As part of the European Union, Romania has adopted legislation on the protection of personal data. According to the General Data Protection Regulation, personal data is any information relating to an identified or identifiable natural person. The various pieces of information which, taken together, can lead to the identification of a specific person also constitute personal data.
Personal data that has been anonymised, encrypted or pseudonymised but can be used to re-identify an individual remains personal data and is covered by the GDPR.
Personal data that have been rendered anonymous in such a way that the individual is not or is no longer identifiable are no longer considered personal data. For data to be truly anonymised, anonymisation must be irreversible.
The GDPR protects personal data regardless of the technology used to process that data – it is “technology neutral” and applies to both automated and manual processing, provided that the data is organised according to predefined criteria (e.g. alphabetically). It also does not matter how the data is stored – in an ICT system, by video surveillance or on paper; in all these cases, personal data is subject to the protection requirements formulated in the GDPR.
Examples of personal data:
- a first and last name;
- a home address;
- an e-mail address;
- an identity card number;
- location data (e.g. from the location data function available on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie identifier;
- your phone’s advertising identifier;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Rights of individuals with regard to the processing of personal data
You have the right to:
- receive information about the processing of your personal data;
- obtain access to personal data held about you;
- request the correction of inaccurate, incorrect or incomplete personal data;
- request deletion of personal data when they are no longer needed or if their processing is unlawful;
- object to the processing of your personal data for marketing purposes or for reasons related to your particular situation;
- request restriction of the processing of your personal data in certain cases;
- receive your personal data in a machine-readable format and send it to another controller (“data portability”);
- request that decisions based on your personal data which relate to you or significantly affect you be taken by individuals, not exclusively by computers. In this case, you also have the right to express your point of view and challenge the decision.
To exercise your rights, you should contact the company or organisation processing your data (i.e. the data controller). If the company/organisation has a Data Protection Officer (DPO), you can address your request to this DPO. The company/organisation must respond to requests without undue delay and at the latest within one month. If the company/organisation does not intend to comply with your request, it must give reasons for the refusal. You may be asked to provide information to confirm your identity (e.g. click on a verification link, enter a username or password) in order to exercise your rights.
These rights apply throughout the EU, regardless of where the data is processed and where the company is based. These rights also apply when you buy products and services from non-EU companies operating in the EU.