Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The role of Romanian courts in the protection of personal data in the post GDPR era


Where does the role of the data protection authority (DPA) end and where the court takes priority? The relevant legal provisions are spread around the national laws and regulations, most of them being included in the laws regulating the organization of the Romanian DPA.

We summarized the available challenge options from the perspective of all three main actors: (1) data subject, (2) controller/processor and (3) DPA (see summaries below).

We certainly expect a high number of disputes related to data protection matters. On the basis of the legal recourse options summarized below, we expect at least the following:

  • a high number of court challenges against sanctions and other measures imposed by the DPA;
  • a high number of civil
  • claims based on data protection matters; 
  • disputes related to the suspension/rejection by the DPA of a complaint which is also brought before a court;
  • issues raised by claims lodged in courts by the DPA as proxy of the data subjects;
  • complexities raised by collective complaints/claims and the involvement of not-for-profit organizations representing the interests of data subjects;
  • debates regarding the acts/measures that require a preliminary procedure before the DPA before lodging a court challenge (versus DPA acts that sanction a misdemeanor and can be challenged directly in court);
  • last but not least, vexatious behavior and "extortion" attempts (e.g. threats with complaints before the DPA and settlement requests).

Therefore, which options are available to the data protection actors?


WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Complaint (plangare)DPAController / processorFor any non-observance of their rights under data protection legislation

Can be suspended/rejected in case an identical court action is also initiated (same parties and object).

DPA can impose a fee for repetitive or obviously ungrounded (vexatious) complaints

Complaint (administrative action) (plangere)DPADPA actAs mandatory preliminary action against any action/omission of the DPA (e.g. failure to periodically inform the data subject of the course of the investigation)
Court action (administrative action) (contestatie)


Tribunal in first instance

DPAAgainst the outcome of the investigation of a complaint for various reasons (e.g. decision on inadmissibility of a complaint)
Court action (civil action)CourtController / processor

Observance of/failure to observe data protection legislation.

Reparation of damage caused to data subject (monetary, non-monetary)

No court fees. The action can be initiated by the DPA and the data subject will have the option to take-over the claim or to waive it


WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action) (contestatie)


Tribunal in first instance

Cour of appeal in appeal

DPAAgainst a measure and/or sanction and/or fines for the delay in complying with the obligations

No express provision regarding necessity of the preliminary administrative action before the DPA. To be determined when such a preliminary action is necessary and when it is not (sanctioning of a misdemeanor).

It suspends only the payment of fines up to final court decision (not also other measures or sanctions)

Court action (civil action)CourtOther parties (controllers / processors / data subjects)For any monetary or non-monetary damage related to a data protection context
Court action (administrative action) (contestatie)

High Court

Decision of Court of AppealChallenge of lower court's decision re. obligation of controller/processor to grant access to locations and documents during DPA investigationsDoes not suspend the enforcement decision of first instance

Who? DPA

WhatWhere? In front of whom?Against whom?For what?In what conditions? Other interesting facts
Court action (administrative action)Court of AppealController / processorObligation of controller/processor to grant access to locations and documents during DPA investigations


Court action (civil action)CourtController / processorLodged on behalf of the data subjects for observance of data protection legislation and/or reparation of damage caused to data subject Question: Only non-monetary or also monetary damage?


This brief reflects the legislative status as of 28 February 2019.


Article provided by: Adelina Iftime-Blagean (Attorney at Law, Wolftheiss)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.