National Regulations Aimed at Applying the GDPR in Romania

The Personal Data Protection Regulation (EU) 2016/679 (GDPR), which entered into force on the 25th of May 2016, provided a two-year deadline for implementation so that the member states, competent authorities and officers, can take steps and, where appropriate, adopt the necessary legislative, technical and organisational measures for the implementation of the new European regulation. This deadline expired on the 25th of May 2018. While it is not usual for a regulation, which is of general application, binding in its entirety and directly applicable in all member states, to require national implementing laws, this general regulation contains several grounds under which the member states have competence to regulate various aspects, by national law, especially regarding the sanctioning regime. The competent authorities in Romania adopted two such laws to regulate some of the issues that the GDPR provides in the member states’ competence. Within this study we analyse these proposals as well as other national measures for the implementation of the Regulation, which concern not only the sanctioning regime, in general, but also the competence of the national data protection authority, the exercise of legal remedies, some special categories of data, certain derogations, the data protection officer, certification bodies or the application of corrective measures to public authorities and institutions.