Romania - Law no.506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector

Law on on the processing of personal data and the protection of privacy in the electronic communications sector

Number 506/2004

Article 1
General provisions

(1) This Law establishes the specific conditions for safeguarding the right to privacy with respect to the processing of personal data in the electronic communications sector.
(2) The provisions of this Law shall apply to the providers of public electronic communications networks and of publicly available electronic communications services, as well as to the providers of value added services and of directories of subscribers who, in the frame of their commercial activity, are processing personal data.
(3) The provisions of this Law shall be complemented by the provisions of the Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
(4) This Law shall not apply to the processing of personal data carried out:
a) in the frame of the activities in the field of national defence and national security, performed within the limits and subject to restrictions set out by the legal provisions in force;
b) in the frame of the activities concerning the fight against crime and the keeping of public order, as well as in the frame of other activities in the areas of criminal law, performed within the limits and subject to restrictions set out by the legal provisions in force.

Article 2
Definitions

(1) For the purposes of this Law, the following definitions shall apply:
a) user – any natural person using a publicly available electronic communications service, without necessarily having subscribed to this service;
b) traffic data – any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
c) location data – any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
d) communication – any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service; this does not include the information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information;
e) call – a connection established by means of a publicly available telephone service allowing two-way communication in real time;
f) value added service – any service which requires the processing of traffic data or location beyond what is necessary for the transmission of a communication or the billing thereof;
g) electronic mail – service consisting in conveyance on a public electronic communications network of any text, voice, sound or image message, which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
(2) For the purposes of this Law, the definitions set out in Art. 3 letters a), b), c) and i) of Law no. 677/2001, in Art. 2 letters a), b), c) and h) of Government Ordinance no. 34/2002 on the access to the public electronic communications networks and to the associated infrastructure, as well as their interconnection, approved with amendments and completions by Law no. 527/2002, in Art. 2 paragraph (1) letter b) of Government Emergency Ordinance no. 79/2002 on the general regulatory framework for communications, approved with amendments and completions by Law no. 591/2002, Art. 1 points 1 and 8 of Law no. 365/2002 on the electronic commerce, with the subsequent amendments, and in Art. 2 paragraph (1) letter c) of the Law no. 304/2003 on the universal service and users’ rights relating to the electronic communications networks and services shall also apply.

Article 3
Security measures

(1) The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its service. With respect to network security, if necessary, the provider of the publicly available electronic communications service shall take those security measures in conjunction with the provider of the public electronic communications network. Having regard to the state of the art and the cost of their implementation, the measures taken shall ensure a level of security appropriate to the risk presented.
(2) The National Regulatory Authority for Communications, hereinafter referred to as ANRC, shall establish the conditions under which the providers must fulfil the obligation set out in paragraph (1).
(3) In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must:
a) inform the subscribers of such risk and of the possible consequences ensuing;
b) inform the subscribers of any possible remedies;
c) inform the subscribers of the likely costs involved by eliminating the risk.

Article 4
Confidentiality of the communications

(1) The confidentiality of communications and the related traffic data by means of public electronic communications networks and publicly available electronic communications services is guaranteed.
(2) Listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data are prohibited, except for the following cases:
a) these operations are carried out by the users who participate in that communication;
b) the users who participate in that communication have previously given their written consent;
c) these operations are carried out by the competent authorities, under the conditions set out by the legal provisions in force.
(3) The provisions of paragraphs (1) and (2) shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
(4) The provisions of paragraphs (1) and (2) shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of a business communication.
(5) The use of an electronic communications network to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that:
a) the subscriber or user concerned was provided with clear and comprehensive information in accordance with Art. 12 of Law no. 677/2001, inter alia about the purposes of the storage or access to information stored; and
b) the subscriber or user concerned was offered the possibility to refuse such storage or access to information stored.
(6) The provisions of paragraph (5) shall not prevent the technical storage or access in the following cases:
a) when these operations are performed for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network;
b) when these operations are strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

Article 5
Traffic data

(1) Traffic data relating to subscribers and users, processed and stored by the provider of a public electronic communications network or by the provider of a publicly available electronic communications service, must be erased or made anonymous when they are no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs (2), (3) and (5).
(2) Traffic data necessary for the purposes of subscriber billing and interconnection payments may only be processed up to the end of a period of 3 years from the due date of the corresponding payment obligation.
(3) For the purpose of marketing its electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph (1) only to the extent and for the duration necessary for such services or marketing, and only if the subscriber or user to whom the data relate has previously given his/her express consent. The subscriber or user shall be given the possibility to withdraw his/her consent for the processing of traffic data at any time.
(4) In the cases referred to in paragraphs (2) and (3), the provider of the publicly available electronic communications service must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing. In the case referred to in paragraph (3), this information must take place prior to obtaining the consent of the subscriber or user.
(5) Processing of traffic data, in accordance with paragraphs (1) to (4), may only be carried out by the persons acting under the authority of the providers of public electronic communications networks or publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing value added services, and is allowed only to the extent it is necessary for the fulfilment of these duties.
(6) Paragraphs (1) to (3) and (5) shall apply without prejudice to the possibility for competent bodies to have access to traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.

Article 6
Itemised billing

(1) Subscribers receive non-itemised bills.
(2) Itemised bills shall be issued upon subscribers’ request, while respecting the right to privacy of calling users and called subscribers.
(3) The minimum information which must be provided in the itemised bills is established by ANRC.

Article 7
Presentation and restriction of calling and connected line identification

(1) Where presentation of calling line identification is offered, the provider of the publicly available electronic communications service must offer the calling user the possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification on a per-call basis, irrespective of the country of destination of the call. The calling subscriber must have this possibility on a per-line basis.
(2) Where presentation of calling line identification is offered, the provider of the publicly available electronic communications service must offer the called subscriber the possibility, using a simple means and free of charge for reasonable use of this function, of preventing the presentation of the calling line identification of incoming calls, irrespective of the country where the calls are originated.
(3) Where presentation of calling line identification is offered and where the calling line identification is presented prior to the call being established, the provider of the publicly available electronic communications service must offer the called subscriber the possibility, using a simple means, of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber, irrespective of the country where the calls are originated.
(4) Where presentation of connected line identification is offered, the provider of the publicly available electronic communications service must offer the called subscriber the possibility, using a simple means and free of charge, of preventing the presentation of the connected line identification to the calling user, irrespective of the country where the calls are originated.
(5) Where presentation of calling or connected line identification is offered, the providers of publicly available electronic communications services must inform the public thereof and of the availability of means to prevent the presentation of line identification or to reject incoming calls, set out in paragraphs (1) to (4).
(6) The provisions of this Article shall apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.

Article 8
Location data other than traffic data

(1) Where location data other than traffic data, relating to users or subscribers of public electronic communications networks or publicly available electronic communications services, can be processed, such data may only be processed in the following situations:
a) the data concerned are made anonymous;
b) with the prior express consent of the user or subscriber to whom that data relate, to the extent and for the duration necessary for the provision of a value added service;
c) when the value added service with user location function is intended for the one-way undifferentiated transmission of information to users.
(2) The provider of the publicly available electronic communications service must make available to the user or subscriber, prior to obtaining his/her consent in accordance to the provisions of paragraph (1) letter b), information on:
a) the type of location data other than traffic data which will be processed;
b) the purposes and duration of the processing;
c) the potential transmission of data to a third party for the purpose of providing the value added service.
(3) The users or subscribers giving their consent for the processing of data in accordance with the provisions of paragraph (1) letter b) shall have the right to withdraw their consent for the processing of data at any time or to temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication. The provider of the publicly available electronic communications service must make available to users or subscribers a simple means, free of charge, to exercise these rights.
(4) Processing of location data other than traffic data in accordance with the provisions of paragraphs (1) to (3) may only be carried out by the persons acting under the authority of the provider of the public electronic communications network or publicly available communications service or of the third party providing value added services, and is allowed only to the extent it is necessary for the purposes of providing the value added service.

Article 9
Exceptions

(1) The provider of a public electronic communications network or of a publicly available electronic communications service may override the provisions of Art. 7 referring to offering the possibility to prevent the presentation of the calling line identification, as follows:
a) on a temporary basis, upon application of a subscriber requesting the tracing of abusive calls; in this case, the data containing the identification of the calling subscriber shall be stored and made available by the provider of the public electronic communications network or of the publicly available electronic communications service, under the conditions set out by the legal provisions in force;
b) on a per-line basis, for organisations dealing with emergency calls and recognised as such under the conditions set out by the legal provisions in force, including police, fire brigades and ambulance services, for the purpose of resolving the situations which are brought to their attention by such calls.
(2) In the case referred to in paragraph (1) letter b), the provider of a public electronic communications network or of a publicly available electronic communications service may also override the provisions of Art. 8 referring to obtaining the consent of the subscriber or user for the processing of location data.
(3) The exceptions referred to in paragraphs (1) and (2) shall be permitted under the conditions set out by the Ombudsman, with consultation of ANRC.
(4) The provisions of this Article shall apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.

Article 10
Automatic call forwarding

(1) The provider of the public electronic communications network or of the publicly available electronic communications service, as the case may be, must offer to any subscriber the possibility, using a simple means and free of charge, of stopping automatic call forwarding by a third party to that subscriber's terminal equipment.
(2) The provisions of this Article shall apply to subscriber lines connected to digital exchanges and, where technically possible and if it does not require a disproportionate economic effort, to subscriber lines connected to analogue exchanges.

Article 11
Directories of subscribers

(1) The undertakings who make available to the public printed or electronic directories of subscribers or provide directory enquiry services must inform the subscribers about the purposes of such directories, in which their personal data can be included, and of any further usage possibilities based on search functions embedded in electronic versions of directories. The information shall be free of charge and must be done before subscribers are included in the directories.
(2) The undertakings referred to in paragraph (1) must offer to subscribers the following possibilities, free of charge:
a) to decide whether their personal data are to be included in a public directory of subscribers, and if so, which;
b) to verify, correct or withdraw their personal data included in a public directory of subscribers.
(3) The undertakings referred to in paragraph (1) may use the public directories of subscribers for a purpose other than the mere search of contact details of persons on the basis of their name and, where necessary, a minimum of other identifiers, only with the prior express consent of all the subscribers included in those directories.
(4) The provisions of paragraphs (1) and (2) shall correspondingly apply to the subscribers who are legal persons, with respect to the inclusion of their identification data in the public directories of subscribers.

Article 12
Unsolicited communications

(1) The undertaking of commercial communications by using automated calling systems without human intervention, fax, electronic mail, or any other method employing publicly available electronic communications services, is forbidden, except in cases where the subscriber concerned has previously given his/her express consent to receive such communications.
(2) Notwithstanding paragraph (1), where a natural or legal person directly obtains from a customer his/her electronic mail address, in the context of the sale of a product or a service to that customer, in accordance with the provisions of the Law no. 677/2001, the natural or legal person concerned may use that electronic mail address for undertaking commercial communications referring to similar products or services marketed by that person, provided that customers are given clearly and distinctly the possibility to object, free of charge and in an easy manner, to such use when the electronic mail address is obtained and on the occasion of each message in case the customer has not initially objected.
(3) In any event, the undertaking of commercial communications by electronic mail concealing the real identity of the sender on whose name and behalf the communication is made, or without specifying a valid address to which the recipient may send a request that such communications cease, shall be prohibited.
(4) The provisions of paragraphs (1) and (3) shall correspondingly apply to the subscribers who are legal persons.

Article 13
Sanctions

(1) The followings deeds shall constitute contraventions:
a) breach of the obligation set out in Art. 3 paragraph (1), under the conditions established in accordance with Art. 3 paragraph (2);
b) breach of the information obligation set out in Art. 3 paragraph (3);
c) failure to comply with the provisions of Art. 4 paragraph (2) referring to the interdiction to undertake interception and surveillance of communications and the related traffic data;
d) failure to comply with the conditions set out in Art. 4 paragraph (5);
e) failure to comply with the provisions of Art. 5 referring to the processing of traffic data;
f) failure to comply with the conditions for the issue of itemised bills established pursuant to Art. 6;
g) breach of the obligations referring to the availability of means to prevent the presentation of line identification or to reject incoming calls, set out in Art. 7;
h) failure to comply with the provisions of Art. 8, referring to the processing of location data other than traffic data;
i) failure to comply with the provisions of Art. 9 referring to the conditions under which one may override the provisions of Art. 7 or 8;
j) breach of the obligations referring to the possibility of stopping automatic call forwarding, set out in Art. 10;
k) failure to comply with the obligations referring to the directories of subscribers, set out in Art. 11;
l) failure to comply with the provisions of Art. 12 referring to the unsolicited communications.
(2) The contraventions set out in paragraph (1) letters a) to j) and l) shall be sanctioned by fine from ROL 50,000,000 to ROL 1,000,000,000, and for the undertakings with a turnover exceeding ROL 50,000,000,000, by way of derogation from the provisions of Government Ordinance no. 2/2001 on the legal regime of contraventions, approved with amendments and completions by Law no. 180/2002, with the subsequent amendments, by fine up to 2% of the turnover.
(3) The contravention set out in paragraph (1) letter k), as well as the contravention set out in paragraph (1) letter h), committed by failure to comply with the obligation set out in Art. 8 paragraph (1) letter b), shall be sanctioned by fine from ROL 300,000,000 to ROL 1,000,000,000, and for the undertakings with a turnover exceeding ROL 50,000,000,000, by way of derogation from the provisions of Government Ordinance no. 2/2001 on the legal regime of contraventions, approved with amendments and completions by Law no. 180/2002, with the subsequent amendments, by fine up to 2% of the turnover.
(4) The contraventions set out in paragraph (1) letters a), b), f), g) and j) shall be ascertained by the control personnel of ANRC empowered for such purpose and the sanctions shall be applied, through written resolution, by the president of ANRC.
(5) The ascertainment of contraventions set out in paragraph (1) letters c), d), e), h), i), k) and l) and the application of sanctions shall be carried out by the control personnel of the Ombudsman empowered for this purpose, under the conditions of the Law no. 677/2001.
(6) To the extent that this Law does not provide otherwise, the contraventions set out in paragraph (1) shall be subject to Government Ordinance no. 2/2001, approved with amendments and completions by Law no. 180/2002, with the subsequent amendments.

Article 14
Final and transitory provisions

(1) The provisions of Art. 11 shall not apply to editions of directories of subscribers already produced or placed on the market in printed or off-line electronic form before the entry into force of this Law.
(2) On the date of the entry into force of this Law, the Law no. 676/2001 on the processing of personal data and the protection of privacy in the telecommunications sector, published in the Official Journal of Romania, Part I, no. 800 of December 14th, 2001, with the subsequent amendments, shall be repealed.

Article 15
Transposition of Community legislation

This Law is transposing the Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, published in the Official Journal of the European Communities no. L 201 of July 31st, 2002.