Decision No. 200/2015 of the National Supervisory Authority for Personal Data Processing (ANSPDCP) (“Decision 200/2015”) regulates the issue of notifications concerning personal data processing.
Essentially, according to Article 1 of Decision 200/2015, except in certain cases of processing that are expressly and exhaustively detailed in the decision, it is unnecessary to notify ANPSDCP when processing personal data. Moreover, in accordance with Article 2 of the Decision 200/2015, personal data transfer to countries outside the European Union or the European Economic Area (EEA), and to countries that are not recognised by the European Commission as providing adequate protection, on the basis of a decision, must be notified to or, as the case may be, authorised by ANSPDCP. As arising from the preamble to Decision 200/2015, it was targeted at avoiding “inadequate” administrative formalities (which is a politically correct way of saying “useless”), by reference to the nature of the processing, and the actual risks that it entails for the data subjects. Surely, releasing the controllers from the obligation to notify all personal data processing operations is by all means welcome and well-timed. However, as we shall be discussing below, the manner of regulating such an exemption is debatable as regards its compliance with the provisions of Law No. 677/2001 and of the relevant European regulations. In accordance with Article 22(1) of Law No. 677/2001, data controllers are obliged to notify ANSPDCP in relation to any such operation they are carrying out. Nonetheless, while Article 22(2) lists a series of processing operations that need not be notified to ANSPDCP, paragraph (9) of the same article provides that the supervisory authority may establish other situations where the notification is not required (other than those under paragraph (2)).
This article was first published in Just in Case, an electronic magazine by Țuca Zbârcea & Asociații. To read the entire article, please go to: http://www.tuca.ro/just_in_case/