The Romanian data protection authority (the ANSPDCP) has adopted the final list of cases which require a data protection impact assessment (DPIA). The unofficial English translation of the list, prepared by PrivacyOne, can be found here.
PrivacyOne contributed observations on the draft DPIA list, which was previously opened for public debate in accordance with the national transparency regulations. The final list reflects some of the points we raised, such as certain terminology issues.
We underline that the list is only indicative, and we recommend that data controllers always refer to the general rules in GDPR Art. 35 whenever they need to decide whether to carry out a DPIA for their proposed data processing operations.
The list, which was adopted through ANSPDCP Decision no. 174/2018 on 18 October 2018, is applicable from 31 October 2018.