Enforcement of the Data Protection Law is done by the data protection authority – CNPD.

Moreover, the Data Protection Law sets out criminal and civil liability as well as additional sanctions for breaches of the provisions of said statute.

Civil liability

Any person who has suffered pecuniary or non-pecuniary loss as a result of any inappropriate use of personal data has the right to bring a civil claim against the relevant party. 

Criminal liability

The DPL provides that all of the following constitute criminal offences:

• a failure to notify or to obtain the authorization of the DPA prior to commencing data processing operations that require such authorization
• provision of false information in requests for authorization or notification
• misuse of personal data (ie processing personal data for different purposes than those for which the notification / authorization was granted)
• the interconnection of personal data without the authorization of the DPA
• unlawful access to personal data
• a failure to comply with a request to stop processing personal data.

These offences are punishable with a term of imprisonment of up to 2 years or a fine of up to 240 days.

Additional sanctions

The DPL also lays down sanctions that can be imposed in addition to criminal and civil liability, namely:

• a temporary or permanent prohibition on processing data
• the advertisement of a sentence applied to a specific case
• a public warning or reproach of a data controller.