Data & Privacy · Romania
Data protection & GDPR compliance in Romania (2026)
Romania shaded by its data & privacy status
Data protection in Romania: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable; national implementation via Law no. 190/2018; ePrivacy via Law no. 506/2004; supervised by ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal).
Romania applies GDPR directly as binding EU law, supplemented by Law no. 190/2018 which provides national-level implementing measures for specific processing situations such as national identification numbers, employee monitoring, and special-category data. The supervisory authority ANSPDCP is an independent public authority established under Law no. 102/2005 and has been actively issuing fines through 2025-2026, demonstrating sustained enforcement.
GDPR & data protection in Romania
In Romania, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the National Supervisory Authority for Personal Data Processing (ANSPDCP).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the National Supervisory Authority for Personal Data Processing (ANSPDCP)
- Applies to
- any organisation processing the personal data of people in Romania, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Romania supplements it with a national data-protection act and its own supervisory authority.
GDPR in Romania: FAQ
Yes. As an EU/EEA member, Romania applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the National Supervisory Authority for Personal Data Processing (ANSPDCP).
The National Supervisory Authority for Personal Data Processing (ANSPDCP).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
GDPR (Regulation 2016/679/EU) applies directly. Law no. 190/2018, published in Official Gazette no. 651/26.07.2018 and applicable from 31 July 2018, provides the national implementing measures required or permitted by the GDPR, including derogations and further specifications for Romania.
ANSPDCP (National Supervisory Authority for Personal Data Processing) is Romania's independent data protection authority, established by Law no. 102/2005. It handles complaints, conducts investigations, and issues corrective measures and fines for GDPR and Law 190/2018 violations, with enforcement actions documented through at least January 2026.
Law 190/2018 imposes additional requirements for processing national identification numbers and special-category data (genetic, biometric, health). Processing of health/biometric data for automated decision-making or profiling requires explicit consent or an express legal basis; a DPO must be designated where a national ID number is processed on legitimate-interest grounds.
Law 190/2018 permits workplace video surveillance only where the employer's legitimate interests outweigh employees' rights. Employees must receive clear prior notification and the employer must consult the trade union or employee representatives before deploying monitoring measures.
Law no. 506/2004 implements Directive 2002/58/EC (ePrivacy) for electronic communications. It requires prior opt-in consent for cookies (with narrow technical-necessity exemptions) and for unsolicited e-marketing, and obliges electronic communications providers to notify ANSPDCP of personal data breaches without undue delay.
GDPR's standard fine tiers (up to €20 million or 4% of global turnover) apply in Romania. Law 190/2018 caps fines on public authorities at RON 200,000 (~€43,000). ANSPDCP has issued sanctions against banks (e.g., Raiffeisen Bank €150,000 for a data breach), marketing firms, and high-profile individuals (e.g., RON 50,000+ fine against Călin Georgescu in July 2025 for unlawful data collection).
Romania - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →