"Deloitte Legal conducted an analysis exercise on the application of the General Data Protection Regulation (GDPR) in ten Central and Eastern European countries, resulting in comprehensive material on the legal framework and on the preparation of the market and the authorities. Being the first study in the region, the document provides an overview of the GDPR impact on several key coordinates, such as the main challenges with regard to the application of GDPR, best practices, the relationship with supervisory and control authorities, sectoral initiatives or activities subject to data protection impact assessment obligations. The players in Romania thus have the opportunity to understand the dynamics and developments of the sector compared to the states in the region. One of the most relevant conclusions of the document is that, until now, the corresponding authority of each country has focused on compliance guidance, avoiding controls and fines. However, unlike the vast majority of other states, Romania has not developed enough guidelines for companies," says Georgiana Singurel, Partner with Reff and Associates, corresponding firm of Deloitte Legal in Romania.
The countries included in the study are Romania, Bulgaria, Lithuania, Latvia, the Czech Republic, Slovakia, Hungary, Poland, Croatia and Slovenia.
The main findings of the study
The main challenges identified by practitioners are the complexity of personal data protection mechanisms, especially in large organizations, and the involvement of many different functions within a company in the compliance process, which requires staff in each of them to become familiar with the new regulatory framework.
Other important challenges are difficulties in interpreting the notions of controller (the "operator" in Romanian legal terminology) and processor (Bulgaria, Czech Republic, Poland, Latvia), setting data retention periods (Czech Republic, Poland), excessive reliance on consent as a legal basis (Czech Republic, Poland, Lithuania) and keeping records of processing activities (Poland).
Among the best practices, the most significant are the use of dedicated IT systems to support processing activities (Bulgaria), publishing information on how data subjects can submit their requests on the controller's website (Latvia, Romania), adopting a data retention policy for recruitment data (Latvia), establishing an association of data protection officers (Lithuania) and setting higher security standards, e.g. encrypting documents attached to e-mails (Poland).
With regard to the relationship with the data protection authorities, some are very active, for example by publishing guidelines to clarify diverging interpretations or insufficiently regulated issues for market participants (Bulgaria, the Czech Republic, Lithuania, Poland, Slovakia, Slovenia). The authorities in Romania and Hungary have not yet issued sufficient guidance on problematic or ambiguous issues in the application of GDPR. In the vast majority of states no fines have been imposed and no inspections have been carried out, or, where they have, they are only in their early stages. Moreover, Slovakia has announced that it will only start carrying out inspections in 2019.
In almost all the states in the report, sectoral initiatives in the form of codes of conduct have been started or even successfully completed, for example in the Czech Republic and Poland. Romania is an exception, since it has no sectoral initiatives yet. These initiatives concern in particular the banking sector (Latvia), the medical sector (Czech Republic, Slovakia), small and medium-sized enterprises (Czech Republic), the retail industry (Czech Republic) and the legal profession (lawyers, in Bulgaria and Lithuania).
Relevant findings for Romania
Unlike other jurisdictions, one of the main challenges for Romania is the insufficient involvement of the supervisory authority in companies' compliance efforts: it has issued too few recommendations and public interpretations on the application of GDPR.
One common practice has been the tendency, in the absence of guidelines, to draft sophisticated and highly customised privacy notices, policies and other internal data protection documents. At the same time, as in other states, consent is overused as a legal basis for processing.
Organizational resistance has also been a major challenge in implementing GDPR, but understanding companies' business needs and providing tailored data protection training have ultimately proved very helpful in reducing that resistance.
Another challenge has been reconciling companies' business needs and their past data protection practices with the GDPR requirements without interrupting their business.
The Romanian supervisory authority has historically been less active than most other European authorities. We believe this has contributed to the lack of an established culture of, or education in, data protection, and also to the tendency for verification and monitoring of processing activities to stop once the implementation exercise is completed. By contrast, employee training, regular compliance checks and guidance on the measures implemented (policies, internal documents etc.) must be carried out continuously.
Unlike other EU authorities, the Romanian supervisory authority has not made any information publicly available about entities under investigation (or their sector of activity) or about any fines imposed for non-compliance with GDPR provisions.