Employee Data Privacy

Romania - GDPR National Laws

 Download as a PDF

GDPR Related National Laws & Modifications

The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:

  • provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
  • limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
  • “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).


arrowinsandDerogations in Romania

EU member nations are updating their current data protection policies to align with the GDPR. Romania’s Law no. 190/2018 implemented the GDPR in the country and set a few requirements that may impact employers, including requirements relating to automated data processing and employee monitoring. 


Under the law (Art. 5), employers can process personal data using electronic monitoring or video surveillance in the workplace to achieve legitimate interests pursued by the employer only if:

  • the legitimate interests pursued by the employer are duly justified and prevail over the interests or rights and freedoms of the data subjects (i.e., the employee);
  • the employer has provided employees with mandatory, complete and explicit information about the monitoring;
  • the employer has consulted the trade union or, if appropriate, employee representatives before implementing the monitoring systems;
  • other less intrusive ways to achieve the goal pursued by the employer previously have been proven ineffective; and,
  • the retention period of personal data is proportionate to the purpose, and is no longer than 30 days, except when expressly provided for by law or in duly justified cases.

samuel-zeller-242172In addition, under Law no. 190/2018 (Art. 3), the processing of genetic, biometric or health data for the purpose of automated decision-making or profiling is allowed with the explicit consent of the employee (or other data subject), or if the data is processed under specific legal provisions, as long as appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the individual. Note that as employee consent is often not considered valid under the GDPR due to the unequal relationship between the employer and employee, employers should use caution before processing genetic, biometric or health information on the basis of an employee or job applicant’s consent.

Prior to processing large scale personal employee data, a data protection impact assessment should be completed. Decision no. 174 of the 18th of October 2018, issued by the Supervisory Authority, on the list of type of processing operations which are subject to a data protection impact assessment (Art. 1) incudes any large scale processing of personal data of vulnerable individuals (e.g. children) and/or employees through automatic means of systematic monitoring and/or recording of behavior (including for the purpose of carrying out advertising, marketing and publicity activities).


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk