The GDPR must be complied with and implemented by any company or controller processing personal data. A company must implement a procedure that ensures compliance with the provisions on protecting personal data concerning the personal data it processes. Implementing this procedure requires a personalized analysis of the company’s activity so that the solution is right.

In terms of GDPR, we are at your disposal through:

Analyzing and consulting on how to implement the GDPR concerning the company’s activity.

In the transition to the digital age, personal data protection is a serious topic on every company’s agenda.

The General Data Protection Regulation (hereinafter “GDPR” or “GDPR Regulation”) became law in Romania on 25 May 2018. For non-compliance with the protection requirements, the penalties provided by the law can reach up to 4% of turnover or €20,000,000.

The GDPR Regulation focuses on the individual and brings into question the principle of responsibility to be guided by when running and organizing a company. You need to know that GDPR applies to all economic operators in Romania regardless of whether the place of processing of personal data is in Romania or not.

The Blaj Law team offers you legal advice and assistance to implement and comply with the provisions set out in the Regulation. Still, it will also help you propose appropriate personal data protection policies and draft agreements for the consent of data subjects.

GDPR policy drafting.

The processing of personal data is an operation carried out by most companies that, in their daily business, collect, store, use or disclose personal data belonging to individuals.

After two years designed to allow organizations and public entities to adapt to the new requirements, the implementation of the GDPR policy became mandatory in 2018. It imposed severe penalties on those who did not comply with the Regulation.

According to Article 5, personal data must be processed lawfully, fairly, and transparently, collected for specified, explicit and legitimate purposes, adequate, relevant, and limited to what is necessary for the purpose, accurate, and up-to-date.

For GDPR principles to be enforceable within your organization, a full audit of data processing is required – a good data protection policy must be carried out, an analysis of your company’s shortcomings must be carried out, and necessary corrections must be made be implemented. We can help you do this to avoid drastic sanctions for the company you run.

Challenging sanction decisions for GDPR violations.

Appealing is a way for an individual to enforce their rights and avail of the protection offered by the legal framework, and, in the alternative, they can prove their innocence of a breach.

According to the law, the main applicable contravention sanctions are a warning and a fine, and the establishment of these infringements will be carried out by the National Supervisory Authority, in compliance with the provisions of Law No 102/2005 on the establishment, organization, and functioning of the National Supervisory Authority for Personal Data Processing.

The current legislative framework also provides for how we can appeal against the sanction received as a result of a breach of the GDPR provisions. In this regard, Article 28 of Decision No 161/2018 approving the procedure for conducting investigations is relevant. Thus, against the minutes of the appeal or sanction and against the decision to apply punitive measures, either the controller or the processor has at his disposal the appeal as a means of defense regarding the violation of legal provisions. The appeal may be lodged with the administrative court of the competent court. The law stipulates that the time limit for lodging an appeal is 15 days from the date of delivery, i.e., from the date of communication of the official report of the finding or sanction and the decision of the President of the ANSPDCP.

Assistance and representation in disputes related to the protection of personal data.

Even if, according to specific legislation, persons involved in data processing are required to adopt and respect a series of measures to ensure respect for the individual’s privacy, conflict situations frequently arise between them and companies processing personal data, which may give rise to disputes.

Personal data controllers are obliged to ensure, both organisationally and technically, all necessary measures to ensure the minimization of the data processed, pseudonymization and encryption of personal data, confidentiality, integrity, availability of personal data, the ability to restore the availability of personal data and timely access to personal data in the event of a physical or technical incident.

Suppose you consider that your personal data has entered the public domain without your consent or the person responsible for processing it has violated any provision of the GDPR Regulation. In that case, the Blaj Law team is prepared to represent you in such a dispute.

See other services

Consumer protection

People regularly enter into legal relationships as consumers without being aware of the legal remedies available to them if they are harmed in their dealings with...

read more

Intellectual property

Intellectual property law is an area that primarily involves providing specialist advice on the protection afforded by the law when a dispute over intellectual...

read more


Failure to comply with the rules of conduct for the exercise of certain professions, particularly the medical professions, may give rise to litigation seeking to...

read more