Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

WEB ANALYTICS · COOKIE COMPLIANCE · EASTERN EUROPE · RO

Romania — analytics & cookie compliance reference

What you can run on a Romanian-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. ANSPDCP enforcement is moderate but consistent, with many SME-targeted actions and a firm expectation that privacy notices be available in Romanian.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Romania. Sectoral rules (healthcare, banking, telecoms) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

Legea nr. 190/2018 · Stricter
Legea nr. 190/2018 privind măsuri de punere în aplicare a Regulamentului (UE) 2016/679
National GDPR implementation act. Sets the Romanian-specific permissions for special-category data, employee monitoring conditions, child-consent age, public-authority sanctioning regime, and ANSPDCP procedural powers. Romania kept the GDPR child-consent age at 16 (Art. 8 GDPR default) — no derogation downward.
  • Art. 2 Special-category data — additional safeguards (DPO + 2-year policy review + staff training register) when processing genetic/biometric/health data for non-medical purposes
  • Art. 5 Employee monitoring — proportionality test, 30-day max retention for monitoring records, prior consultation of employees, written internal policy
  • Art. 6 Personal-identification-number processing (CNP) — restricted legal bases; consent alone is generally insufficient
  • Art. 13–14 Public-authority sanctioning regime — corrective plan instead of fine on first instance, capped administrative fines (200,000 RON)
Monitorul Oficial Partea I nr. 651 din 26 iulie 2018
Legea nr. 506/2004
Legea nr. 506/2004 privind prelucrarea datelor cu caracter personal și protecția vieții private în sectorul comunicațiilor electronice
Romanian transposition of the ePrivacy Directive. Article 4(5) governs cookies and storage/access on terminal equipment — prior, informed opt-in is required for any non-strictly-necessary tracking technology. Article 12 governs unsolicited commercial communications — opt-in baseline with a narrow soft opt-in for existing customers.
  • Art. 4(5) Cookies + terminal-equipment access — prior informed consent required; analytics, marketing, A/B testing never qualify as strictly necessary
  • Art. 12 Direct marketing — opt-in for email/SMS, soft opt-in for similar products to existing customers, opt-out at every contact
  • Art. 13 Sanctioning regime — ANSPDCP and ANCOM joint competence over electronic-communications privacy
Monitorul Oficial Partea I nr. 1101 din 25 noiembrie 2004; modified by Legea 235/2015 to align with the ePrivacy Directive 2009/136/EC.
Legea nr. 363/2007
Legea nr. 363/2007 privind combaterea practicilor incorecte ale comercianților în relația cu consumatorii
Consumer-protection statute that overlaps with privacy/marketing rules — misleading or aggressive commercial practices (including dark-pattern consent banners, hidden opt-outs, and pre-ticked boxes) trigger ANPC competence in addition to ANSPDCP.
  • Art. 6–9 Misleading practices — applies to deceptive cookie banners and undisclosed data uses
  • Art. 10–11 Aggressive practices — applies to dark-pattern consent flows and forced-consent walls
Monitorul Oficial Partea I nr. 899 din 28 decembrie 2007

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
ANSPDCP · Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Sole national supervisory authority for GDPR + Legea 190/2018 + cookie/ePrivacy enforcement under Legea 506/2004 (shared with ANCOM for telecoms infrastructure).

Coordination body

EDPB · European Data Protection Board
ANSPDCP participates in EDPB; Romania has no domestic federal–state coordination body since enforcement is centralized.
  • 2018-07-26 · Legea 190/2018 enacted — ANSPDCP confirms Romanian child-consent age remains at 16 (GDPR Art. 8 default, no downward derogation).
  • 2023-07-10 · EU-US DPF — ANSPDCP aligns with EDPB FAQ — DPF-certified US importers acceptable for transfers; non-DPF transfers still require TIA + supplementary measures.
  • 2024-Q4 · Cookie-banner sweep — ANSPDCP flagged dark-pattern banners (no equal-prominence reject button) in routine inspections; enforcement remained at warning + corrective-plan stage for SMEs.

Notable enforcement

ANSPDCP is best characterized as moderate but consistent. Headline fines are smaller than in Germany or France — the largest Romanian GDPR fine remains UTI Group at €290,380 — but the volume of SME-level enforcement is high, with frequent decisions in the €2,000–€25,000 range across banking, telecoms, healthcare, and retail. ANSPDCP applies a corrective-plan-first approach to public bodies (capped at 200,000 RON administrative fines under Legea 190/2018) and reserves fines for repeat or wilful violations. Romanian-language privacy notices are a recurring inspection point — ANSPDCP treats English-only notices on .ro websites as a transparency failure under Article 12 GDPR.

  1. 2020-06 · €290k · UTI Group · ANSPDCP · Art 32 · stood

     Credentials breach exposing client data; insufficient technical and organizational measures. Largest Romanian GDPR fine to date.

  2. 2019-08 · €100k · Banca Transilvania · ANSPDCP · Art 32 · stood

     Insufficient technical measures led to disclosure of personal data of bank customers. First major Romanian financial-sector GDPR fine.

  3. 2024-09 · €25k · Vodafone Romania · ANSPDCP · Art 5, 32 · stood

     Customer-data exposure via insufficient measures; corrective plan attached.

  4. 2019-07 · €15k · World Trade Center Bucharest · ANSPDCP · Art 5, 6 · stood

     Hotel scanned ID cards of breakfast-buffet attendees without lawful basis. First Romanian GDPR fine; set the SME-enforcement template.

  5. 2024-04 · €9k · BPO / call-center operator · ANSPDCP · Legea 190 Art 5 · stood

     Employee-monitoring deployment without prior consultation and without a written internal policy. Substantive monitoring lawful; procedural failure independently sanctioned.

  6. 2020-09 · €5k · Telekom Romania Mobile Communications · ANSPDCP · Art 5, 6 · stood

     Customer-account access without sufficient identity verification; representative SME-tier sanction.

GA4 status

GA4 is usable in Romania only with prior, informed, granular opt-in consent under Article 4(5) of Legea 506/2004 (ePrivacy transposition). Post-DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified — ANSPDCP follows the EDPB position. ANSPDCP has not pursued a noyb-style GA4 cluster, but cookie-banner inspections regularly flag missing equal-prominence reject buttons.

DPA · Stance
ANSPDCP · Aligned with EDPB — opt-in consent required for GA4 cookies; DPF-certified transfers acceptable; Romanian-language consent layer expected on .ro sites.

Cross-border transfers + Schrems II

Post-DPF (10 Jul 2023) ANSPDCP follows the EDPB position — DPF-certified US importers are accepted for transfers to the United States without additional Article 46 safeguards while DPF certification remains active. For non-DPF US recipients, Schrems II logic still applies and a Transfer Impact Assessment plus supplementary measures are expected. ANSPDCP enforcement on transfers is moderate — no Romanian equivalent of the Austrian noyb GA4 cluster — but documentation is checked during routine inspections.

EU 2021/914 SCCs are the standard fallback when DPF is absent or revoked. ANSPDCP expects the SCC annex to be populated with concrete categories of data, sub-processors, and TIA findings — empty templates trigger Article 32 findings.

Employee data

Key thresholds

Child consent age: 16 years
Article 27 representative: Required
Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
  [vendor not captured] · YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  [vendor not captured] · YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  [vendor not captured] · YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  [vendor not captured] · RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  [vendor not captured] · GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  [vendor not captured] · GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  [vendor not captured] · GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  [vendor not captured] · GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  [vendor not captured] · GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  [vendor not captured] · RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  [vendor not captured] · RED · Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
  [vendor not captured] · RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  [vendor not captured] · GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  [vendor not captured] · GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  [vendor not captured] · YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
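The GA4 status section and the vendor notes above make the same point from different angles: opt-in must be granular and prior, a CMP that auto-blocks third-party scripts does not cover hand-placed tags, and server-side routing does not remove the need to gate browser-side pings. The following is an added example, not code from the page or from any vendor or CMP, of a small consent gate that enforces those rules. It models Google Consent Mode v2 defaults (all four v2 keys start "denied"), keeps a registry of every tag so manually placed scripts are gated too, and checks consent on every event rather than only at load time. The measurement id G-XXXXXXXX and the pixel URL are placeholders, the CMP that calls update() is hypothetical, and the browser environment (dataLayer, script injection) is injected so the logic runs headless as well as in a page.

```javascript
// Added example: consent gate for a browser tag stack (not from the page or any vendor).
// Assumptions: G-XXXXXXXX and the pixel URL are placeholders; a hypothetical CMP
// calls gate.update() with the purposes the visitor actually ticked.

// Every script the site runs is registered here, including hand-placed ones,
// so the gate (not the CMP's auto-blocker) decides whether it may load.
const TAGS = Object.freeze([
  { id: "ga4", purpose: "analytics", url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXX" },
  { id: "ad_pixel", purpose: "marketing", url: "https://example.invalid/pixel.js" }, // placeholder
]);

// Everything except strictly necessary starts denied: no pre-ticked boxes.
const DEFAULT_CONSENT = Object.freeze({ necessary: true, analytics: false, marketing: false });

// Map the banner's purposes onto the four Consent Mode v2 keys.
function consentModeSignals(consent) {
  const analytics = consent.analytics ? "granted" : "denied";
  const marketing = consent.marketing ? "granted" : "denied";
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

class ConsentGate {
  // env = { dataLayer: Array, loadScript(url) }. In a real page dataLayer is
  // window.dataLayer and loadScript appends a <script> element.
  constructor(env) {
    this.env = env;
    this.consent = { ...DEFAULT_CONSENT };
    this.loaded = new Set();
    // The default-denied state is pushed first, before any tag can run.
    this.env.dataLayer.push(["consent", "default", consentModeSignals(this.consent)]);
  }

  // Apply the visitor's choice. Only an explicit boolean true grants a purpose;
  // a missing or non-boolean value (e.g. "reject all") stays denied.
  update(choice) {
    this.consent = {
      necessary: true,
      analytics: choice.analytics === true,
      marketing: choice.marketing === true,
    };
    this.env.dataLayer.push(["consent", "update", consentModeSignals(this.consent)]);
    this.loadPermittedTags();
    return { ...this.consent };
  }

  // Withdrawal / "reject all" takes the same path with nothing ticked, so the
  // reject button is functionally equivalent to the accept button.
  withdraw() {
    return this.update({});
  }

  // Load each registered tag at most once, and only once its purpose is granted.
  loadPermittedTags() {
    for (const tag of TAGS) {
      if (this.consent[tag.purpose] && !this.loaded.has(tag.id)) {
        this.env.loadScript(tag.url);
        this.loaded.add(tag.id);
      }
    }
  }

  // Per-event gate, to be checked by every sender (including pings routed to a
  // server-side container). A loaded script cannot be unloaded after withdrawal,
  // so load-time gating alone is not enough.
  allowed(tagId) {
    const tag = TAGS.find((t) => t.id === tagId);
    return tag !== undefined && this.consent[tag.purpose] === true;
  }
}

// Headless environment for a self-check; a real page passes window.dataLayer
// and a loadScript that injects the <script> element.
function makeTestEnv() {
  return { dataLayer: [], loadedUrls: [], loadScript(url) { this.loadedUrls.push(url); } };
}
```

Usage in a page: construct the gate before any tag script is in the document, have the CMP call gate.update() with the ticked purposes, and wrap each event sender in `if (gate.allowed("ga4")) { ... }`. The test environment records which URLs were loaded so the "nothing fires before consent" property can be checked in CI.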

Common questions

Is Google Analytics legal in Romania in 2026?
Yes, conditionally. GA4 is usable in Romania only with prior, informed, granular opt-in consent under Article 4(5) of Legea 506/2004 (the Romanian ePrivacy transposition). After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Without consent — or if DPF certification lapses — ANSPDCP treats GA4 as non-compliant in line with the EDPB position.
How is ANSPDCP structured and how does it enforce?
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) is the single national supervisory authority for both GDPR and Legea 190/2018, with shared competence over Legea 506/2004 alongside ANCOM. There is no federal–state structure — enforcement is centralized in Bucharest. ANSPDCP applies a corrective-plan-first approach to public bodies (capped at 200,000 RON under Legea 190/2018) and reserves administrative fines for the private sector and for repeat or wilful violations.
Why does ANSPDCP issue so many small fines?
ANSPDCP runs a high-volume SME-enforcement programme — hundreds of public decisions in the €2,000–€25,000 range across banking, telecoms, healthcare, BPO, hospitality, and retail. The pattern is by design: ANSPDCP prioritizes coverage and deterrence over headline amounts, so the largest Romanian GDPR fine remains UTI Group at €290,380 (2020) while the median enforcement target is a SME with an Article 32 or Article 12 transparency gap.
Must my privacy notice be in Romanian?
In practice, yes, for any website or app targeting Romania. ANSPDCP has consistently treated English-only notices on .ro websites as a transparency failure under Article 12 GDPR. The targeting test mirrors GDPR Article 3(2) — Romanian-language site content, .ro domain, RON pricing, and Romanian-language marketing all signal targeting. Cookie banners must also be available in Romanian.
What is the child-consent age in Romania?
16, the GDPR default. Romania did not exercise the Article 8(1) GDPR derogation to lower the age — Legea 190/2018 retains 16 as the threshold for valid consent in information-society services offered directly to a child. Below 16, parental authorization is required for consent-based processing (other lawful bases such as contract or legitimate interest may still apply on their own terms).
Are there special rules for processing health, biometric, or genetic data in Romania?
Yes. Legea 190/2018 Article 2 imposes additional safeguards on top of GDPR Article 9 when special-category data is processed for non-medical purposes — a designated DPO, a documented privacy policy reviewed at least every two years, training of staff handling the data, and a register of trainings. Healthcare data processing for medical purposes follows GDPR Article 9(2)(h) directly, supplemented by the sectoral health-data law.
What about employee monitoring and analytics on staff?
Article 5 of Legea 190/2018 sets four cumulative requirements for any employee monitoring (including web-analytics on internal dashboards, productivity-tracking pixels, and server-side logs of staff behavior): (1) proportionality and prior necessity assessment, (2) maximum 30-day retention of monitoring records, (3) prior consultation of employees, and (4) a written internal policy. ANSPDCP has sanctioned BPO and healthcare operators for skipping the consultation or policy step — the substantive monitoring may be lawful, but the procedural failure is independently fineable.
Do I need a Romanian Article 27 representative?
Yes if you are a non-EU controller offering goods or services to, or monitoring behavior of, people in Romania (or any other EEA state), unless the small-business exception in Article 27(2) applies. ANSPDCP checks for designation during cross-border investigations and accepts an Article 27 representative based in any EEA state — it does not need to be Romania-specific, but the representative must be reachable in Romanian or English and able to interface with ANSPDCP.
Is double opt-in required for email marketing in Romania?
Article 12 of Legea 506/2004 requires prior opt-in consent for direct-marketing email and SMS to subscribers. While the law speaks of a single 'prior consent', double opt-in (confirmation email after sign-up) is the established market standard and a strong evidentiary safeguard against ANSPDCP and ANPC challenges. A narrow soft opt-in for similar products to existing customers is permitted, with opt-out at every contact.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23), and ANSPDCP follows the EDPB position. For non-DPF US recipients, Schrems II logic still applies — Transfer Impact Assessment plus supplementary measures are required, and ANSPDCP routinely checks SCC annexes during inspections (empty templates trigger Article 32 findings).

// EDITORIAL · NOT LEGAL ADVICE This page summarises Romania's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.