Romania GDPR and ANSPDCP: Your Complete Privacy Rights Guide

The General Data Protection Regulation (GDPR) gives every Romanian citizen powerful rights over their personal data. Since 2018, any organization operating in Romania — from BCR and eMAG to your local medical clinic — must follow strict rules about how they collect, store, and process your personal information.

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) is Romania's data protection authority responsible for enforcing GDPR. They investigate complaints, issue fines, and ensure organizations respect your privacy rights.

Despite these protections, most Romanians are unaware of their rights or how to exercise them. This guide covers everything you need to know.

Your GDPR Rights in Romania

1. Right to Access (Dreptul de acces)

You can request any organization to tell you what personal data they hold about you, why they have it, and who they have shared it with. They must respond within 30 days.

2. Right to Rectification (Dreptul la rectificare)

If an organization holds incorrect data about you, you can demand they correct it.

3. Right to Erasure (Dreptul la ștergere — "Right to Be Forgotten")

You can request that an organization delete your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw your consent
• The data was processed unlawfully
• There is no legitimate legal basis for keeping it

4. Right to Data Portability (Dreptul la portabilitatea datelor)

You can request your data in a machine-readable format and transfer it to another service provider.

5. Right to Object (Dreptul la opoziție)

You can object to the processing of your personal data for direct marketing, profiling, or other purposes not related to a contract or legal obligation.

6. Right to Restriction (Dreptul la restricționarea prelucrării)

You can request that an organization temporarily stop processing your data while a dispute is resolved.

How to Exercise Your Rights

Step 1: Contact the Organization Directly

Send a written request (email is acceptable) to the organization's DPO (Data Protection Officer) or privacy contact. Most Romanian companies now have a privacy page on their website with contact details.

Your request should include:

• Your full name and identification details
• Which right you are exercising
• Specific details about what data you want accessed, corrected, or deleted
• Your contact information for the response

Step 2: Wait for the Response

Organizations have 30 days to respond. They can extend this by another 60 days for complex requests, but they must inform you of the extension within the initial 30 days.

Step 3: File a Complaint with ANSPDCP

If the organization ignores your request, denies it without valid justification, or fails to respond within the deadline, you can file a formal complaint with ANSPDCP.

How to File a Complaint with ANSPDCP

1. Visit the ANSPDCP website at dataprotection.ro
2. Download the complaint form (formular de plângere)
3. Fill in the details:
   • Your personal information
   • The organization you are complaining about
   • A description of what happened
   • Evidence of your request and the organization's response (or lack thereof)
4. Submit the complaint via email, postal mail, or in person at:
   • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București
   • Email: anspdcp@dataprotection.ro

ANSPDCP will investigate and can impose fines up to €20 million or 4% of the organization's annual global revenue.

Common Privacy Situations in Romania

Over-Collection of CNP

Many Romanian businesses request your CNP when it is not legally required. Under GDPR, you can ask why they need it and whether an alternative identifier is acceptable. Supermarket loyalty cards, gym memberships, and online services often do not need your CNP.

Marketing Calls and SMS

If you receive unwanted marketing calls or SMS from Romanian companies, you have the right to opt out and request deletion of your phone number from their marketing database. If they continue after your request, file a complaint with ANSPDCP.

Employee Data Privacy

Your employer can only collect personal data necessary for the employment relationship and legal obligations. They cannot monitor your personal communications, install surveillance software on your personal devices, or share your data with third parties without a legal basis.

Medical Data

Healthcare providers must protect your medical records under both GDPR and Romanian medical confidentiality laws. You have the right to access your complete medical records and control who else can access them.

Protecting Your Privacy Proactively

Beyond exercising your GDPR rights, take these practical steps:

1. Minimize the personal data you share. Do not provide your CNP, buletin photo, or other sensitive identifiers unless legally required.
2. Read privacy policies before signing up for services. Look for what data is collected and with whom it is shared.
3. Use secure channels for sensitive information. When you need to share personal documents, use LOCK.PUB to create password-protected, self-destructing memos instead of sending them through Messenger or email where they persist permanently.
4. Regularly audit your accounts. Check which services have your data and request deletion from those you no longer use.
5. Use strong, unique passwords and enable two-factor authentication on all accounts.

When You Must Share Personal Data

Some situations legitimately require sharing sensitive personal data — job applications, rental agreements, notary appointments. Instead of emailing your buletin scan or CNP in plain text, use LOCK.PUB to create an encrypted memo with the required information. Set an expiration time, share the link, and the data disappears after being accessed. This aligns with GDPR's principle of data minimization — you provide only what is needed, only when it is needed, and it does not persist beyond its purpose.

The Bottom Line

GDPR gives you real power over your personal data in Romania, and ANSPDCP is there to enforce it. But rights are only useful when you exercise them. Challenge unnecessary data collection, report violations, and protect your information by sharing it only through secure, temporary channels. Use LOCK.PUB when you need to share sensitive personal data — it keeps your information encrypted, password-protected, and temporary by design.