Romania Data Privacy Laws: GDPR, Law 190/2018 and ANSPDCP Guide (2026)

Romania enforces data privacy through the GDPR and Law No. 190/2018, which adds national rules on employee surveillance, biometric data, and the national identification number (CNP). The ANSPDCP supervises compliance and may fine private entities up to EUR 20 million or 4% of worldwide annual turnover under Article 83 GDPR.
Romania was among the earliest EU member states to pass GDPR implementing legislation. Law No. 190/2018 entered the Official Gazette on 26 July 2018 and became applicable five days later on 31 July 2018, just two months after the GDPR itself became enforceable across the EU.
The country's data protection framework is now mature enough that the ANSPDCP has built a substantial enforcement dossier spanning financial services, technology, retail, events, and individual politicians. This guide covers the full Romanian regime: constitutional foundations, the Law 190/2018 supplements, ANSPDCP structure and powers, legal bases, data subject rights, DPO rules, breach notification, cross-border transfers, the public-authority fining regime, the EU AI Act overlay, recent 2024-2025 developments, and practical compliance guidance.
For EU-wide context, see our overview of EU data privacy laws. For Romania's recording consent rules, see Romania recording laws.
Quick Answer
Romania follows the GDPR directly and supplements it with Law No. 190/2018. The ANSPDCP enforces both instruments. The most distinctive national rules are: a mandatory warning-first procedure before any fine can be imposed on a public authority; a RON 200,000 (approximately EUR 40,000) cap on public-authority fines; an explicit-consent or legal-provision requirement for genetic, biometric, and health data used in automated decision-making or profiling; strict conditions on electronic and video surveillance of employees; and a DPO designation obligation whenever a controller processes the national identification number (CNP) on the legitimate-interest basis.
Constitutional Basis
Romania's data protection framework rests on constitutional soil. Article 26 of the Romanian Constitution (right to intimate, family, and private life) requires public authorities to respect and protect privacy. Article 28 (secrecy of correspondence) reinforces this by covering electronic communications. These provisions do not themselves create a freestanding right to data protection, but they inform how Romanian courts and the ANSPDCP interpret ambiguous provisions in the GDPR and national law. Constitutional challenges to data-retention laws have been decided partly on Article 26 grounds by the Romanian Constitutional Court.
GDPR as the Primary Law
The GDPR applies directly as EU law in Romania. There is no separate comprehensive data protection statute equivalent to the GDPR; instead, Law 190/2018 fills in the spaces the GDPR expressly left for member-state regulation. This means most GDPR provisions, including definitions, lawfulness grounds, data subject rights, controller and processor obligations, data protection by design, and the main penalty tiers, apply in Romania without any national modification.
Law 190/2018 is comparatively short. Its operative provisions address:
- Processing of genetic, biometric, and health data for automated decision-making or profiling
- Rules for the national identification number (CNP)
- Electronic surveillance of employees at the workplace
- The DPO designation trigger tied to CNP processing on a legitimate-interest basis
- The sanctions regime for public authorities and bodies
Supplementary Legislation
Law No. 506/2004 implements the ePrivacy Directive and governs personal data processing in electronic communications, including cookie consent rules. The Calin Georgescu enforcement case in 2025 (discussed below) was decided partly under Law 506/2004 alongside the GDPR. GEO 155/2024, approved as Law 124/2025, transposes the NIS2 Directive and adds cybersecurity incident-notification obligations that run parallel to GDPR breach-notification duties for entities in critical sectors.
The ANSPDCP: Structure and Powers
The Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal is Romania's independent data protection supervisory authority. It was established before the GDPR era by Law No. 102/2005 and was designated as the competent GDPR supervisory authority under Article 51.
The ANSPDCP is led by a president appointed by the Romanian Senate for a renewable five-year term. The authority reports annually to Parliament and operates independently from the executive branch. It participates in the European Data Protection Board (EDPB) as Romania's national representative.
Investigative and Corrective Powers
The ANSPDCP holds the full range of GDPR Article 58 powers. On the investigative side, it can demand access to premises, require controllers and processors to provide any information it needs, and conduct audits. On the corrective side, it can issue warnings, reprimands, orders to comply with data subject requests, processing limitations, and bans on processing. It can order rectification or erasure of data and suspend data flows to third countries. It can also impose administrative fines directly.
Enforcement Statistics
The authority handles a high volume of complaints relative to Romania's population. In 2019 alone it received over 6,000 complaints and incident notifications. Between 2019 and 2023, the ANSPDCP issued 235 GDPR fines, of which only 63 were challenged in court. Of the 28 cases finalised by courts as of the available data, 23 upheld the ANSPDCP's position. This high confirmation rate reflects a judiciary comfortable applying GDPR doctrine and an enforcement authority with a well-grounded practice.

Legal Bases for Processing
Romania applies all six GDPR Article 6 lawfulness grounds without national modification:
Consent (Article 6(1)(a)) must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and silence do not constitute consent. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent.
Contract (Article 6(1)(b)) covers processing necessary for performance of or steps prior to entering a contract with the data subject.
Legal obligation (Article 6(1)(c)) applies to processing required by EU or Romanian law.
Vital interests (Article 6(1)(d)) is a narrow ground for emergency situations.
Public task (Article 6(1)(e)) applies to controllers exercising official authority or a task in the public interest.
Legitimate interests (Article 6(1)(f)) requires a balancing test and is unavailable to public authorities acting in their official capacity.
Consent: The Orange Romania Precedent
Romanian practice has produced notable guidance on consent. The Orange Romania case (CJEU C-61/19, judgment of 11 November 2020) concerned a Romanian operator whose paper contracts contained a pre-ticked box recording the customer's consent to the collection and storage of a copy of their identity document. The CJEU held that such a clause does not demonstrate that the customer gave freely given, informed and unambiguous consent, and that the controller, not the data subject, bears the burden of proving valid consent. Although decided in 2020, it remains the reference point for what valid consent looks like in Romania and across the EU.
Special Categories of Personal Data
The GDPR's Article 9 prohibition on processing sensitive data applies in Romania. Law 190/2018 adds a specific rule for automated processing: processing genetic data, biometric data, or health data for the purpose of automated decision-making or profiling is permitted only with the data subject's explicit consent, or if processing is carried out under an explicit legal provision with appropriate protective measures.
This means a controller cannot rely on the standard Article 9(2)(b) through (j) derogations for automated profiling of sensitive categories in Romania without either explicit consent or a statutory provision that establishes adequate safeguards. The restriction is significant for insurers, healthcare platforms, and HR technology providers using algorithmic tools.
Health data processed for public health purposes cannot subsequently be used for other purposes by third-party entities.
National Identification Number (CNP)
The Cod Numeric Personal, or CNP, is Romania's 13-digit national identifier assigned to every citizen and resident. Law 190/2018 attaches specific conditions to its processing because its function as a universal identifier creates linkage risk across datasets.
CNP processing is permitted when required by law, when the data subject has given explicit consent, or when processing is necessary for substantial public interest purposes with appropriate safeguards. For legitimate-interest processing specifically, Law 190/2018 triggers a mandatory DPO designation obligation (see below). Controllers must implement guarantees such as access restrictions, audit trails, and storage limitation to protect CNP data.
Any document containing a CNP, such as an identity card copy, falls within this regime. Businesses that routinely copy customer identity documents for Know Your Customer or other compliance purposes should ensure they have a valid legal basis and appropriate safeguards for the CNP data within those documents.
Data Subject Rights
Romania applies all GDPR data subject rights without derogation. Data subjects have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21). Rights relating to automated individual decision-making under Article 22 also apply in full.
The ANSPDCP's enforcement record shows active use of Articles 15 and 17. In the Untold SRL case (September 2024), the authority fined the festival organiser RON 49,741 (EUR 10,000) for failing to respond to a data subject access request and an additional RON 24,870.5 (EUR 5,000) for failing to handle a related erasure request. In the Orange Romania case (December 2024), the ANSPDCP fined the telecoms operator RON 199,020 (EUR 40,000) for violating the right to erasure under Articles 12 and 17 of the GDPR and for breaches of Articles 5, 6, and 7.
Response deadlines follow the GDPR: one month from receipt of the request, extendable by a further two months (three months in total) for complex or numerous requests, provided the data subject is told of the extension and the reasons for it within the first month.
Data Protection Officer Requirements
The standard GDPR Article 37 DPO designation triggers apply in Romania: mandatory for public authorities and bodies, for controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for large-scale processing of special-category or criminal-conviction data.
Law 190/2018 adds a national trigger: a DPO must also be designated whenever a controller processes the CNP under the legitimate-interest basis (Article 6(1)(f)), including by collecting or disclosing documents that contain the CNP. This is a meaningful expansion because many private-sector controllers, including banks, insurers, landlords, and employers, routinely process CNP data on a legitimate-interest basis. Failure to designate a DPO in these circumstances can attract fines of up to EUR 10 million or 2% of worldwide annual turnover.
DPOs must have expert knowledge of data protection law and practices. The role can be outsourced to an external service provider. Controllers must notify the ANSPDCP of their DPO appointment using the templates and procedures published on the authority's website.
Breach Notification
Standard GDPR breach notification rules apply. A personal data breach likely to result in a risk to individuals' rights and freedoms must be notified to the ANSPDCP within 72 hours of the controller becoming aware of it. Romania has no national derogations from this obligation.
The ANSPDCP uses Decision No. 128/2018 as the template format for breach notifications. If notification cannot be made within 72 hours, the controller must provide a reasoned explanation alongside the notification.
Where a breach is likely to result in a high risk to individuals, affected data subjects must also be notified directly without undue delay.
Entities also in scope of the NIS2 regime (Law 124/2025) face parallel incident-notification duties to the DNSC. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month, so an incident that is both a personal data breach and a significant NIS2 incident starts two separate clocks with different recipients.

Employee Monitoring
Article 5 of Law 190/2018 establishes Romania's distinctive restrictions on employee surveillance.
First, CCTV installed for building security or public space monitoring cannot be repurposed to monitor employees at work. A camera at a warehouse entrance can capture entry and exit, but cannot be repositioned or reconfigured to track employee productivity, movement patterns, or compliance with work instructions.
Second, electronic monitoring or video surveillance of employees on a legitimate-interest basis is permitted under Article 5 of Law 190/2018 only if cumulative conditions are met: the employer's legitimate interests are duly justified and prevail over the employees' rights and freedoms; employees have received complete and explicit prior information about the monitoring; the trade union or employee representatives have been consulted before the system is introduced; less intrusive means have not proved effective; and the resulting data is kept no longer than 30 days, unless a law provides otherwise or a longer period is duly justified. The monitoring must also remain proportionate to the aim pursued and must not infringe worker dignity.
The ANSPDCP has enforced these rules directly. The Global Ports Services SRL case (September 2024) resulted in a EUR 2,000 fine for GPS monitoring of employees without a proper legal basis. The Entirely Shipping and Trading case resulted in fines for excessive employee image data processing through video cameras and for unauthorized biometric fingerprint data processing.
Biometric Data Processing
Biometric data processing for access control receives heightened scrutiny in Romania. The ANSPDCP has confirmed that the access-control purpose alone is not a sufficient legal basis for processing biometric data of employees and visitors. An explicit legal provision providing adequate guarantees, or explicit consent, is required.
This affects fingerprint readers, palm-vein scanners, facial recognition gates, and iris scanners deployed for building access. Employer legitimate interest in controlling premises access is not enough to justify these systems under Romanian law. Organizations that have deployed biometric access control should assess whether they have a qualifying legal basis and consider whether less-intrusive alternatives could achieve the same security objective.
Age of Digital Consent
Romania maintained the GDPR's default age of digital consent at 16 years. Children under 16 require verifiable parental or guardian consent to use information society services, including social media platforms, online games, and subscription digital services.
Cross-Border Data Transfers
Romania applies the standard GDPR Chapter V framework for transfers of personal data outside the EEA. Transfers require one of the following:
- An adequacy decision by the European Commission confirming the third country's equivalent protection level
- Appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or approved codes of conduct
- One of the specific derogations in Article 49, such as explicit consent or necessity for contract performance
There are no Romanian national derogations or additional restrictions on international transfers beyond the GDPR framework. The updated 2021 SCCs issued by the European Commission are in use. The ANSPDCP can suspend or prohibit transfers where it finds that adequate protection cannot be ensured.
Penalties and the Enforcement Record
Standard Fines for Private Entities
The GDPR's two-tier penalty structure applies in full for private-sector controllers and processors:
- Up to EUR 10 million or 2% of worldwide annual turnover for violations of the less serious category (Articles 8, 11, 25-39, 42, 43)
- Up to EUR 20 million or 4% of worldwide annual turnover for violations of the most serious category (Articles 5-7, 9, 12-22, 44-49)
The Public-Authority Fining Regime
Law 190/2018 creates a materially different regime for public authorities and bodies. Before any fine can be imposed, the ANSPDCP must first issue a written warning specifying the violation, setting out a remedy plan, and giving a defined remedy period. Only if the authority fails to complete the remedy plan within ten calendar days after the remedy period expires may the ANSPDCP then impose a financial sanction.
Even then, the maximum fine for a public authority is RON 200,000, approximately EUR 40,000. This cap is far below the GDPR's standard maximum. Critics argue the graduated approach combined with the low cap reduces incentives for government bodies to invest in compliance. The ANSPDCP retains its full corrective powers, including processing restrictions and deletion orders, regardless of the fine amount, and these operational consequences can be more disruptive than a fine.
Notable Enforcement Actions
UniCredit Bank S.A. (EUR 130,000, 2019): One of Romania's largest early GDPR fines. The bank disclosed national identification numbers and payer addresses affecting approximately 337,042 data subjects.
Raiffeisen Bank S.A. (EUR 150,000) and Vreau Credit S.R.L. (EUR 20,000) (2019): Two Raiffeisen Bank employees used client identification data provided by Vreau Credit staff through WhatsApp to run 1,194 unauthorized credit-history simulations on 1,177 individuals. Raiffeisen was fined for inadequate security measures; Vreau Credit was additionally fined for failing to notify the ANSPDCP of the breach.
UiPath SRL (EUR 70,000, 2023): The Romanian automation software company failed to implement adequate technical and organizational measures (GDPR Articles 25 and 32), leading to unauthorized disclosure of personal data of approximately 600,000 UiPath Academy Platform users.
Untold SRL (EUR 15,000 combined, September 2024): The organiser of Romania's major music festival was fined RON 49,741 for failing to respond to a data subject access request and RON 24,870.5 for failing to handle a related erasure request, despite receiving the data subject's contact details.
Orange Romania SA (EUR 40,000 total, December 2024): The telecoms operator received two fines totaling RON 199,020 for violating the right to erasure under Articles 12 and 17 GDPR and for breaches of Articles 5, 6, and 7 relating to lawfulness, fairness, and consent.
Alior Bank SA Romanian Branch (EUR 17,000, January 2024): Fined for sending commercial messages to a former customer by email and SMS after the customer had requested data deletion and the contractual relationship had ended, in breach of Articles 5 and 6 GDPR.
Global Ports Services SRL (EUR 2,000, September 2024): Fined for GPS monitoring of employees without a proper legal basis under Articles 5 and 6 GDPR.
Calin Georgescu (RON 50,000+, 2025): The former Romanian presidential candidate was fined RON 30,000 under Law 506/2004 and approximately EUR 4,000 under the GDPR after his website installed cookies without consent and failed to inform contact-form users about data processing. The Ilfov Tribunal upheld the ANSPDCP's sanctions.

EU AI Act Overlay
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 with a phased application schedule. Prohibitions on unacceptable-risk AI practices became enforceable on 2 February 2025. Obligations for general-purpose AI models took effect on 2 August 2025.
Romania is navigating implementation with mixed results. The government approved a National AI Strategy for 2024-2027 in July 2024. However, Romania missed the 2 August 2025 deadline for designating a single national market-surveillance authority.
The ANSPDCP has been notified to the European Commission as one of nine Romanian public authorities responsible for protecting fundamental rights in the context of high-risk AI systems, alongside the Ombudsman, the National Council for Combating Discrimination, the National Audiovisual Council, and the Permanent Electoral Authority.
For AI systems that process personal data, controllers must satisfy both AI Act requirements and GDPR obligations simultaneously. The ANSPDCP is already positioned to oversee AI-driven automated decisions affecting personal data through its existing power to enforce GDPR Article 22, alongside any future AI Act enforcement role.
Romania's pending Draft Law Pl-x nr. 184/2025 on responsible use of artificial intelligence would require AI systems in public administration to be transparent and subject to regular audits, and would prohibit AI use for judicial decisions without human oversight. As of mid-2025 the draft remained under legislative review and faced criticism for potential conflicts with the AI Act's definitions and sanctions framework.
NIS2 and Cybersecurity Developments
Law 124/2025 (approving GEO 155/2024) transposed the NIS2 Directive into Romanian law, entering full force on 10 July 2025. The National Cyber Security Directorate (DNSC) is the designated enforcement authority.
Essential and important entities in critical sectors, including energy, finance, transport, health, and digital infrastructure, face heightened obligations: technical and organizational cybersecurity measures, regular staff training, and incident notification to the DNSC within 24 hours of a significant incident. This timeline is stricter than the GDPR's 72-hour breach-notification window and runs concurrently with it.
Entities in scope must register with the DNSC using the NIS2@RO Platform. DNSC Order No. 1/2025 and Order No. 2/2025 set out registration rules and risk-management criteria. Penalties under Law 124/2025 are separate from GDPR sanctions.
Business Compliance Guidance
Organizations processing personal data in Romania should address the following areas.
GDPR fundamentals apply in full. Romania has no derogations from the core data subject rights. Ensure all access, rectification, erasure, restriction, and portability requests are handled within the one-month deadline. The ANSPDCP actively enforces the right to erasure, as the Orange Romania and Untold SRL cases demonstrate.
Audit CNP processing. If your organization processes national identification numbers under a legitimate-interest basis, including by copying identity documents, you must designate a DPO. Verify the legal basis, implement appropriate safeguards, and document them.
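The audit step above is the one point in this guide where a technical control is needed: before you can verify the legal basis for CNP processing, you have to know where CNPs actually sit in your systems. The following Python scanner is an added example written for this guide, not code from the ANSPDCP or any cited source. It uses the publicly documented CNP control-digit algorithm (weights 2-7-9-1-4-6-3-5-8-2-7-9 over the first twelve digits, summed mod 11, with a remainder of 10 mapping to control digit 1) to distinguish real CNPs from other 13-digit numbers such as invoice references, and redacts each hit so that the audit report itself does not become another copy of the identifier. The sample log lines are constructed, the county-code and century rules are deliberately omitted, and the "keep the last four digits" masking policy is an assumption, not a requirement of Law 190/2018.

```python
import re
from typing import List, Tuple

# Constructed sample records, as they might appear in an application log or
# CSV export that an audit is scanning for stored CNPs. Not real data.
SAMPLE_RECORDS = [
    "2025-03-01 09:14:02 kyc-service customer=1800101400016 status=verified",
    "2025-03-01 09:15:40 kyc-service customer=1800101400017 status=verified",
    "2025-03-01 09:16:11 billing invoice=4000123456789 amount=199.90",
    "2025-03-01 09:17:55 hr-portal employee=2951231123450 action=badge-issued",
]

# Control-digit weights for the 13-digit CNP (publicly documented algorithm).
_CNP_WEIGHTS = "279146358279"
# Exactly 13 digits not embedded in a longer digit run.
_CNP_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def cnp_check_digit(first12: str) -> int:
    """Return the control digit for the first 12 digits of a CNP.

    Weighted sum of the digits mod 11; a remainder of 10 maps to control digit 1.
    """
    total = sum(int(d) * int(w) for d, w in zip(first12, _CNP_WEIGHTS))
    rem = total % 11
    return 1 if rem == 10 else rem


def is_valid_cnp(candidate: str) -> bool:
    """Structural check: 13 digits, non-zero sex digit, plausible month/day, checksum.

    County-code and century validation are omitted here (simplification).
    """
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    if candidate[0] == "0":          # sex/century digit is 1-9
        return False
    month, day = int(candidate[3:5]), int(candidate[5:7])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    return cnp_check_digit(candidate[:12]) == int(candidate[12])


def mask_cnp(cnp: str) -> str:
    """Redact a CNP for audit output, keeping only the last four digits (policy assumption)."""
    return "*" * 9 + cnp[-4:]


def scan_for_cnps(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, masked_cnp, redacted_line) for every valid CNP found.

    13-digit numbers that fail the structural check (invoice numbers, bad
    checksums) are ignored, which keeps false positives out of the audit report.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        hits = [m.group() for m in _CNP_RE.finditer(line) if is_valid_cnp(m.group())]
        redacted = line
        for cnp in hits:
            redacted = redacted.replace(cnp, mask_cnp(cnp))
        for cnp in hits:
            findings.append((lineno, mask_cnp(cnp), redacted))
    return findings


if __name__ == "__main__":
    for lineno, masked, redacted in scan_for_cnps(SAMPLE_RECORDS):
        print(f"line {lineno}: CNP {masked} -> {redacted}")
```

Run against a real export, the list of locations that come back is the inventory you then map to a legal basis, a retention period and, where the basis is legitimate interest, a designated DPO. The checksum filter matters in practice: a bare 13-digit regex over a finance system would flag large numbers of invoice and account references and bury the genuine CNP hits.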
Review employee monitoring. Security cameras cannot serve as productivity monitors. Any electronic surveillance of employees requires prior notification to workers, a proportionate purpose, and a lawful basis under both Law 190/2018 and the GDPR. GPS tracking of company vehicles or employees requires the same analysis.
Do not deploy biometric access control without a legal basis. Employer legitimate interest is insufficient. You need explicit legal authorization or explicit consent, with appropriate safeguards, before using fingerprint readers, facial recognition, or other biometric systems for access control.
Appoint a DPO if required. The standard GDPR triggers apply, plus the additional Romanian trigger for CNP processing under legitimate interest. Register the DPO with the ANSPDCP using the authority's published templates.
Prepare for AI Act compliance. If you use AI systems that process personal data, map both GDPR and AI Act obligations. High-risk AI systems require a conformity assessment, and the ANSPDCP may exercise oversight over automated decisions affecting data subjects.
Critical-sector entities: check NIS2 scope. If you operate in energy, finance, transport, health, or digital sectors, verify whether you fall within the Law 124/2025 scope and register with the DNSC.
Public authorities: do not treat the low fine cap as permission to deprioritize compliance. The ANSPDCP's corrective powers, including processing bans and deletion orders, apply regardless of the fine cap. A processing ban affecting a government database can have far greater operational consequences than a fine.
Disclaimer: This article provides general information about Romania's data privacy laws and is not legal advice. Data protection rules change frequently. Consult a qualified attorney licensed in Romania for guidance on your specific situation.
Frequently Asked Questions
When did Romania's GDPR implementing law take effect?
Law No. 190/2018 was published in Romania's Official Gazette on 26 July 2018 and became applicable on 31 July 2018, making Romania one of the first EU member states to enact GDPR implementing legislation. The law supplements the GDPR with national rules on biometric data, employee monitoring, national identification numbers, and the public-authority sanctions procedure.
What is the ANSPDCP and what powers does it have?
The ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) is Romania's independent data protection authority. It can investigate controllers and processors, handle complaints, conduct audits, impose administrative fines, restrict or ban processing, and order data erasure. Between 2019 and 2023 it issued 235 GDPR fines, and courts confirmed its decisions in 23 out of 28 finalised challenges.
Can Romanian employers use security cameras to monitor employees?
No. Under Article 5 of Law 190/2018, CCTV installed for building security or public-space monitoring cannot be repurposed to monitor employee work performance. Electronic workplace surveillance is only permitted with advance notice to employees, a proportionate purpose, and a lawful basis under the GDPR and national law.
How are public authorities fined for GDPR violations in Romania?
Romanian public authorities must first receive a written warning with a remedy plan. Only if they fail to implement the remedy within ten days of the deadline can the ANSPDCP impose a fine. Fines are capped at RON 200,000, approximately EUR 40,000, far below the GDPR standard maximum. However, the ANSPDCP can also order processing restrictions and data deletion, which are not subject to the cap.
When must a DPO be appointed in Romania?
The standard GDPR DPO triggers apply: public authorities, large-scale systematic monitoring, and large-scale special-category processing. Law 190/2018 adds a national trigger: a DPO must also be designated when a private-sector controller processes the national identification number (CNP) under the legitimate-interest basis, including by collecting or disclosing documents that contain the CNP.
Can employers use fingerprint or facial recognition for building access in Romania?
Not without a proper legal basis. The ANSPDCP has confirmed that the building access purpose alone does not justify biometric data processing. Employers need either explicit legal authorization from a Romanian law providing adequate data protection safeguards, or explicit consent from each employee and visitor. Many organizations have shifted to key-card or PIN-based access to avoid this requirement.
What is the age of digital consent in Romania?
Romania set the age of digital consent at 16, adopting the GDPR's default. Children under 16 need verifiable parental or guardian consent to use information society services such as social media, online gaming platforms, and digital subscriptions.
How does the EU AI Act apply in Romania?
The EU AI Act applies directly in Romania as EU regulation. Prohibited AI practices have been enforceable since 2 February 2025. Romania designated the ANSPDCP as one of nine fundamental-rights monitoring authorities for high-risk AI systems, but as of mid-2025 had not yet designated a single national market-surveillance authority, missing the August 2025 EU deadline. AI systems that process personal data must comply with both the AI Act and the GDPR simultaneously.
Sources and References
- ANSPDCP, Law 190/2018 official text (dataprotection.ro)
- ANSPDCP official website (dataprotection.ro)
- EDPB, UiPath fine, 2023 (edpb.europa.eu)
- EDPB, UniCredit Bank fine, 2019 (edpb.europa.eu)
- ANSPDCP, Orange Romania sanction (dataprotection.ro)
- GDPRhub, Orange Romania (gdprhub.eu)
- GDPRhub, Untold SRL (gdprhub.eu)
- Romania Insider, Georgescu fine (romania-insider.com)
- CMS, Romania data protection guide (cms.law)
- DLA Piper, Romania data protection laws (dlapiperdataprotection.com)
- EuroCloud Romania, AI Act (eurocloud.org)
- Kinstellar, Romania NIS2 (kinstellar.com)
- EDPB, international transfers guide (edpb.europa.eu)