Last updated: 26.02.2026
1. General provisions and scope
This Privacy Policy sets out the conditions under which the Office for Industrial Licensing (hereinafter the “Controller” or “OLI”), headquartered in Bucharest, 65 Paris Street, Sector 1, Postal Code 011815, e-mail: contact@oli.gov.ro, website: www.oli.gov.ro, registered under unique registration code 50053290, acting as a personal data controller, processes the personal data of users of the “Single Electronic Contact Point for Industrial Licensing (PCUEL) of Romania” web platform (hereinafter the “PCUEL web Platform”) in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR” or “Regulation 679/2016”);
- Law no. 190/2018, as subsequently amended, and any other national legal acts on personal data protection;
- the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
This policy applies to all natural persons who access or use the PCUEL web Platform, whether acting on their own behalf or on behalf of an institution/organization.
We reserve the right to periodically update and amend this Privacy Policy in order to reflect any changes in how we process your personal data or any changes in legal requirements. In the event of such changes, we will publish the updated version on our website; therefore, we recommend that you periodically review the content of this Privacy Policy.
2. Categories of personal data processed
For the purpose of providing services and enabling use of the web platform, the Controller may process the following categories of personal data:
2.1. Identification data
- first and last name;
- electronic signature.
2.2. National identification data
- personal numeric code (CNP) or place and date of birth for citizens who do not have an assigned CNP;
- series and number of the electronic identity card/identity card, or series and number of the passport for citizens who do not have an identity document issued by Romanian authorities, or another identity document issued by a foreign entity.
2.3. Contact data
- home address or residence;
- correspondence address;
- e-mail address;
- phone number.
2.4. Professional data (where applicable)
- position held;
- institution or organization;
- professional contact details;
- status as an economic operator (representative / authorized person).
2.5. Technical and platform usage data
- IP address;
- online identifiers;
- authentication data (username, passwords stored in encrypted form);
- access and activity logs;
- date and time of access;
- information about the browser, operating system, and device used.
2.6. Data voluntarily provided by the user
- information entered in electronic forms;
- data submitted through platform functionalities or via the communication channels made available.
3. Categories of data subjects
The categories of data subjects whose personal data are processed by the Office for Industrial Licensing through the platform are as follows:
- industrial license applicants, namely the legal representative of the economic operator or the person authorized by them, in the procedure for obtaining the single industrial license;
- project developers (the legal representative of the economic operator or the person authorized by them) for critical raw materials projects (Regulation (EU) 2024/903 – CRMA), for NZIA projects (Regulation (EU) 2024/1252), and for renewable energy projects (ESR) – Government Emergency Ordinance no. 163/2022;
- citizens who submit petitions either in their own name or through a legal representative, addressed to the Office for Industrial Licensing for resolution;
- persons signing collaboration/cooperation protocols for the performance of duties, under the applicable legislation.
4. Purposes of processing personal data
Personal data are collected and processed exclusively for specific, explicit, and legitimate purposes, such as:
- ensuring the technical operation, administration, and maintenance of the web platform;
- providing the digital and administrative services offered through the platform;
- managing user accounts and authentication processes;
- processing requests, applications, and communications submitted by users;
- fulfilling the Controller’s legal duties and administrative obligations;
- ensuring platform security and preventing unauthorized access, security incidents, and fraud;
- internal reporting and statistical analysis, without direct identification of data subjects, where possible.
The Office for Industrial Licensing processes personal data by automated/manual means for the following purposes related to its scope of activity:
- exercising the legal powers regarding the issuance of the single industrial license;
- updating the register of single industrial licenses;
- administering the PCUEL IT system;
- performing the duties of a contact point/one-stop shop for CRMA, NZIA, and ESR projects;
- organizing public communication and public relations activities;
- handling petitions/requests addressed to the institution;
- concluding collaboration/cooperation protocols for the performance of duties, under the applicable legislation, with public authorities/institutions, associations and non-governmental organizations, and, where applicable, with natural and legal persons.
The processed personal data are intended for use by the Controller/the Controller’s processors and are disclosed only upon request to public authorities and institutions, economic operators, and other legal persons for carrying out actions of general interest regulated by legal acts.
Personal data are processed securely by the Controller and by the competent authorities involved in issuing permits, approvals, consents, licenses, or other administrative acts required by law, through PCUEL, for the purpose of issuing the single industrial license in accordance with Government Emergency Ordinance no. 140/2022 regarding the single industrial license.
Furthermore, in performing the function of national contact point for NZIA and CRMA projects, the Office for Industrial Licensing processes personal data within the limits of its contact point responsibilities under Article 9 and Article 10 of Regulation (EU) 2024/1735 establishing a framework of measures for strengthening Europe’s net-zero technology manufacturing ecosystem and amending Regulation (EU) 2018/1724, as well as under Article 9 of Regulation (EU) 2024/1252 of 11 April 2024 establishing a framework for ensuring a secure and sustainable supply of critical raw materials and amending Regulations (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1724, and (EU) 2019/1020.
5. Legal basis for processing
Personal data are processed based on one or more of the legal grounds provided under Article 6(1)(c) and (e) of Regulation (EU) 2016/679, as follows:
- compliance with a legal obligation to which the Controller is subject;
- performance of a task carried out in the public interest or in the exercise of official authority.
The legal grounds underlying the purposes stated above and for which personal data are processed result from the application of the following legal acts:
- Government Emergency Ordinance no. 140/2022 regarding the single industrial license, as subsequently amended and supplemented;
- Government Decision no. 1251/2023 on the organization and functioning of the Office for Industrial Licensing, and for supplementing Annex no. 1 to Government Decision no. 832/2022 regarding the establishment of responsibilities, organization and functioning of the Prime Minister’s Chancellery;
- Government Emergency Ordinance no. 163/2022 supplementing the legal framework for promoting the use of energy from renewable sources and amending and supplementing certain legal acts, as subsequently amended and supplemented (ESR);
- Government Ordinance no. 27/2002 on regulating the handling of petitions, as subsequently amended and supplemented.
6. Data retention period
Personal data are retained only for the period necessary to achieve the purposes for which they were collected, in compliance with:
- the retention periods required by applicable legislation;
- our internal archiving policies.
Upon expiration of the retention period, data are deleted, anonymized, or archived securely, as applicable.
You may request at any time the deletion of certain information or the closure of your account, and we will comply with such requests, subject to the retention of certain information even after account closure where required by applicable law or by our legitimate interests.
7. Recipients of personal data
Personal data may be disclosed, under strictly regulated conditions, to the following categories of recipients:
- authorized staff within the Controller;
- processors acting on behalf of the Controller (IT services, hosting, maintenance, or technical support providers);
- competent public authorities and institutions, based on a legal obligation;
- other entities, only to the extent that disclosure is necessary for achieving a lawful purpose.
Data are not transferred outside the European Union or the European Economic Area, except in cases expressly provided by the applicable legislation.
8. Rights of data subjects
In accordance with Regulation 679/2016 and Romanian legislation (Law no. 190/2018 and decisions of the Romanian Supervisory Authority), data subjects have the following rights, which may be exercised directly with the Controller or through the Data Protection Officer (DPO) at the following e-mail address: [DPO_EMAIL], free of charge, within the legal timeframe.
8.1. Right of access (Article 15 of Regulation 679/2016)
The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed. Where processing is carried out, the data subject has the right to obtain:
- the categories of data processed;
- the purposes of processing;
- the recipients or categories of recipients of the data, including in the case of transfers outside the EU;
- the storage period or the criteria used to determine it;
- the rights to rectification, erasure, restriction, and objection;
- the right to lodge a complaint with ANSPDCP;
- information about the source of the data, where the data were not collected from the data subject;
- information about automated decision-making and profiling, where applicable.
8.2. Right to rectification (Article 16 of Regulation 679/2016)
The data subject may request the rectification of inaccurate or incomplete data, and the Controller is required to update the information without undue delay. Rectification includes correcting technical errors and completing missing information.
8.3. Right to erasure (“right to be forgotten”) (Article 17 of Regulation 679/2016)
The data subject may request the erasure of data in the following situations:
- the data are no longer necessary for the purposes for which they were collected;
- withdrawal of consent, where consent was the legal basis for processing;
- processing is unlawful;
- the data must be erased for compliance with a legal obligation;
- the data were collected from a minor, under the conditions of Article 8 of Regulation 679/2016.
The Controller may refuse erasure in certain cases justified by law (e.g., compliance with legal obligations, public interest, or the establishment, exercise, or defense of legal claims).
8.4. Right to restriction of processing (Article 18 of Regulation 679/2016)
The data subject may request restriction of processing in the following situations:
- the accuracy of the data is contested, for the period necessary to verify accuracy;
- processing is unlawful and the data subject opposes erasure and requests restriction instead;
- the Controller no longer needs the data for the original purposes, but the data are required by the data subject for the establishment, exercise, or defense of legal claims;
- the data subject has objected to processing based on public interest or legitimate interest, pending verification.
8.5. Right to data portability (Article 20 of Regulation 679/2016)
The data subject may request the transfer of data provided to the Controller in a structured, commonly used, and machine-readable format. The data subject may also request that the data be transmitted to another controller, insofar as:
- processing is based on consent or a contract;
- processing is carried out by automated means.
This right does not adversely affect the rights of others and may be exercised only to the extent technically feasible.
8.6. Right to object (Article 21 of Regulation 679/2016)
The data subject may object to processing carried out on the basis of public interest or the Controller’s legitimate interest, on grounds relating to their particular situation. The Controller will assess the objection and may stop processing unless it demonstrates compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject.
8.7. Right to withdraw consent (Article 7(3) of Regulation 679/2016)
Where processing is based on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal. Withdrawal can be made through the same means used to provide consent.
8.8. Right to lodge a complaint (Article 77 of Regulation 679/2016)
The data subject has the right to lodge a complaint with the competent national supervisory authority for personal data protection (ANSPDCP).
9. Exercising your rights
The data subject has the right to lodge a complaint with ANSPDCP if they consider that the processing of their data does not comply with Regulation 679/2016 or national legislation.
Contact details of the Romanian supervisory authority are as follows:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
Address: 28-30 General Gheorghe Magheru Blvd., Sector 1, Postal Code 010336, Bucharest, Romania
Phone: +40 318 059 211 or +40 318 059 212
E-mail: anspdcp@dataprotection.ro
10. Security of processing
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks related to data processing, including measures to protect against unauthorized access, loss, destruction, or accidental disclosure of data, in accordance with Article 32 of Regulation 679/2016.
The transmission of your personal data uses state-of-the-art encryption algorithms, and your data are stored on secure servers, while ensuring data redundancy.
We note that transmitting information over the Internet, in general, or through other public networks is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties. In such cases, we cannot be held responsible for vulnerabilities of systems that are not under our control.
11. Cookies
The web platform uses cookies to ensure proper website functionality, improve user experience, and ensure platform security.
Detailed information on the types of cookies used, purposes, storage duration, and consent management is available in the Cookie Policy.
This policy should be interpreted together with the Cookie Policy.
12. Contact details
You may contact the Data Protection Officer appointed by our institution at any time by sending your request either by e-mail or by post/courier, as follows:
- by e-mail at: [DPO_EMAIL]; or
- by post or courier to: Bucharest, 65 Paris Street, Sector 1, Postal Code 011815, with the note: “For the attention of the Data Protection Officer”.