FORLOPD FAQ

Protection of natural persons with regard to the processing of personal data is a fundamental right. The article 8 Article (1) from the Charter of Fundamental Rights of the European Union („Carta”) and the article 16 Article (1) from the Treaty on the Functioning of the European Union (TFEU) establish that any person has the right to the protection of personal data concerning him.

It is considered personal data any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, especially by an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to physical identity, physiological, GENETIC, MENTAL, ECoNoMIC, cultural or social of the respective person.

As a general rule in Romania, we must consult:

• Regulation (UE) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
• Law no. 190 FROM 18 July 2018 regarding measures to implement the Regulation (UE) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

However, the specialty principle must be taken into account and the sectoral rules applicable to each individual case, as well as the opinions or reports issued by committee or control authorities, among others.

The data operator is the natural or legal person, public authority, the service or other body which, alone or with others, determines the purposes and means of processing.

For example, the entity that owns the personal data and processes it for its own purposes.

The person authorized by the operator is the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller. The authorized person cannot use the personal data provided by the operator for his own purposes.

Ex. The entity contracted by the data controller to provide a service for which the use of personal data is inherent. Some entities that generally act as fiduciaries are those that provide services of: consultant, IT maintenance, security/video surveillance, destruction of documents…

They are considered special categories of personal data which discloses ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, of biometric data intended for the unique identification of a natural person, of data relating to health or data relating to the sex life or sexual orientation of a natural person.

Data protection regulations allow citizens to exercise a number of rights, namely the right of acces, rectification, opposition, CLEAR ("the right to be forgotten"), restriction of processing, portability and the right not to be subject to individualized decisions.

Exercising these rights is free (except for unfounded or excessive requests), the operator is obliged to inform you about the means of exercising these rights (these means must be accessible) and must respond within a maximum of one month, these being some of its characteristics.

International data transfers involve a flow of personal data from the Romanian territory to recipients established in countries outside the European Economic Area (European Union countries plus Liechtenstein, Iceland and Norway).

The image is a personal date, because it identifies or makes identifiable a person.

In this sense, installation of cameras, for various purposes, such as security, labor control, access to restricted areas by capturing the car's registration number and the driver's image, or even monitoring an intensive care unit, would involve the processing of personal data and, accordingly, data protection rules would apply.

A security breach (or security breach) is one security incident affecting personal data. This incident may be of accidental or intentional origin and may affect data processed digitally or in hard copy. In general, it is an event that causes destruction, the loss, the modification, unauthorized communication or access to personal data.

And, insofar as they process personal data of natural persons.

Thus, in owner communities there is treatment derived from the management of the community itself, which includes the personal data of the owners, such as the name, first name, address or email address. There may be other types of treatments, such as "video surveillance" or "security cameras".

And, subject to compliance with the provisions of the General Data Protection Regulation.

When the collection and processing of minors' data is based on consent, it must be borne in mind that it must be express and that, in the case of minors under the age of 16 years, consent must be given by parents or guardians. People aged over 16 years can themselves consent to the collection of their data, except in cases where the law requires that they be assisted by parents or guardians.

The assessment of the impact on the protection of personal data is a tool that allows the anticipated assessment of the potential risks to which personal data are exposed depending on the processing activities carried out with them.

This is mandatory where the processing is likely to present a high risk to the rights and freedoms of natural persons.

Regarding the execution of the DPIA, this can be done by internal or external staff of the organization, without this exempting the data operator from fulfilling its obligations, who must ensure that this is carried out adequately and that the controls and control measures resulting from the assessment are implemented.