1. Introduction

The protection of personal data is undoubtedly a topical subject, both nationally and internationally. In the European Union there is, as already pointed out, a genuine constitutional concern with regard to the protection of personal data.3 As of 1 December 2009, the right to protection of personal data has been a fundamental right at EU level and it has been enshrined as such in Article 8 of the Charter of Fundamental Rights of the European Union. The European regulatory framework for the protection of natural persons during the processing of personal data is, however, much more extensive, including the Charter and the Treaty on European Union, the Treaty on the Functioning of the EU, the rules of secondary law, i.e. the directives and the decisions of the institutions of the Union, completed with the judgments of the Court of Justice of the European Union, soft law rules and codes of conduct, both in the Member States and at Union level. 4

Numerous studies and a rich case-law of national and international courts are shaping the legal regime of the right to the protection of personal data, particularly important in the context of technological developments resulting in an increased collection and exchange of such data. Of course, information technology and its development constitute forms of evolution of society, but this evolution should take place with respect for fundamental rights as regulated by States' constitutions and international documents. In this regard, we think that it is important to analyse the right to the protection of personal data in the light of other fundamental rights, such as the fundamental right to privacy, from the scope of which the secrecy of correspondence, the freedom of conscience, the freedom of expression, the right to information, the inviolability of the home, the right to life and to physical and psychological integrity, personal liberty have emerged.

This study presents some landmarks decisions that can reveal the content and limits of the right to the protection of personal data in relation to other fundamental rights, as identified by national constitutional courts, the European Court of Human Rights and the Court of Justice of the European Union. We consider this useful and we agree with the distinction drawn in the specialised literature5 between the regulatory framework of the Council of Europe, where, in view of the enshrinement in the Convention for the protection of human rights and fundamental freedoms and based on the practice of the European Court of Human Rights, the right to the protection of personal data is not an autonomous right, and it is rather regarded as a subtype of the right to private and family life (right to information privacy) and, at the same time, an objective legal guarantee of that fundamental right within the European Union, where the right to the protection of personal data autonomously co-exists as a fundamental right with the right to private and family life, based on the Charter of Fundamental Rights of the European Union and within the regulatory framework of the Member States of the European Union, where the right to the prote ction of personal data is either specifically enshrined in national constitutions (Austria, Slovenia, Poland), or received through the implementation of European Union law, with the exception of States which have expressly invoked the derogations from the provisions of the Charter (Poland and the United Kingdom). We would add that this distinction may be applied, mutatis mutandis, also internationally, not only at European level, having regard to the provisions of Article 12 of the Universal Declaration of Human Rights, to the provisions of other international instruments, and to the modality in which these rights are enshrined in national constitutions.

Given that this is vast subject, we shall only give some examples which we consider relevant in highlighting the extent of the obligation to protect personal data, whilst conciliating several fundamental rights relevant in specific contexts.

2. Protection of personal data in the context of measures related to the investigation, detection and prosecution of serious crime

We consider particularly relevant in this regard a number of solutions which demonstrate, on the one hand, the continuity and the consistency of the case - law of the Constitutional Court of Romania and, on the other hand, the consistency of approaches used by the constitutional courts in the European Union and by the Court of Justice of the European Union in cases related to Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC6, and to national legislation by which the Directive was transposed into national law.

We would like to recall7 that this Directive has been adopted as a result of globalisation of serious criminal activity, especially terrorism, its aim being "to harmonise obligations to retain certain data and to ensure that those data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law". This Directive applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It does not apply to the content of electronic communications, including information consulted using an electronic communications network. The Directive sets forth the obligation of compliance with citizens' fundamental rights to respect for private life and communications and to the protection of their personal data, as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The deadline for bringing into force the laws, regulations and administrative provisions necessary to comply with this Directive was 15 September 2007; until 15 March 2009, each Member State could postpone application of this Directive to the retention of communications data relating to Internet Acc ess, Internet telephony and Internet e-mail.

In Romania, this Directive was initially8 transposed by Law no. 298/20089 on the retention of data generated or processed by providers of publicly available electronic communications services or of public communications networks, and amending Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector. This law has been contested by means of an exception of unconstitutionality and, by Decision no. 1258/200910, the Constitutional Court upheld the exception and found that the law transposing the said Directive is unconstitutional. The Court noted, in essence, the lack of precision in the legislation, as well as the violation, by the implementation law, of the right to a private life, the secrecy of correspondence and the freedom of expression.

After the issuance of Decision no.1258/2009 by the Constitutional Court of Romania, several other constitutional courts have declared unconstitutional, based on a similar reasoning, the national laws transposing the same Directive. Thus, for example, the Constitutional Court of the Czech Republic11, in its decision of 22 March 2011, stated that similar conclusions "had been drawn by the constitutional courts of other Eu ropean countries, when they examined the constitutionality of legal rules implementing the above-mentioned Directive on data retention ", namely: the Federal Constitutional Court of Germany, the Constitutional Court of Romania, the Constitutional Court of Bulgaria, the Supreme Court of Cyprus.

Moreover, following Ireland and Slovakia's unsuccessful attempt 12 to challenge the Directive before the Court of Justice of the European Union, the latter was vested by the Constitutional Court of Austria and the Supre me Court of Ireland, which challenged the compatibility of the Directive with the Charter of Fundamental Rights of the European Union, and questioned whether the Directive ensures a good functioning of the internal market of the European Union13. By the judgement delivered on 8 April 2014, the Court of Justice declared the Directive invalid. The Court held, in essence, that the data to be retained under the Directive make it possible, in particular, (1) to know the identity of the person with whom a subscriber or registered user has communicated and by what means, (2) to identify the time of the communication as well as the place from which that communication took place and (3) to know the frequency of the communications of the subscriber or registered user with certain persons during a given period. Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented. The Court took the view that, by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. Furthermore, the fact that data are retained and subsequently used without the subscriber or registered use r being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance. Having examined whether such an interference with the fundamental rights at issue is justified, the Court was of the opinion that, by adopting the Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality.

Vested with the settlement of the exception unconstitutionality of the provisions of Law no. 82/2012 on the retention of data generated or processed by providers of public electronic communications networks and by providers of publicly available electronic communications services, and amending and supplementing Law no. 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector, republished in the Official Gazette of Romania, Part I, no. 211 of 25 March 2014, and Article 152 of the Code of Criminal Procedure, the Constitutional Court of Romania followed the same line of case-law. Thus, noting that Law no. 82/2012 was adopted by Parliament following the issuance of the Constitutional Court Decision no. 1258/2009, cited above, taking account of the recitals of this Decision, as well as of the judgment of the Court of Justice of the European Union of 8 April 2014, by which Directive 2006/24/EC was declared invalid, the Constitutional Court held that they are, in principle, applicable also as regards Law nr.82/2012. Consequently, it declared that law unconstitutional in its entirety.14

Similar considerations and reliance on the judgment of the Court of Justice of the European Union referred to above have led to the decision of unconstitutionality of the Law on cyber security of Romania. 15

We note that, in those cases, the Constitutional Court of Romania has examined the constitutional requirement of personal data protection in relation to other fundamental rights expressly enshrined in the Constitution of Romania, namely the right to personal, family and private life, the freedom of expression and the secrecy of correspondence, applying, therefore, a reasoning similar to that of the European Court of Human Rights, in its case -law (with the differentiations set out in the first part of this paper). The Court has he ld in this regard that, "in the matter of personal rights, such as the right to personal life and the freedom of expression, as well as of processing of personal data, the widely recognized rule is to ensure and guarantee their observance, respectively of confidentiality, the State having, in this respect, mostly negative obligations, of abstention, avoiding, insofar possible, its interf erence in the exercise of such right or freedom."16

Apart from the considerations behind this case-law, it is important to highlight the applicability of the Charter of Fundamental Rights of the European Union in the constitutional review. In this respect, the Constitutional Court of Romania has ruled upon adjudicating on other cases, stating that that the aforementioned instrument is, in principle, applicable to the review of constitutionality "to the extent that it ensures, guarantees and develops the constitutional provisions regarding fundamental rights, in other words, to the extent that its level of protection is at least at the level of constitutional rules in the field of human rights " 17 As concerns the Constitutional Charter, the constitutional basis for relying on this instrument lays in Article 148 of the Constitution and not in Article 20 and, in this respect, the Constitutional Court stated: «as concerns Article 41 of the Charter of Fundamental Rights of the European Union, relating to the right to good administration, the Court notes, first of all, that it can be relied upon, in the light of Article 148 and Article 20 of the Constitution, as indicated by the author of the exception, since, according to Article 6 (1) of the Treaty on European Union (consolidated version), "The Union recognises the rights, freedoms and principles set out in the Charter of Fundamental R ights of the European Union of 7 December 2000, as adapted at Strasbourg, on 12 December 2007, which shall have the same legal value as the Treaties" .18

3. The protection of personal data in the light of the obligation to ensure tax secrecy and the right to information

The basic idea of this study is that the right to the protection of personal data requires compliance with other basic right, but the limits to these rights and their co-existence are often difficult to determine, in specific contexts. Often, the constitutional courts must carry out a delimitation in respect of those categories of data entering the scope of protection of that right, as well as the conditions in which they enjoy protection. Such delimitation was made in a case brought before the Constitutional Court in Georgia and which aimed, in essence, tax secrecy, therefore also the right to the protection of personal data and the right to information.

In that case, the impugned rules were the provisions of the Tax Code governing the concept of tax secrecy, on the ground that there was no precise definition of the scope of the information covered by tax secrecy. Consequently, any information obtained by the tax authorities was included in this category, even if such information could not be defined as classified information (state secrecy, commercial secrecy, professional secrecy), listed as such in Article 41.1 of the Constitution of Georgia. The complainants have argued that for this reason the challenged rules disproportionately restrict freedom of information enshrined in Article 41 of the Constitution.

In order to delimit the scope of the mentioned information, the Constitutional Court found several characteristics shared by all information belonging to the category of tax secrecy: the information relates to a taxpayer; it makes it possible to identify a taxpayer; it is acquired in the process of administration of taxes and is held by tax authorities; it is related to and reflects tax relationships.

The Constitutional Court emphasised the importance of freedom of information for maintaining ongoing public debate in a democratic society and for personal development. The freedom of information entrenched in Article 41.1 of the Constitution differs from freedom of expression, enshrined in Article 24.1, which enshrines the universal right "to freely receive and impart information". Thus, Article 24.1 guaranteed the free receipt of information from generally accessible sources, whereas Article 41.1 referred specifically to information stored in official records and held by State institutions. In this context, the Court identified four groups of information stored by state authorities and regulated under Article 41 of the Constitution: information concerning a person; information, which is not directly related to the person applying for it, but is available to anyone; official information, which contains State, commercial or professional secrecy; data stored in official records, dealing with private matters, such as health and finances.

The Constitutional Court stressed that in contrast to Article 41.1 of the Constitution which enshrines freedom of information, the constitutional value protected in Article 41.2 of the Constitution is the right of the individual to control the dissemination of information related to his or her private affairs, one of the most fundamental aspects of privacy. As regards information on specific aspects, the Constitution of Georgia provides that if the person does not wish to disseminate such information, the State is obliged to protect him/her against disclosure until he/she request disclosure of the relevant information. Although Article 41.2 refers to "individual's health, finances or other private matters", it is also applicable to legal persons, aside from the section on health-related personal data. The Court decided that the information relating to finance within the meaning of Article 41.2 of the Constitution, shall include any data reflecting directly or indirectly the material aspects of a person's private affairs or the material basis of his/her activities. The Court further emphasised that only the identification information of the taxpayer are considered to fall within the scope of tax secrecy. Accordingly, the Court found that the information covered by tax secrecy were protected in accordance with Article 41.2 of the Constitution of the disclosure and the challenged rules governing tax secrecy served the constitutional aim of inviolabilit y of personal data.

In response to the claimants' argument that the challenged norms imposed a disproportionate restriction on their freedom of information, the Constitutional Court declared that the Constitution does not provide for the right of a person to acquire information from official sources pertaining to somebody else's health, finances or other private affairs. The value protected in Article 41.2 of the Constitution was the right of an individual to assurance that information pertaining to his or her private affairs and stored in official sources was not accessible. Disclosure of such information, regardless of the consequences that would entail, is in itself an infringement of a constitutional right.

In response to the claimants' contention that the norms did not satisfy the criteria of foreseeability and legal certainty, the Court noted that although the disputed articles of the Tax Code did not give an exhaustive list of what was contained therein, it was quite possible to discern which information should be classified as tax secrecy and who could have access to it and when. As a result, it found that the challenged rules meet the requirements of legal certainty and leave no room for arbitrariness in the decision-making process. 19

We note the line of reasoning on "the right of the individual to control the dissemination of information related to his or her private affairs", which reflects the right outlined in the case-law of the European Court of Human Rights and development also in the case-law of other courts, such as the right to informational self-determination. As noted in the legal literature20, this concept was explained for the first time by Federal Constitutional Court of Germany, in a decision of 1983, where it stated that "in the context of modern data processing, the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights of the German Constitution. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data. Limitations to this informational self-determination are allowed only in case of overriding public interest"; "the freedom of individuals to make plans or decisions in reliance on their personal powers of self-determination may be significantly inhibited if they cannot with sufficient certainty determine what information on them is known in certain areas of their social sphere and in some measure appraise the extent of knowledge in the possession of possible interlocutors 21."

In a similar context, there have been developments in the same direction, i.e. existence of a subjective right to informational self-determination, regarding personal data protection versus tax obligations imposed by national law. For example, the Constitutional Court of Moldova has recently issued a decision on the amendments to the Tax Code.22 Under the new rules, persons exercising a liberal profession: notaries, lawyers, bailiffs, mediators, were no longer individualised as separate entities to whom a tax code was assigned, and records of their tax liabilities was kept on the basis of State identification number of the natural person (IDNP). The Court held that, according to Article 86 of the Tax Code, each person that obtains taxable income or makes taxable payments, uses the tax code assigned (obtained) as to keep record of taxpayers as laid down by the Code and by other legislative acts n adopted in accordance with the Code. Articles 162 to 165 of the Tax Code govern taxpayers' records per tax codes. Natural persons exercising a liberal profession, included in the category of taxpayers under tax law and subjects to a tax legal relationship, must go through the registration tax before the tax body, for the purpose of registration and for obtaining the tax records code. According to the amendments to the law, notaries, lawyers (practicing within law offices), bailiffs, persons performing the activity of private detective and guard, mediators are identified by a tax code identical to the citizen's personal number, mentioned in the Tax Register of the State Register of the Population. The legislature has thus assimilated the activity carried out by lawye rs, bailiffs with the mere activity of a natural person. However, the activity carried out by those persons is governed by separate laws. The liberal status and the almost exclusive activities of these professions are not tantamount to an absolute freedom in the actions to be undertaken in the performance of the duties. The persons carrying on those liberal activities are obliged to act in strict compliance with legal provisions. The Court has held that notaries, bailiffs and lawyers are authorised by law t o exercise activities of public interest, whilst the income from the liberal professions represents income from the provision of services of a professional nature, performed individually or in various form of association. Although the sole partnership, the rural household or the limited partnership is not considered a legal person and it is treated as a natural person, the tax number thereof is the identification number of the natural person assigned by the State Chamber of Registration and generated from the Register of legal units. Further, the Court held that the legislature is to make a delimitation of the subject of the taxation, i.e. between the natural person not engaged in professional activity who, during the tax period, obtains taxable income and the person engaged in professional activity who, during the tax period, obtains taxable income from work and personal activity. As regards the State identification number of the natural person (IDNP), it falls within the notion of personal data, and the spe cific legislation in the field becomes applicable. The Court held in that regard that, on the one hand, according to requirements of domestic and international law, the State must provide for effective safeguards to protect personal data and prevent an interference with private life and, on the other hand, according to the modifications envisaged, it creates the premises for public disclosure of the State identification number of the natural person exercising a liberal profession, awarded as fiscal code, without the consent of the person. The personal codes of notaries, lawyers, bailiffs, etc. used as tax codes, become accessible to all persons with whom they interact in the pursuit of their activity. In such circumstances, in the absence of protection of on e's own information, the person may not be safe and he/she is not protected from interference in his/her private life. In this context, the Court referred to the case - law of the European Court of Human Rights, namely Brüggemann and Scheuten v. Germany , in which it was held that the provisions of Article 8 of the Convention "ensure a sphere within which everyone can freely pursue the development and fulfilment of his personality" and that "the individual himself is the one who determines the extent of protection in so far as he put his private life into contact with public life or into close connection with other protected interests." For these reasons, the Court held that "the right to informational self -determination guarantees the freedom of any person to decide on the disclosure and use of his personal data, in so far as the registration and use of such data must be normally authorised by the person concerned". However, given that the legislature extended the scope and the possibilities of use of confidential codes, this may seriously affect the right to informational self-determination and human dignity. According to the provisions of Article 54 of the Constitution and Article 8 of the European Convention, in the present case, the interference in the priva te life of the person using the State identification number of the natural person (IDNP) as the fiscal code for persons exercising a liberal profession is not proportionate to the aim pursued. That interference does not come within the situations where the Constitution and the European Convention allow limitations. The Court found no objective and reasonable justification for adopting such rules, which allow, therefore, the disclosure of the State identification number (IDNP) of the persons practising the professions of lawyer, notary, bailiff, mediator, etc. In view of the "sensitive" nature of the right to respect for private life and to prevent interference in the exercise of this right, the legislature to provide effective opportunities and remedies. In conclusion, the Court held that the protection of personal data is of fundamental importance to ensure the right to privacy, and therefore, the contested regulations, allowing access by a circle of individuals to the State identification number of the natural persons (IDNP) practicing a liberal profession, contrary to their wishes, allow an interference with the private life of the person disproportionate to the aim pursued, in breach of Article 28 of the Constitution.

4. The protection of personal data in the light of the obligation to insure banking s ecre cy, the right to information and the effective access to a court

The relevant arguments on the limits of reliance upon banking secrecy and hence the limits of the protection of data falling within its scope, by reference to the need to guarantee other fundamental rights, are those underlying the judgment of the Court of Justice of the European Union asked to give a preliminary ruling by a German court in proceedings between a holder of intellectual property rights and a bank which has refused to provide information on a bank account. The national court asked whether Article 8 (3) (e) of Directive 2004/4823 must be interpreted as precluding a national provision which, in a case such as that in the main proceedings, allows a banking institution to refuse, by invoking banking secrecy, to provide information pursuant to Article 8(1)(c) of that directive concerning the name and address of an account holder.

The Court noted that the Member States are to ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by any person who was found to be providing on a commercial scale services used in the infringing activities. The measures, procedures and remedies provided for in this Directive should be determined in each case in such a manner as to take due account of the specific features of each intellectual property right and, where appropriate, the intentional or unintentional character of the infringement.

The right to information which is intended to benefit the applicant in the context of proceedings concerning an infringement of his right to property thus seeks, in the field concerned, to apply and implement the fundamental right to an effective remedy guaranteed in Article 47 of the Charter, and thereby to ensure the effective exercise of the fundamental right to property, which includes the intellectual property right protected in Article 17(2) of the Charter. Therefore, the first of those fundamental rights is a necessary instrument for the purpose of protecting the second. The protection of intellectual property must not hamper the protection of personal data.

That case therefore raised the question of the need to reconcile the requirements of the protection of different fundamental rights, namely an analysis and interpretation of Article 52 of the Charter of Fundamental Rights of the European Union. Article 52 (1) of the Charter states that any limitation on the exercise of the rights and freedoms recognised must respect the essence of those rights and freedoms. A measure which results in serious infringement of a right protected by the Charter is to be regarded as not respecting the requirement that such a fair balance be struck between the fundamental rights whic h must be reconciled. The national provision at issue allows a banking institution to invoke banking secrecy in order to refuse to provide, pursuant to Article 8 (1) (c) of Directive 2004/48, information concerning the name and address of an account holder. However, although it is true that Article 8(1) of that directive does not recognise an autonomous right to information which individuals may exercise directly against the infringer, it nevertheless imposes on the Member States an obligation to ensure that that information can be obtained by means of measures of enquiry ordered by a court.

The Court stated that a national provision, such as that at issue in the main proceedings, taken in isolation, is such as to seriously infringe the fundamental right to an effective remedy and, ultimately, the fundamental right to intellectual property and that it does not, therefore, comply with the requirement to ensure a fair balance between, on the one hand, the various fundamental rights, and, on the other, Article 8 of Directive 2004/48. It is, however, for the referring court to determine whether there are, in the national law concerned, any other means or other remedies which would allow the competent judicial authorities to order that the necessary information concerning the identity of persons who are covered by Article 8 (1) of Directive 2004/48 be provided, in view of the specific circumstances of each case, in accordance with recital 17 in the preamble to that directive. It follows from all the foregoing that Article 8 (3) (e) of Directive 2004/48 must be interpreted as precluding a national provision, such as that at issue in the main proceedings, which allows, in an unlimited and unconditional manner, a banking institution to invoke banking secrecy in order to refuse to provide, pursuant to Article 8 (1) (c) of that directive, information concerning the name and address of an account holder.24

5. The legal regime of data on the health status of a person

We mention in this regard a decision of the Constitutiona l Court of Romania, relevant both in terms of the conclusions therein, and in terms of the subject of the complaint and the reaction of the legislature, which amended the respective piece of legislation taking account of the criticism of unconstitutionalit y, before the resolution of the case. Thus, the Court was notified with the exception of unconstitutionality of the provisions of Law no. 95/2006 on health reform with regard to the "national health insurance card ".25 As grounds for the exception of unconstitutionality, the author claimed, in essence, that the legal provisions in question are unconstitutional as "they establish an obligation, without alternative, in terms of acceptance of such electronic health card and preparation of the electronic file", in breach of the constitutional provisions that protect and guarantee freedom of thought and conscience, the Universal Declaration of Human Rights, and Article 18 (1) of the International Covenant on Civil and Political Rights. Freedom of thought, conscience and religion includes the individual right to have or to adopt a religion or belief of one's own choice. At European level, the UK has waived electronic identity cards, the Constitutional Council of France has issued decision no. 652 of 22 March 2012 concerning the unconstitutionality of the Law on electronic identification documents, and the European Parliament's Rapporteur, Ole Sorensen, pointed out that the use of biometrics could be a step towards systematic and centralised storage of sensitive personal data, and that such a central storage of biometric data might endanger the protection of civil rights, especially the right to privacy. In Romania, civil society is almost unanimously against electronic identity card, and 46 non-governmental organisations notified the Government on this issue. It was also argued that the concrete means by which such electronic communication services operate were left entirely at the discretion of the software vendors, and the operating mode transforms these databases int o an open system which offers to an indefinite number of people not only information relating to the medical procedures applied, , but also what Law no. 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector defines as "location data". At the same time, this system stores for unlimited and indefinite periods all the data identifying the insured, the diseases he/she suffers from, the treatments prescribed etc., which affects the right to own image and dignity, in violation of the right to private life as provided for in Article 26 of the Constitution and in Article 8 of the Convention for the protection of human rights and fundamental freedoms. In this respect, the author relies on the judgment of the European Court of Human Rights of 16 December 1992 in Case Niemietz v. Germany . The storage of personal data for an unlimited period is not necessary in a democratic society and it is thus also in breach of Article 53 (2) of the Constitution as long as the capacity as insured person and the proof of payment of contributions to the national health system can be proven also by the classic insurance certificate form. At the same time, the refusal to provide medical insurance without a health card is in breach of Article 44 (1) of the Constitution and of the right to protection of health.

Having examined the exception of unconstitutionality, the Court held that the legal provisions subject to criticism have been amended after referral to the Constitutional Court26, without keeping the legal solution criticised by the author of the exception. According to the new legal content of Article 212 (1) of Law no. 95/2006 "the documents certifying the capacity as insured person are, as the case may be, the certif icate issued by the health insurance house where the insured person is registered or by the document obtained by providers under contract with health insurance agencies upon accessing the electronic tool made available by the National Health Insurance Agency. Af ter the implementation of the provisions of Title IX, these supporting documents shall be replaced by the national health insurance card, or the certif icate with a validity of 3 months for persons who expressly decline for reasons related to religion or conscience the receipt of the national card. [...]" At the same time, under the second sentence of Article 330 (2) of Law no. 95/2006, as amended by Government Ordinance no. 11/2015, persons who expressly decline, for reasons related to religion or cons cience, the receipt of the national card, in order to prove the capacity as insured person, will be issued the certificate with a validity of 3 months provided for in Article 319 (b1), according to which this is "the document attesting the capacity as insu red person, valid for a maximum period of 3 months f rom the date of issue, f or persons who expressly decline for reasons related to religion or conscience the receipt of the national card, the template of which is laid down by order of the President of the National Health Insurance Agency. " Therefore, after submission of the notification to the Constitutional Court, the impugned legal text have been modified in line with the challenges made by the author of the exception, and thus the complaint has become devoid of purpose, and the exception of unconstitutionality was rejected as inadmissible .27

Furthermore, the protection of personal data relating to a person's state of health and the obligations of public authorities as regards the processing of these categories of data formed the subject-matter of a question referred for a preliminary ruling by the Court of Appeal, in a dispute concerning the processing of certain personal data of the applicant by the National Health Insurance Agency ("CNAS") and the National Agency for Fiscal Administration ("ANAF"). 28 The referring court has asked whether Articles 10, 11 and 13 of Directive 95/46 must be interpreted as precluding national measures, which allow a public administrative body in a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects being informed of that transfer and processing.

Article 10 of the directive provides that the data controller must provide a data subject, from whom data relating to himself are collected, with the information listed in subparagraphs (a) to (c), except where he already has that information. That information concerns the identity of the data controller, the purposes of the processing and any further information necessary to guarantee fair processing of the data. That requirement to inform the data subjects about the processing of their personal data is all the more important since it affects the exercise by the data subjects of their right of access to, and right to rectify, the data being processed, set out in Article 12 of Directive 95/46, and their right to object to the processing of those data, set out in Article 14 of that directive. It follows that the requirement of fair processing of personal data laid down in Article 6 of Directive 95/46 requires a public administrative body to inform the data subjects of the transfer of those data to another public administrative body for the purpose of their processing by the latter in its capacity as recipient of those data.

It is clear from the information provided by the referring court that the applicants in the main proceedings were not informed by the ANAF of the transfer to the CNAS of personal data relating to them. The Romanian Government submitted, however, that the ANAF was required, in particular under Article 315 of Law No 95/2006, to transfer to the regional health insurance funds the information necessary for the determination by the CNAS as to whether persons earning income through self-employment qualify as insured persons. It is true that Article 315 of Law no. 95/2006 expressly provides that "the data necessary to certify that the person concerned qualifies as an insured person are to be communicated free of charge to the health insurance funds by the authorities, public institutions or other institutions in accordance with a protocol". However, it is clear from the case file that the data necessary for determining whether a person qualifies as an insured person do not include those relating to income, since the law also recognises persons without a taxable income as qualifying as insured. In those circumstances, Article 315 of Law no. 95/2006 cannot constitute, within the meaning of Article 10 of Directive 95/46, prior information enabling the data controller to dispense with his obligation to inform the persons from whom data relating to their income are collected as to the recipients of those data. Therefore, it cannot be held that the transfer at issue was carried out in compliance with Article 10 of Directive 95/46.

The Court examined whether Article 13 of the directive applies to that failure to inform the data subjects, whereas it is apparent from Article 13(1)(e) and (f) that Member States may restrict the scope of the obligations and rights provided for in Article 10 of the same directive when such a restriction constitutes a necessary measure to safeguard "an important economic or financial interest of a Member State [...], including monetary, budgetary and taxation matters" or "a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e)". The Court added that Article 13 expressly requires that such restrictions are imposed by legislative measures. Apart from the fact that data relating to income are not part of the personal data necessary for the determination of whether a person is insured, the Court observed that Article 315 of Law no. 95/2006 merely envisages the principle of the transfer of pe rsonal data relating to income held by authorities, public institutions and other institutions. The definition of transferable information and the detailed arrangements for transferring that information were laid down not in a legislative measure but in the 2007 Protocol agreed between the ANAF and the CNAS, which was not the subject of an official publication. In those circumstances, the Court stated that it cannot be concluded that the conditions laid down in Article 13 of Directive 95/46 permitting a Member State to derogate from the rights and obligations flowing from Article 10 of the directive are complied with.

In conclusion, Articles 10, 11 and 13 of Directive 95/46 must be interpreted as precluding national measures which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.29

6. Conclus ions

In view of the dynamics of the rights concerned by this study, in a society in which technological developments lead to permanent shifts in transmission and reception of information, it is hard to believe that the legislature will be able to make a timely adaptation of legislation in order to respond in real time to such dynamics. As it has been pointed out30, the regulatory framework relating to the protection of personal data is quite old (years 2001-2004), so that the new technologies and the problems they pose can hardly find an appropriate legislative response. In addition, at European level, the protection of personal data is covered by the Directives which require transposition into national legislations, sometimes significant, resulting in differences, significant at times, in the legal systems of the Member States.

Thus, a key role in defining and ensuring these rights will belong to national courts (in particular constitutional courts) and international courts, obliged to carry out an evolutionary and, at the same time, consistent appr oach in this matter.

The judges' dialogue 31 will certainly constitute the key to achieving effective protection of the fundamental rights that need to be reconciled. In this respect, it is noted that one of the key concepts in the evaluation and decision-making process with reference to each case is the proportionality of the measures adopted, whenever it is involved a restriction on the exercise of fundamental rights32, so that we shall certainly see also a refinement and development of the proportionality test/examination and of the principle of proportionality.33

Identified in the specialised literature 34 as originating from German constitutional case-law, namely from the Decision of 11 June 1958 - BVerfG 7, 377- Apothek enurteil, whereby35 the Federal Constitutional Court has developed the "steps" theory, each step representing an ascendant intensity of the interference with the right, the principle of proportionality has been subject to an important development in legal writings and in case-law, and the "proportionality test" is currently applied in the case-law of the European Court of Human Rights, the case - law of the Court of Justice of the European Union and the case -law of constitutional courts. The expressis verbis implementation of the principle of proportionality according to the German model and of the test related thereto was carried out for the first time in the case -law of the Constitutional Court of Romania by Decision no. 266 of 21 May 2013, being developed by many decisions in which the provisions of Article 53 of the Constitution - Restriction on certain rights and freedoms, has experienced a significant interpretative development. 36