Data protection & privacy laws in Romania (2026)
Romania applies GDPR directly as binding EU law, supplemented by Law no. 190/2018, which provides national-level implementing measures for specific processing situations such as national identification numbers, employee monitoring, and special-category data. The supervisory authority, ANSPDCP, is an independent public authority established under Law no. 102/2005 and has been actively issuing fines through 2025–2026, demonstrating sustained enforcement.
Key points
GDPR (Regulation 2016/679/EU) applies directly. Law no. 190/2018, published in Official Gazette no. 651/26.07.2018 and applicable from 31 July 2018, provides the national implementing measures required or permitted by the GDPR, including derogations and further specifications for Romania.
ANSPDCP (National Supervisory Authority for Personal Data Processing) is Romania's independent data protection authority, established by Law no. 102/2005. It handles complaints, conducts investigations, and issues corrective measures and fines for GDPR and Law 190/2018 violations, with enforcement actions documented through at least January 2026.
Law 190/2018 imposes additional requirements for processing national identification numbers and special-category data (genetic, biometric, health). Processing of health/biometric data for automated decision-making or profiling requires explicit consent or an express legal basis; a DPO must be designated where a national ID number is processed on legitimate-interest grounds.
Law 190/2018 permits workplace video surveillance only where the employer's legitimate interests outweigh employees' rights. Employees must receive clear prior notification and the employer must consult the trade union or employee representatives before deploying monitoring measures.
Law no. 506/2004 implements Directive 2002/58/EC (ePrivacy) for electronic communications. It requires prior opt-in consent for cookies (with narrow technical-necessity exemptions) and for unsolicited e-marketing, and obliges electronic communications providers to notify ANSPDCP of personal data breaches without undue delay.
GDPR's standard fine tiers (up to €20 million or 4% of global turnover) apply in Romania. Law 190/2018 caps fines on public authorities at RON 200,000 (~€43,000). ANSPDCP has issued sanctions against banks (e.g., Raiffeisen Bank €150,000 for a data breach), marketing firms, and high-profile individuals (e.g., RON 50,000+ fine against Călin Georgescu in July 2025 for unlawful data collection).
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.