GDPR Seminar, Intercontinental Hotel, Bucharest, February 1, 2018

de | January. 16, 2018 | News

APDETIC organizes, with the support of ECOTIC, the GDPR Seminar on February 1, 2018, at the Intercontinental Hotel, Bucharest.

With the entry into force of the new GDPR Regulation in May 2018, the traditional way of processing and managing personal data and information about customers and employees will have to be fundamentally changed and will have an impact on all company departments.

In order to align with the new provisions for the protection of personal data, it is necessary to implement a set of actions that involve:

  • Inventory of personal data
  • Establishing the purposes for which the data are processed
  • Evidence of processing activities
  • Data security
  • Obtaining consent
  • Respecting the rights of the person

In this context, we intend to present during the seminar all these new provisions in order to facilitate the compliance of Romanian companies with the requirements of the GDPR Regulation.

I invited her for this purpose Av. Magda Popescu, IAPP member (International Association of Privacy Professionals) to provide for the first time some clarifications on the new regulation, before the dialogue with the participants in the seminar on February 1.

What topics will be addressed and who should participate in the audience?

Magda Popescu: The name "seminar" is ambitiously chosen, given the complexity of the regulation and the subject of data protection in general.

We will try to make an introduction, not for specialists, but rather for those stakeholders in companies who will have to make decisions to ensure compliance with GDPR and who therefore need to know: concepts (personal data, operator processing, processor, person the material and territorial scope of the Regulation, the principles applicable to the processing of personal data and the practical impact of these principles, the obligations incumbent on them, including from the perspective of new rights introduced for data subjects, and risk issues and sanctions.

It is simply a matter of making an awareness-raising effort. For this reason, addressability is primarily aimed at members and contractual partners of APDETIC and its sister organization, ECOTIC. At the end of this seminar, we aim to make sure that the participants understand what the GDPR is about and what the first steps to take once they return to the office are. We do not intend to create specialists, nor would it be possible in the time window available.

 We have found, with the possible exception of some multinationals that have already started preparations for the implementation of the Regulation for some time, that there are two categories of attitudes towards this subject:

There is an important part of the market for which GDPR has become a negative urban legend, being perceived as a kind of threatening cloud; towards this attitude, we intend to “de-sacralize” it and to show what it is about in this Regulation and, concretely, what are its consequences.

On the other hand, we also encountered situations of companies, especially small and medium-sized ones, which have not even heard of the GDPR, much less to assess its impact. They will be provided with information to help them make a plan to comply with the new rules.

For all cases, the room should be those people who bear the responsibility of the business, in general (general managers, administrators, etc.), because GDPR impacts the business as a whole, or those people in positions of influencer of those who make decisions, in order to be able to pass on the message and generate an appropriate reaction.

What services will you offer post-event?

Magda Popescu: The participants in the seminar will receive after the event, by mail, a material with the most important provisions of the GDPR Regulation.

The new General Data Protection Regulation (GDPR) will apply to all companies, regardless of their size, whether they are PFAs, SRLs or multinational companies. Is such a one size fit all measure appropriate? How will SMEs - which have fewer resources to conduct a dedicated audit, to implement solutions to ensure compliance with the GDPR and to train their staff - be affected by the entry into force of the GDPR on 25 May 2018?

Magda Popescu: The right to the protection of personal data is increasingly emerging as a human right, so it is natural to obtain adequate and generally applicable protection.

On the other hand, although in a more discreet manner, GDPR distinguishes between operators, in terms of size (when it comes to, for example, keeping track of processing operations, which is not mandatory, under certain conditions, for companies with less than 250 employees). ), but especially in relation to the impact that the company's activity has on the protection of personal data - there are different rules regarding the processing of special data (eg those on health); data protection impact assessment becomes mandatory if there is a high risk to human rights and freedoms; the audit as such is not required to be mandatory, but is a working tool, subordinate and useful to ensure compliance with other obligations; the appointment of a Data Protection Officer is mandatory, in the private sphere, only for companies for which activities related to personal data or special data represent “core business”.

Moreover, GDPR repeats the principle of adequacy of the technical and organizational measures necessary to ensure compliance with its provisions.

What does "appropriate" mean? What are the criteria according to which the "appropriate" nature of these measures is assessed? The GDPR does not clarify these issues, but provides a single example - pseudonymization of data.


"Adequate" is a notion that, of course, being so general, can become vague and therefore a source of anxiety for companies that have obligations under the Regulation. On the other hand, this is an area of ​​law that is still being created and in which practical aspects will be very important and will be outlined in instruments issued by the European Data Protection Board and in the advice provided, in specific cases, by national supervisory authorities. . It is very possible that a measure is considered appropriate for a small firm with up to 50 employees and that processes only employee data and business contact data of providers and customers and is completely inappropriate for a chain of medical clinics. which processes sensitive data.

 What should Romanian companies do in the next 5 months and what should they expect after May 25?

Magda Popescu: First, it should analyze its own activity in terms of the application of the GDPR, so as to clarify what obligations apply to them, in what capacity (operator or processor) and to what extent. We explained in the previous point that the answer may differ depending on the type of data processed, the extent of processing, etc.

Secondly, it needs to clarify what data it processes and on what basis. I recall that, after 25 May, there are many clarifications on the legal basis of the processing (especially on consent) and it is extremely important to clarify this in advance so that the processing of data that has no legal basis according to GDPR standards to stop.

Thirdly, it must decide and clarify internally who will be responsible for the “administrative kitchen” on data protection, in the sense of responding to the requests of the subjects to exercise their rights, to be in charge of notifying the data security breach, etc. This person should consider further information on these issues and, if questions persist, identify a source of specialist advice. Of course, it may be decided to appoint a Data Protection Officer (DPO) even in situations where this is not mandatory, according to the GDPR, to respond knowingly to the various challenges posed by new legislation, the breach of which can have a very high impact. severe - fines of up to 4% of world turnover or EUR 20 million (whichever is higher).

Fourthly, more attention needs to be paid to international data transfers. This may occur, for example, if the data is kept in the cloud with servers located outside the European Economic Area. In most cases, such situations are covered by adequacy decisions issued by the European Commission or international treaties (such as the Privacy Shield - US-EU), but this needs to be clarified. 

For îregisteri