Ooni Koda
  1. Home
  2. /
  3. Newsfeed
  4. /
  5. GDPR: Investigation Procedure

GDPR: Investigation Procedure

November 7, 2018

By Cristina BOJICA, Partner, GRUIA DUFAUT Law Office The entry into force, on 25 May 2018, of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, has determined not only compliance efforts made by data controllers, but also the regulation of the operation of the national supervisory body, namely the National Supervisory Authority for the Processing of Personal Data (ANSPDCP), which will investigate potential violations of the specific legislation. The investigation procedure that the ANSPDCP will have to comply with has recently been published in Official Journal no. 892 of 23 October 2018.   The Investigation Procedure ANSPDCP is authorized to start surveillance and legality monitoring investigations either ex officio or as a result of a prior complaint made by any concerned persons against a data controller. Ex officio investigations may be carried out either following a notification regarding a personal data security breach or for the purpose of checking certain data and information relating to personal data processing, obtained by ANSPDCP from sources other than those referred to in the complaint. Ex officio investigations may also be conducted on the basis of notifications or information provided by another supervisory or public authority. Also, ex officio investigations may also take the form of data protection audits. Investigations following a complaint are initiated by the authority as a result of the receipt of a complaint about a potential violation of the law by a data controller. In both cases, investigations can be conducted: on site, at the headquarters of the institution, in writing or at the headquarters of the authorities/public bodies. Detailed procedures are stipulated for each type of investigation. These procedures also stipulate the rights and obligations of the entities under investigation and how penalties for the violation of data protection provisions are applied. Thus, during on-site investigations (held at the headquarters, domicile, working point of the entity under investigation or in other premises where the entity operates), the inspectors may propose: The elaboration of an expert report; That the persons whose statements are considered relevant and necessary for the purposes of the investigation be heard; The application of one of the penalties provided by the law. For this purpose, the investigation report is both a debt instrument and a payment notice. If the inspectors are prevented from carrying out the investigation, ANSPDCP may request the issuance of a judicial authorization. A copy of the judicial authorization will be notified to the audited entity before the start of the investigation and, although it may be challenged before the High Court of Cassation and Justice, the dispute does not suspend the enforcement of the judicial authorization. Police intervention may also be requested. The investigations carried out at the headquarters of the Supervisory Authority are conducted on the basis of a notice sent to the representatives of the data controller under investigation. The notice must mention the obligation of the investigated entity to send documents, relevant registers and computer equipment to ANSPDCP headquarters, depending on the purpose of the investigation. As an exception, when the evidence is deemed sufficient to finalize the investigation, the law authorizes the conclusion of the investigation/penalty report at the headquarters of the authority without convening the representatives of the audited entity. Written investigations are conducted on the basis of a letter sent by the authority to the entity under investigation, whereby the authority requests the information, data and documents needed to resolve the case under investigation. The entity under investigation is required to answer in writing and attach evidence to the said answer in compliance with the deadline set by the National Supervisory Authority. Depending on the answer, the Authority may decide to continue the investigation in writing or on site, or even to finalize the investigation, by concluding an inspection/penalty report, at the headquarters of ANSPDCP.   Penalties The main penalties applied by the National Supervisory Authority for the Processing of Personal Data are the warning and the fine. Moreover, the National Supervisory Authority may issue a warning to the investigated entity, if the controller might violate the law through the personal data processing operations it intends to perform. Penalties are applied according to the investigation/penalty report concluded by the inspectors. If the amount of the fine exceeds the Lei equivalent of 300,000 Euros, the penalty will be applied according to the decision of the President of ANSPDCP. In addition to the penalties stipulated by law, the National Supervisory Authority for the Processing of Personal Data may order other corrective measures and make recommendations. www.gruiadufaut.com    

The post GDPR: Investigation Procedure appeared first on Nine O' Clock.

The text of this article has been partially taken from the publication:
https://www.nineoclock.ro/2018/11/07/gdpr-investigation-procedure/
Read in full - click here
Little London International Academy boosts high school capacity by 30% for the 2025-2026 academic year with a EUR 3 mln expansion project

“Little London” Theoretical High School, a private educational institution in Romania that values the Romanian educational system, has started construction work for the expansion of its school campus located in Voluntari, on Erou Iancu Nicolae Street. This initiative will increase high school capacity by 30% starting from the 2025-2026 academic year. In this context, the […]

Iron Maiden to bring ‘Run For Your Lives’ tour to Bucharest in 2026

British heavy metal band Iron Maiden will perform at Bucharest’s National Arena on May 28, 2026, as part of their “Run For Your Lives” anniversary world tour, promoter Emagic announced on Thursday, September 18. The concert will feature a career-spanning setlist highlighting defining moments from the group’s five-decade history, accompanied by what organizers described as […]

Three out of four Romanians believe Ukraine war greatly impacts Romania, survey shows

Three-quarters of Romanians believe that the war in Ukraine affects Romania to a very great and fairly great extent, according to the third edition of the Informat.ro barometer by INSCOP Research, carried out between September 1 and 9. The monthly survey, which aims to bring to public attention topics of interest, shows that “opinions are […]

Romanian investor reportedly buys Bucharest’s emblematic Scala building

Daniela Schoppmeyer, the majority shareholder and general manager of Faberrom, a company that took over in the 1990s most of the spaces of the former APACA clothing factory in western Bucharest, is the new owner of half of the emblematic Scala residential block, on Magheru Boulevard, Profit.ro reported. Schoppmeyer...

Bucharest Parking Company reports strong results, adds over 12,400 new parking spaces in H1

The Bucharest Municipal Parking Company (CMPB) inaugurated 189 new parking facilities with more than 12,400 spaces in the first half of 2025, while revenues from parking fees rose 20% year-on-year to RON 50.4 million (roughly EUR 10 million), the company said on Thursday, September 18.  CMPB reported a net profit of RON 28.3 million for January–June […]

Romanian project creates seagrass meadows, artificial reefs in the Black Sea

Romania has inaugurated underwater seagrass meadows and artificial reefs in the Black Sea as part of a major restoration project aimed at curbing erosion and reviving marine biodiversity, the National Administration “Apele Române” said. More than 20 hectares of seabed have already been planted with Zostera noltii seagrass and transplanted with Cystoseira barbata seaweed, creating […]