RDPA issues wide reaching decision on investigation procedures

Romania

The Romanian National Authority for the Supervision of Personal Data Processing (the “RDPA”) recently issued Decision no. 161/2018 regulating personal data investigation procedures (the “Investigations Regulation”).

The Investigations Regulation sets out the RDPA’s investigative powers, the categories of investigations it may conduct, and the associated procedural requirements.

I. Types of investigations

The Investigations Regulation gives the RDPA broad discretion in conducting personal data investigations. Investigations may be performed:

  1. ex officio (at the initiative of the RDPA) or following a third party complaint;
  2. on site at the location(s) of the audited entity, at the RDPA’s headquarters, or through written correspondence; and
  3. with or without prior notification of the audited entity.

II. The RDPA’s investigative powers during an on-site investigation

The RDPA is entitled to carry out on-site investigations at the headquarters, working points or any other locations where the audited entity carries out its activity, or at locations related to the audited data processing operation.

During an on-site investigation, RDPA investigators have wide-reaching powers, including:

  1. to verify any document, device, equipment, data storage or other means necessary for the investigation;
  2. to take any document or relevant records related to the scope of the audit;
  3. to request police assistance if the audited entity opposes the investigation, or if there are indications that the audited entity will oppose the investigation;
  4. to seal any documents which may be relevant to the investigation; and
  5. to depose/hear any individual whose testimony may be relevant and necessary for the investigation.

On-site investigations must be conducted between 8.00 am and 6.00 pm, unless the audited entity consents to extended hours.

III. Obligations of the audited entity

Pursuant to the Investigations Regulation, the audited entity has the following main obligations during investigations:

  1. to allow the RDPA investigators to initiate and perform the investigation and provide necessary support in relation to the investigation;
  2. to ensure that the RDPA investigators have access to the location(s) in which activity is performed, and to any equipment, device, storage or processing medium, including those used remotely;
  3. make available any information/documents necessary for the purposes of the investigation, irrespective of the medium on which they are stored;
  4. provide complete documentation, information, files and records as requested, and any necessary clarifications, without being able to invoke confidentiality except as provided by law (no specific law mentioned);
  5. to allow the RDPA investigators to use audio-visual/photo equipment where necessary.

If the RDPA is prevented in any manner from exercising its prerogatives, the RDPA may request judicial authorisation to proceed with the audit.

IV. Conclusions of an RDPA investigation

Following the investigation, the RDPA may issue warnings or fines if it identifies a breach of data protection regulations. Fines not been paid within 15 days from communication may be enforced immediately. Challenging a fining decision suspends payment of the fine pending a resolution of the challenge in court. A challenge against an RDPA sanctioning decision may be filed within 15 days as from communication.

The RDPA is also entitled to impose remedial actions and make recommendations for compliance. The RDPA may also impose delay penalties of up to 3,000 RON/day for each day of delay in implementing its corrective/remedial actions or if the audited entity refuses to provide the requested documents and information or to submit itself to the investigation.

For further information on this subject, please contact Cristina Popescu.