bnt attorneys for CEE close.straight.forward

Romania: Electronic Archiving

Electronic Archiving of Documents by Companies in Their Own Name
Today, companies increasingly favour the use of documents in electronic form, so that digitalization of day-to-day activities is becoming an imperative.
Under applicable law, archiving of certain documents resulting from company activities is obligatory, so that documents in electronic form are also subject to this obligation.
On this matter, please find below the requirements laid down by the applicable law in respect of electronic document archiving.

1. Electronic document archiving
Any natural or legal person can file documents electronically for storage in an electronic archive.1 Thirty days before starting activities related to electronic document archiving, those planning to provide electronic archiving services must notify the regulatory and supervisory authority specialized in the field of the starting date of the activities.
In interpreting the legal provisions, taking into consideration that Law no. 135/2007 refers to the “supply of electronic archiving services”, it may be inferred that electronic archiving can only be done by outsourcing.
Nevertheless, companies may carry out archiving activities in relation to their own electronic documents both in their own name and through suppliers of electronic archiving services.2
So, since activities related to electronic document archiving may also be carried out in the company’s own name, outsourcing electronic archiving is not a requirement.

2. Requirements on electronic document archiving in the company’s own name
In order to manage the electronic archiving system and archived electronic documents under an electronic archive, companies must first obtain accreditation from the Ministry of Communications and Information Society (“MCSI”).3 With MCSI accreditation, companies also become managers of the electronic archive (“Manager/s”).
Companies that plan to become Managers must notify the MCSI in this respect 30 days before starting this activity by filling out a standard form drawn up by the MCSI.
Along with the notice, applicants must provide the MCSI with the following documents that form an integral part of the notification:

a) Certification(s) with respect to the company employee/s intending to become a Manager (certifications may be held cumulatively by several employees):
(i). tertiary education diploma in the field of information technology;
(ii). qualifications / certifications attesting to the knowledge of the ISO/IEC 27001 or equivalent standards and also to prior versions thereof;
(iii). certifications / attestations in the field of database and operating system management;
(iv). qualifications / certifications in the field of archives;
b) documents attesting to the fact that the electronic archiving system complies with the following functional requirements:
(i). providing a means of control and security in relation to documents and database;
(ii). maintaining internal integrity, operation and consistency of the system and database;
(iii). ensuring unlimited retention of documents with permanent storage requirements and permanent removal of those with an expired retention period, according to the archiving list, except as provided by law;
(iv). providing processes for loading documents into the management system;
(v). providing a document search function;
(vi). providing access to documents stored in the archive by observing the defined terms of access as well as document presentation, irrespective of document format (e.g., displaying, printing format);
(vii). providing document management and deletion functions, while guaranteeing operational control with a view to eliminating the risk of unauthorized access to documents and improper document destruction;
c) the identification data of the data centre that hosts the electronic archive;
d) the policy and procedures related to data security and retention, including personal data protection policy;
e) a sworn declaration by the company’s legal representative holding the capacity of a data controller, indicating compliance with legal requirements.4

The notice and attached documents must be sent to the MCSI premises,5 notice being deemed sent if all the legal requirements regarding its transmission, form and content are met.
An applicant who sends the notice within the deadline and according to the conditions laid down6 will become a Manager as of the date mentioned in the notice standard form as the estimated date for the beginning of the activity, but not earlier than 30 days from the date when notice was sent.

3. Requirements for managing an electronic archive
As for management of an electronic archive, the Manager must create and operate an electronic register. The register’s minimal content and structure are defined by law.7
Electronic archiving of documents is governed by the same rules as those applicable to printed documents and is subject to the provisions of archiving legislation in force, with the following clarifications:
a) registration of electronic documents in the electronic archiving system certifies the official existence of those documents. The registration number assigns a unique identification to the document within the system. Once registered, the document can no longer be subject to any changes in content. At the same time as registration, an electronic document sheet must be filled out;8
b) if documents are transferred from the system or migrated from their original medium, record-keeping of the documents in the new media will include record-keeping of external media and record-keeping of the stored documents’ content. Documents with the same storage period will be grouped on an external medium;
c) the electronic document management system has to automatically generate an auditing record where all decisions and actions on a document are registered, without the possibility of change, from the document’s registration until its destruction or transfer to the National Archives;
d) documents and files that are electronically archived must be displayed in the company’s archiving list, bearing the following mention written under the “Observations” heading: “in electronic form”.

4. Requirements on the data centre (the server used for document storage)
With a view to storing electronic archives, Managers have to use data centres equipped with the necessary technical facilities and apply the necessary management and security policies and procedures in order to fulfil the following requirements:
a) the integrity and security of electronic documents;
b) the security and integrity of the area used for the equipment hosting the electronic archive;
c) information recovery after a natural calamity, according to the regulations in force.
Data centres used by Managers have to comply with certain minimum requirements and be subject to the prior authorization of the MCSI, following the procedure designed in this regard.9
Hence, generally, the procedure is carried out at the request of the parties concerned, with the following main objectives set by the MCSI during the authorization procedure, in order to check compliance with the respective requirements:
- provision of data security and integrity, in terms of physical security and access by electronic means;
- availability of the electronic archiving service and backup of stored information.

Data centre authorization takes place based on an audit by the MCSI at the expense of the data centre authorization applicant.
As for the location of the data centre, it may be either on Romanian territory or abroad. On this point, if the data centre is located abroad, the system must be audited by any of the following methods:
a) the Romanian auditor audits systems located abroad;
b) the Romanian auditor agrees to a system abroad being audited by equally qualified personnel from the respective country;
c) certification by the Romanian auditor will rely on documents/certifications issued in the country where the system operates and providing an adequate degree of assurance.
Nevertheless, the entire documentation related to the authorization procedure has to be drawn up in Romanian.
Unlike accreditation for electronic archive management purposes, whose validity is not limited to a certain period of time, the authorization order is valid for a 3-year period as of its issue. Authorization may be renewed, the reauthorization procedure being identical to the one followed for authorization purposes.
 
Source:
1 Based on Law no. 135/2007 on the electronic archiving of documents, republished, as subsequently amended and supplemented (“Law no. 135/2007”).
2 According to Order no. 493/2009 regarding the technical and methodological rules for implementing Law no. 135/2007 on the electronic archiving of documents (“Order no. 493/2009”).
3 For the purpose of Order no. 493/2009.
4 Law no. 190/2018 on the measures for implementation of Regulation (EU) 2016/679 on protection of natural persons with regard to processing of personal data and on the free movement of such data.
5 In compliance with the procedures set forth in Order no. 493/2009.
6 In Order no. 493/2009.
7 Order no. 493/2020.
8 In compliance with Law no. 135/2007 on the electronic archiving of documents, republished, as subsequently amended and supplemented (“Law no. 135/2007”).
9 According to Order no. 489/2009 on detailed provisions for data centre authorization (“Order no. 489/2009”).