MFA Data Protection

The Ministry of Foreign Affairs pays special attention to the processing of personal data, from the perspective of the protection of fundamental rights and freedoms of natural persons, with focus on the protection of the right to an intimate, private and family life.

Community legal framework:

• The Convention for the Protection of Human Rights and of fundamental Freedoms;
• The Convention for the Protection of Persons Concerning the Automatic Processing of Personal Data, adopted in Strasbourg in January 28^th, 1981;
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); 
• Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

National legal framework:

• The Constitution of Romania;
• Law N° 677/2001 for the Protection of Persons Concerning the Processing of Personal Data and the Free Circulation of Such Data;
• Law N° 682 from November 28th, 2001 on Ratifying the Convention on the Protection of Individuals with Regard to the Automatic Processing of Their Personal Data;
• Decree N° 52/2002 of the Romanian Ombudsman, Regarding the Approval of Minimum Security Standards in the Activity of Personal Data Processing;

Through the General Directorate for consular Affairs, the Ministry of Foreign Affairs of Romania is registered as data controller, under the following registration numbers:

• 5285 – for the processing of personal data in relation to visa processing, granting and issuing;
• 5286 – for the processing of personal data in relation to notary activity;
• 5287 - the processing of personal data in relation to the evidence of people and civil status.

The processing of personal data is carried out according to the following principles:

• Legitimacy: The processing of personal data is carried out on the grounds and in accordance with legal provisions;
• A well-determined purpose: Any personal data processing is carried out for well-determined, explicit and legitimate purposes;
• Confidentiality: Users who are entitled to process personal data on behalf of a data controller must hold labor contracts comprising a confidentiality clause in this respect;
• The consent of the data subject: A key element in the processing of personal data is the consent that the data subject must unequivocally express, on the grounds of thorough information furnished in relation to the processing of their personal data, as well as based on personal choice;
• Information: The furnishing of information to data subjects is carried out by the data controller entitles to process the personal data of the data subject in question;
• The quality of data: Processed personal data must be adequate, pertinent and non-excessive, by comparison to the purpose for which it is collected and subsequently processed;
• The protection of data subjects: According to this principle, the data subjects hold the right to have access to the processed data, the right to intervene upon the processed data, the right to oppose the processing of their personal data, the right of not being subjected to an individual decision, as well as the right of addressing the National Supervisory Authority for the Protection of Personal Data, or to refer to a Court of Law, in view of the protection of any prejudiced rights guaranteed by law.
• Security: The security measures with regard to personal data are established in such a way as to ensure an optimal level of security of processed personal data.
• Notification: The data controller is registered within the National Supervisory Authority for the Protection of Personal Data. Subsequently, the data controller is granted a data controller number.

Definitions:

a. Personal data: any information regarding an identified or identifiable natural person; An identifiable natural person is a person who can be directly or indirectly and particularly identified under an identification number, or according to one or several factors that are specific to their physical, physiological, psychological, economical, cultural or social identity;

b. The processing of personal data: Any operation or set of operations that are carried out upon personal data, through automated or non-automated means, such as: the collection, registering, organizing, storage, adaptation or amendment, extraction, consulting, use, disclosure towards third parties by means of transmission, dissemination, or in any other manner, the association or combining, blocking, erasure or deletion of personal data;

c. Storage: The storage of collected personal data on any kind of support ; 

d. An evidence system for personal data - any organized structure of personal data, accessible according to some pre-determined criteria, regardless of the fact that this structure might be organized in a centralized or non-centralized manner, or is distributed depending on functional or geographical criteria;

e. Data controller - any natural or legal person, of private or public law, including public authorities, institutions and their territorial structures, that hereby establish the purpose and manners of personal data processing; if the purpose and the manners of personal data processing are established by means of a normative act or on the grounds of a normative act, the controller is the natural or legal person, of public or private law, who is designated as data controller by means of that normative act or based on that normative act;

f. Specially-entitled person, empowered by the data controller - any natural or legal person, of private or public law, including public authorities, institutions and their  territorial structures, that carry out any personal data processing on behalf of the data controller;

g. Third party - any natural or legal person, of private or public law, including public authorities, institutions and their territorial structures, other than the data subject, other than the data controller or other than the person entitled by the data controller to process such data, or individuals who are authorized to process personal data, under direct authority of the data controller or of the entitled personal data processor;

h. Recipient - any natural or legal person, of private or public law, including public authorities, institutions and their territorial structures, towards which data is disclosed, be they third parties or not; public authorities that receive personal data in the frame of a special investigation competences are not considered as recipients;

i. Anonymous data – categories of data that, due to its specific origin or due to the special manners of processing, cannot be associated to an identified or an identifiable person.

According to the provisions of article 24 (2) from Law N° 677/2001 for the Protection of Persons Concerning the Processing of Personal Data and the Free Circulation of Such Data, the registration number must be incorporated in any document/form drafted by the Directorate General for Consular Affairs, by means of which personal data is collected, stored or disclosed.

In accordance with the legislation in force, data subjects that fall under the incidence of Law N° 677/2001 for the Protection of Persons Concerning the Processing of Personal Data and the Free Circulation of Such Data, have the following rights:

• The right to be informed;
• The right of access to data;
• The right of intervention upon the processed data;
• The right to object;
• The right of not being subject to an individual decision;
• The right to file complaints to the NSAPPD, or to a court of law.

The Right to be Informed

The Ministry of Foreign Affairs of Romania is registered as data controller and all the collected personal data is necessary in view of exercising its institutional duties in the field of visa processing, granting and issuing, in the field of notary activity, as well as in relation to the register of population and civil status. Citizens who require assistance in these areas must correctly fill-in all the forms at their disposal, in order for their demands to be appropriately dealt with. The refusal to furnish any of the compulsory personal data required, may lead to a negative answer to the submitted request. The personal data delivered to the staff of the Ministry of Foreign Affairs is consequently disclosed to the competent Romanian authorities and subsequently processed by these authorities, in view of taking a final decision regarding the claim for which personal data was furnished. The furnished data may be implemented and stored in databases accessible to the competent Romanian authorities.

The Right of Access to Data

According to the provisions of Law N° 677/2001, the citizens therein concerned can require the following information from the data controller, by means of a written, signed and dated request: they may require to be informed whether their personal data is being processed or not, the categories of data processed, the purpose for which their data is processed, possible third parties their data might be disclosed to, the source their personal data was collected from, the types of automated processing mechanism are used, the other rights they benefit from.

The Right of Intervention upon the Processed Data

Depending on each case, upon request and with a fee exemption, any data subject has the right to obtain from the data controller:

• the amendment, updating, blocking or deletion of any data the processing of which breaches the provisions of Law N° 677/2001, more specifically in the case of incomplete or inaccurate data;
• rendering personal data anonymous, in the case of data the processing of which breaches the provisions of Law N° 677/2001;
• the notification of any third party the processed data was disclosed to, with regard to any operation performed according to letters a) or b), in case such notification does not prove to be impossible, or if it does not request a disproportionate effort towards the legitimate interest that might thus be violated. 

The Right to Object

At any moment, without any justifications and with a fee exemption, the data subject has the right to object to the processing of their personal data for direct marketing purposes on behalf of the data controller or of any third party, or that their personal data is disclosed to third parties for such a purpose.

The Right of not Being Subjected to an Individual Decision 

Any data subject benefits from the right to claim and obtain:

1. the withdrawal or the cancellation of any decision produces juridical effects upon them, provided that that decision has been exclusively adopted on the grounds of personal data processing, carried out through automatic means, destined to evaluate several aspects of their personality and/or professional competence, credibility, behavior or other such aspects;
2. the re-evaluation of any decisions taken with regard to their own person and that significantly affects them, if that decision was exclusively adopted on the grounds of personal data processing, according to the conditions laid down under point a).

The Right to File Complaints to the NSAPPD, or to a Court of Law

If the situation should occur, the data subject benefits from the right to file complaints with regard to the breaching of their rights as provided for by Law N° 677/2001. Complaints can initially be filed to the data controller and subsequently to the NSAPPD. Also, the data subject can bring the data controller to court for the breaching of the rights as laid down by Law N° 677/2001, or for any prejudice they might suffer from the illegal processing of their personal data.

• Leaflet comprising information with regard to personal data protection
• Personal data
• Are you aware of your rights?

For more information and details, please refer to the National Supervisory Authority for the Processing of Personal Data:

Olari St., 32, 2^nd Department, Bucharest
Tel: (021).252.58.88
Fax: (021).252.57.57
Web: http://www.dataprotection.ro/