
ANSPDCP Romania: Why Romania's BPO Sector Faces Disproportionate GDPR Risk — CNP Detection and Compliance

Romania's BPO sector processes 2.3M EU customer records daily. ANSPDCP issued €1.8M in fines 2022-2024. 78% of tools miss Romanian CNP with proper validation. What outsourcing firms must implement.

March 7, 2026 · 8 min read
Tags: Romania ANSPDCP, CNP detection, BPO GDPR, Eastern Europe compliance, outsourcing data protection

Romania's Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) is overseeing a compliance transformation in one of the EU's fastest-growing tech and outsourcing sectors. Bucharest, Cluj-Napoca, and Iași process EU citizen data from Germany, France, the UK, and the Netherlands at scale — and ANSPDCP enforcement is trending sharply upward.

ANSPDCP issued €1.8 million in GDPR fines between 2022 and 2024, with the BPO/outsourcing sector representing the highest concentration of enforcement cases.

The Romanian BPO GDPR Exposure Profile

High-volume personal data processing: Call centers processing billing disputes handle names, addresses, account numbers, payment history, and service usage data. IT support services access customer system configurations containing personal data.

EU citizen data in Romanian hands: Data subjects are primarily German, French, Dutch, or British citizens. When things go wrong, affected data subjects escalate to their home DPA — creating cross-border enforcement exposure from BfDI, CNIL, ICO, or AP NL in addition to ANSPDCP jurisdiction.

Subprocessor chain complexity: ANSPDCP found 45% of Romanian enterprises lack adequate Data Processing Agreements with their subprocessors. These agreements must specify the technical measures the subprocessor will implement.

Access revocation failures: The BPO sector has high employee turnover. ANSPDCP repeatedly finds that former employees retain active credentials weeks after departure, a recurring violation in Romanian enforcement cases.

The CNP: Romania's Primary PII Identifier

The Cod Numeric Personal (CNP) is a 13-digit national identification number encoding:

  • Digit 1: Gender and century (1=male 1900-1999, 2=female 1900-1999, 5=male 2000+, 6=female 2000+, 7=male foreign resident, 8=female foreign resident)
  • Digits 2-7: Birth date (YYMMDD)
  • Digits 8-9: County of birth code
  • Digits 10-12: Sequential number
  • Digit 13: Check digit (weighted modulus 11)

The CNP encodes gender, birth date, birth region, and citizenship status — making it far richer in personal information than most Western European identifiers. ANSPDCP has classified CNP as requiring heightened protection approaching special category status.

The detection problem: ANSPDCP's 2024 enforcement review found 78% of PII tools deployed in Romanian outsourcing fail to detect CNP with proper checksum validation. The consequences:

  • CNP numbers in customer records, employee files, and ID scan copies go undetected
  • Data shared with Western European parent companies for analytics or AI training contains identifiable Romanian citizens
  • Post-breach analysis reveals CNP exposure in data certified as "anonymized"
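
The structure and checksum rules above, as a detector that only reports 13-digit runs passing full validation. This is an added example, not code from the original article or from any tool it refers to. It assumes the standard CNP control key 279146358279 (the page says only "weighted modulus 11") and goes beyond the page's first-digit list by also accepting 3/4 (born 1800-1899) and 9 (foreign citizen); the function names and sample text are constructed for illustration.

```python
import re
from datetime import date

# Standard CNP control key 279146358279 (assumption: not given on the page).
WEIGHTS = (2, 7, 9, 1, 4, 6, 3, 5, 8, 2, 7, 9)
# First digit -> candidate birth centuries. 1, 2, 5, 6, 7, 8 are listed on the
# page; 3/4 (1800-1899) and 9 (foreign citizen) are added here. Digits 7-9 do
# not fix the century, so both are tried.
CENTURIES = {"1": (1900,), "2": (1900,), "3": (1800,), "4": (1800,),
             "5": (2000,), "6": (2000,),
             "7": (1900, 2000), "8": (1900, 2000), "9": (1900, 2000)}
# Exactly 13 ASCII digits, not embedded in a longer digit run (card numbers etc.).
CANDIDATE = re.compile(r"(?<![0-9])[0-9]{13}(?![0-9])")


def cnp_check_digit(body: str) -> int:
    """Check digit for the first 12 digits: weighted sum mod 11, with 10 mapped to 1."""
    remainder = sum(int(d) * w for d, w in zip(body, WEIGHTS)) % 11
    return 1 if remainder == 10 else remainder


def has_valid_birth_date(cnp: str) -> bool:
    """True if digits 2-7 (YYMMDD) form a real date in a century allowed by digit 1."""
    yy, mm, dd = int(cnp[1:3]), int(cnp[3:5]), int(cnp[5:7])
    for century in CENTURIES.get(cnp[0], ()):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            continue
    return False


def is_valid_cnp(cnp: str) -> bool:
    """Structure, calendar date and checksum; the county code range is not checked."""
    if not re.fullmatch(r"[0-9]{13}", cnp):
        return False
    return has_valid_birth_date(cnp) and cnp_check_digit(cnp[:12]) == int(cnp[12])


def find_cnps(text: str) -> list[str]:
    """Return every 13-digit run in text that passes full CNP validation."""
    return [m.group() for m in CANDIDATE.finditer(text) if is_valid_cnp(m.group())]


# Constructed sample: one valid CNP, one with a wrong check digit, one with an
# impossible date, and a 16-digit card-like number.
SAMPLE = ("Client Popescu Ion, CNP 1800101221232; ref 1800101221239; "
          "comanda 1234567890123; card 4111111111111111")

if __name__ == "__main__":
    print(find_cnps(SAMPLE))
```

A bare 13-digit pattern match would flag three of the four numbers in the sample; date and checksum validation is what separates the real CNP from order numbers and internal references.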

ANSPDCP's 2024-2025 Enforcement Priorities

Call center audio recording: ANSPDCP has targeted recording practices that lack adequate retention schedules or access controls. Recordings retained "indefinitely for compliance" without documented purpose and deletion schedules violate GDPR.

Healthcare data outsourcing: Romanian companies processing medical records, insurance claims, or prescription data for Western European clients face the highest fine exposure. Healthcare data (Article 9 special category) requires an explicit legal basis, a DPIA, and heightened technical measures.

Access control and logging: ANSPDCP audits consistently identify inadequate logging, where organizations cannot demonstrate what data was accessed, by whom, and when. For Romanian BPO companies handling EU customer data, access logs must be comprehensive enough to determine the scope of a breach in the event of an incident.

Romanian Language: The Missing Layer

Beyond CNP, Romanian documents contain identifiers that generic tools miss:

Cartea de identitate (CI): Romanian national ID card with unique number format. Scanned copies in customer onboarding files require detection.

Romanian-language NER: Customer correspondence, support tickets, and internal documents in Romanian require Romanian-language natural language processing. Tools relying on English NLP applied to Romanian text underperform significantly.

Address formats: Romanian address conventions ("Strada," "Bulevardul," "Numărul") differ from Western European formats and are often mishandled by NLP models trained on English or German.

For Romanian outsourcing organizations: CNP detection with checksum validation, Romanian national ID and passport detection, Romanian language NER, and documented subprocessor management are the four capabilities that satisfy ANSPDCP's technical adequacy standard.
