Decision no. 161/09/10/2018 of The National Supervisory Authority for Personal Data Processing ("ANSPDCP"), on the approval of the Investigations Procedure entered into force on the 23rd of October 2018, in accordance with the powers given by the General Data Protection Regulation to the supervisory authorities.
According to the new procedure, investigations can be carried out by ANSPDCP upon prior complaint or ex officio. The latter case means that ANSPDCP may perform investigations in response to data and information published in mass-media or obtained from other national public entities or from foreign supervisory authorities. Any of these investigations may be performed in order to verify the accuracy of such information without prior notification, at the headquarters of the investigated entity, at the headquarters of the supervisory authority or simply through written interrogatories.
In case of written interrogatories, a notification should be sent to the investigated entity, requesting the relevant information / data and documents (e.g. the technical and organizational measures implemented by the data controller and the documents or other evidence proving their implementation). The ANSPDCP request should also mention the obligation of the data controller (or investigated entity) to respond in writing and to attach any evidence in certified copies, within the established deadline.
Within any investigation, ANSPDCP is entitled to verify or secure any document, equipment or storage media, or to ask for judiciary authorization if ANSPDCP representatives are prevented in any way from performing their investigation. The Court's authorization may be appealed within 72 hours but such an appeal will not suspend the enforcement of the Court's decision.
In order to avoid the risk of destroying relevant documents, ANSPDCP representatives may seal the location/documents if they don't finalize the investigation within one day or if any other situations arise which would justify such a measure. The inspectors may also question any person whose statement may be relevant.
Following the investigation, ANSPDCP may issue a warning sanction or apply a fine if the allegations which are the subject of the investigation are confirmed. It may also take other corrective measures or make recommendations.
Corrective measures may consist of temporary or permanent limitations, processing prohibitions, rectification or deletion of personal data, processing restrictions, notification of these actions, withdrawing a data protection certification or requiring the certification body to withdraw an issued certificate or to not issue a certification if the requirements for certification have not or no longer are being met.
According to the Investigation Procedure and Law no. 129/2018 that amends Law no. 102/2005 regarding the organization of the ANSPDCP, if the fine is lower or equal to Euro 300,000, then it may be applied directly by the ANSPDCP investigators. If the fine is higher than Euro 300,000, it must be imposed by the President of the ANSPDCP, on the basis of the investigator's reports.
The sanctions applied by ANSPDCP can be appealed within fifteen (15) days to the administrative division of the Tribunal Court. The contestation will not suspend the execution of the corrective measure (only the payment of the fine is suspended). Any corrective measures may be suspended based only based upon a separate request and favorable court decision.
For further details on the above, you may consult the full content of the Investigation procedure at www.dataprotection.ro.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.