HomeAnalyticsAlertsData Protection Enforcement in Romania: Recent Regulatory Actions

Data Protection Enforcement in Romania: Recent Regulatory Actions

Romania's data protection authority has intensified its enforcement activity. Investigations are now targeting a broader range of organisations, and fines under data protection legislation have increased in both frequency and scale. International companies operating in Romania – or processing the personal data of Romanian residents – face direct exposure if their GDPR compliance programmes are not current.

Romania's Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP. the Romanian Data Protection Authority. Alternatively, DPA) has escalated its supervisory actions across multiple sectors. With particular focus on consent mechanisms, cross-border data transfer arrangements. Additionally, the documentation obligations of data controllers and data processors. Organisations subject to Romanian data protection law should review their compliance posture before the end of the current supervisory cycle. Any organisation that processes personal data of Romanian residents and has not conducted a full GDPR compliance audit within the past twelve months is at measurable risk.

This alert identifies which organisations are directly affected, sets out the threshold criteria for regulatory exposure, and lists the immediate actions required to reduce enforcement risk.

What has changed: the current enforcement environment

The ANSPDCP has shifted from a largely reactive posture to proactive, sector-led investigations. Historically, the DPA acted primarily on complaints. The current approach involves the authority opening investigations on its own initiative, drawing on signals from public sources, data breach notifications, and cross-border referrals from other EU supervisory authorities.

Several enforcement trends are now clearly established. First, the authority is paying close attention to the adequacy of consent mechanisms on websites and mobile applications. Cookie banners that do not meet the conditions set out under EU data protection legislation – freely given, specific, informed, and unambiguous consent – are a frequent trigger for investigation.

Second, the DPA is scrutinising cross-border data transfer arrangements. Transfers to third countries outside the European Economic Area must rest on a valid legal basis. Standard contractual clauses remain the most commonly used instrument, but the authority has issued findings against organisations that adopted these clauses without conducting the required transfer impact assessments.

Third, the boundary between a data controller and a data processor is under examination in joint-processing arrangements. Organisations that have not updated their processing agreements to reflect the actual allocation of responsibilities face a heightened risk of findings of non-compliance.

For technology companies operating across borders, understanding how Romanian data protection rules interact with AI-related processing is increasingly relevant. Our analysis of AI and technology law in Romania sets out the current regulatory position for automated decision-making and algorithmic systems.

Who is affected: threshold criteria and business categories

The ANSPDCP's recent enforcement actions have not been confined to large enterprises. Small and medium-sized businesses, non-profit organisations, and foreign companies with no physical establishment in Romania are all within the authority's remit if they process personal data of individuals located in Romania.

The following categories face the highest immediate exposure:

  • E-commerce operators and digital platforms collecting personal data from Romanian users
  • Healthcare providers and wellness applications processing special categories of data
  • Financial services firms subject to both data protection legislation and sectoral financial regulation
  • HR technology providers and employers processing employee data across multiple EU jurisdictions
  • Marketing and advertising companies relying on behavioural profiling and targeted communications

Foreign companies not established in Romania but offering goods or services to Romanian residents are required under EU data protection legislation to designate a representative in the EU. Failure to do so is itself a ground for enforcement. Organisations that process data at scale – or that handle sensitive personal data categories – must also maintain records of processing activities and, where applicable, appoint a data protection officer.

To receive an expert assessment of your organisation's data protection exposure in Romania, contact us at info@ferrazwhitmore.com.

What to do now: immediate actions for international companies

Organisations with Romanian data exposure should treat the following as priority actions in the current supervisory cycle.

Audit consent mechanisms. Review all consent collection points – website cookie banners, registration forms, marketing opt-ins – against the conditions required under data protection legislation. Pre-ticked boxes, bundled consents, and consent banners that make refusal more difficult than acceptance are all enforcement targets. Consent mechanisms must be renewed if they were implemented before the authority's recent guidance on valid consent was published.

Review data transfer arrangements. Identify every cross-border data transfer to countries outside the EEA. Confirm that each transfer rests on a valid legal basis. Where standard contractual clauses are used, verify that a transfer impact assessment has been completed and documented. Transfers relying solely on legacy mechanisms that have since been invalidated must be restructured immediately.

Update controller-processor agreements. Every processing relationship with a third-party service provider must be governed by a written agreement that meets the conditions required under data protection legislation. Generic terms of service are insufficient. Agreements must specify the subject matter, duration, nature, and purpose of the processing, and must allocate responsibilities clearly between data controller and data processor.

Verify records of processing activities. Organisations above the applicable threshold – and all organisations processing special categories of data – must maintain up-to-date records of processing activities. These records are the first document the DPA requests at the outset of any investigation. Gaps in records are treated as evidence of systemic non-compliance.

Confirm representative designation. Foreign companies processing Romanian residents' data without an EU establishment must confirm that a properly mandated representative is in place. The representative must be reachable by both the supervisory authority and data subjects. A nominal designation with no operational substance will not satisfy the DPA's requirements.

Full details of the data protection compliance regime applicable in Romania. This includes the obligations of controllers and processors under Romanian and EU data protection law. Are set out in our data protection advisory service for Romania. Organisations facing parallel enforcement environments across EU member states may also find our alert on data protection enforcement in Portugal directly relevant.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients on data protection and GDPR compliance across 46 jurisdictions. Our technology and data protection practice supports international companies, digital platforms, and in-house legal teams in managing regulatory exposure across the EU, including in Romania. Engaging a lawyer in Romania with cross-border data protection experience is essential when the DPA's supervisory scope extends across multiple processing relationships and jurisdictions. As an international law firm in Romania advising on GDPR compliance, Ferraz &. Whitmore combines Portuguese civil law expertise with English common law tradition to deliver results-oriented counsel on data controller obligations. Data processor arrangements, and cross-border data transfer compliance. For a preliminary review of your organisation's data protection position in Romania, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.