- Introduction
There is more and more talk in the domestic space about GDPR. What is it and why should we care about how our personal data is processed?
GDPR stands for General Data Protection Regulation. It is a European regulation[1]which became law in Romania on 25 May 2018[2]. At this point it is important to note that the regulation has individuals at its core and has (or should have) greater control of their personal data and the means of processing it.
More than 5 years after the personal data protection reform (NB the idea of personal data protection is not a new concept in European law[3]) we cannot help but wonder how informed Romanian citizens actually are about the rights conferred by the Regulation, how much control they have over the processing of their personal data and what are the means by which the Romanian state makes the application of the GDPR effective also towards persons belonging to vulnerable groups.
In the following we will detail some considerations regarding the right to information of persons with intellectual and psychosocial disabilities as guaranteed by the GDPR.
| Intellectual disability | According to the World Health Organization, it refers to those persons having a significantly reduced ability to understand new or complex information and to learn and apply new skills (i.e. intelligence is impaired) or to cope independently (i.e. social functioning is impaired) and began before adulthood and has a lasting effect on development. |
| Psychosocial disability | A psychosocial disability is a limitation that arises due to a mental health problem. |
2. About the CRPD – preliminary issues
In 2010, the European Union acceded to the Convention on the Rights of Persons with Disabilities[4] (CRPD), thus becoming the first legally binding international instrument to which the Union is a party. In implementing the Convention, States Parties (including the European Union as a body in its own right, and Romania as a State Party) undertake to ensure and promote the full enjoyment of all human fundamental rights and freedoms for all persons with disabilities, without discrimination on the basis of disability.
An essential mechanism, both at European and national level, is independent monitoring of the implementation of the CRPD. Article 33[5] of the Convention sets the framework for the implementation of the specific requirements of independent monitoring mechanisms, recognising the role of civil society[6] and in particular of persons with disabilities in actively monitoring the implementation of the Convention.
The CRPD Committee underlined[7] that an essential aspect of independent monitoring is to observe and bring to the attention of decision-makers the gaps that prevent persons with disabilities, as rights-holders, from fully enjoying their rights. Article 31[8] of the Convention places an obligation on States Parties to collect personal data to facilitate the implementation of the provisions of the CRPD, mentioning that the process shall comply with ‘, a) safeguards established by law, including data protection legislation, to ensure the confidentiality and anonymity of persons with disabilities;’. It is interesting to note that this is the first UN human rights convention to include a specific article on the collection of personal and statistical data. The obligations imposed on states by Article 31 were detailed in a report [9]of December 2021 by the Office of the UN High Commissioner for Human Rights which states that ”data protection laws and policies should include persons with disabilities” and goes on to emphasise that States should use privacy and data protection principles when developing principles that may affect persons with disabilities.
3. About the right to information under GDPR
The GDPR Regulation gives the individual several rights. The rights under data protection law can be exercised by the person whose rights are at stake – the data subject[10]. However, other persons – who meet the necessary requirements under national law, may represent data subjects in exercising their rights. Thus, under Romanian law, minors and persons with disabilities placed under interdiction [11] (or who benefit, according to Law 140/2022[12] of judicial advice or special guardianship) must be represented by a guardian or protector.
What is the right to information? Article 13 of the Regulation states that the data subject must be informed, among other things, of what data are being processed, why, for what purposes, to whom they are disclosed and what rights they have.
How does this work in practice? Although Article 12 of the Regulation requires the personal data controller [13] to communicate the information referred to in Article 13 in a “concise, transparent, comprehensible and easily accessible form, using clear and plain language”, this remains a desideratum, far from being implemented in practice.
A concrete example of violation of the European provision is found in the beneficiary’s own file[14] which, for the accuracy of the information, we attach to this article; following the unannounced monitoring visits carried out with CLR, we found numerous situations in which residents (i.e. persons with institutionalised disabilities) had signed acknowledgement of the provisions on the processing of their personal data (!), including persons placed under a judicial interdiction. Asked how this information was achieved in practice, the authorities had a uniform answer – by signing a page listing the provisions of the GDPR. In order to respect the right to privacy of the person with a disability who signed the personal data processing agreement, we anonymised their name, surname and signature; however, the data subject was, at the time of the monitoring visit, a person under a judicial interdiction – who does not have the right to decide where they live, what they eat one day or what job they choose, but has the capacity to understand the implications of the GDPR. Should we also ask about the validity of such consent for those placed under interdiction?
Personal data controllers, i.e. the Ministry of Labour and Social Solidarity, the National Authority for the Protection of Persons with Disabilities, the General Directorates for Social Assistance and Child Protection and even Social Care Homes with legal personality, must pay particular attention to ensuring that persons with intellectual disabilities understand that they have certain rights and how they can exercise them. Of course, this requires the authorities involved in the care of persons with disabilities to be proactive in providing information in easily accessible formats that facilitate the exercise of these rights. In almost 2 years of monitoring visits, we have never come across such a case where the beneficiary’s file contains a minimum of information in an easily accessible format, and the websites of the above-mentioned authorities are lacking in terms of the existence of guides to make the GDPR provisions accessible to persons with disabilities.
Also, where the institutionalised person with an disability has a guardian, the guardian should be aware of the rights they can exercise on behalf of the vulnerable person. Given the many situations[15] where guardians are appointed from among the heads of centres, social workers or even directors of the DGASPC, and the obvious conflict of interest that exists between the person who is required to provide care and facilitate the reintegration of the person with a disability into society and the interest in exercising the rights in the Regulation on behalf of the vulnerable person, we consider that these situations are not encountered in national practice.
Both the European Regulation and the CRPD have tried to balance the protection of the fundamental right to privacy against the collection of personal data (which is also important for persons with disabilities when determining their individual rehabilitation and social integration programme). Persons with disabilities are at a crossroads between the power given to individuals by the GDPR to control their personal data and the intrinsic vulnerability that lack of accessibility again puts between them and their rights. The services offered by the Romanian state further avoid putting the person with disabilities at their centre and deprive them of access to their fundamental rights.
Here are some ways in which the GDPR could be made easily accessible to persons with disabilities:
- The information must be provided in simple and clear language;
- Accessible information includes the layout of headings and paragraphs on a page; an appropriate way to inform can be achieved with a pleasant, airy font;
- The use of standardised icons is encouraged when it can facilitate the comprehensibility and accessibility of information;
- Where persons with comprehension difficulties request to be informed about the processing of their personal data, the controller shall take steps to facilitate the understanding of this information, including by presenting it orally[16] where possible, e.g. by recording pre- defined oral messages.
Author: Oana Dodu
[1] Regulation (EU) 2016/697 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, available here
[2] Law on implementing measures of EU Regulation 2016/697, available at: https://legislatie.just.ro/Public/DetaliiDocument/203151
[3] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] Romania ratified the Convention by Law No 221/2010, available at: https://legislatie.just.ro/Public/DetaliiDocumentAfis/123948
[5] Article 33- National implementation and monitoring
[6] For the work of the CLR in this area, please see the page dedicated to unannounced monitoring visits: www.crj.ro/rapoarte-de-monitorizare-si-raspunsuri/
[7] Implementation of the UN Convention on the Rights of Persons with Disabilities – Guide for National Independent Monitoring Mechanisms developed by the FRA (EU Agency for Fundamental Rights), 2023, p 5
[8] Article 31- Statistics and data collection
[9] The report is available here: www.ohchr.org/sites/default/files/2022-06/G2139630- Accesible.pdf
[10] The GDPR specifies that data subjects of the Regulation are identified or identifiable natural persons.
[11] Placing under interdiction has been declared unconstitutional in Romania by CCR decision no. 601/2020 and we will refer to persons under interdiction as those with a final judgment of interdiction pending review under Law no. 140/2022.
[12] Law No. 140 of 17 May 2022 on some protection measures for persons with intellectual and psychosocial disabilities, available here.
[13] “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
[14] The personal file of the beneficiary contains, at least, the following documents: application for admission, signed by the beneficiary/family representative, in original; admission decision, approved/approved by the head of the centre/provider representative, in original; identity card of the beneficiary; service provision contract signed by the parties, in original; individualized recovery and reintegration plan, etc.
[15] For a detailed analysis of the situations in which the person placed under interdiction and the appointed guardian are most often in a conflict of interest, please refer to the Diagnoza situației persoanelor cu dizabilități în România (2021), page 71, available here
[16] WP29 Guidelines on transparency, para. 21, available in English here: https://ec.europa.eu/newsroom/article29/items/622227
