Blog Bucharest

In the context of the COVID-19 epidemic, both the employer and the employee have to know their rights and obligations, as well as the measures that have to be taken in order to protect the employees and the company and to minimize the risks that can appear during the epidemic period.

Hereinafter, the main legislative amendments issued in the field of work will be presented briefly.

Applicable law:

  • Law no. 19/2020 concerning the days off granted to parents in case the educational establishments are temporarily closed;
  • Presidential Decree dated 16.03.2020;
  • In addition: the Labor Code regarding the working from home and the Law no. 81/2018 regarding the tele-working.

Duration of the provisional measures: 

  • Law no. 19/2020: as long as the educational establishments – where the kids of the employees are enrolled – are closed; 
  • Presidential Decree: until the end of the state of emergency. 

According to the Law no. 19/2020, as long as the educational establishments – where the kids of the employees are enrolled – are closed, the employer has the following obligations: 

  • to grant days off and to pay to the parent/person in charge with the supervision of the minor an indemnity of 75% of the salary corresponding to a working day, but not more than 75%/working day of the gross average salary used for the implementation of the state social insurance budget; 
  • the indemnity of 75% will be paid from the personnel costs of the budget of incomes and outcomes of the employer; 
  • the indemnity shall be paid to one parent only;
  • the parent/person in charge with the supervision of the minor must meet cumulatively the following conditions: 
  • to have children under the age of 12, enrolled in an educational institution or disabled children under the age of 18, enrolled in an educational institution; 
  • the workplace does not provide the possibility to work from home or the tele-working;
  • the law does not provide if the calculation base for the indemnity of 75% consists in the last month salary or an average of a number of months; 
  • the number of the days off will be established by Governmental Decision;
  • for employees who work in the national energy system, the nuclear system, workplaces with continuous work, medical units and social assistance, telecommunications companies, radio companies and public television, railway transport, public transport and sanitation, as well as in the units which provide electricity, heat and power, the days off will be granted with the employer's approval.

According to the Presidential Decree dated 16.03.2020: 

  • the provisions of the Law no. 19/2020 are not applicable to the employees who work in the national defence system, prisons, public medical units and other categories laid down by order of the Internal Affairs Minister, the Economy, Energy and Business Environment Minister, and the Transportation, Infrastructure and Communication Minister. These employees have the right to a salary increase in the amount provided by the Law no. 19/2020 (75%) in case the other parent does not benefit from these legal provisions.
  • the decree regulates a derogation from the provisions of Law no. 81/2018, respectively, until the end of the state of emergency, the employer – whether private or public – can decide unilaterally the home-working or the tele-working. 
  • until the end of the state of emergency, there will be no control from the Territorial Labor Inspectorates, excepting the controls made by the Labor and Social Protection Minister and by the Labor Inspection in certain cases (commission of offences with higher social danger level and investigation of work accidents). 
  • until the end of the state of emergency, any kind of collective labor dispute is prohibited in certain areas.
  • the collective contracts and agreements are maintained until the end of the state of emergency. 
  • the decree regulates a derogation from the provisions of Governmental Emergency Ordinance no. 111/2010 concerning the leave and the monthly indemnity for childcare – the person entitled will keep the incentive insertion in case of losing the job because of COVID-19 epidemic. 
  • requests for social benefits can be sent by electronic means.
  • the validity of the certificates (including the ones regarding the disabilities) or attestations issued in the field will be extended until the end of the state of emergency. 

Working from home is regulated by the Labor Code (art. 108-110). The main provisions are: 

  • this kind of employees are the ones who are performing the specific tasks from home; 
  • working from home may be performed by any type of employee; 
  • the agreement in case of working from home must be registered in Revisal; 
  • the employees can establish their own working schedules; 
  • the employer must ensure the labor safety and security for its employees, in any aspects connected to the activity they perform; 
  • the employer may control the activity of the employee, the resources he uses and the resulting deliverables; 
  • as a rule, the parties have to mention the working-from-home procedure in the employment contract; the Presidential Decree stipulations are a derogation from these provisions;
  • the employer has the obligation to handle the transportation of the raw material to the employee and of the final work made by the employee; 
  • the parties/the employer (presidential decree) can establish more rules applicable in this procedure. 

The tele-working procedure is regulated by the Law no. 81/2018, which provides:

  • tele-working is a form of organization of work in which, at least for one day per month, the work may be performed from a place other than the working point of the employer, and it may be performed by an employee, regularly and voluntarily, with the help of information and communication technology;
  • the person working this way is called a tele-employee; his individual labor agreement has to provide the tele-working procedure and the places where the activity is going to be performed, and also the obligation of working this way at least one day per month;
  • the working schedule shall be established by mutual agreement between the employer and the employee and the over-time may be performed only with the written agreement of the tele-employee who works full time.
  • the tele-employee has the obligation to draft the timesheet for the performed activity.
  • the employer must provide the information and communication technology means and safe working equipment, must install and verify the working equipment, and must ensure the appropriate training of the employee for the specific field.

According to art. 3 from the Law no. 81/2018: the refusal of the employee to perform the tele-work cannot be considered a reason in order to unilaterally modify the individual employment contract and cannot be subject to any disciplinary measures. 

However, the employers may rely on the provisions of the Presidential Decree dated 16.03.2020 which establish that an employer can unilaterally modify the individual employment contract, stating that the work will be performed at home or under the tele-work regulations. 

In addition, art. 48 of the Labor Law provides that an employer can unilaterally and temporarily modify the place and the type of work, without the consent of the employee, in the event of force majeure or as a measure to protect the employee.

The quarantine means the preventive isolation of a person or collectivity which has been in contact with an infected patient or who comes from a region where there is an epidemic. 

According to the legislation in force: 

  • the employer cannot request to the employee to take the annual leave during the quarantine period; 
  • during the quarantine period, the employer cannot dismiss the employee;
  • according to the Labor Code (art. 50), the individual employment contract is automatically suspended during the quarantine period; 
  • the Governmental Emergency Ordinance no. 158/2005 states that during the quarantine period the employees will receive a special indemnity;
  • the monthly indemnity is 75% from the calculation base, determined as an average of the monthly salaries granted in the last 6 months from the 12 months (length of contribution), up to the limit of 12 minimum gross salaries in the country; 
  • the quarantine indemnity will be paid fully from the Unique National Fund of Health Insurances; 
  • in case an employee is tested positive for COVID-19, he has to submit a certificate issued by the Public Health District Authority; 
  • the certificate for the medical leave can be issued by the attending doctor or by the family doctor; 
  • the leave days will not be deducted from the annual medical leave of the employee. 

The measures that an employer can take in order to protect its employees and the activity of its company during the epidemic period:

  • the modification of the work program by adapting it to each activity and employee; 
  • establishing several work teams in order to ensure the continuity in front of the clients/partners; 
  • granting the protective equipment, together with training held to the employees regarding the conduct they must have during the “crisis” period, in order to prevent and minimize any kind of risk; 
  • implementation of the working at home and tele-work procedures; 
  • reduction of the working time and therefore reduction of the salaries;
  • technological unemployment – temporary cessation of activity. In this case, according to the law, the employees will receive a compensation of 75% of the basic salary corresponding to the position held.

In the context of doing business in a global environment, more and more companies active in Romania become increasingly interested in fostering a culture of corporate governance and compliance.  The main reason is to obtain business with, and from, companies which are required to have adequate and effective compliance and anti-bribery policies in place.

Bearing this in mind, the liability of a legal entity (especially potential criminal liability) becomes an essential topic especially as regards the consequences of triggering liability, such as financial penalties and/ or suspension of business and/ or closing down of business operations.  Dissolution of the legal entity can also be disposed by the court.  The reflections of those consequences are loss of business and loss of profit, affecting employees and business partners.

Consequently, the criminal liability of a legal person needs to be reflected in a business context, where corporate governance and compliance have a central role.

With this in mind, it is fair to ask whether an adequate and efficient compliance and anti-bribery programme might alleviate the potential criminal liability of a legal person in Romania.

Before answering this question, it would be useful to analyse the situation in the UK briefly, since the UK’s Bribery Act (2010) may be considered to be the toughest legislation on corruption and makes companies responsible for preventing bribery.

Failure to prevent bribery is a distinct criminal offence.  In order for a company not to be convicted of this criminal offence if bribery has occurred, it has to prove it had adequate procedures in place to prevent people associated with it from committing bribery.  In this respect, the UK Ministry of Justice has published Guidance[1], based upon six principles, those being: (i) Proportionate procedures; (ii) Top-level commitment; (iii) Risk assessment; (iv) Due diligence; (v) Communication (including training); and (vi) Monitoring and review.

When investigating corporate bribery, the Serious Fraud Office (“SFO”) assesses whether the respective company has thoroughly applied and enforced these six principles.

So, would an effective compliance and anti-bribery programme attenuate the criminal liability of a legal entity and the consequences deriving therefrom?

One of the landmark cases pursued by the SFO is the Rolls-Royce case, finalised with a deferred prosecution agreement (a “DPA”) concluded between the SFO and Rolls-Royce Plc & Rolls-Royce Energy Systems Inc. (together “Rolls-Royce”), concerning breaches of criminal law in the areas of bribery and corruption in Nigeria, Indonesia, Russia, Thailand, China, India and Malaysia.  The DPA was approved by the Court on 17 January 2017 and, to this date, is the largest DPA ever concluded in the UK (the “approved DPA”).[2]

Before going into details regarding the facts which led to the conclusion of the approved DPA, what is a Deferred Prosecution Agreement?

A DPA is a mechanism available only to legal entities which, in order to avoid prosecution, enter an agreement on negotiated terms with a prosecutor, which agreement must be approved by the court.  Such approval is granted only if such agreement is concluded in the interests of justice and comprises proportionate, fair and reasonable terms.

The consequence of the conclusion of such an agreement is that the respective legal entity will not be prosecuted in Court, thus avoiding the impact of a court decision such as losing business and revenue (especially in the public sector, where certain public procurement rules provide for the disbarment and exclusion of legal entities which have been convicted of corruption-related offences).

A DPA is available only for certain economic (financial) offences whereby the only criminal sanction is financial and contains financial penalties which the legal entity must pay until a certain date.  There is no right for a company to enter into a DPA – this must be agreed by the prosecutor and approved by the court.  Changes in the management of the company concerned and co-operation with the prosecutor to allow the identification and prosecution of the individuals concerned can also be seen as preconditions to an offer of a DPA.

Bearing in mind the above, the approved DPA has been concluded based on the following facts:

  • Rolls-Royce is a reputed company, listed on London Stock Exchange and being a part of the FTSE 100 index.  Rolls-Royce employs around 50,000 people in more than 50 countries.  The SFO investigation which led to the conclusion of the approved DPA regards the civil aerospace business which generates approximately 50% of its revenue, defence aerospace business which is the second largest provider of defence aero engines and services in the world (generating approximately 20% of its revenue) and its former energy business regarding the manufacture of gas turbines and compressors to power offshore platforms.[3]
  • Mainly, the SFO concluded that:
    • there were various agreements to make corrupt payments to intermediaries in connection with the sale of aero engines for civil aircraft in Indonesia and Thailand between 1989 and 2006;
    • there were various agreements to conceal the use of intermediaries to facilitate the defence business in India between 2005 and 2009, when the use of intermediaries was restricted, and the making of a corrupt payment in 2007 to retrieve a list of intermediaries taken from Rolls-Royce in India;
    • there was an agreement to make corrupt payments to intermediaries in Russia regarding the supply of gas compression equipment between 2008-2009;
    • Rolls-Royce failed to prevent bribery in conducting its energy business in Nigeria, with similar failures regarding its civil business in Indonesia, China and Malaysia.[4]
  • Has the appointment and payment of intermediaries been internally regulated and thoroughly conducted by Rolls-Royce?

According to the statement of facts prepared by the SFO[5], Rolls-Royce had various written policies and committees regarding the appointment of intermediaries, including a code of conduct applicable to all its employees (including a prohibition on the payment or receipt of bribes[6]) and provisions related to the payment of intermediaries.  An additional policy for the appointment and payment of intermediaries entered into force in 1999, where no due diligence process was specified[7], while any payment to any intermediary exceeding 5% of the value of the contract required additional approval from a senior employee of Rolls-Royce.  Guidance notes on intermediary policies were issued, together with a Global Code on Business Ethics with specific provisions on bribery and corruption[8], including a revised intermediary section.  An Anti-bribery and Compliance Review was also carried out by a “Big 4” accountancy firm and completed in 2009.  A new policy on intermediaries, subsequently amended, was one of the results thereof and prohibited commissions in excess of 10% of the contract price.  The amended policy required that due diligence and approval processes be defined by the risk rating for each intermediary[9], while a new Compliance team was established together with a Committee for Approval of High Risk Intermediaries.

  • In addition, pursuant to the statement of facts of the DPA, Rolls-Royce took various steps to enhance its ethics and compliance procedures,[10] reflecting the six principles published by the UK Ministry of Justice and which are mentioned above.  In consequence, the judge ruled that, in addition to the co-operation in the investigation, “Rolls-Royce could not have done more to address the issues which have been exposed”[11].
  • Considering that Rolls-Royce has fully cooperated with the SFO and that it retained reputed specialists to review and update their anti-bribery and corruption compliance procedures, according to the approved DPA, Rolls Royce was required to:
    • Disgorge the profit on transactions of £258,170,000;
    • Pay a financial penalty of £239,082,645;
    • Pay the costs of £12,960,754 incurred by the SFO;
    • At its own expense, complete a compliance programme following the recommendations received from the expert and provide reports to the SFO; and
    • Renounce any tax reduction applicable to any of the above-mentioned payments in the UK or elsewhere.

Based on the interpretation of the approved DPA and of the statement of facts prepared by the SFO, we cannot rule out the fact that the enhanced ethics and compliance programme, together with the exceptional cooperation of Rolls-Royce, was an important factor which the judge took into account for the approved DPA.  Had Rolls-Royce not made significant efforts for the reorganisation of its compliance and ethics departments (including separating the compliance officers from the business sector), there can be no doubt that the sanctions imposed would have been more severe, including a potential conviction with serious consequences for Rolls-Royce, for its employees and for the industry where Rolls-Royce plays a central role.

Separately, according to the approved DPA, separate agreements between Rolls-Royce and the Department of Justice in the United States were to be concluded.  Settlements between Rolls-Royce and Brazilian authorities were also to be reached[12].

Coming back to Romania, what is the general legal framework as regards the criminal liability of a legal person?

Under the Romanian criminal system, the liability of a legal person is triggered for offences committed for the purpose of carrying on of its object of activity and/ or in the interest and/or in the name of the legal person.  These conditions are not cumulative.

Criminal liability is excluded in case of the state, public authorities and public institutions.  In addition, it is necessary that the criminal offence is committed with the form of guilt provided by the law, this being applicable to the management bodies of the respective legal person, such as the administrator and/ or shareholder and/ or the censor etc.

The criminal liability of a legal person does not exclude the criminal liability of the natural person(s) which contributed to the respective criminal offence.

The Romanian Criminal Code regulates the principle of the alleviation of the criminal liability of the legal person, mentioning that, in case criminal liability is mitigated, then the legal person must pay the fine provided by the law.

Although currently an effective compliance and anti-bribery programme is not seen as a circumstance which mitigates the criminal liability of the legal person, we consider that in the growing business environment, the authorities need to take it into account when assessing penalties imposed on the respective legal person.

An argument in this respect is the fact that the Competition Council may consider that the implementation of an efficient compliance programme might protect the company against unfair competition practices.  Nonetheless, the existence of such compliance programme does not automatically mean that the Competition Council would not punish the respective company in case it has breached competition rules.  The existence of an effective compliance programme, together with the self-report performed by the respective company could lead to a reduction of the fine applied by the Competition Council.

In the light of the above it is recommended for Romanian companies to implement an effective compliance and antibribery programme, which could be seen as an important criterion to attract business worldwide and an attempt to mitigate the risks deriving from a potential criminal liability.



[1] https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf

[2] https://www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf

[3] https://www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf (paragraph 3)

[4] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 14)

[5] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 16)

[6] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 17)

[7] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 20)

[8] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 22)

[9] https://www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf (paragraph 28)

[10] https://www.sfo.gov.uk/download/deferred-prosecution-agreement-statement-facts-sfo-v-rolls-royce-plc/?wpdmdl=14778 (paragraph 44)

[11] https://www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf (paragraph 47)

[12] https://www.judiciary.uk/wp-content/uploads/2017/01/sfo-v-rolls-royce.pdf (paragraph 5)

We are in a period when the lobby activity becomes increasingly important, considering also the Emergency Ordinance project regarding the transparency in lobbying activities and representation of interests (the “Ordinance project”). The purpose thereof is to render transparent the relationship of public authorities with the business environment, so there is equality as regards the influence in the decision-making process.

What is lobby?

According to the Ordinance project, the lobby activity means “any organised and structured agreement with the public representatives for exercising an influence in the interest of a client, in the sense of the direct influence over the legislation activity and decision-making processes at the central and local public administration level.”

Therefore, the essence of the lobby activity is the action of influencing the persons responsible with the elaboration of public policies, in the sense of taking a certain position regarding a certain aspect comprised in the legislation, with the purpose of promoting the legitimate interests of a group.

Lobby is different from advocacy, which represents any action performed with the scope of influencing the public policies through different mechanisms (meetings, conferences, open letters etc).

Consequently, we do not consider that the definition of the lobby activity comprised by the Ordinance project does not reflect the essence thereof, as compared to advocacy.

How is the lobby activity performed?

Considering that the prerequisite of any lobby activity must be the promotion of both transparency and high standards of integrity, it is recommended that any type of legislation follows the principles of best practices in the field. The best known are the principles of the lobby activity stated by the OECD1.

Without going into details in respect of these public principles, we consider that these 10 fundamental principles regarding the lobby activity must be accurately reflected by the national legislation regulating the lobby activity.

Therefore, even though the Ordinance project took as a model the Austrian legislation regarding transparency in lobby and representation of interests, and Austria is a member of OECD, we consider that the Ordinance project fails to reflect accurately the following principles of the lobby activity:

  • Ensuring the transparency in a manner which will allow the public representatives, the lobbyists, the business environment, the citizens to obtain information regarding the lobby activity2. The Ordinance project provides the establishment of the Registry for lobby and representation of interests (the “Registry”), without going into details regarding the functioning method thereof and the access thereto. In this sense, article 8 paragraph (2) of the Ordinance Project provides the access of legal and natural persons to the data in the Registry only provided they may argue a primary legal interest in the sense of article 8 paragraph (2) of the European Convention for Human Rights3. It appears that article 8(2) of the Ordinance Project restricts the access of legal and natural persons without any clear reason and without mentioning the access method of such persons to the data comprised by the Registry.
    Another method to ensure the transparency is that any legislative act should contain the precise identification of the lobbyist/ internal lobbyist/ association of interests/ representative of the groups of interests. Moreover, it is advisable that the issuers of public policies should also indicate the lobbyist/ internal lobbyist/ interests association/ representative of the groups of interests who tried to influence a certain legislative aspect4.
    It is necessary that the secondary legislation regarding the lobby activities considers these aspects.
  • Creating and implementing standards regarding the lobby activity, together with monitoring the fulfilment of such standards.
    Considering the scope of the enactment of the lobby activity, we consider useful the elaboration and implementing of standards, principles, procedures to state the methods in which the public representatives may interact with the lobbyists and/or internal lobbyist and/or association of interests, with a scope to promote legitimate interests. Even though the Ordinance project generically states the interdictions and a conduct which must be followed by the public representatives according to the provisions of Law 161/2003 regarding some measures for ensuring the transparency in exercising public offices and within the business environment, we consider necessary a future regulation regarding the manner of communication and interaction of the public representatives with the lobby companies and/ or the companies which employ internal lobbyists.

Conclusions

The regulation of the lobby activity is welcomed in Romania, but this should be done judiciously and correlated with the other aspects of the lobby activity. Even though the Ordinance project is pretty lacunary, as we have pointed out above, our opinion is that the regulation of this activity must closely reflect OECD principles of transparency and integrity in lobby activities. Endeavours to create and implement the standards regarding the lobby activity must start, observing the principles of transparency and integrity, without losing sight of the fact that the final purpose of the lobby activity is taking a decision which serves legitimate interests.

Moreover, through the lobby activity the law-making process benefits from the expertise of specialists in a certain field, and the normative acts which would be issued pursuant to such joined effort, would better respond to the current economic and social requirements.


1 The 10 principles for Transparency and Integrity in Lobbying – OECD 2013.
2 The 10 principles for Transparency and Integrity in Lobbying – OECD 2013.
3 “The interference of a public authority in the performance of this right is not allowed, unless to the extent it is provided by the law and constitutes, in a democratic society, a necessary measure for the national security, public safety, economic wellbeing of the country, safeguarding the order and prevention of criminal deeds, protection of health, morals, the rights and liberties of others”.
4 The 10 principles for Transparency and Integrity in Lobbying – OECD 2013.

GDPR, the General Data Protection Regulation, is an issue which, at least over the last half year, has started to be very important in Romania and across Europe. But have you ever thought about what exactly it means and how it affects you as a citizen or your enterprise?

By now you have likely already scanned your company's activity in terms of data protection and implemented some rules in accordance with the GDPR, but have you also considered common practices such as using apps?

After the big security breach suffered by Facebook, which bought WhatsApp for $19 billion in 2014, we had a look at the latter app from the GDPR point of view.

According to the new Data Privacy regulation which directly applies in European Union Member States starting on 25 May of this year, data subjects have the following rights:

  • Access: data subjects are entitled to ask the controller if it is processing their data and, if affirmative, they can obtain the details of such processing and a copy of the personal data it holds about them;
  • Correction: data subjects are entitled to request that any incomplete or inaccurate personal data the controller holds about them be completed and corrected;
  • Erasure: data subjects are entitled to ask the controller to delete their personal data in certain circumstances (the Right to be Forgotten);
  • Restriction: data subjects are entitled to ask the controller to suspend the processing of their personal data in certain circumstances;
  • Portability: data subjects may ask the controller to transfer their personal data to another data controller;
  • Objection: if the controller is processing data subjects’ personal data based on legitimate interests (or those of a third party) they may challenge this;
  • Consent: if the controller is processing personal data based on data subjects’ consent, they can withdraw it anytime.

In respect of such rights, WhatsApp’s GDPR compliance is questionable on several counts, including the Right to Access, the Right to be Forgotten and Data Portability.

Thus, it is well known that WhatsApp, among other things:

  • transfers users' data (meaning the data of the eventual customers of your enterprise) to the USA. This conflicts with the GDPR requirement that personal data be transferred or stored outside the EU only if specific conditions are met. In this context, it should be noted that the USA has weaker privacy laws, with the result that adequate protection of customer data cannot be ensured;
  • receives the address book of a user with all contacts, including their emails and phone numbers, which is thus also transferred to Facebook, without your enterprise being able to inform customers how this data is being handled and therefore to fulfil the "right to access" requirement of the GDPR;
  • collects metadata of users and related personal data, even though the messages are said to be end-to-end encrypted, thus generating personal user profiles and understanding social relationships, without being transparent about what metadata WhatsApp collects, how it is processed and to whom it is transferred, and therefore without being GDPR compliant.

Bearing all this information in mind, some enterprises have already banned WhatsApp among their employees, while others have implemented a professional and secure enterprise messaging app.

In the light of the above, you may consider either giving up on WhatsApp, or deploying an enterprise messaging app.

For the first choice, you should pay attention to the fact that a WhatsApp ban must be technically and organizationally feasible, meaning it is not sufficient to ban WhatsApp if employees do not apply such a rule. However, there are some options to reduce the risk of GDPR non-compliance, such as the separation of business and personal contacts that mobile operating systems provide. This solution, though, is not 100% secure.

    Nonetheless, if you consider implementing an enterprise messaging app, you should take into consideration, among others, the following:
  • whether the enterprise messaging app stores data outside the European Union;
  • whether the enterprise messaging app pseudonymizes and encrypts personal data as far as possible;
  • whether the enterprise messaging app gives full transparency in its privacy policy and terms on how personal data is used, processed and stored.

In conclusion, it is clear that WhatsApp does not meet the data protection requirements of the GDPR and that an enterprise is non-compliant if it uses WhatsApp for business purposes. Therefore, we suggest that you at least analyze how your employees use WhatsApp for business purposes so as to reduce the risk of GDPR non-compliance, or that you deploy a professional and secure enterprise messaging app that ensures maximum data protection and fully complies with the GDPR.

If you are considering banning WhatsApp and/or are looking to deploy a GDPR-compliant enterprise messaging app, we can assist you in implementing such measures in accordance with GDPR.

Over recent months, it appears that the biggest concern of companies has been EU Regulation 2016/679, issued by the European Parliament and European Council on 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). Companies have responded either by rushing to obtain, no later than 25 May 2018, the consent of the various natural persons with whom they had a relationship at a certain time, with a view to maintaining this relationship, or by focussing on implementing GDPR, in one way or another, after 25 May 2018, but in a more relaxed way, given that the deflagration called GDPR enforcement has not happened yet.

This tension was, and still is, generally the result of the GDPR provision on the maximum limit of fines which may be applied for failure to observe the requirements of this normative act, fines which seem more likely to be without limit.

But, if GDPR is analysed as a whole, we may observe that these fines cannot be applied without a careful investigation, the lack of which represents an abuse in enforcing any sanction.

Moreover, beyond the fact that GDPR does not change the foundation in the field of Data Privacy, this normative act brings in fact a series of benefits and advantages.

Therefore, GDPR was adopted by the European Parliament in April 2016 and starting 25 May 2018 it shall be applied to all companies processing and holding personal data of natural persons – EU residents, regardless of the place the company is located. This was designed in order to:

  • ensure the standardisation of data confidentiality in Europe,
  • protect the confidentiality of citizens’ data, and
  • remodel the way the companies within the region think and enforce the data regarding confidentiality.

Therefore, in a world where even young children are using smartphones and social networks, such a policy of raising awareness about the disclosure and use of our personal data by different persons can only be appreciated.

We are not insisting on the positive aspect from the point of view of natural persons protected by GDPR, each reader falling into this category and being able to easily understand this endeavour which practically represents a legislative concretisation of the technological developments.

To deny this aspect means, for instance, to deny the benefits of the legislation passed in the field of Consumer Protection, i.e. to send again telegrams even if we are one second away from hearing live the voice of the interlocutor.

Therefore, following the same comparison, many benefits shall be felt later.

However, we appreciate that, at least for the moment, the following positive aspects of applying GDPR can also be considered from the perspective of companies. We underline “applying” because GDPR came into force, as stated above, as early as 2016, when it was practically possible, but not compulsory, to adopt measures in accordance with GDPR provisions.

As such, by applying GDPR you can obtain the following:

  • trust, honesty and loyalty of clients to the company brand,
  • a new start – this being the beginning of an era really oriented to the clients, the brands can reinvent themselves based on the wishes of their clients,
  • efficiency – GDPR requires that personal data is not kept longer than necessary, and therefore the instinct is to find at least a legal basis to process the personal data already obtained (even the simple storage of personal data is circumscribed to the processing activity), but is this profitable as long as certain persons do not contribute in any way to the growth of the company?!

Reviewing the situation from another angle, we also identify some negative aspects, respectively:

  • costs – if in the structure of your company’s activity there are no risk evaluations or audits to prove compliance with other domains, such as quality, health and safety or security of information, it is normal for the implementation of GDPR to incur costs, sometimes significant,
  • time and effort – the implementation of GDPR provisions involves certain efforts for a certain period if you have neglected the organising of processing, or merely due to new technical measures which can be implemented with a view to providing a high level of personal data security,
  • winding up of companies with an ultra-conservative approach – such companies, which are not big fans of competition, shall lose the capacity to use personal data as their most valuable asset.

Apart from these, the implementation of GDPR requirements shall improve the business process, making the company more efficient and bringing a competitive advantage.

If you decide to appoint an external organisation to manage the implementation of GDPR provisions, we can assume this role. We shall effectively become part of your team only until you acquire the necessary knowledge to perform an activity according to GDPR without our help.

We can start by elaborating a project to implement GDPR.

The notion of “beneficial ownership” will be introduced in Romanian legislation by the Law on money-laundering and terrorist financing (the “Law”), which will implement the single mechanism for the prevention of money-laundering and terrorist financing. This mechanism is provided by Directive (EU) 2015/849 of the European Parliament and Council of 20 May 2015 regarding the prevention of use of the financial system for money-laundering and terrorist financing, to amend Regulation (EU) no. 648/2012 of the European Parliament and Council and to annul Directive 2005/60/CE of the European Parliament and Council and Directive 2006/70/CE of the Commission (“4 AML Directive”), which should have been transposed into Romanian law by 26 June 2017.

According to the Law, a beneficial owner is any private person who owns or ultimately controls an entity and / or a private person on whose behalf a transaction, an operation or an activity is performed, directly or indirectly.

Within the meaning of the Law, the notion of “beneficial owner” appears to be significantly extended, considering private persons (not legal persons) who control an entity by exercising an effective control over it, regardless of whether such person is or is not recorded in the entity’s registries as having powers of decision. We believe that this definition envisages effective controlling (directing) influence over the client, even if that private person does not appear as associate/ shareholder in the client.

What is the scope of the Register?

Firstly, the Law stipulates the creation of four different registers:

  • the central register held by the National Office of Commercial Registry for companies;
  • the register held by the Ministry of Justice for associations and foundations;
  • the central register held by the National Agency for Fiscal Administration for trusts; and
  • the central register organised at the level of the Central Depositary for the companies listed on the regulated markets.

Due to the fact that all four registers have the same scope, for ease of reference, we use the term “Register” in this paper. Any reference to a “Register” must be interpreted in relation to all four registers.

The Register is created to ensure transparency and to prevent the inadequate use of corporate assets as a whole. It is accessible exclusively to “reporting entities” as defined by article 5 of the Law, to the competent authorities and to the National Office for Prevention of Money-Laundering. The Register must comprise adequate and accurate information, published in due time. We consider that the wording “in due time” should include the following:

  • the obligation of reporting entities to register the information within a reasonable time (e.g. we would suggest 3 days as of the date of occurrence of the changes impacting the beneficial owner) and
  • the obligation of the holder of the register to disclose the relevant information to the reporting entities within a reasonable time (e.g. we would suggest 24 hours as of the request formulated by the reporting entities).

The Register must not be seen as eliminating an extensive due diligence process regarding a company / group of companies. The Register must be seen as an instrument available to Romanian and European authorities and to the reporting entities with a view to preventing the use of corporate assets for the purpose of money-laundering and terrorist financing, as well as other economic crimes. According to article 18 (par 7) of the Law, the identification of the beneficial owner implies that all reporting entities must perform risk analyses.

Is the Register a simple “depositary” of information on the beneficial owner or does it check the information published?

The methodology regarding the functioning of the Register is not yet available. Taking into account the scope thereof, we consider that the holder thereof must verify the information supplied and apply sanctions in case the information is inadequate, inaccurate or provided late. It is desirable that secondary legislation should clarify the role of the Register so that the scope thereof is attained.

Conclusions

Transparency is one of the principles of a coherent and sustainable business, and the creation and implementation of such a Register imposes a series of high expectations in respect of a careful evaluation of the risks derived from a wide due-diligence process on business partners. In this respect, we consider that the biggest challenge will be to reduce the gap between the due diligence as it is currently carried out on the identification of beneficial owners and the due diligence process which is needed to satisfy the obligations imposed by the Law and the Directive to identify beneficial owners.


© 2002–2025 McGregor & Partners Bucharest & Sofia. All rights reserved.
