privacy risks due to its function as a universal identifier.
Law 190/2018 establishes that the CNP may be processed when required by law, when the data subject has given explicit consent, or when processing is necessary for reasons of substantial public interest. Controllers must implement appropriate safeguards when processing CNP data.
Age of Digital Consent
Romania set the age of digital consent at 16 years old, maintaining the GDPR's default threshold. Children under 16 require parental authorization to consent to information society services such as social media platforms and digital services.
Data Breach Notification
Standard GDPR breach notification requirements apply in Romania. Data controllers must notify the ANSPDCP within 72 hours of becoming aware of a personal data breach likely to result in a risk to individuals' rights and freedoms. The ANSPDCP provides notification procedures on its website.
Romania processes a significant volume of breach notifications annually. The ANSPDCP tracks breach trends and uses notification data to inform its enforcement priorities.
International Data Transfers
Romania follows the standard GDPR framework for international data transfers. Transfers outside the EEA require an adequacy decision, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, or applicable derogations.
Practical Compliance Tips
Organizations operating in Romania should pay particular attention to employee monitoring compliance. Review any CCTV systems to ensure security cameras are not being used to monitor employee work activities. Ensure employees are properly informed about all monitoring practices.
Biometric data processing for access control requires careful legal analysis. Do not assume that building security justifies fingerprint or facial recognition systems without verifying the legal basis under Romanian law.
Public authorities should not rely on the warning-first approach and reduced fine caps as reasons to deprioritize compliance. The ANSPDCP's corrective powers, including processing restrictions and data deletion orders, can have significant operational impact regardless of the fine amount.
Disclaimer: This article provides general information about Romania's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Romania for guidance on your specific situation.