Regina Mühlich

Germany & Romania – comparison of data protection

Law no. 677/2001 governs the protection of persons in terms of the processing and disclosure of personal data in Romania. The law entered into force on 12 December, 2001. Following the foundation of the Data Protection Authority (see Point 8 for contact data), Law no. 102/2005 introduced amendments.

Law no. 677/2001, like the Federal Data Protection Act (BDSG), is a prohibitive law. Exceptions to the processing of personal data (allowing facts under BDSG) are:

  • Contract fulfilment
  • Statistics
  • Data accessible to public

1. Definitions

Law no. 677/2001 defines processors as natural or juristic persons under private or public law (including authorities).

Special types of data are data with identification functionality, data providing information on the state of health (health data) and criminal offense and misdemeanour data.

Processing of data relating to race or ethnicity, political opinion, religious or philosophical conviction, membership of unions, health or sexual orientation is prohibited in principle. Provided no exception has been granted (permission granted).
Rights of the affected parties
In terms of collection, processing and use of personal data, affected persons have a right to

  • Information
  • Access
  • Editing
  • Objection
  • Complaint
  • Right to complain to the data protection authority

2. Order data processing (ADV)

ADVs will typically be carried out by data centres, printing shops, typing pools, collection companies, back-up service providers, call centres, service technicians, external administrators….to name but a few.

What is typical of order data processing?

  • The contractor has no decision-making authority (order data processor)
  • Support dependant on instructions
  • No (contractual) relationship between contractor and the affected party
  • Handling of data restricted to data the client makes available to the contractor for processing as per order, within the ADV framework.

An agreement pursuant to § 11 BDSG on the processing of personal data as per order shall be entered into with the order data processor or contractor.

3. Order data processing in Romania

“Order data processing by a contractor not residing within the area of validity of the Federal Data Protection Act (BDSG) shall be assessed pursuant to § 11 BDSG as well. The transfer rules applying to the client may then, however, be ignored, since foreign customers are not third parties in the EU and EEA as per § 3 Para. 8 sentence 3 BDSG, […]” (Bergmann/Möhrle/Herb, Datenschutzrecht, § 11 margin no. 14).

An agreement pursuant to § 11 BDSG on the processing of personal data as per order shall be entered into with the order data processor or contractor.

3.1 Requirements for agreements on the processing of personal data on order (ADV) – EU-RL and Romanian Data Protection Law:

  • Responsible: Client (controller)
  • Written form requirement
  • Contractor (processor) bound by instructions
  • Technical organisational measures: Availability, integrity, confidentiality

Especially the requirements of § 11 Para. 2 BDSG shall be agreed and included in ADV contracts, viz.:

  • subject matter and duration of the order,
  • scope, type and purpose of the envisaged collection, processing or utilisation of data, the type of data and the group of affected persons,
  • technical and organisational measures required under § 9,
  • correction, deletion and blockage of data,
  • the duties of the contractor under Paragraph 4, especially the control he will be required to exercise,
  • possible authorisation justifying sub-contracting conditions
  • the client’s rights of control and the corresponding duties of the contractor to tolerate and cooperate,
  • violations by the contractor or his employees of regulations for the protection of personal data or of stipulations under the order
  • the scope of the authority the client reserves in terms of issuing directives to the contractor,
  • return of data carriers handed over and deletion of stored data in the possession of the contractor after completion of the order.
  • The technical and organisational measures under § 9 BDSG and Annex shall then also be agreed in this context.

3.2 Technical and organisational measures

Security line (EU-RL [EU Directive] and Law No. 677/2001):

  • Confidentiality
  • Integrity
  • Availability

TOM (§ 9 BDSG):

  • Entry control
  • Access control
  • Data access control
  • Distribution control
  • Input control
  • Order control
  • Availability control
  • Data separation control

The demands the Federal Data Protection Act makes on the technical and organisational measures are more comprehensive than those of the Romanian Data Protection Act.

The measures required have not been combined in a single article as in the BDSG. Virtually all 35 articles of the Romanian Data Protection Act refer to security objectives. These often state “only” that “appropriate measures shall be taken”.

4. Problems in practice

  • Language problems:
    Detour via English translations
  • Often inadequate sensitivity to data protection laws.
    (applies to Germany and also to other EU countries)
  • The German Data Protection Act goes beyond the Romanian, such as e.g. § 9 BDSG.
  • There is no such thing as a data protection officer in Romania. Only “contact persons” for ADV agreements.
  • 11 Para. 2 BDSG “The client shall, before the start of order processing and at regular intervals, satisfy himself that the technical and organisational measures the contractor has put in place are complied with. The result shall be documented.”
    Inspections on site will often not be avoidable.
    It is important here that the scope and subject matter of inspection are agreed in advance and a corresponding audit plan is drawn up.
  • Implementation and control of technical/organisational measures will be problematic. The technical and organisational measures demanded by the BDSG are more comprehensive than the Romanian demands on security objectives.
    It is therefore imperative that these are precisely defined in the ADV agreement and also explained where necessary.

5. Conclusion

Data protection does not stop at borders. Data protection legislation and the legal requirements of other countries may differ considerably.

Globally operating companies must consider the requirements of each of the EU member states. Whilst the General Data Protection Regulation (GDPR) has not yet entered into effect, companies are obligated to comply with the requirements of the specific country.

The General Data Protection Regulation (GDPR) will enter into effect on 25 May 2018.
Applicable until then:
Be fully aware of data protection – both here and in foreign countries.

6. Links

Romanian Data Protection Act: Law No. 677/2001
BDSG: Federal Data Protection Act
AHK: German-Romanian Chamber of Trade and Industry
BayLDA: Order data processing pursuant to § 11 BDSG

President of the National Supervisory Authority for Personal Data Processing
Ms. Georgeta Basarabescu
28-30 G-ral Gheorghe Magheru Bld.,
District 1, post code 010336

Web page:
(available in English and French – select language, top right)


(Author: Regina Mühlich)