Skip to main content

The role of Romanian courts in the protection of personal data in the post GDPR era


Where does the role of the data protection authority (DPA) end and where the court takes priority? The relevant legal provisions are spread around the national laws and regulations, most of them being included in the laws regulating the organization of the Romanian DPA.

We summarized the available challenge options from the perspective of all three main actors: (1) data subject, (2) controller/processor and (3) DPA (see summaries below).

We certainly expect a high number of disputes related to data protection matters. On the basis of the legal recourse options summarized below, we expect at least the following:

  • a high number of court challenges against sanctions and other measures imposed by the DPA;
  • a high number of civil
  • claims based on data protection matters; 
  • disputes related to the suspension/rejection by the DPA of a complaint which is also brought before a court;
  • issues raised by claims lodged in courts by the DPA as proxy of the data subjects;
  • complexities raised by collective complaints/claims and the involvement of not-for-profit organizations representing the interests of data subjects;
  • debates regarding the acts/measures that require a preliminary procedure before the DPA before lodging a court challenge (versus DPA acts that sanction a misdemeanor and can be challenged directly in court);
  • last but not least, vexatious behavior and "extortion" attempts (e.g. threats with complaints before the DPA and settlement requests).

Therefore, which options are available to the data protection actors?


WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Complaint (plangare)DPAController / processorFor any non-observance of their rights under data protection legislation

Can be suspended/rejected in case an identical court action is also initiated (same parties and object).

DPA can impose a fee for repetitive or obviously ungrounded (vexatious) complaints

Complaint (administrative action) (plangere)DPADPA actAs mandatory preliminary action against any action/omission of the DPA (e.g. failure to periodically inform the data subject of the course of the investigation)
Court action (administrative action) (contestatie)


Tribunal in first instance

DPAAgainst the outcome of the investigation of a complaint for various reasons (e.g. decision on inadmissibility of a complaint)
Court action (civil action)CourtController / processor

Observance of/failure to observe data protection legislation.

Reparation of damage caused to data subject (monetary, non-monetary)

No court fees. The action can be initiated by the DPA and the data subject will have the option to take-over the claim or to waive it


WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action) (contestatie)


Tribunal in first instance

Cour of appeal in appeal

DPAAgainst a measure and/or sanction and/or fines for the delay in complying with the obligations

No express provision regarding necessity of the preliminary administrative action before the DPA. To be determined when such a preliminary action is necessary and when it is not (sanctioning of a misdemeanor).

It suspends only the payment of fines up to final court decision (not also other measures or sanctions)

Court action (civil action)CourtOther parties (controllers / processors / data subjects)For any monetary or non-monetary damage related to a data protection context
Court action (administrative action) (contestatie)

High Court

Decision of Court of AppealChallenge of lower court's decision re. obligation of controller/processor to grant access to locations and documents during DPA investigationsDoes not suspend the enforcement decision of first instance

Who? DPA

WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action)Court of AppealController / processorObligation of controller/processor to grant access to locations and documents during DPA investigations


Court action (civil action)CourtController / processorLodged on behalf of the data subjects for observance of data protection legislation and/or reparation of damage caused to data subject Question: Only non-monetary or also monetary damage?


This brief reflects the legislative status as of 28 February 2019.


Article provided by: Adelina Iftime-Blagean (Attorney at Law, Wolftheiss)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.