Definitions

Personal Data

Art. 4 (1) of the GDPR states that personal data reveal information about an identified or identifiable natural person. Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint etc.

Please visit: https://gdpr-info.eu/art-9-gdpr/

In Romania, the national identifier is defined under the Data Protection Law as “that specific number which has general application and identifies a natural person in certain record systems”. Expressly mentioned examples include:

  • natural identification numbers,
  • passport numbers,
  • driving licence numbers,
  • national health insurance numbers.

Special Category of personal data

‘Special category of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning health, sex life or judicial information.

Art. 9 of the GDPR contains rules about the processing of special categories of personal data. Sensitive data are personal data which reveal an individual’s racial and ethnic origin, political beliefs, religion, philosophical and moral convictions, trade union affiliation or membership, health and sexual orientation, or which refer to genetic and biometric data.

Article 9(2) sets out the circumstances in which the processing of special categories of personal data, which is otherwise prohibited, may take place. These include, among others:

  • Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law;
  • Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;
  • Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.

Please visit: https://gdpr-info.eu/art-9-gdpr/

Further, the Romanian Data Protection Law states that the processing of genetic data, biometric data and data concerning health for automated individual decision-making, including profiling, is permitted if the individual expressly consents to such data processing or if the processing is performed based on a legal obligation.

Consent

The GDPR definition of ‘consent’, written in Art. 4 (11), is: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Children’s age

The Laws do not include any specific clauses in relation to processing the personal data of children, hence the minimum age for consent is 16 years, as imposed by the GDPR.