LAW NO. 676 OF NOVEMBER 21ST,
2001
on the Processing of Personal Data
and the Protection of Privacy in the Telecommunications Sector
The Romanian Parliament hereby
adopts this law:
Scope
Article 1
(1) This law ensures the specific
conditions of guaranteeing the right to protection of privacy with
regard to the processing of personal data in the
telecommunications sector.
(2) The provisions of this law shall
apply to the operators of public telecommunications networks and
to the providers of publicly available telecommunications services
who, in the context of their activities, carry out processing of
personal data.
(3) The provisions of this law shall be
complemented with the legal provisions regarding the protection of
individuals in respect of processing of personal data and the free
movement of these data.
(4) This law does not apply to the
processing of personal data carried out:
a) in the context
of the activities in the field of national defence and state
security, performed within the limits and with the restrictions
established by law;
b) in the context
of the activities concerning the prevention, investigation and
reprimanding of criminal offences and the keeping of public
security, as well as in the context of other activities in the
areas of criminal law, performed within the limits and with the
restrictions established by law.
Definitions
Article 2
For the purposes of this law, the terms
below are defined as follows:
a) telecommunications
service – service whose provision is made, in
whole or in part, by transmission and conveyance of signals in
telecommunications networks, except for radio and television
broadcasting;
b) publicly
available telecommunications service – any
telecommunications service, except for those necessary exclusively
to their provider or to a closed users group;
c) provider
of publicly available telecommunications services
– legal person providing a publicly available telecommunications
service;
d) public
telecommunications network – transmission
systems and, where applicable, switching equipment and other
resources which permit the conveyance of signals between defined
terminal points, by wire, by radio, by optical fibre or by other
electromagnetic means, which are used, in whole or in part, for
the provision of publicly available telecommunications services;
e) operator
of the public telecommunications network – the
legal person authorized to install or operate a public
telecommunications network with a view to offer publicly available
telecommunications services;
f)
subscriber – any natural or
legal person who is party to a contract with the provider of
publicly available telecommunications services for the supply of
such services;
g) user
– any natural person using a publicly available
telecommunications service, for private or business purposes,
without necessarily having subscribed to this service;
h) personal
data – any information relating to an
identified or identifiable natural person; an identifiable person
is one who can be identified directly or indirectly, in particular
by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic,
cultural or social identity;
i)
processing of personal data –
any operation or set of operations performed upon personal data,
whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval,
consultation, use, disclosure to third parties by transmission,
dissemination or otherwise, alignment or combination, blocking,
erasure or destruction;
j)
regulatory authority – the
authority referred to in article 5 paragraph (1) of the Law on
telecommunications no. 74/1996;
k) supervisory
authority – the authority in charge with
monitoring and controlling the lawfulness of the operations
concerning the processing of personal data subject to the legal
provisions that govern the protection of individuals with respect
to the processing of personal data and the free movement of these
data.
l)
directories of subscribers –
databases, in electronic or written form, which are available to
the public or may be consulted through directory enquiry services
or are used by third parties for commercial purposes, and which
contain personal data of the subscribers;
m) itemized
bill – all the information referring to called
or calling lines, or to the data and length of time of every call.
Security Measures
Article 3
(1) The provider of a publicly available
telecommunications service and the operator of a public
telecommunications network used for the aforementioned service
must take all the appropriate technical and organizational
measures in order to guarantee the security of the service and of
the network.
(2) These measures shall ensure a level
of security proportionate with the risk presented, taking into
account the state of the art and costs of their implementation.
(3) Minimum security requirements to be
adopted as a preventive measure shall be established by the
regulatory authority within six months from the date of the entry
into force of this law.
(4) The security requirements established
according to the paragraph (3) shall be revised by the regulatory
authority, taking into account the state of the art and the
experience in this area, within two years after the date of the
entry into force of this law, and thereafter at least every two
years.
(5) In case of a particular risk of a
breach of the security of the network, the provider of a publicly
available telecommunications service is obliged to inform the
subscribers about such risk. The notification shall also refer to
the possible remedies, as well as to the costs of their
implementation.
(6) The information under paragraph (5)
shall also be communicated to the competent public authority in
the field of the protection of persons with regard to the
processing of personal data.
Confidentiality of Communications
Article 4
(1) The confidentiality of communications
by means of a public telecommunications network or by publicly
available telecommunications services is hereby guaranteed.
(2) Listening, taping, storage or any
other form of interception of telecommunications is hereby
forbidden, except for the following cases:
a) such
operations are realized by the users participating to that
communication;
b) the users
participating to that communication have previously given their
written consent;
c) such
operations are performed in the capacity of public authority,
according to the law.
(3) An user or a subscriber, as
applicable, shall inform the other user or subscriber if during
the conversation equipment permitting other people to listen, tape
or store the conversation is used.
Article 5
Telecommunications services and in
particular developing telephony services shall be offered in
observance of users’ right to privacy, of the secrecy of
correspondence, and of the freedom of communication.
Article 6
Any interference of public authorities in
the content of a communication, including use of means of
interception or supervision of communications, are hereby
forbidden, except for the cases where such interferences are
provided by law and represent a necessary measure in a democratic
society for:
a) the protection
of state security, public security, monetary interests of the
state, or fighting criminal offences;
b) the protection
of the person concerned, upon his request, or of the rights and
freedoms of another person.
Article 7
In case of an interference of public
authorities in the content of a communication, the authorization
law shall provide:
a) the manner in
which the person concerned may exercise the right of access and of
rectification;
b) the conditions
subject to which the competent public authorities are entitled to
refuse to give information to the person concerned;
c) the modalities
of storing or destructing the personal data.
Article 8
(1) The operators of public
telecommunications networks or of telephony services or the
providers of publicly available telecommunications services may
not communicate data obtained by interfering in the content of a
communication to other person but the one designated in the
authorization for obtaining such data issued according to the law.
(2) The authorization of the operators of
public telecommunications networks to interfere in the content of
a communication, including by use of interception or supervision
means, as well as the use of technical means for the localisation
of the source of unsolicited calls, shall be made only subject to
conditions and constitutional guarantees for the exercise of
fundamental rights and freedoms granted by law.
Traffic and Billing Data
Article 9
(1) Traffic data related to subscribers
and users, processed in order to establish the calls made and
stored by the provider of a publicly available telecommunications
service or by the operator of a public telecommunications network
must be erased or made anonymous upon the termination of the call,
without prejudice to the provisions of paragraphs (2) to (4).
(2) Processing of data containing: the
number or identification of subscriber’s station, the address of
the subscriber and the type of the station, the total number of
units that have to be billed for the countering period, the number
of the called subscriber, the type, the starting time and the
duration of the calls effected or the volume of data transmitted,
the date of call or service, other information relating to
payments, such as the advance payments, payments for installing,
disconnections and reminders, carried out for the purpose of
subscriber billing or interconnection payments is permitted only
within 3 years from the due date of the payment obligation
corresponding to the invoice, respectively, from the due date of
the payment obligation corresponding to the interconnection.
(3) The provider of a publicly available
telecommunications service may process only the significant data
referred to in paragraph (2) for the purpose of marketing or
selling its own services, only with the notification of the
subscriber and his express consent.
(4) Access to and processing of traffic
and billing data must be limited to the persons acting by virtue
of a job-related obligation binding them to the provider of
publicly available telecommunications services or, respectively,
to the operator of the public telecommunications network, who have
as tasks handling billing or traffic management, customer
enquiries, fraud detection or marketing the provider’s or
operator’s own telecommunications services. The processing
operations carried out by these persons must be restricted to the
data necessary for the purposes of accomplishing these job-related
obligations.
(5) The paragraphs (1) to (4) shall not
be construed as limiting the access of the competent authorities
to traffic or billing data, in accordance with the law, for the
purpose of settling disputes, in particular interconnection or
billing disputes.
Itemized Billing
Article 10
(1) Subscribers shall receive
non-itemized bills.
(2) Itemized bills can be issued only
upon request of the subscribers, in observance of the right to
privacy of subscribers and users, according to the law.
(3) The categories of information which
can be included in the itemized bills shall be established by the
regulatory authority.
Presentation and Restriction of
Calling and Connected Line Identification
Article 11
(1) Where presentation of calling line
identification is offered, the calling user must be offered by the
provider of the publicly available telecommunications service or
by the operator of the public telecommunications network, free of
charge, a simple means to eliminate the presentation of the
calling line identification on a per-call basis.
(2) The calling subscriber must be
offered by the provider of the publicly available
telecommunications service or by the operator of the public
telecommunications network, free of charge, a simple means to
eliminate the presentation of the calling line identification on a
per-line basis, in the case referred to in paragraph (1).
(3) The called subscriber must be offered
by the provider of the publicly available telecommunications
service or by the operator of the public telecommunications
network, free of charge for a reasonable use of this function, a
simple means to eliminate the presentation of the calling line
identification of incoming calls, in the case referred to in
paragraph (1).
(4) If the calling line identification is
presented prior to the call being established, the called
subscriber must be offered by the provider of the publicly
available telecommunications service or by the operator of the
public telecommunications network a simple means to reject
incoming calls where the presentation of the calling line
identification data has been eliminated by the calling user or
subscriber, in the case referred to in paragraph (1).
(5) Where presentation of connected line
identification is offered, the called subscriber must be offered
by the provider of the publicly available telecommunications
service or by the operator of the public telecommunications
network, free of charge, a simple means to eliminate the
presentation of the connected line identification to the calling
user.
(6) The provisions set out in paragraphs
(1) and (2) shall also apply with regard to calls to another
country originating in the territory of Romania, and the
provisions set out in paragraphs (3) to (5) shall also apply with
regard to calls to Romania originating in another country’s
territory.
(7) If calling or connected line
identification is offered, the providers of publicly available
telecommunications services must make it public, as well as the
rights provided in paragraphs (1) to (6).
Exceptions
Article 12
A provider of a publicly available
telecommunications services, or the operator of a public
telecommunications network, may override the provisions regarding
the presentation of calling line identification, provided the
applicable procedures are made public, in the following cases:
a) temporarily,
following the request of a subscriber for tracing of malicious or
nuisance calls; in this case, identification data shall be
recorded and made accessible, in accordance with applicable law;
b) on a per-line
basis, for organizations dealing with emergency calls, legally
recognized as such, in accordance with applicable law, such as
police stations, fire brigades, or ambulance services.
Automatic Call Forwarding
Article 13
Any subscriber must be offered by the
provider of a publicly available telecommunications service or by
the operator of a public telecommunications network a simple means
to stop automatic call forwarding, made by a third party, to the
subscriber’s terminal.
Directories of Subscribers
Article 14
(1) The providers of publicly available
telecommunications services must include in the directories of
subscribers they realise or to make available to the third parties
that realise such directories, only personal data that are
necessary to identify a certain subscriber, except where the
subscriber has given his explicit consent to the publication of
additional data.
(2) Any subscriber is entitled, free of
charge, to request:
a) to be omitted
from a directory of subscribers;
b) to indicate
that his personal data may not be used by third parties for direct
marketing purposes;
c) to have his
address specified only in part;
d) that no
mentions on his sex are made, where this is linguistically
possible.
Unsolicited Calls
Article 15
Unsolicited calls, for direct marketing
purposes, made through automated calling systems without human
intervention, by means of facsimile machines, or by any other
means are hereby forbidden, except where the called subscriber has
given his prior explicit consent.
Liability
Article 16
(1) Violation of the provisions of this
law shall be punished by disciplinary, administrative, civil or
criminal measures, as applicable.
(2) Providers of publicly available
telecommunications services and/ or operators of public
telecommunications networks are liable towards users for the
effective losses caused by the failure to execute or by the
incorrect execution of their obligations as per this law.
Contraventions and Sanctions
Article 17
(1) The following shall constitute
contraventions, if they not committed so as to constitute criminal
offences, in accordance with the criminal law:
a) Failure to
adopt or incomplete adoption of the minimum security requirements
referred to in article 3, paragraphs (3) and (4);
b) Failure to
comply with the obligation of information referred to in article 3
paragraphs (5) and (6);
c) Failure to
comply with the confidentiality obligation referred to in article
4 paragraphs (2) and (3);
d) Failure of the
public authorities, of the providers of publicly available
telecommunications or telephony services, or of the operators of
public telecommunications networks to comply with the obligations
referred to in articles 5, 6, 7, and 8;
e) Failure to
comply with the obligations regarding the processing and
restriction of access to personal data, referred to in article 9;
f)
Violation of the subscribers’ rights referred to in article 10
by or relating to issuing itemized bills;
g) Failure to
comply with the obligations regarding the provision of calling or
connected line identification, referred to in article 11;
h) Failure to
comply with the obligation regarding the provision of automatic
call forwarding, referred to in article 13;
i)
Failure to comply with the obligations regarding subscribers
directories, referred to in article 14;
j)
Initiating an unsolicited call, in violation of article 15.
(2) The contraventions referred to in
paragraph 1 shall be sanctioned with fine from ROL 10,000,000 to
ROL 250,000,000.
(3) The contraventions referred to in
paragraph 1 (a) - (d) shall be ascertained by the personnel of the
regulatory authority, as well as by authorized representatives of
the bodies legally entrusted with supervisory and control tasks.
(4) For the contraventions referred to in
paragraph 1 (a) - (d), the regulatory authority may dispose also
the suspension or the cancellation of the licence or of the
authorization.
(5) The contraventions referred to in
paragraph (e) - (j) shall be ascertained by the personnel of the
supervisory authority, as well as by authorized representatives of
the bodies legally entrusted with supervisory and control tasks.
(6) The provisions of the present law
shall be complemented by the provisions of the Government
Ordinance no. 2/2001 on the juridical regime of contraventions.
(7) The amount of fines referred to in
this law may be updated by Government Decision, taking account of
the evolution of the inflation rate.
Final and Transitory Provisions
Article 18
The present law enters into force within
3 months after the date of its publication in the Official Journal
of Romania, Part I.
This law has been adopted by the Senate
in the meeting of October 22nd 2001, in compliance with the
provisions of article 74 paragraph (2) of the Constitution of
Romania.
For the President of the Senate,
ALEXANDRU ATHANASIU
This law has been adopted by the Chamber
of Deputies in the meeting of October 29th 2001, in compliance
with the provisions of article 74 paragraph (2) of the
Constitution of Romania.
The President of the Chamber of Deputies
VALER DORNEANU
Published in the Official Journal no. 800
of December 14th 2001.
|