
Data Protection Compliance in Romania: Legal Framework and Obligations

A German software company launches a Romanian subsidiary to handle customer support for Central and Eastern Europe. Within weeks, it is collecting employment records, processing client contact data, and transferring information to servers outside the EU. No privacy notices have been published. No consent mechanism is in place. Romania's supervisory authority receives a complaint. The window for voluntary remediation has already closed.

Data protection compliance in Romania is governed by the EU General Data Protection Regulation (GDPR) as directly applicable law, supplemented by Romanian national data protection legislation that adapts and specifies the regulation's optional provisions. Every organisation that acts as a data controller or data processor in Romania – or that targets Romanian residents from outside the country – must maintain a documented compliance programme. The Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP, Romania's national supervisory authority, referred to here as the DPA) enforces these obligations and may impose administrative fines calculated as a percentage of annual global turnover.

This guide walks through the procedural steps for building a compliant data protection programme in Romania, from the initial data audit to cross-border transfer safeguards. It addresses the documentary checklist, typical timelines, cost ranges, and the decision points that differ for different business models.

The regulatory setting: what Romanian law adds to the GDPR

The GDPR applies directly across Romania without requiring transposition. However, Romanian data protection legislation addresses the areas where the regulation grants member states discretion. These include the minimum age for valid consent by minors, specific rules for processing employee data, and conditions under which health and biometric records may be handled without consent.

Under Romanian employment legislation, employers have defined – but limited – grounds to monitor staff communications and location data. The rules are stricter than what many international businesses assume. Processing that would be routine under US employment law may require a separate legal basis and employee notification under Romanian data protection legislation.

The ANSPDCP also issues binding guidance on sector-specific matters, including online behavioural advertising, CCTV in workplaces, and health data processed by private clinics. This guidance does not have the force of statute, but the DPA treats departures from it as indicators of non-compliance. Practitioners in Romania note that following ANSPDCP guidance proactively is a more effective risk management strategy than relying on the literal text of the regulation alone.

For businesses operating across multiple EU jurisdictions, Romania follows the GDPR's one-stop-shop mechanism. If the organisation's main establishment is in another EU member state, the lead supervisory authority of that state coordinates enforcement. However, the ANSPDCP retains jurisdiction over local complaints and cross-border matters where Romanian residents are affected. This distinction matters when deciding where to locate the EU representative or the main establishment of a data controller group.

Companies building AI-driven products that process personal data in Romania should also consider how AI regulation intersects with data protection obligations. Our analysis of AI law in Romania sets out the emerging regulatory requirements that apply alongside the GDPR to automated decision-making and profiling activities.

Step-by-step compliance procedure: from audit to ongoing maintenance

Achieving GDPR compliance in Romania is a project, not a single filing. The steps below apply to an international business establishing or formalising its compliance programme. Each step has a defined output document and a realistic time estimate.

Step 1 – Data mapping and processing inventory (two to three weeks). The first task is identifying every category of personal data the organisation collects, holds, or transmits. This includes customer data, employee records, supplier contact information, and any data obtained through third-party integrations. The output is a Registrul activitatilor de prelucrare (Record of Processing Activities – RPA), which every data controller and data processor must maintain under data protection legislation. The RPA must identify the purpose of each processing activity, the legal basis relied upon, the categories of data subjects, retention periods, and the identity of any recipients including processors and sub-processors.

A common error at this stage is treating the RPA as a one-time exercise. In practice, the record must be updated whenever a new processing activity begins or an existing one materially changes. Organisations that treat it as a static document routinely fail during ANSPDCP inspections.

Step 2 – Legal basis assessment (one to two weeks). For each processing activity identified in the RPA, the organisation must select and document a valid legal basis. Romanian data protection legislation follows the GDPR's six lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The legitimate interests basis requires a balancing test. The organisation must document why its interests are not overridden by the rights of data subjects.

Consent as a legal basis is often overused by foreign businesses entering Romania. Consent is appropriate only where the data subject has a genuine free choice and can withdraw without detriment. Relying on consent for processing that is actually necessary for a contract – such as processing a delivery address to fulfil an order – creates compliance risk. If consent is later withdrawn, the legal basis for the processing activity collapses entirely.

Step 3 – Privacy documentation (two to four weeks). The core documents required under Romanian data protection legislation are: a privacy notice for data subjects (covering customers and website visitors, with a separate notice for employees); internal data protection policies; data processing agreements with all processors; and, where applicable, records of data subject requests and responses. Privacy notices must be written in clear, plain language. Notices translated mechanically from English templates often fail this standard in Romanian-language contexts.

Data processing agreements must be concluded before a processor handles any personal data. This requirement catches many international businesses. A software vendor, payroll provider, or cloud hosting service is a processor if it handles personal data on the controller's behalf. The agreement must specify the subject matter, duration, nature, and purpose of the processing. Verbal or implied arrangements do not satisfy the legislative requirement.

Step 4 – Data Protection Officer appointment, where required (one week). The DPO obligation applies when processing is systematic and large-scale, involves regular monitoring of individuals, or concerns special categories of data. The DPO must be designated in writing. Their contact details must be published in the privacy notice and communicated to the ANSPDCP. The DPO cannot receive instructions on how to perform their tasks and must have access to senior management.

Many mid-sized businesses in Romania appoint an external DPO through a law firm or specialist consultancy. This is expressly permitted under data protection legislation. An external DPO must have a written service contract, documented access to all processing activities, and adequate time allocated to the engagement. A nominal appointment without substantive involvement does not satisfy the requirement.

Step 5 – Data Protection Impact Assessment for high-risk activities (two to four weeks, where applicable). An Evaluare a impactului asupra protectiei datelor (Data Protection Impact Assessment – DPIA) is mandatory before beginning any processing that is likely to result in a high risk to data subjects. ANSPDCP guidance identifies categories that presumptively require a DPIA: systematic profiling, large-scale processing of special categories, systematic monitoring of public areas, and processing involving new technologies.

The DPIA must describe the processing, assess the necessity and proportionality of the activity, identify the risks, and set out the measures taken to address them. Where the residual risk remains high after mitigation, the organisation must consult the ANSPDCP before beginning processing. This prior consultation process can add four to eight weeks to the project timeline for affected activities.

Step 6 – Cross-border data transfer safeguards (one to three weeks). Romanian businesses frequently transfer personal data outside the EU – to parent companies, to cloud providers with non-EU infrastructure, or to clients in third countries. Each such data transfer requires a specific legal mechanism under data protection legislation.

The available mechanisms include adequacy decisions covering certain third countries, Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules for intra-group transfers, and, in limited circumstances, derogations such as explicit consent or contractual necessity. Standard Contractual Clauses are the most widely used mechanism for Romania-based organisations. However, their use must be supplemented by a transfer impact assessment evaluating whether the law of the destination country undermines the protections the clauses provide.

A non-obvious risk at this stage is cloud infrastructure. Many businesses assume that using a major cloud provider with EU data centres resolves all transfer concerns. In practice, sub-processors may operate servers outside the EU, and support access from non-EU locations may constitute a transfer. The controller must map these flows and ensure transfer mechanisms cover each one.

Step 7 – Incident response procedures and breach notification (one to two weeks). Romanian data protection legislation requires controllers to notify the ANSPDCP of personal data breaches within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Processors must notify their controllers without undue delay. Where the breach is likely to result in high risk, the affected data subjects must also be informed directly.

The 72-hour window is tight. Organisations without a documented incident response procedure regularly miss it. The procedure must define who assesses potential breaches, what information must be gathered, who approves the notification, and how the notification is submitted to the ANSPDCP's online portal. A tabletop exercise – running through a simulated breach before one occurs – is one of the most cost-effective compliance investments available.

Step 8 – Staff training and ongoing maintenance (recurring). A compliance programme that exists only on paper will not withstand an ANSPDCP inspection. All staff who handle personal data must receive training appropriate to their role. Training records must be kept. The compliance programme must be reviewed at least annually and whenever a material change in processing activities occurs.

For a tailored strategy on data protection compliance in Romania, reach out to our data protection practice in Romania or contact us directly at info@ferrazwhitmore.com.

Common errors by foreign businesses and their consequences

International businesses entering Romania repeat a recognisable set of mistakes. Understanding them before starting the compliance project significantly reduces remediation costs later.

Assuming home-country compliance transfers automatically. A business compliant with German, French, or US privacy law is not automatically compliant in Romania. The GDPR baseline is shared across the EU, but Romanian national legislation introduces specific requirements – particularly in employment and health data contexts – that differ from other member states. Starting with a Romania-specific gap analysis, rather than adapting an existing group policy, saves substantial rework.

Inadequate vendor management. Many foreign businesses enter Romania through partnerships with local distributors, resellers, or HR providers. These third parties frequently handle personal data on the foreign company's behalf. Without a data processing agreement in place, the foreign company is exposed as a controller that has failed to mandate adequate processing conditions. The ANSPDCP holds controllers responsible for their processors' compliance failures where the agreement is absent or incomplete.

Relying on English-language privacy notices. Romanian data protection legislation does not expressly require notices in the Romanian language. However, the requirement for clear and plain language is interpreted in light of the data subject's reasonable expectations. A Romanian consumer presented with an English-language privacy notice has a credible argument that the notice did not provide intelligible information. ANSPDCP enforcement actions have addressed inadequate transparency in local-language contexts.

Underestimating the scope of special category data. Health data, biometric data, and data revealing trade union membership are subject to heightened protection. Processing these categories without a specific additional legal basis – beyond one of the standard six – is a serious violation. Businesses operating wellness programmes, using fingerprint access controls, or providing health insurance as an employee benefit frequently process special category data without recognising that the standard legal basis framework does not apply.

Neglecting data subject rights procedures. Data subjects in Romania have the right to access their data, correct it, erase it, restrict processing, and object to certain uses. Requests must be answered within one calendar month, extendable by a further two months for complex cases. Many businesses have no process for receiving, logging, and responding to these requests. A flood of requests following a media event or product controversy can overwhelm an unprepared organisation and generate secondary enforcement exposure.

Self-assessment checklist and decision framework

The compliance path is not identical for every business. The following checklist helps determine the scope and priority of the compliance project.

This compliance programme is immediately necessary if:

  • The organisation collects personal data from Romanian residents, whether online or in person.
  • The organisation employs staff based in Romania, even through a third-party employer of record.
  • The organisation transfers personal data outside the EU as part of normal business operations.
  • The organisation uses automated decision-making or profiling that affects individuals.
  • The organisation processes health, biometric, or other special category data.

Before beginning the compliance project, verify:

  • Whether the organisation's main establishment is in Romania or another EU member state – this determines which supervisory authority leads enforcement.
  • Whether an EU representative must be appointed – required for non-EU controllers targeting EU residents without an EU establishment.
  • Whether a DPO is mandatory given the nature and scale of processing.
  • Whether any processing activities require a DPIA before commencing.
  • Whether all existing vendor contracts contain compliant data processing clauses.

Decision framework by business type:

E-commerce business selling to Romanian consumers from outside the EU. The organisation is a data controller subject to GDPR. It must appoint an EU representative based in an EU member state, publish a compliant privacy notice, establish a consent mechanism for any cookie-based tracking, and implement Standard Contractual Clauses or another transfer mechanism for any data sent outside the EU. The ANSPDCP can receive and act on complaints from Romanian consumers regardless of where the controller is established.

Romanian subsidiary of an international group. The subsidiary is likely both a controller (for its own processing, such as HR) and a processor (for group data it handles on behalf of the parent). Both roles require separate documentation. The group must decide whether to use Binding Corporate Rules or Standard Contractual Clauses for intra-group transfers. The subsidiary's DPO – if one is required – must be operationally independent even if employed or retained by the group.

Software-as-a-service provider with Romanian enterprise clients. The provider is a processor in relation to its clients' data. It must be able to produce a compliant data processing agreement on request. It must assist clients in responding to data subject rights requests and breach notifications. Sub-processors – including cloud infrastructure providers – must be listed and covered by back-to-back agreements. Many SaaS providers underestimate this last requirement until a client's legal team conducts a vendor audit.

Businesses building or deploying AI systems that process personal data in Romania face an additional layer of obligations. Our guide on AI law and regulation in Romania covers the intersection of the EU AI Act with GDPR requirements, including rules on automated decision-making and high-risk AI system deployment.

For a preliminary review of your data protection compliance position in Romania, email info@ferrazwhitmore.com.

Frequently asked questions

Q: Does a foreign company operating in Romania need to appoint a Data Protection Officer?

A: A Data Protection Officer is mandatory when processing is carried out on a large scale, involves systematic monitoring of individuals, or concerns special categories of data such as health or biometric records. Foreign companies that process Romanian residents' data as part of their core activities typically meet this threshold. The DPO must have specialist knowledge of data protection law and can be an external consultant rather than an employee.

Q: How long does it take to achieve GDPR compliance in Romania from scratch?

A: A focused compliance project for a mid-sized international business typically takes between eight and sixteen weeks. The timeline depends on the volume of data processing activities, the complexity of third-party vendor relationships, and whether a Data Protection Impact Assessment is required. Drafting internal policies and training staff are the steps most frequently underestimated in terms of time.

Q: What is the role of Romania's supervisory authority, and how does it enforce the rules?

A: The Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) is Romania's national supervisory authority under data protection legislation. It handles complaints, conducts investigations, and issues corrective orders or administrative fines. Engaging a lawyer in Romania with data protection expertise before a complaint is filed – rather than after – significantly reduces the risk of formal enforcement proceedings.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international businesses in building and maintaining GDPR compliance programmes across EU member states, including Romania. We combine Portuguese civil law expertise with English common law tradition to deliver practical, cross-border data protection solutions, from initial audits and RPA drafting through to DPO services, DPIA support, and representation before national supervisory authorities. As a law firm in Romania with a European base, we assist multinational clients, technology companies, and institutional investors who require results-oriented counsel across multiple legal systems. Our team has advised on data transfer mechanisms, special category data processing, and enforcement response in both civil law and common law settings. To discuss your data protection compliance requirements in Romania, contact us at info@ferrazwhitmore.com.

For a comparative perspective on data protection obligations across the EU, our guide to data protection compliance in Portugal sets out the parallel framework that applies in the Portuguese jurisdiction.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.