anonym.legal

ANSPDCP and Romanian GDPR: Why CNP Detection with Checksum Validation Is Non-Negotiable

ANSPDCP found 78% of tools miss Romanian CNP with proper validation. CNP encodes gender, birth date, and birth county — GDPR special category implications. Romanian language NER for GDPR-compliant processing.

March 7, 2026 | 7 min read
Tags: Romania ANSPDCP, CNP checksum validation, Romanian GDPR, BPO compliance, Romanian identifiers

Romania's Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) published a 2024 technical assessment with a striking finding: 78% of PII tools deployed in Romanian outsourcing operations fail to detect the Cod Numeric Personal (CNP) with proper checksum validation. For a country processing EU citizen data at scale for Western European clients, this creates systemic compliance exposure.

CNP: Romania's Richest Personal Identifier

The CNP is a 13-digit national identification number:

  • Digit 1: Gender and century code (1=male 1900-1999, 2=female 1900-1999, 5=male 2000+, 6=female 2000+, 7=male foreign resident, 8=female foreign resident, 9=other resident)
  • Digits 2-3: Last two digits of birth year
  • Digits 4-5: Birth month (01-12)
  • Digits 6-7: Birth day (01-31)
  • Digits 8-9: County code (01-52, corresponding to Romania's 41 counties + Bucharest sectors)
  • Digits 10-12: Sequential birth number within day and county
  • Digit 13: Check digit (weighted sum modulus 11)

The CNP encodes gender, birth date (complete), birth county, and citizenship status — making it one of Europe's most information-rich national identifiers. The gender encoding in digit 1 makes CNP a de facto special category indicator under GDPR Article 9 (revealing biological sex), requiring heightened protection.

Checksum validation: The check digit algorithm multiplies the first 12 digits by weights (2,7,9,1,4,6,3,5,8,2,7,9), sums the products, takes modulo 11. If the result is 10, the check digit is 1. If the result is 11, the CNP is invalid. Otherwise the check digit equals the result.

78% of tools miss this validation, which produces both false positives (any 13-digit number gets flagged) and false negatives (corrupted CNP numbers match the pattern but fail the checksum, so they are never surfaced as potentially invalid data requiring review).
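The field layout and check digit rule above can be turned into a detector that separates the three outcomes this section describes. The following is an added example, not code from ANSPDCP or from any particular tool; the function names, the verdict labels and the sample text are assumptions made for illustration, and the century codes 3/4 are not listed on this page.

```python
import re
from datetime import date

# Weights for the first 12 digits, as listed in the text above.
WEIGHTS = (2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9)
# First digit -> century. 1/2 and 5/6 come from the list above; 3/4 (1800-1899)
# are not on the page. Digits 7-9 (residents) carry no century information.
CENTURY = {1: 1900, 2: 1900, 3: 1800, 4: 1800, 5: 2000, 6: 2000}
# 13 digits starting 1-9 that are not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)[1-9]\d{12}(?!\d)")
FIELDS = ((0, 1), (1, 3), (3, 5), (5, 7), (7, 9))  # S, YY, MM, DD, county


def check_digit(first12: str) -> int:
    """Weighted sum mod 11. The remainder is 0..10, and 10 maps to 1."""
    r = sum(int(d) * w for d, w in zip(first12, WEIGHTS)) % 11
    return 1 if r == 10 else r


def plausible_fields(cnp: str) -> bool:
    """True if the county code and birth date fields are in range."""
    s, yy, mm, dd, county = (int(cnp[a:b]) for a, b in FIELDS)
    if not 1 <= county <= 52:
        return False
    # Residents: century unknown, so test against a leap year (29 Feb allowed).
    year = CENTURY[s] + yy if s in CENTURY else 2000
    try:
        date(year, mm, dd)
    except ValueError:
        return False
    return True


def classify(text: str) -> list:
    """Return (candidate, verdict) for each 13-digit candidate in text."""
    out = []
    for c in CANDIDATE.findall(text):
        if not plausible_fields(c):
            verdict = "not_cnp"   # some other 13-digit number
        elif check_digit(c[:12]) == int(c[12]):
            verdict = "cnp"       # valid: redact or pseudonymize
        else:
            verdict = "review"    # CNP-shaped but checksum fails
        out.append((c, verdict))
    return out

# Constructed sample text; the numbers were made up for this example.
SAMPLE = ("Angajat: CNP 1800101221144; comanda nr. 4006381333931; "
          "CNP introdus gresit: 1800101221145.")
```

Running `classify(SAMPLE)` marks the first number as a CNP, rejects the order number because its month field is out of range, and routes the mistyped CNP to review instead of silently dropping it.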

Romanian Language NER: The Missing Layer

Beyond CNP, Romanian language processing creates specific NER challenges:

Romanian diacritics: Romanian uses characters ș (s-cedilla), ț (t-cedilla), ă, â, and î. Tools trained on non-Romanian text may fail to recognize Romanian names that contain these characters. Encoding issues (UTF-8 vs. Latin-2) in legacy Romanian documents create additional detection challenges.
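The encoding problem can be made concrete: ISO-8859-2 (Latin-2) contains only the cedilla forms of s and t, while Romanian text in Unicode normally uses the comma-below forms, so the same name arrives as different code points depending on the file's age. The following added example (not part of the original article; the function names, the name list and the sample bytes are assumptions) decodes both encodings and normalizes names before lookup.

```python
import re
import unicodedata

# ISO-8859-2 (Latin-2) only has the cedilla letters (U+015E/F, U+0162/3);
# Romanian text in Unicode normally uses comma-below (U+0218..U+021B).
CEDILLA_TO_COMMA = str.maketrans("\u015e\u015f\u0162\u0163",
                                 "\u0218\u0219\u021a\u021b")


def decode_romanian(raw: bytes) -> str:
    """Decode bytes as UTF-8, else as Latin-2, then unify s/t diacritics."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: a non-UTF-8 legacy file is Latin-2.
        text = raw.decode("iso8859_2")
    # NFC merges base letter + combining mark into one code point.
    return unicodedata.normalize("NFC", text).translate(CEDILLA_TO_COMMA)


def match_key(name: str) -> str:
    """Case- and diacritic-insensitive key for gazetteer lookup."""
    decomposed = unicodedata.normalize("NFD", name)
    bare = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return bare.casefold()


def find_names(raw: bytes, gazetteer) -> list:
    """Return tokens of the decoded text whose key is in the gazetteer."""
    keys = {match_key(n) for n in gazetteer}
    tokens = re.findall(r"[^\W\d_]+", decode_romanian(raw))
    return [t for t in tokens if match_key(t) in keys]


# Constructed sample: the same made-up name in a Latin-2 and a UTF-8 file.
LATIN2_DOC = b"Pacient: \xaatefan \xde\xe3ranu"
UTF8_DOC = "Pacient: \u0218tefan \u021a\u0103ranu".encode("utf-8")
GAZETTEER = {"\u0218tefan", "\u021a\u0103ranu"}   # hypothetical name list
```

Because `match_key` strips all diacritics, it also matches names typed without them, at the cost of occasional collisions between words that differ only by a diacritic.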

Romanian address formats: "Strada" (abbreviated "Str."), "Bulevardul" (abbreviated "Bd."), "Aleea" (abbreviated "Al."), "Calea" (abbreviated "Cal.") for street types. Romanian localities include both cities (municipii) and communes (comune) with naming conventions different from Western European address formats.

Romanian name patterns: Romanian names follow specific patronymic and grammatical conventions. The same name appears in different grammatical cases depending on its grammatical role in the sentence (nominative, genitive-dative). NER models must handle case variation to correctly identify Romanian names across document contexts.

ANSPDCP's Enforcement Pattern

ANSPDCP's enforcement cases follow a consistent pattern that reveals the specific technical failures leading to violations:

BPO data breach cases: Call center or IT support organizations suffer a data breach. Investigation reveals that shared files containing Romanian employee CNP numbers and EU customer personal data were stored without adequate encryption. The breach scope assessment is hampered by inadequate logging — the organization cannot determine exactly which records were accessed.

Healthcare data exposure: Patient records containing CNP numbers, health card numbers, and diagnosis information are inadvertently shared with unauthorized parties (emailed to wrong recipient, posted to incorrect cloud folder). The CNP numbers were not detected or pseudonymized before sharing because the organization's PII tool did not include Romanian identifier support.

Cross-border transfer without safeguards: A Romanian BPO organization transfers EU customer data (including CNP-linked records) to an Indian subprocessor for data entry or processing, without an adequate Transfer Impact Assessment and Standard Contractual Clauses. CNP numbers in transferred files create GDPR special-category transfer exposure.

For Romanian GDPR compliance: CNP detection with modulo-11 checksum validation, Romanian language NER with diacritic-aware processing, and Romanian national ID card detection are the technical baseline that ANSPDCP's enforcement record shows is required.
