Protection of personal data

The legal framework regarding the protection of personal data adopted at the European level and applicable to all EU Member States

On 4 May 2016, the legislative package regulating the protection of personal data was published in the Official Journal of the European Union:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR);

Regulation (EU) 2016/679 entered into force on 25 May 2016 and is applicable from 25 May 2018. The provisions of GDPR are directly applicable in the territories of the EU Member States, without, in principle, the need for transposition or implementation measures. However, GDPR provides that, in certain situations, national implementing provisions are required or Member States are empowered to adopt certain legal provisions.  

 Thus, entered into force, on 31 July 2018, Law no. 190/2018 on measures to implement EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data by the competent authorities for the purpose of preventing, detecting, investigating or prosecuting crimes or executing penalties and on the free movement of such data and repeal of the Council's Framework Decision 2008/977/JHA.

 Directive (EU) 2016/680 entered into force on 5 May 2016 and was transposed into national law by Law no. 363/2018 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of preventing, discovering, investigating, prosecuting and combating criminal offences or the execution of criminal penalties, educational and security measures, as well as on the free movement of such data.

1. The General Inspectorate of the Border Police (GIBP) is the central unit of the Romanian Border Police (RBP), with legal personality and territorial competence for the entire area of responsibility of the border police, which exercises the management and is responsible for the entire activity of the border police, carries out activities of investigation of particularly serious crimes circumscribed to organized crime, illegal migration and cross-border crime committed in the area of territorial competence of RBP, as well as any other powers given to it by law.

 GIBP is personal data controller, in accordance with article 4 point 7 of GDPR.

 Contact information for the General Inspectorate of the Border Police (GIBP)

• Headquarters: Bucharest, 42C Geniului Avenue, district 6, postal code 060117;
• E-mail address: pfr@igpf.ro;      
• Phone: 021.316.25.98; 021.318.25.92;
• Fax: 021.312.11.89;
• Information phone: (+4)0219590.

Within GIBP operates the Personal Data Protection Department.

The designated personal data protection officers within GIBP are:

• Chief Police Inspector Sergiu-Răzvan MALIȚA;
• Police Inspector Georgiana NEDA.

Contact information for the Personal Data Protection Department

• Headquarters: Bucharest, 42C Geniului Avenue, district 6, postal code 060117;
• E-mail: dataprotection.igpf@igpf.ro or sergiu.malita@igpf.ro;
• Phone: 021.316.25.98 / extension 19.270;
• Fax: 021.316.35.11.

Forms for exercising rights (GDPR):

• Request to exercise the right of access GDPR
• Request to exercise the right to rectification GDPR 
• Request to exercise the right to object GDPR
• Request to exercise the right to restrict processing GDPR
• Request to exercise the right to erasure of data GDPR

• Guidelines for the exercise of the rights by persons whose personal data are processed by the Romanian Border Police
• Information note regarding the processing of personal data by the Romanian Border Police
• Information note ABC Gates

2. Entry-Exit System (EES) - Regulation (EU) 2017/2226

The Entry/Exit System (EES) is an automated information system for recording third-country travelers, both short-stay visa holders and visa-exempt travelers, each time they cross an external border of the EU. The system will record the person’s name, type of travel document, biometric data (fingerprints and facial images), as well as the date and place of entry and exit, while fully respecting fundamental rights and data protection. It will also record refusals of entry.

According to article 17 of Law no. 300/2022 on establishing the organizational framework for the national operationalization of the Entry/Exit System and the European Travel Information and Authorization System (ETIAS), in accordance with article 39 (1) of EES Regulation, the General Inspectorate of the Romanian Border Police (GIBP) has been designated as the personal data controller for data processing carried out within EES and ETIAS systems, as well as for fulfilling the specific responsibilities of the ETIAS National Unit.

Forms for exercising rights regarding EES:

• Request to exercise the right of access EES
• Request to exercise the right to rectification EES
• Request to exercise the right to erasure of data EES

• Guide for exercising the rights of individuals whose data is processed within the European Entry/Exit System (EES)

For more informations:

• EES - https://travel-europe.europa.eu/ees_en
• ETIAS - https://travel-europe.europa.eu/etias_en

3. The Visa Information System (VIS)

The Visa Information System (VIS) allows Schengen States to exchange visa data. It consists of a central IT system and of a communication infrastructure that links this central system to national systems. VIS connects consulates in non-EU countries and all external border crossing points of Schengen States. It processes data and decisions relating to applications for short-stay visas to visit, or to transit through, the Schengen Area. The system can perform biometric matching, primarily of fingerprints, for identification and verification purposes.

Pursuant to Article 44 of Law no. 271/2010, the request regarding the exercise of the data subject’s rights in the context of the processing of personal data in the National Visa Information System (SNIV) or the Visa Information System (VIS) shall be addressed to the National Visa Centre, and the response shall be communicated to the applicant as soon as possible, but no later than 60 days from the date of receipt of the request.

The correspondence address for sending requests for exercising the rights in the context of the processing of personal data in SNIV or VIS:

Ministry of Foreign Affairs of Romania through the Diplomatic Missions/Consular Posts of Romania and the National Visa Centre of Romania:

• Premises: 31 Aleea Alexandru, 1^st district, Bucharest, PO 011822
• Tel.: +40 21 431 11 00; +40 21 431 15 62; +40 21 319 21 08; +40 21 319 21 25
• Fax: +40 21 319 68 62
• Email: dpo@mae.ro

Information note VIS

Useful links:

• https://eviza.mae.ro/DataProtection
• http://www.mae.ro/en/node/2060
• https://www.dataprotection.ro/?page=Sistemul_de_informatii_privind_vizele
• https://home-affairs.ec.europa.eu/policies/schengen/visa-information-system_en
• https://www.eulisa.europa.eu/activities/large-scale-it-systems/vis

4. NATIONAL PASSENGER INFORMATION UNIT - Directive (EU) 2016/681

The National Passenger Information Unit (NPIU) is a specialized structure without legal personality within GIBP, which processes personal data for the purpose of fulfilling its responsibilities as provided for by Law no. 284/2018.

According to article 32 of Law no. 284/2018 and GDPR, the General Inspectorate of the Romanian Border Police is designated as the personal data controller for data processing within the Passenger Name Record (PNR) data system.

Within NPIU, there is a Personal Data Protection Department. The designated personal data protection officers within NPIU are:

• Chief Police Commissioner Alexandru-Gabriel DUMITRU;
• Police Commissioner Cristian-Eduard POPA.

Contact Information for the NPIU Personal Data Protection Department

• Headquarters: Bucharest, 42C Geniului Avenue, district 6, postal code 060117;
• Email: protectiadatelor.unip@igpf.ro;
• Phone: 021.316.25.98 / extension 19.232;
• Fax: 021.316.35.11.

Information note regarding the processing of personal data by NIPU

5. The National Supervisory Authority for Personal Data Processing (NSAPDP)

In order to defend the rights provided by GDPR and Law no. 363/2018, the individuals whose personal data are subject to be processed within GIBP may submit a complaint to NSAPDP at its headquarters in Bucharest, 28-30 G-ral Gheorghe Magheru Avenue, district 1, postal code 010336, on website www.dataprotection.ro, using fax 031.805.96.02, or  e-mail anspdcp@dataprotection.ro.

Also, in the situations provided for in art. 15, art. 17(3) or art. 19 (6) of Law no. 363/2018, the data subject may exercise their rights through the National Supervisory Authority for Personal Data Processing.

To file a complaint on NSAPDP’s website click here.