A complete guide to the obligations that apply to the processing of personal data. Non-compliance with these obligations can lead to fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

All You Need to Know About GDPR
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (referred to below as the "GDPR" or "the Regulation") was adopted on April 27, 2016 and has applied directly in all Member States since May 25, 2018. Since then, businesses, sole traders, and any other organisation that handles personal data have faced growing compliance challenges.
These entities are subject to a series of obligations, and failure to comply with them can lead to significant fines.
Learn about the categories of personal data whose processing is inherent in conducting any economic activity and the measures you can take to legally collect personal data.
Furthermore, the processing of certain sensitive personal data is generally prohibited, which requires heightened attention.
This article also addresses situations where you must seek and obtain prior consent for data processing.
Keep reading to discover all the essential information about handling personal data in the course of your business operations.
Contact us via email at office@cristinatudor.ro to ensure that you process personal data legally within your activities.
Contents:
1. What is personal data?
2. What does data processing mean, and how do we legally process personal data? GDPR for individuals and for legal entities.
3. Special categories of personal data and their processing.
1. What is personal data?
Before looking at the main obligations placed on economic operators, it is essential to understand what the Regulation means by personal data.
According to Article 4(1) of the GDPR, personal data is any information relating to:
(i) an identified natural person; or
(ii) an identifiable natural person.
The definition is deliberately broad: it covers information about a person whose identity is already clear as well as information about a person who can be identified with the help of additional information.
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as:
(i) a name, a national identification number, location data, or an online identifier (for example, the account details used to register on a website);
(ii) an Internet Protocol (IP) address, or data held by a hospital or doctor that can be linked to a specific patient; or
(iii) one or more factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity, such as political preferences or publicly expressed opinions that would allow the person to be singled out.

Different pieces of information that, when combined, can lead to the identification of a particular person also constitute personal data.
Therefore, consideration must be given to the possibility of identifying the person by using this information together with other data from different sources.
When assessing whether a person is identifiable, account must be taken of all the means reasonably likely to be used for identification, whether by the controller (in Romanian terminology, the "operator") or by any other person.
Furthermore, data that has been encrypted or pseudonymised remains personal data for as long as a key, mapping table, or other additional information allows the person to be re-identified. Only data that has been genuinely anonymised, so that the person can no longer be identified by any means reasonably likely to be used, falls outside the Regulation; a dataset that can still be traced back to an individual is not anonymised, whatever it is called.
The person to whom the data relates, and whom the Regulation protects, is known as the "data subject".
It is also important to note that only living individuals are protected by the GDPR; data relating to deceased persons is outside its scope.
Additionally, only natural persons enjoy the protection of the Regulation, not companies or other legal entities.
For example, even an employer's evaluation of an employee's performance is personal data, since it is information relating to an identified person.
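To make the point about pseudonymised data concrete, here is an added Python example; it is not part of the original article and the customer records in it are constructed (fictitious addresses). It compares two ways of replacing an e-mail address with a token: an unkeyed hash, which any party able to list plausible addresses can reverse by trial, and a keyed HMAC, which only the key holder can reverse. In both cases someone can link the token back to a person, so the tokenised table is still personal data; what changes is who holds the "additional information" needed for re-identification.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample records (not real people): a direct identifier plus one attribute.
CUSTOMERS = [
    {"email": "ana.popescu@example.com", "plan": "premium"},
    {"email": "ion.ionescu@example.com", "plan": "basic"},
    {"email": "maria.dumitru@example.com", "plan": "basic"},
]


def naive_pseudonymize(record: dict) -> dict:
    """Replace the identifier with an unkeyed SHA-256 digest.

    This is often mistaken for anonymisation. Anyone who can enumerate
    plausible inputs (a customer list, a leaked address book) can hash
    each candidate and link the token back to a person.
    """
    token = hashlib.sha256(record["email"].encode("utf-8")).hexdigest()
    return {"token": token, "plan": record["plan"]}


def keyed_pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the identifier with HMAC-SHA256 under a secret key.

    The key is the "additional information" that makes re-identification
    possible. Whoever holds it (or can obtain it) is still processing
    personal data, so the key must be stored separately from the output.
    """
    token = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()
    return {"token": token, "plan": record["plan"]}


def reidentify_naive(token: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack against the unkeyed scheme: no secret is needed."""
    for email in candidates:
        if hashlib.sha256(email.encode("utf-8")).hexdigest() == token:
            return email
    return None


def reidentify_keyed(token: str, candidates: List[str], key: bytes) -> Optional[str]:
    """The same attack against the keyed scheme only succeeds with the right key."""
    for email in candidates:
        guess = hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, token):
            return email
    return None


def demo() -> dict:
    """Run both schemes over the sample table and report who can re-identify."""
    candidates = [c["email"] for c in CUSTOMERS]
    key = secrets.token_bytes(32)        # held by the controller, apart from the data
    wrong_key = secrets.token_bytes(32)  # what a third party without the key has

    naive_token = naive_pseudonymize(CUSTOMERS[0])["token"]
    keyed_token = keyed_pseudonymize(CUSTOMERS[0], key)["token"]

    return {
        # Reversed by anyone with a candidate list: still personal data for everyone.
        "naive_reidentified": reidentify_naive(naive_token, candidates),
        # Reversed only by the key holder: still personal data for the controller.
        "keyed_with_key": reidentify_keyed(keyed_token, candidates, key),
        # Without the key the token cannot be linked back by this route.
        "keyed_without_key": reidentify_keyed(keyed_token, candidates, wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```

Destroying the key (and every other copy of the mapping) is what moves the keyed table towards anonymisation; until that happens, treat it as personal data and keep the key under separate access controls from the tokenised records.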
The following do not constitute personal data, because they do not relate to a natural person:
(i) the registration code of a company (CUI);
(ii) generic company e-mail addresses that do not identify an individual, such as office@societate.com. By contrast, a work address that contains an employee's name is personal data, since it identifies that person.
If you are uncertain about whether the data you are handling qualifies as personal data, feel free to contact us at office@cristinatudor.ro for an assessment.
2. What does data processing mean, and how do we legally process personal data?
Processing is any operation performed on personal data, whether or not by automated means.
It may be fully automated, partly automated, or entirely manual.
For example, video surveillance that records and stores images from which an individual can be identified constitutes automated processing of personal data.
Processing involves one or more of the following:
(i) collection,
(ii) recording,
(iii) organization,
(iv) structuring,
(v) storage,
(vi) adaptation or alteration,
(vii) retrieval,
(viii) consultation,
(ix) use,
(x) disclosure by transmission,
(xi) dissemination or making available in any other way,
(xii) alignment or combination,
(xiii) restriction,
(xiv) erasure or destruction.
Thus, if you perform one or more of the operations listed above on the personal data of an individual, you must comply with the obligations imposed by the GDPR, which are analysed below.
Automated processing means processing carried out by computer systems: databases, customer management software, websites and online accounts, e-mail, and video surveillance are all everyday examples.
Non-automated processing is carried out through a manual filing system, most commonly the physical files kept by companies in which the personal data of employees or clients is organised according to specific criteria.
It is important to note that the GDPR also covers this non-automated processing whenever the data forms part of, or is intended to form part of, such a filing system, so paper records require the same attention as electronic ones.
3. Special categories of personal data and their processing
The GDPR singles out categories of personal data that, by their nature, are more sensitive and require greater protection.
These special categories of data are:
(i) personal data revealing racial or ethnic origin;
(ii) personal data revealing political opinions, religious or philosophical beliefs;
(iii) personal data revealing trade union membership;
(iv) genetic data, and biometric data processed for the purpose of uniquely identifying an individual;
(v) data concerning health;
(vi) data concerning a person's sex life or sexual orientation.
Processing these categories of data is prohibited as a rule.
What exactly does this mean?
Controllers must refrain from processing these special categories of data unless one of the circumstances in which the Regulation lifts the prohibition applies.
The circumstances that permit the processing of these special categories are limited and relate to:
(i) situations where the data subject has given explicit consent for one or more specified purposes, except where EU or national law provides that the prohibition cannot be lifted by consent;
(ii) processing that is necessary in the field of employment, social security, and social protection law, but only insofar as it is authorised by EU or national law or a collective agreement;
(iii) processing that is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
(iv) under certain conditions, processing carried out in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, relating to its members or persons in regular contact with it;
(v) processing of special categories of data that the data subject has manifestly made public;
(vi) processing that is necessary for the establishment, exercise, or defence of legal claims, or whenever courts are acting in their judicial capacity.
For instance, if a lawsuit is brought to protect a right and the claim requires disclosing information about the defendant from one of the categories above, the defendant's prior consent to that processing is not required.
(vii) processing that is necessary for reasons of substantial public interest, on the basis of EU or national law;
(viii) processing for the purposes of preventive or occupational medicine, the assessment of an employee's working capacity, medical diagnosis, or the provision of health or social care;
(ix) processing that is necessary for reasons of public interest in the area of public health;
(x) processing that is necessary for archiving purposes in the public interest, or for scientific or historical research or statistical purposes.
Am I allowed to handle criminal record information?
Under what circumstances may criminal record information be processed?
According to Article 10 of the GDPR, personal data relating to criminal convictions and offences may be processed:
only under the control of an official authority, or where Romanian law or EU law expressly authorises the processing of this category of data.
For example, the law regulating employment agencies requires the agent to keep a file with specific information about each candidate, including the criminal record. In this situation, the processing of data relating to criminal convictions is lawful because it is authorised by law.
If you need further details or help regarding GDPR compliance, feel free to reach out to us at office@cristinatudor.ro.