The Official Gazette no. 994 of 29 October 2025 published Order M.E.D.A.T. no. 2147/17 October 2025, establishing the format of the Register of Beneficiaries of Digital Training Programmes, the categories of processed data, the procedures for accessing, storing and deleting data, and the specific measures for the protection of personal data. The order sets out the legal framework for the unified and secure management of data of individuals participating in digital training programmes under Investments 17 and 19 of the National Recovery and Resilience Plan (NRRP).
The Register is administered by the Authority for the Digitalisation of Romania (ADR) and functions as a centralised IT system structured as a database to enable efficient querying and reporting of beneficiary data. It processes two main categories of information: personal data (name, surname, personal identification number or alternative identifier, optional e-mail and phone number, certificate number) and training-related data (SME name and tax code for Investment 19, training programme title, provider, course duration, training dates, training type, skills acquired according to DigCompRo for Investment 17, location, evaluation details and certificate issuance date).
The data is collected exclusively for monitoring and reporting progress to the European Commission, in line with NRRP obligations. Access to the Register is granted only to authorised ADR personnel, beneficiaries, training providers and other authorities as provided by law. Authentication is performed through unique credentials – username and password – or via electronic devices (smart cards/tokens) requiring a PIN code, all of which are unique, personal and non-transferable. Passwords must contain at least nine characters and are changed regularly: at least every three months by users and every six months by system administrators.
Data is stored within ADR, with automated secure backups performed at intervals of no more than 72 hours until the completion of the NRRP investments. The minimum retention period is five years from the end of the training programme, after which data is irreversibly deleted in compliance with Regulation (EU) 679/2016 (GDPR). Data subjects may exercise their right to erasure by submitting a request to ADR.
Any further processing of data for purposes other than those for which it was collected is strictly prohibited unless expressly provided by law. Protection measures include restricted physical access to server rooms, storage of access logs for at least two years, monitoring of operations by ADR and the Data Protection Officer, as well as mandatory staff training. Log files record each access to the system and contain the workstation identifier or IP address, the user, the type of operation, accessed categories of data, and the exact date and time.
Beneficiaries are informed upon registration about the Register’s data controller, the purpose and legal basis of processing, data recipients, storage duration, rights under GDPR, the role of consent and the right to withdraw it, the right to lodge complaints, the requirement to provide data and consequences of refusal, and any automated decision-making processes.
Any security incident is notified according to Articles 33 and 34 of GDPR, and the Data Protection Officer designated at ADR performs the duties laid down in Article 39. The regulatory framework aims to protect beneficiary data, standardise processes and ensure a high level of security in the management of digital training information.