Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Constitutional privacy and data protection framework

The Romanian Constitution1 adopted in 1991 recognises under Title II (Fundamental Rights, Freedoms, and Duties) the rights of privacy, inviolability of domicile, and freedom of conscience and expression. Article 26 of the Constitution states, "(1) Public authorities shall respect and protect the intimate, family and private life. (2) Any natural person has the right to freely dispose of himself unless by this he causes an infringement upon the rights and freedoms of others, on public order or morals." Article 27 states, "(1) The domicile and the residence are inviolable. No one may enter or remain in the domicile or residence of a person without consent. (2) Derogation from provisions under paragraph (1) is permissible by law, in the following circumstances: for carrying into execution a warrant for arrest or a court sentence; to remove any danger against the life, physical integrity, or assets of a person; to defend national security or public order; to prevent the spread of an epidemic. (3) Searches may be ordered only by a magistrate and carried out exclusively under observance of the legal procedure. (4) Searches at night time shall be prohibited, except in cases of flagrante delicto." Article 28 states, "Secrecy of the letters, telegrams, and other postal communications, of telephone conversations, and of any other legal means of communication is inviolable." According to Article 30, "(6) Freedom of expression shall not be prejudicial to the dignity, honour, privacy of person, and the right to one's own image."

The Romanian Constitutional Court had two important decisions taken in 2009 and 2010 regarding the interpretation of the right to privacy, as enshrined by the Constitution. The first is Decision No. 1258 of 8 October 20092 that considered unconstitutional the national implementation of the Data Retention Directive.3

The second decision is the Constitutional Court ruling 415 of 14 April 20104 regarding the unconstitutionality of the law establishing the National Agency of Integrity5 that obliged all the interest and income declarations of certain public servants to be published on the Internet. In this case, the Court considered that "the obligation stipulated by the law to publish the declarations of assets and interests on the Web pages of the entities where the persons, according to the legal provisions, have to submit them, as well as their transmission to the Agency to be published on its website, breach the right to respect and protection of private life ensured by Article 26 of the Fundamental Law as well as by article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, by the unjustified exposure, in an objective and sensible way, on the Internet page, of the data related to the assets and interests of people who, according to the law, have the obligation to submit declarations of assets and interests."

Privacy and data protection laws and regulations

Comprehensive law

In November 2001, the Parliament enacted Law No. 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector6 and Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data.7 These laws follow very closely the European Union Telecommunications Privacy (1997/66/EC) and Data Protection (1995/46/EC) Directives respectively. Romania joined the European Union on 1 January 2007.8

Law No. 676/2001 provides for specific conditions under which privacy is protected with respect to the processing of personal data in the telecommunications sector. In 2004, Law No. 676/2001 was, practically speaking, replaced by Law No. 506/2004,9 which closely follows Directive 2002/58/EC of the European Parliament and the Council on personal data processing and privacy protection in the electronic communications sector. This directive repealed and replaced Directive 1997/66/EC.10

Law No. 506/2004 divides the task of enforcing the personal data protection laws between two institutions: the National Regulatory Authority for Communication (later renamed the National Authority for Management and Regulations in Communications – Romania, or ANCOM11) for issues related to electronic communications and the People's Advocate Office (later renamed the Data Protection Authority, or ANSPDCP), which handles issues related to privacy. In this sense, ANCOM has competence in relation to: security measures for electronic communication; non-compliance with invoice issuing conditions; infringement of the obligations regarding the presentation and restriction of calling; and connected line identification.

Law No. 677/2001applies to the processing of personal data, that is carried out totally or partially through automatic means, as well as to the processing of personal data through other means that are part of, or destined for, an evidence system.

A new civil code was approved in July 2010 by the Romanian Parliament.12 The Code has not come into force, and it is unclear when this will happen – the Parliament needs to issue a new law to establish it. The code's new text includes provisions relating to private life and a series of articles stating the respect to private life, the right to dignity, the interdiction against public use of images, voice recordings, manuscripts, correspondence, or other personal documents without the owner's consent (except in cases where the use is legally allowed by the law because the material is of justified public interest). The new text also defines that a breach of someone's private life (Article 74 – "Breaches of private life") includes: capturing or using a person's image or voice in a private space without the person's consent; broadcasting images representing private space interiors without the consent of the legal occupant; placing private life under observation by any means, except for the express cases provided by the law; broadcasting news, debates, inquiries, or written and audio-visual coverage of a person's private, personal or family life, without the person's consent; broadcasting materials including images of a person under treatment in medical assistance units as well as personal data related to health, diagnosis, prognosis, treatment, or other circumstances and facts related to the disease including autopsy results, without the consent of the person involved or, in case of the person's death, of that of his family or authorised persons; using, with malice, the name, image, voice, or likeness of another person; broadcasting or using correspondence, manuscripts, or other personal documents including data relating to the domicile, residence, or phone numbers of a person or his (her) family members, without the person's consent.13

Some of these provisions were criticised by several mass-media organisations14 as limiting freedom of expression, especially where there is a public interest for a specific case. The government's reply was to present a proposal in 2009 to add another, rather vague article to the draft. This would make all the above-mentioned privacy provisions concerning inapplicable if interfering with the right were "allowed by the law or international conventions and agreements regarding human rights to which Romania is part". It also says: "Exercising the constitutional rights and freedoms in good faith and by observing the international conventions and agreements Romania is part of, is not an infringement of the rights provided for by this section."

The civil code has not yet come into force. It may enter into force on 1 October 2011 if the law establishing this date, as suggested by the Ministry of Justice, is adopted by Parliament.15

Sector-based laws

In 2002, the National Audiovisual Council16 issued regulations regarding privacy and television and radio programs in Decision No. 80 of 13 August 2002, Regarding the Protection of Human Dignity and the Right to Protect One's Own Image. These established a few privacy principles. Article 6 states, "(1) Any person has a right to privacy, privacy of his family, his residence and correspondence. (2) The broadcasting of news, debates, inquiries, or audio-visual reports on a person's private and family life is prohibited without that person's approval." According to Article 7, "It is forbidden to broadcast images of a person in his or her own home or any other private place without that person's approval; (2) It is forbidden to broadcast images of a private property, filmed from the inside, without its owner's approval."17

In 2009 the Parliament adopted a new Penal code18 that includes a new crime called "Breaching privacy". Article 226 states: "(1) The harm unlawfully brought to private life by photographing, capturing, or recording images, listening in by technical means or audio recording a person within a home, a room, or an out-building related to it, or a private conversation, is punished with imprisonment from six months to a year or a fine. (2) Revealing, broadcasting, presenting, or transmitting  unlawfully the sounds, conversations, or images covered by paragraph (1), to another person or to the public, is punished with imprisonment from three months to two years or a fine. (3) The criminal case starts at the complaint of the harmed person."19

Data protection authority

The new authority for protecting personal data, the National Authority for the Supervision of Personal Data Processing (ANSPDCP), was created by Law No. 102/2005,20 which replaced the previous supervisory authority (called "The People's Advocate").21 The law regulates the transfer of the database from the People's Advocate Office to the ANSPDCP. Due to the delay in creating the ANSPDCP, the Romanian Government issued Emergency Ordinance No. 131/2005, which delayed the authority's creation date until 31 December 2005.22 The new authority's internal regulations were adopted on 2 November 2005.23 The ANSPDCP opened in February 2006, and the new institution began to provide advice and help with respect to infringements of the personal data legislation.24 Starting with 21 January 2008, the authority of ANSPDCP was extended25 to include monitoring the implementation of Law No. 298/2008 on data retention.

The budgetary cuts of 2009 have significantly affected the activity of the Authority. The  budget allocated for the year 2009 was insufficient to provide payment for the 50 people  the ANSPDCP was supposed to hire. In fact, by August 2009, only 35 positions had been filled.26 The budget for 2009 did not allow the Authority to do any investigations outside Bucharest.27

Since June 2006, four decisions have been issued by the ANSPDCP regarding the application of the personal data legislation. These decisions establish standard notification forms (modified in 2008),28 categories of sensitive personal data processing operations,29 notification exemptions,30 and situations in which the simplified notification form for personal data processing may be used.31 In 2007, the ANSPDCP issued several orders. One order, for example, implemented the online registry of controllers; another abolished the notification fee.32 In 2007 the ANSPDCP also issued a decision regulating the transfer of personal data to third countries.33 In 2008 and 2009 the ANSPDCP continued to regulate the personal data processing notification regime34 by issuing a decision concerning the standard notification form and the procedure for the authorisation of health-related data processing.35 The decision also mandates that, in the absence of the subject's express written consent, an operator must first obtain authorisation from ANSPDCP before processing such data.

In 2008, the ANSPDCP applied sanctions against a legal firm for unlawful processing of personal data (they didn't respect an individual's right to be informed that his/her data are being processed) and against a financial private company for not having observed a client's right of intervention.

In 2009, ANSPDCP36 fined two mobile phone companies for sending SMS to their subscribers despite the fact that the subscribers had not opted to receive them37 as well as a financial company that sent unsolicited SMS messages to a former client.38 A private company was fined for having used video cameras to monitor access to public/private areas without having previously notified the authority. Furthermore, the company was fined for having used the images for other purposes than just surveillance.39

The Authority has made it clear several times that the practice, common to several commercial companies, of asking for the client's CNP (Personal numerical code – a unique identifier for each physical person) on invoices is not supported by any legislation. The legislation covering the content of invoices40 does not imagine the introduction of the CNP on the invoice. And, according to the ANSPDCP, there are no provisions requiring the CNP for any other tax.41

The ANSPDCP also fined a local company that provided Internet Street View services because it did not notify the Authority or blur the collected personal data (faces, car numbers, etc.).42

In 2010, another telecommunications company was fined for having disclosed its subscribers' personal data to an insurance company without first asking for their consent.43

The ANSPDCP issued a decision in 2009 that established a framework for the processing of health-related personal data.44 In 2010, the Authority sanctioned Health Insurance House in Brasov county for posting its list of debtors on its website, some 30,000 local individuals along with their personal data (name, address, the number of their contracts).45

The Authority may be asked for its opinion on normative acts. For example, in 2008 it was consulted for 17 normative acts. However, such requests are not obligatory for an institution/body,  and such opinions are not published on the ANSPDCP's website or in any official newspaper, not even Monitorul Oficial.

Between 2006 and 2009, the Authority carried out a series of activities in to elevate personal data protection awareness, most of them directed at the local public authorities. These awareness activities also included a joint conference with the Romanian Banks' Association regarding personal data protection and processing within the financial and banking sectors.46 The ANSPDCP has also been involved in awareness activities, usually in partnership with the public sector (Prefects' offices in several counties, Police Inspectorates), the private sector (professional associations in real estate, notaries public, Chambers of Commerce), and the educational sector (universities in Sibiu and Tg. Jiu).47

The ANSPDCP has also organised the "Open Doors Event" and several other events on the occasion of the European Data Protection Day (28 January).

According to a 2008 EU report on the citizens' perception regarding the protection of their personal data, Romanian citizens were poorly informed and educated about data protection issues.48 Only 42 percent of Romanians were concerned about giving their personal data online, about 36 percent answered they did not know whether legislation in the domain was enough to solve online personal data issues, 47 percent had no idea they had the right of access to their personal data retained by others and 79 percent did not know of the existence of the Romanian data protection authority.

Major privacy and data protection case law

At the beginning of 2010, the Bucharest Tribunal confirmed the decision of a local Bucharest court imposing upon the town hall of one of the Bucharest districts damages of €10,000 damages to a an individual whose personal data had been posted on the town hall's website identifying him as someone who had the right to free local transport. The website showed not only individuals' names, but also addresses, identification numbers, details of certain social cases, and details of medical conditions such as HIV infection.49

In 2009, the Bucharest Tribunal ruled that two publications50 had to pay moral and material damages to an actress for having infringed her right to private life and image by posting incorrect, unverified information about her in their publications. The decision was not final, however, and the publications decided to appeal.

Also in 2009, a famous couple obtained an interim judicial restraining order against a local tabloid, requiring it to take down photos taken by paparazzi during their holiday in France and prohibiting it from publishing photos of the couple during their private moments.51