Skip to content
World Watch/Romania/Data & Privacy

Data & Privacy · Romania

Data protection & GDPR compliance in Romania (2026)

Comprehensive lawEU GDPR (Regulation 2016/679) directly applicable; national implementation via Law no. 190/2018; ePrivacy via Law no. 506/2004; supervised by ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)Country index 96 · A+

Romania shaded by its data & privacy status

Data protection in Romania: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable; national implementation via Law no. 190/2018; ePrivacy via Law no. 506/2004; supervised by ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal).

Romania applies GDPR directly as binding EU law, supplemented by Law no. 190/2018 which provides national-level implementing measures for specific processing situations such as national identification numbers, employee monitoring, and special-category data. The supervisory authority ANSPDCP is an independent public authority established under Law no. 102/2005 and has been actively issuing fines through 2025-2026, demonstrating sustained enforcement.

GDPR & data protection in Romania

In Romania, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the National Supervisory Authority for Personal Data Processing (ANSPDCP).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the National Supervisory Authority for Personal Data Processing (ANSPDCP)
Applies to
any organisation processing the personal data of people in Romania, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Romania supplements it with a national data-protection act and its own supervisory authority.

GDPR in Romania: FAQ

Does the GDPR apply in Romania?

Yes. As an EU/EEA member, Romania applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the National Supervisory Authority for Personal Data Processing (ANSPDCP).

Who enforces data protection law in Romania?

The National Supervisory Authority for Personal Data Processing (ANSPDCP).

What are the GDPR fines in Romania?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Romania?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Romania?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary legal framework

GDPR (Regulation 2016/679/EU) applies directly. Law no. 190/2018, published in Official Gazette no. 651/26.07.2018 and applicable from 31 July 2018, provides the national implementing measures required or permitted by the GDPR, including derogations and further specifications for Romania.

Supervisory authority, ANSPDCP

ANSPDCP (National Supervisory Authority for Personal Data Processing) is Romania's independent data protection authority, established by Law no. 102/2005. It handles complaints, conducts investigations, and issues corrective measures and fines for GDPR and Law 190/2018 violations, with enforcement actions documented through at least January 2026.

National-ID number & special-category data

Law 190/2018 imposes additional requirements for processing national identification numbers and special-category data (genetic, biometric, health). Processing of health/biometric data for automated decision-making or profiling requires explicit consent or an express legal basis; a DPO must be designated where a national ID number is processed on legitimate-interest grounds.

Employee monitoring

Law 190/2018 permits workplace video surveillance only where the employer's legitimate interests outweigh employees' rights. Employees must receive clear prior notification and the employer must consult the trade union or employee representatives before deploying monitoring measures.

ePrivacy, Law no. 506/2004

Law no. 506/2004 implements Directive 2002/58/EC (ePrivacy) for electronic communications. It requires prior opt-in consent for cookies (with narrow technical-necessity exemptions) and for unsolicited e-marketing, and obliges electronic communications providers to notify ANSPDCP of personal data breaches without undue delay.

Fines & enforcement activity

GDPR's standard fine tiers (up to €20 million or 4% of global turnover) apply in Romania. Law 190/2018 caps fines on public authorities at RON 200,000 (~€43,000). ANSPDCP has issued sanctions against banks (e.g., Raiffeisen Bank €150,000 for a data breach), marketing firms, and high-profile individuals (e.g., RON 50,000+ fine against Călin Georgescu in July 2025 for unlawful data collection).

Romania - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →