What is mutual legal assistance (MLA) involving Romania?

Mutual legal assistance (MLA) involving Romania refers to formal cooperation in criminal matters between Romanian authorities and foreign authorities for the purpose of obtaining and exchanging evidence, such as bank records, telecom data, company files or witness testimony. The main domestic framework is Law no. 302/2004 on international judicial cooperation in criminal matters, complemented by the Romanian Code of Criminal Procedure. Internationally, Romania relies on the 1959 European Convention on Mutual Assistance in Criminal Matters and its protocols, the EU 2000 MLA Convention, the European Investigation Order regime under Directive 2014/41/EU, the Budapest Convention on Cybercrime and EU regulations on freezing, confiscation and electronic evidence. Depending on whether the partner state is an EU Member State, a Council of Europe state or a third country, different combinations of these instruments apply.

How can a foreign company verify a Romanian MLA or evidence request?

A foreign company should first identify the instrument used (for example, an MLA request under the 1959 Convention, an EU 2000 MLA request, a European Investigation Order, or a European Production or Preservation Order for electronic evidence). It should then verify the authenticity of the document (official letterhead, seals, signatures), confirm that the issuing authority is competent (typically a Romanian court or prosecutor’s office), and check whether the measure requested requires a Romanian judicial authorisation (for example, searches or access to bank transactions or traffic and location data). Where appropriate, the company can request clarification through the central authority, Eurojust or the European Judicial Network, and engage local counsel in both the issuing and executing states to assess legal obligations and possible grounds to narrow or challenge the request.

Can a person challenge the disclosure of their bank or telecom data in Romania?

Yes. Under the Romanian Code of Criminal Procedure, access to detailed bank-transaction data and to traffic and location data held by telecom providers generally requires prior authorisation by the judge of rights and freedoms. Individuals whose data has been obtained can challenge the legality of the authorisation, the scope of the measure and the way it was executed, either during the investigation (through complaints against prosecutorial acts) or before the trial court (through motions to exclude unlawfully obtained evidence). In addition, they may invoke data-protection rights under Law no. 363/2018 and the GDPR, and can lodge a complaint with the Romanian data-protection authority (ANSPDCP) if they believe their personal data has been processed or disclosed unlawfully in the context of MLA.

What rights does a company have when served with an MLA-related order involving Romania?

A company served with an MLA-related order involving Romania must comply with lawful orders but also has rights and protections. It can verify the competence of the issuing authority and the authenticity of the order, seek clarification or narrowing of overly broad requests, and challenge coercive measures (such as searches and seizures or wide-ranging data-disclosure orders) before Romanian courts where the measure is executed. The company should ensure data minimisation and logging of what was disclosed, involve its legal and data-protection teams, and, where appropriate, coordinate counsel in all affected jurisdictions. Depending on the circumstances, it may also have remedies under data-protection law and, ultimately, the possibility to raise objections to the admissibility or use of the evidence in the foreign proceedings where it will be relied upon.

How does data protection law apply to MLA and cross-border evidence requests involving Romania?

In MLA and cross-border evidence cases involving Romania, personal data is processed both by law-enforcement and judicial authorities and by private entities such as banks and online service providers. Processing by Romanian competent authorities is governed by Law no. 363/2018, which implements Directive (EU) 2016/680, and must be lawful, necessary and proportionate for the investigation or prosecution of offences. Processing by private entities is generally subject to the GDPR, which requires a valid legal basis (for example, compliance with a legal obligation), as well as respect for principles such as purpose limitation and data minimisation. Article 23 GDPR allows Member States to restrict certain data-subject rights where necessary to protect criminal investigations, but such restrictions must be set out in legislation and accompanied by safeguards. Individuals may lodge complaints with ANSPDCP or bring actions before courts if they consider that their data-protection rights have been violated in connection with MLA or cross-border evidence requests.

Mutual Legal Assistance and Evidence Requests Involving Romania

Cross-border criminal investigations increasingly depend on the rapid exchange of data: bank account information, corporate records, emails, messaging logs and other electronic evidence. When such data has a Romanian “nexus” – because the account is held with a Romanian bank, the user is located in Romania, the servers or company are established here, or Romanian authorities are investigating – mutual legal assistance (MLA) and related EU instruments determine how that evidence can be requested and used.

This article explains how MLA and cross-border evidence requests involving Romania work in practice. It is addressed to foreign lawyers, compliance officers and individuals whose data, bank accounts or communications may be requested from or by Romanian authorities. It focuses on:

the legal framework for MLA and cross-border evidence gathering involving Romania;
how Romanian authorities request evidence from abroad;
how foreign authorities request evidence located in Romania (including bank records, telecom data and company files);
rights and remedies available to affected individuals and companies; and
the respective roles of Romanian prosecutors and courts in authorising and executing measures.

The overview is descriptive and practical. It does not replace tailored legal advice under Romanian law and the specific treaty or EU instrument applicable to a concrete case.

Legal Framework for Mutual Legal Assistance (MLA) with Romania

Domestic legal basis

The main Romanian statute governing MLA in criminal matters is Law no. 302/2004 on international judicial cooperation in criminal matters. It sets out general principles (primacy of international treaties, reciprocity, proportionality), defines the forms of cooperation (mutual legal assistance, extradition, transfer of proceedings, recognition and execution of foreign decisions, joint investigation teams, etc.) and details the procedure for sending and executing MLA requests, including grounds for refusal and the speciality rule (limiting the use of evidence to the purposes for which it was requested). Law 302/2004 is available in Romanian on the official legislative portal and has been amended multiple times to reflect EU instruments and Council of Europe (CoE) conventions.

According to Romania’s official MLA country profile submitted to the Council of Europe, Law 302/2004 is expressly identified as “the main domestic framework” for MLA, and it confirms that the speciality rule is codified in Article 186 and applies both when Romania is the issuing and when it is the executing state. That profile also clarifies that, as a rule, double criminality is not a prerequisite, with limited exceptions for intrusive measures such as searches and certain other coercive acts.

The Romanian Code of Criminal Procedure (Codul de procedură penală – “CPC”) complements Law 302/2004. It regulates:

the separation of criminal functions – including the function of the prosecutor, the “judge of rights and freedoms” in the investigation phase, the preliminary chamber judge, and the trial court;
general principles such as legality of criminal proceedings and respect for fundamental rights; and
the concrete tools used to obtain evidence: searches, seizures, access to banking data, access to traffic and location data, technical surveillance and other “special methods of surveillance or investigation”.

Article 3 CPC explicitly states that measures in the investigation phase which restrict fundamental rights and freedoms are ordered by the judge of rights and freedoms, except where the law provides otherwise. This principle is critical for cross-border evidence: many MLA or EU tools are executed in Romania by applying these internal rules on judicial authorisation and proportionality.

For sensitive data, specific CPC provisions apply, including:

Article 152 CPC on obtaining traffic and location data processed by providers of public electronic communications networks or services (metadata, not content), which requires prior authorisation by the judge of rights and freedoms and limits use to serious offences specified by law.
Provisions on obtaining information about financial transactions and accounts (banking secrecy), under which access to transactional data and account content likewise requires prior judicial authorisation, separate from more limited requests for general financial information.

In the financial area, Romanian case law and commentary distinguish between obtaining data on financial transactions (movements of funds and account content) and more general information on a person’s financial situation. The former – typically the core of MLA requests for bank records – can only be ordered with the prior approval of the judge of rights and freedoms, reflecting its intrusiveness.

Council of Europe conventions and protocols

Romania is a party to the European Convention on Mutual Assistance in Criminal Matters of 1959 and its additional protocols, which constitute the backbone of “classic” MLA within the Council of Europe and beyond. The 1959 Convention covers the execution of letters rogatory, taking of evidence, service of documents, information on criminal records and other forms of assistance between parties.

The Second Additional Protocol to the 1959 Convention significantly modernises MLA by introducing, among others, provisions on:

spontaneous exchange of information;
video- and telephone-conference hearings;
cross-border observations, controlled deliveries and covert investigations; and
a more flexible regime for direct transmission between judicial authorities.

In a training module on MLA prepared for European judicial staff, it is expressly noted that the Second Additional Protocol to the 1959 Convention is in force in Romania and is a legal basis for MLA between Romania and other parties (for example, Georgia). This confirms that Romania can both send and receive MLA requests under the modernised CoE framework, including for cross-border operations and advanced investigative techniques.

Romania is also a party to the Convention on Cybercrime (the Budapest Convention), the first international treaty on cybercrime, which harmonises certain offences and provides investigative powers for electronic evidence, coupled with provisions on international cooperation. The Convention’s procedural chapter covers expedited preservation of stored computer data, expedited disclosure of traffic data, real-time collection of traffic data, and interception of content, and expressly aims to facilitate fast cross-border cooperation, subject to human-rights safeguards such as the European Convention on Human Rights (ECHR).

The Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence, opened for signature in 2022, further strengthens cross-border access to electronic evidence (for example, by providing frameworks for direct cooperation with service providers and simplified MLA rules). The EU has adopted a Council Decision authorising its Member States, including Romania, to ratify the Protocol in the interest of the Union, but each state must complete its own national ratification process.

EU mutual legal assistance and mutual recognition instruments

Within the European Union, MLA involving Romania is shaped by a dense layer of EU instruments that supplement or partially replace classic MLA treaties:

The Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000) and its Protocol improve and supplement the 1959 CoE Convention. They introduce direct contacts between judicial authorities, rules on the interception of telecommunications and access to banking information within the EU.
Directive 2014/41/EU on the European Investigation Order (EIO) establishes a single, standardised judicial decision – the European Investigation Order – that can be issued by a judicial authority in one Member State and executed in another based on mutual recognition. The Directive, which Romania has transposed into national law, allows an EIO to be issued for most types of investigative measures, provided that they are necessary, proportionate and available in a comparable domestic case. It also lays down grounds for refusal and time limits for execution.
Regulation (EU) 2018/1805 on the mutual recognition of freezing and confiscation orders creates a uniform EU regime for recognising and executing orders freezing property and evidence, and confiscation orders, issued in one Member State and executed in another, including Romania. It is directly applicable and coexists with Law 302/2004’s rules on freezing and confiscation.
Regulation (EU) 2023/1543 on European Production Orders (EPOC) and European Preservation Orders (EPOC-PR) for electronic evidence enables national judicial authorities to order service providers offering services in the EU to produce or preserve electronic evidence, regardless of where the data is stored, with specific safeguards and deadlines. The Regulation aims to speed up cross-border access to electronic evidence while maintaining procedural protections.
Other EU instruments (for example, on financial penalties, supervision measures, probation and the European Arrest Warrant) interact with MLA by governing certain specific forms of cooperation or the enforcement of sanctions in cross-border cases.

Where both Romania and the requesting state are EU Member States, the practice is increasingly to use mutual recognition instruments (EIO, Regulation 2018/1805, Regulation 2023/1543) rather than classic MLA, especially for time-sensitive electronic evidence and asset freezing. Outside the EU or in mixed situations (for example, a non-EU state requesting evidence from Romania), Law 302/2004 and the 1959 Convention with its protocols remain central.

Bilateral treaties and lex specialis

Romania is also party to a network of bilateral MLA treaties, some concluded before EU accession and others more recent. These may provide more favourable or specific rules on issues such as language, channels of transmission, urgency measures, or waiver of double criminality. Under Law 302/2004, where a bilateral treaty contains provisions more favourable than the general law or a multilateral convention, those treaty provisions usually prevail (lex specialis).

In practice, when advising a company or individual faced with an MLA-related measure involving Romania, it is essential to identify: (i) whether the other state is an EU Member State or a third state; (ii) which multilateral convention applies (1959 Convention, EU 2000 MLA Convention, Budapest Convention, etc.); and (iii) whether a bilateral MLA treaty exists. These instruments, together with Law 302/2004 and the CPC, determine the available tools, safeguards and remedies.

How Romanian Authorities Request Evidence from Abroad

Authorities competent to issue requests

The competent Romanian authorities depend on the stage of the criminal proceedings and the type of cooperation sought. According to the official MLA profile submitted to the Council of Europe:

during the investigation and prosecution stage, the Prosecutor’s Office attached to the High Court of Cassation and Justice (Ministerul Public – Parchetul de pe lângă Înalta Curte de Casație și Justiție) acts as central authority, working through specialised structures such as the Directorate for Investigating Organised Crime and Terrorism (DIICOT) and the National Anticorruption Directorate (DNA), depending on the offence;
during the trial and execution stages, the Ministry of Justice (Directorate for International Law and Judicial Cooperation) acts as central authority;
for criminal records information, the central authority is the General Inspectorate of the Romanian Police (Criminal Records Directorate).

For certain types of cross-border operations (such as cross-border surveillance, controlled delivery, covert investigations), the Second Additional Protocol to the 1959 Convention designates specific central authorities in Romania, usually either the Ministry of Justice or the Prosecutor’s Office attached to the High Court.

However, Romania’s MLA profile also notes that direct contact between central authorities is the rule, that “expedited means of communication” (fax, email with originals to follow by post) are standard, and that direct contact between issuing and executing judicial authorities is strongly recommended and used de facto for urgent cases, particularly when both states are parties to the Second Additional Protocol or EU instruments. Eurojust, the European Judicial Network and Interpol channels can also be used in appropriate cases.

Choice of instrument: MLA, EIO, cybercrime and e-evidence tools

When Romanian authorities need evidence abroad, they must choose the appropriate legal basis:

Within the EU, Romanian prosecutors and judges will often issue a European Investigation Order to collect evidence (bank records, company files, witness hearings, searches and seizures, interception of communications) in another Member State, or make use of mutual recognition instruments for freezing/confiscation orders or European Production/Preservation Orders for electronic evidence.
For non-EU CoE states, Romania will usually rely on the 1959 Convention and its additional protocols, issuing a letter rogatory or other request via the central authorities.
For electronic evidence at global providers (email, messaging, cloud), Romania may use MLA under the Budapest Convention and, where applicable, its Second Additional Protocol, as well as contractual channels or voluntary cooperation with service providers (subject to domestic law rules and human rights constraints).
For countries with bilateral MLA treaties, those treaties may provide a more direct or flexible route, especially where they remove or soften double-criminality requirements or allow direct judicial-to-judicial transmission.

Romanian authorities must still comply with domestic law on when and how they may seek specific categories of data (for example, banking information, telecom traffic data or the content of communications). The fact that a request is addressed abroad does not allow them to circumvent internal thresholds or the requirement of prior judicial authorisation for intrusive measures.

Evidence typically requested by Romanian authorities

The types of evidence Romanian authorities commonly request abroad include:

Banking and financial information: identification of accounts, account statements, transaction histories, information on beneficial owners, loan documentation and related records, often in investigations involving corruption, organised crime, money laundering or tax offences.
Telecom and internet data: subscriber information, traffic and location data, data on IP addresses used to access online services, and, where legally possible, content of communications (emails, messages, stored files).
Corporate and transactional documents: company incorporation documents, shareholder registers, management records, contracts, invoices, transport and customs documents, as well as internal policies relevant to alleged offences.
Testimonial evidence: interviews of witnesses abroad (by rogatory commission, video link or telephone conference), identification parades and confrontations.

When such evidence is requested under an EIO or MLA request, issuing Romanian authorities are expected to include detailed information on the underlying facts, the legal classification of the offences, the requested measures, and the reasons why those measures are necessary and proportionate. For requests under the 1959 Convention and its protocols, Law 302/2004 also imposes certain minimum content requirements (for example, regarding searches, seizures and the handling of objects).

Practical implications for foreign companies receiving Romanian-origin requests

Foreign companies – particularly banks and online service providers – may receive an evidence request originating from Romania in several forms:

an EIO issued by a Romanian prosecutor or court and transmitted to the executing state’s judicial authority, which then addresses a domestic order to the company;
a European Production Order or Preservation Order under Regulation 2023/1543, addressed directly to a designated legal representative or establishment of the provider in the EU;
a classic MLA request or letter rogatory transmitted via central authorities and then translated into a domestic order by the executing state; or
a request for voluntary cooperation from Romanian authorities (for example, under the Budapest Convention or national law), which still needs to be reconciled with the provider’s legal obligations in the state of establishment.

Foreign legal and compliance teams should:

verify the authenticity of the instrument (EIO certificate, official seals, reference to a specific convention or Regulation) and the competence of the issuing authority;
clarify whether the order is addressed directly to the provider (as under the EPOC/EPOC-PR regime) or must be implemented through local authorities in the state of establishment;
assess any conflicts between the requested disclosure and local law (for example, banking secrecy or data-protection rules) and consider seeking clarification or modification of the request;
ensure that internal policies (including data-retention and deletion policies) are adjusted to preserve relevant data pending clarification, without engaging in voluntary over-disclosure; and
where appropriate, instruct local counsel in both the issuing and executing states to evaluate possible challenges or protective conditions (for example, phased disclosure, redaction, minimisation of collateral data).

How Foreign Authorities Request Evidence from Romania

Central authorities and communication channels

Foreign authorities seeking evidence located in Romania must determine the appropriate central authority and channel of communication. The Romanian MLA profile to the Council of Europe identifies three main central authorities responsible for MLA requests:

the Ministry of Justice – for requests formulated during the trial and execution stages;
the Prosecutor’s Office attached to the High Court of Cassation and Justice – for requests formulated during the investigation and prosecution stages, with internal allocation to specialised structures depending on the type of offence (organised crime and terrorism, corruption, other offences); and
the General Inspectorate of the Romanian Police – for requests relating solely to criminal records.

Direct communication between central authorities is the standard rule. For urgent cases, and where permitted by the applicable convention (for example, the Second Additional Protocol to the 1959 Convention or the EU 2000 MLA Convention), foreign issuing authorities may also communicate directly with competent Romanian judicial authorities (courts or prosecutors’ offices), while copying the central authority.

Expedited means of communication (email, fax) are accepted, with a formal paper copy to follow where required. For very urgent cases, Romania accepts use of Interpol channels when it is the executing state, but strongly encourages direct contact between central authorities and, where appropriate, the use of Eurojust or the European Judicial Network.

Language, translation and formal requirements

Under Romania’s MLA practice, requests should be translated into one of the Council of Europe official languages (English or French) when a Romanian translation is not available at the time of transmission. In urgent cases, English and French are preferred, with Romanian translation to follow. Where bilateral treaties contain more favourable language provisions, those prevail, and reciprocity applies.

Law 302/2004 and the applicable conventions specify the minimum content for MLA requests, such as:

the issuing authority and the executing authority (if known);
a description of the facts, including time, place and circumstances of the alleged offences;
the legal classification of the offences (with relevant statutory provisions attached);
a clear description of the requested measures (for example, search of specified premises, seizure of listed items, obtaining of specific banking or telecom data); and
any particular procedural forms requested (for example, presence of foreign officials, use of video-link or special formalities for evidence admissibility).

Where MLA is requested for searches, seizures and similarly intrusive measures, Romanian law may require double criminality – that is, the underlying conduct must constitute an offence in both the requesting state and Romania. For less intrusive forms of assistance, such as service of documents or taking of non-coercive witness statements, double criminality is generally not required.

Bank records and financial information in Romania

Foreign authorities frequently request bank records held in Romania, including:

identification of accounts held by a suspect or company at Romanian banks;
account statements and transaction histories over specified periods;
information on beneficial owners of accounts or companies; and
documentation associated with suspicious transactions or financial instruments.

Under Romanian law, bank secrecy is not an absolute bar to disclosure to criminal-justice authorities. However, access to data concerning financial transactions, account content and movement of funds is considered intrusive and can be ordered only with the prior authorisation of the judge of rights and freedoms. Practically, when executing an MLA request for bank records, Romanian prosecutors will seek such judicial authorisation, then issue orders to the relevant bank(s) to disclose the requested information.

The bank is obliged to cooperate, under penalty of criminal liability for non-compliance, and must keep the operation confidential. The procedure mirrors that used in purely domestic cases, with the foreign MLA request serving as the trigger for a Romanian judicial authorisation and bank disclosure order.

Telecoms data and electronic communications

Requests for telecom or internet-related data may seek:

subscriber details linked to a phone number, SIM card or IP address;
traffic and location data (for example, cell location at specific times, call logs); or
content of communications (intercepted or stored).

Article 152 CPC governs the obtaining of traffic and location data processed by providers of public electronic communications networks or services. It provides that prosecution authorities, with prior authorisation of the judge of rights and freedoms, may request such data from providers if certain conditions are met (reasonable suspicion of specified crimes, and reasonable grounds to believe the data constitute evidence). The judge must decide within 48 hours, by a reasoned decision rendered in chambers, and providers that cooperate are legally obliged to maintain secrecy as to the operation.

Content interception and other forms of technical surveillance are regulated separately (for example, under Article 138 CPC and related provisions) and also require judicial authorisation, with stricter conditions and time limits. These powers can be used in the execution of foreign MLA requests or EIOs where the underlying conditions are satisfied and where the applicable convention or EU instrument provides for such cooperation.

Company files, searches and seizures

Foreign authorities may also request:

corporate documents held in public registers, such as the Trade Register (registrul comerțului);
tax and customs records related to Romanian entities; and
internal company documents (contracts, correspondence, accounting records) held at business premises in Romania.

Where the requested documents are public or easily accessible under Romanian law (for example, certified copies from the Trade Register), Romanian authorities may simply obtain them and transmit them under MLA or EU frameworks.

When internal files are sought and the company does not voluntarily provide them, Romanian authorities may have to conduct searches and seizures at the company’s premises. Such measures require judicial authorisation under the CPC, and in executing a foreign MLA request, Romanian courts will apply domestic standards on necessity, proportionality and respect for privileged material (for example, communications covered by legal professional privilege).

Practical implications for companies located in Romania

Romanian banks, telecom operators and companies can be served with orders issued in execution of a foreign MLA request or EIO. In practice, they will see a Romanian order or warrant (emanating from a prosecutor or court), which may refer to the underlying foreign request.

From a risk-management perspective, local entities should:

treat such orders as they would domestic ones – failure to comply without lawful justification can entail criminal or administrative liability;
verify internally that the order has been issued by a competent prosecutor or court and covers specific data or premises;
involve the legal department and, where necessary, external counsel to assess the scope of the measure, the presence of privileged or third-party data, and options for challenging or narrowing the order; and
implement data-minimisation and logging practices (for example, clear records of what data was disclosed, when and under which legal basis), which are important both for defence strategy and for demonstrating compliance with data-protection obligations.

Rights and Remedies for the Data Subject or Company Affected

Criminal-procedure safeguards under Romanian law

The CPC provides multiple safeguards that apply equally when evidence is collected domestically or in execution of an MLA request or EU instrument:

Legality and judicial control: evidence must be obtained in accordance with the law, and measures restricting fundamental rights (searches, interceptions, access to traffic and banking data) generally require prior authorisation by the judge of rights and freedoms.
Right to legal assistance: suspects and accused persons have the right to be assisted by counsel, and in some situations legal assistance is mandatory.
Right to challenge measures and evidence: individuals and companies affected by searches, seizures or other coercive measures may lodge complaints against the acts of prosecution authorities, including before a judge, and may challenge the legality of evidence before the court that ultimately hears the case.
Use limitations (speciality): under Law 302/2004, Article 186, evidence and information obtained through MLA are subject to the speciality rule, meaning they may only be used for the purposes specified in the request, unless the requested state consents to broader use.

If a person’s premises are searched or their bank or telecom data are obtained as part of the execution of a foreign MLA request, they can, under Romanian law, challenge the legality of those measures in front of the competent court (for example, by contesting the search warrant or the order authorising access to data). If the court finds that the measure violated legal requirements, the resulting evidence may be excluded or its use limited.

Data-protection framework in criminal matters

In addition to the CPC, the processing of personal data in the context of criminal investigations and MLA is governed by EU and national data-protection law. Two key instruments are:

Regulation (EU) 2016/679 (GDPR), which applies mainly to general (non-law-enforcement) processing of personal data, but contains important rules on data-subject rights, lawful processing, security and international transfers; and
Law no. 363/2018, which implements Directive (EU) 2016/680 on data protection in the context of criminal law enforcement in Romania. Law 363/2018 regulates the processing of personal data by competent authorities for the purposes of preventing, detecting, investigating or prosecuting criminal offences or executing penalties, and confirms that its objective is to protect fundamental rights, especially the right to data protection.

Law 363/2018 applies to personal-data processing by Romanian law-enforcement and judicial authorities in criminal matters, including when such processing occurs in the context of international cooperation. Official guidance from the Romanian data-protection authority (ANSPDCP) notes that the law covers investigations, prosecutions, execution of penalties and public-order activities, and that processing must be lawful, necessary and proportionate.

Under GDPR, data subjects have rights such as access to their data, rectification, erasure, restriction of processing and objection. Article 23 GDPR allows Member States to restrict certain rights (for example, information, access, rectification) by legislative measures where this is necessary and proportionate to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Romania has implemented such restrictions in Law 363/2018 to protect ongoing investigations, but those restrictions must respect the essence of fundamental rights and be subject to safeguards.

Supervisory authority and complaints

The National Supervisory Authority for Personal Data Processing (ANSPDCP) is Romania’s independent data-protection authority. Its mandate is to protect fundamental rights and freedoms of natural persons, particularly the right to private and family life in connection with processing of personal data, and to monitor and control the legality of such processing on Romanian territory.

Individuals who believe their data has been unlawfully processed or disclosed in connection with MLA or cross-border evidence gathering can lodge a complaint with ANSPDCP. The authority’s procedures, including the conditions for an admissible complaint and the steps of investigation, are set out in internal decisions and published on its website. Complainants are to be informed about the progress and outcome of their complaint, including the possibility of judicial remedies under Article 78 GDPR.

In addition to or instead of a complaint to ANSPDCP, data subjects may bring actions before Romanian courts against controllers or processors for alleged violations of data-protection law, seeking effective remedies and, where appropriate, compensation (for example, pursuant to Articles 77–79 GDPR and the corresponding national provisions).

Fundamental-rights protection (ECHR Article 8)

Romania is bound by the European Convention on Human Rights and its case law. Article 8 ECHR guarantees everyone the right to respect for private and family life, home and correspondence. Any interference by public authorities must be in accordance with the law, pursue a legitimate aim (such as prevention of crime) and be necessary in a democratic society.

The European Court of Human Rights has repeatedly addressed Romanian cases involving surveillance, data collection and workplace monitoring. In Bărbulescu v. Romania, the Grand Chamber found that the monitoring of an employee’s communications by a private employer, and the handling of those communications in domestic proceedings, raised issues under Article 8 and clarified the state’s positive obligations to protect privacy even in the workplace. Although Bărbulescu concerned an employment context rather than MLA, its principles – including requirements of transparency, foreseeability and proportionality – are relevant when evaluating the compatibility of cross-border data collection with Article 8.

When Romanian authorities execute MLA requests or issue EIOs and other cross-border tools, they must ensure that the resulting interference with privacy is prescribed by law, proportionate and accompanied by adequate safeguards (judicial control, limits on scope and retention, restrictions on onward use). Individuals may ultimately bring cases to the European Court of Human Rights alleging violations of Article 8 arising from cross-border evidence gathering, including where MLA instruments were used.

Remedies for companies

Companies affected by MLA-related measures – such as searches of premises, seizures of servers, or orders to disclose customer data – have a complex set of remedies that typically include:

the right to challenge the underlying Romanian warrant or order in domestic courts (for example, contesting the scope or proportionality of a search order or data-disclosure order);
procedural objections in the foreign proceedings where the evidence will ultimately be used (for example, arguing that evidence obtained via MLA in Romania is inadmissible or should be excluded because it violated Romanian or international law);
data-protection complaints to ANSPDCP, especially where the request appears to exceed what is necessary for the stated investigative purpose or conflates multiple data categories without clear justification; and
civil or administrative actions where company rights (such as trade secrets or privileged material) have been unduly interfered with.

In practice, the effectiveness of those remedies may depend on early legal advice and coordinated litigation strategies in both the requesting and the executing states. Companies should therefore build internal escalation protocols for MLA-related measures, so that local counsel can assess options before irreversible disclosure occurs.

Role of Romanian Courts vs. Prosecutors in Authorizing Measures

Separation of functions in the Romanian criminal process

Article 3 CPC sets out a clear separation of functions in the criminal process:

the prosecution function, exercised by the prosecutor and criminal-investigation bodies, responsible for gathering evidence necessary to determine whether there are grounds for indictment;
the function of deciding on measures affecting fundamental rights and freedoms in the investigation phase, exercised by the judge of rights and freedoms;
the function of verifying the legality of the indictment and the evidence, exercised by the preliminary chamber judge; and
the trial function, exercised by the trial court.

Paragraph (5) of Article 3 makes explicit that measures and acts in the investigation phase which restrict fundamental rights and freedoms are ordered by the judge designated with such powers, except in cases expressly provided by law. This framework is central to understanding which Romanian authority must act when executing MLA requests or issuing EIOs that involve intrusive measures.

Measures requiring court authorisation

Under the CPC, the following categories of investigative measures – which are also frequently requested in cross-border cooperation – generally require prior authorisation by the judge of rights and freedoms:

Searches of premises and computers, and the seizure of physical or electronic evidence;
Access to bank-account transactions and content when obtaining detailed information on movements of funds and account balances, distinct from more limited requests for general financial data;
Access to traffic and location data held by providers of public electronic communications networks and services, under Article 152 CPC, subject to thresholds regarding the seriousness of the offence and the necessity of the measure; and
Technical surveillance measures such as interception of communications, audio and video surveillance, and GPS tracking, governed by provisions including Article 138 CPC.

When a foreign MLA request seeks any of these measures to be executed in Romania, the competent prosecutor must bring the request before the judge of rights and freedoms and obtain an authorisation that complies with Romanian law. The foreign request or EIO cannot, by itself, substitute domestic judicial control.

Measures within the prosecutor’s competence

Romanian prosecutors have broader powers for less intrusive measures, which may include:

requesting basic identifying information (for example, subscriber details) from service providers, in situations where the law does not require judicial authorisation;
requesting public or semi-public records (for example, Trade Register extracts, publicly available company information);
inquiring with banks or other institutions about the existence of accounts or relationships, without yet obtaining full transactional data; and
issuing and transmitting MLA requests, EIOs and other cooperation instruments to foreign authorities, within the competence allocated by Law 302/2004 and EU instruments.

While such measures do not always require prior court authorisation, they remain subject to legality and proportionality requirements. In addition, affected persons or entities may challenge prosecutorial acts in court and seek judicial review of the lawfulness and necessity of the measures.

Execution of MLA and mutual recognition measures by courts

In specific areas, Law 302/2004 designates Romanian courts as the competent authorities to recognise and execute foreign judicial decisions. For example:

for foreign freezing and confiscation orders transmitted under the 1959 Convention, its protocols or EU instruments, the competent authority for execution in Romania is, in certain cases, the district court where the asset is located, which must verify the conditions under Law 302/2004 (for example, Article 140) before recognising and enforcing the order;
for certain forms of cross-border operations and joint investigation teams, courts may have to approve specific actions requested by foreign partners, ensuring compliance with domestic legal standards.

This reinforces a key point: even when foreign authorities issue binding instruments (such as EIOs or freezing orders under mutual-recognition instruments), there is always a layer of domestic judicial or quasi-judicial control in Romania, especially where fundamental rights are at stake.

Practical guidance: understanding who does what

For foreign lawyers and companies, it is crucial to understand whether they are dealing primarily with the prosecutor or with a court in Romania:

If the measure is clearly coercive or rights-restricting (search, seizure, full bank and telecom data, interception), there should normally be a judicial authorisation underpinning the measure, even if the order is transmitted or served by a prosecutor.
Where an EIO or MLA request appears to bypass judicial control (for example, by requesting a foreign company to provide highly intrusive data directly to prosecutors), it is legitimate to ask whether Romanian law has been correctly followed and whether a judicial decision exists and can be provided or summarised at least in essential respects.
In challenging measures or negotiating scope and minimisation, it is important to identify whether the relevant addressee is the prosecutor who initiated the measure or the court that authorised it.

Understanding this division of roles can also help in designing litigation strategies that combine challenges in Romania with objections in the requesting state’s proceedings (for example, by arguing that evidence was obtained in breach of Romanian procedural safeguards).

Practical Guidance for Companies Served with MLA-Related Orders Involving Romania

1. Identify the instrument and the legal basis

The first step is to determine what you have actually received. Common scenarios include:

a Romanian search and seizure warrant or order to produce documents, referencing a foreign MLA request or EIO;
an EIO issued by a Romanian authority but addressed to an authority in your state, which then serves a domestic order on your company;
a European Production Order or Preservation Order under Regulation 2023/1543, addressed directly to your designated establishment or representative in the EU; or
a classic MLA request transmitted through diplomatic or central-authority channels, requesting assistance from your national authorities, which then reaches you via a domestic order.

Each instrument (1959 Convention MLA request, EU 2000 MLA Convention request, EIO, EPOC/EPOC-PR) has its own rules on scope, deadlines, grounds for refusal, and rights of affected parties. Understanding which legal regime applies is essential to evaluating your obligations and options.

2. Verify authenticity and competence

Before disclosing any data, verify that:

the order or request is on official letterhead, bears appropriate signatures or seals, and clearly identifies the issuing authority;
the issuing authority is competent under the relevant instrument (for example, a “judicial authority” for EIOs, which in Romania will usually be a court or prosecutor’s office); and
if the instrument presupposes domestic judicial authorisation (for example, for searches, access to bank transactions or traffic data), such authorisation exists and is referenced in the order (even if not fully disclosed).

Where doubts arise, in-house counsel should promptly seek clarification from the contact details provided in the instrument, possibly through the company’s national authorities or, in EU cases, via the central authority or Eurojust contact points.

3. Assess scope, necessity and data minimisation

Companies should not treat MLA-related orders as a licence for unrestricted disclosure. Instead:

review the requested categories of data carefully and assess whether they are specific, time-bound and linked to identified individuals or accounts;
check whether the request appears proportionate to the stated offences and factual background, and whether any obviously unrelated or excessive categories (for example, “all emails ever sent from this domain”) are included;
consider negotiating the scope with the issuing authority, offering narrower sets of data that still meet the investigative needs (for example, a shorter time period, specific search terms, or partial anonymisation).

Under GDPR and Law 363/2018, controllers must respect data-minimisation and purpose-limitation principles even in the law-enforcement context. While an MLA or EIO order creates a strong legal basis for processing, it does not completely displace those principles. Documenting internal assessments and correspondence with authorities can be important later, if the company’s handling of the request is scrutinised by regulators or courts.

4. Manage confidentiality and communication with customers

Many MLA regimes require addressees (banks, telecom operators, service providers) to maintain secrecy about the existence of the request and the fact of disclosure, at least for a certain period, in order not to compromise the investigation. Romanian law, for example, obliges providers cooperating under Article 152 CPC and other special methods of surveillance to keep operations confidential.

At the same time, GDPR and consumer-protection rules may, in some circumstances, support transparency about governmental access requests. Companies should therefore:

review secrecy obligations in the specific order and the applicable law (Romanian, local and EU), including any possibility to inform the customer after a delay;
ensure that any transparency reports or notifications they provide are consistent with legal obligations and, if necessary, cleared with the issuing authority; and
incorporate government-access clauses in contracts and privacy policies that explain, in a general way, that data may be disclosed to law-enforcement authorities under legal obligation.

5. Coordinate counsel in all relevant jurisdictions

MLA-related issues rarely stay confined to a single legal system. A company may need to manage parallel proceedings in:

the requesting state, where the criminal case is being investigated or prosecuted and where the evidence will be used;
Romania, where the evidence is located or where the company has a presence and where domestic procedural requirements must be satisfied; and
other states where data is stored or through which it transits (for example, data centres or regional hubs).

Coordinated advice from counsel familiar with Romanian criminal procedure, EU MLA instruments and local law in the company’s state of establishment is therefore critical. Among other things, counsel can help identify:

whether there are grounds in Romanian law to challenge or narrow the measure (for example, lack of necessity, overbreadth, interference with privileged material);
whether evidence obtained from Romania can be challenged in the foreign proceedings; and
whether there are potential conflicts of law (for example, between US blocking statutes and EU MLA obligations) that need to be addressed through diplomatic channels or specific arrangements.