Employer DPIA Guide & Model Notices
Last updated: June 9, 2026
This page is practical guidance for employer organisations that use Kronly to process their workers' personal data. It provides (1) help deciding whether a Data Protection Impact Assessment (DPIA) is needed, with a template to carry one out, and (2) a model notice you can give employees when you enter their details on their behalf. As the data controller for your employees' data, these obligations are yours; Kronly acts as your processor and will assist (see our Data Processing Agreement).
This is general guidance, not legal advice. For your specific circumstances, consult a Romanian data-protection professional.
1. Is a DPIA Required?
Under Art. 35 GDPR, a DPIA is required only where processing is likely to result in a high risk to individuals' rights and freedoms — typically processing involving large-scale systematic monitoring, large-scale processing of special-category data, or innovative technologies. Use this quick screening:
- Do you process workers' data on a large scale relative to your size and sector?
- Do you process workers' CNPs (national identification numbers) on a large scale? ANSPDCP Decision no. 174/2018 lists large-scale processing of national identification numbers among the operations for which a DPIA is required.
- Do you carry out systematic monitoring of a publicly accessible area, or continuous location tracking? Note that Decision no. 174/2018 also lists large-scale systematic monitoring of employees, and the Article 29 Working Party's WP248 guidelines (endorsed by the EDPB) treat employees as vulnerable data subjects, which is a standalone risk criterion. Where two or more WP248 criteria are met, a DPIA is likely required.
- Do you combine Kronly with other monitoring tools (CCTV, GPS fleet tracking, biometric clocking)?
- Do you process special categories of data (e.g. health, biometrics) through these systems?
The binding test in Romania is ANSPDCP Decision no. 174/2018 (adopted under Art. 35(4) GDPR), so always check your situation against that list. If you answered "no" to all of the above, a full DPIA is generally not mandatory for using Kronly on its own. Kronly's privacy-by-design architecture (see Section 2) keeps the risk low: there is no continuous monitoring (only point-in-time yes/no proximity results), and for a typical small or medium construction firm the processing is not "large scale". We still recommend you document this screening decision: a short record that you considered the question, including against Decision no. 174/2018, and concluded a DPIA was not required is itself good accountability practice under Art. 5(2) GDPR.
If you answered "yes" to any item, or two or more WP248 criteria apply to your deployment, complete the DPIA template in Section 3. In that case, note that any high risk is likely driven by the other tools (CCTV, GPS fleet tracking, biometric clocking) rather than by Kronly, and record that distinction in the assessment.
2. How Kronly Reduces Your Risk
Kronly is built to minimise the compliance burden on employers:
- No GPS coordinates leave the device. Proximity verification runs on the worker's phone; only a yes/no "in range" result is sent — there is no location tracking.
- No continuous tracking and no biometrics. Workers are not monitored between clock-in events; no facial or fingerprint data is processed.
- Photo EXIF location metadata is stripped before upload.
- CNP is optional, access-restricted, and used only for payroll export (with the Law 190/2018 Art. 4 safeguards).
- EU hosting with encryption in transit and access-restricted storage; the limited exceptions (push-notification delivery and technical error monitoring without personal identifiers, under the EU-US Data Privacy Framework) are described in Section 15 of the Privacy Policy.
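When you record the EXIF safeguard as a mitigation in your DPIA, you can verify it rather than take it on trust. The following Python script is an added example for this guide, not Kronly's own code and not a description of how the App strips metadata: it assumes only the public JPEG/TIFF layout (EXIF sits in an APP1 segment beginning with "Exif" and two NUL bytes, and IFD0 tag 0x8825 points at the GPS sub-IFD that holds coordinates), detects that pointer in a photo you have retrieved from the system, and shows one stricter way to strip it by dropping the whole Exif segment. The sample image bytes are constructed inline and are not a real photo.

```python
"""Added example: detect an EXIF GPS block in a JPEG and strip it before upload.

Not Kronly's code. Assumes only the public JPEG/TIFF layout: EXIF lives in an
APP1 segment starting with "Exif" + two NUL bytes, and IFD0 tag 0x8825 points
at the GPS sub-IFD holding latitude/longitude. Dropping the whole APP1/Exif
segment is a stricter choice than deleting only the GPS sub-IFD.
"""
import struct

EOI, SOS, APP1 = 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each metadata segment between SOI and SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (EOI, SOS):
            return  # scan data follows SOS; EXIF may not appear after it
        if marker >> 8 != 0xFF or pos + 4 > len(data):
            raise ValueError(f"bad marker at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length  # the length field counts itself
        if end > len(data):
            raise ValueError("truncated segment")
        yield marker, pos, end
        pos = end


def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 payload is EXIF and its IFD0 carries the GPS IFD pointer."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        raise ValueError("bad TIFF header")
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            raise ValueError("truncated IFD0")
        if struct.unpack(order + "H", entry[:2])[0] == TAG_GPS_IFD:
            return True
    return False


def photo_leaks_location(jpeg: bytes) -> bool:
    """The check an assessor would run on a photo retrieved from the system."""
    return any(exif_has_gps(jpeg[s + 4:e])
               for m, s, e in iter_segments(jpeg) if m == APP1)


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every APP1/Exif segment removed; other segments kept."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed test input, not a real photo: SOI, APP1/Exif, COM, EOI.

    IFD0 holds a Make string and, when with_gps is set, tag 0x8825 pointing at
    a one-entry GPS sub-IFD (GPSLatitudeRef = "N").
    """
    o = "<"  # little-endian ("II") TIFF
    n = 2 if with_gps else 1
    make = b"Kronly\x00\x00"  # 8 bytes, stored out of line, keeps offsets even
    make_off = 8 + 2 + 12 * n + 4  # header + count + entries + next-IFD link
    gps_off = make_off + len(make)
    ifd0 = struct.pack(o + "H", n)
    ifd0 += struct.pack(o + "HHII", 0x010F, 2, len(make), make_off)  # Make, ASCII
    if with_gps:
        ifd0 += struct.pack(o + "HHII", TAG_GPS_IFD, 4, 1, gps_off)  # LONG pointer
    ifd0 += struct.pack(o + "I", 0)  # no IFD1
    tiff = b"II" + struct.pack(o + "HI", 42, 8) + ifd0 + make
    if with_gps:
        tiff += struct.pack(o + "H", 1)
        tiff += struct.pack(o + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # inline value
        tiff += struct.pack(o + "I", 0)
    body = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(body) + 2) + body
    com = struct.pack(">HH", 0xFFFE, 8) + b"sample"  # harmless comment segment
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("leaks location:", photo_leaks_location(photo))              # True
    print("after strip:   ", photo_leaks_location(strip_exif(photo)))  # False
```

Run photo_leaks_location over a handful of photos retrieved from the system; a True result on any of them is a finding to raise with the processor before you rely on the safeguard in Step 5 of the template. The parser deliberately stops at SOS and refuses malformed headers rather than guessing, so a truncated or hostile file is reported as an error, not silently passed as clean.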
3. DPIA Template
If a DPIA is warranted, work through the following steps. You can copy these headings into your own record:
- Step 1 — Describe the processing: purpose, categories of data and data subjects, recipients, and retention. You may reference Annex 1 of the DPA and the Privacy Policy.
- Step 2 — Necessity and proportionality: why the processing is necessary for your purpose (e.g. Codul Muncii Art. 119 record-keeping) and that you collect no more than is needed.
- Step 3 — Consult: where relevant, seek the views of employees or their representatives (Art. 5, Law 190/2018; Art. 35(9) GDPR).
- Step 4 — Identify and assess risks: to workers' rights and freedoms (e.g. excessive monitoring, data breach, function creep).
- Step 5 — Mitigations: record the safeguards in Section 2, plus your own measures (access policies, retention limits, employee notice).
- Step 6 — Outcome and review: conclude whether the residual risk is acceptable, record who signed off, and set a review date. If your organisation has designated a Data Protection Officer, seek and record the DPO's advice (Art. 35(2) GDPR).
Kronly will provide reasonable assistance and the information available to it to support your DPIA (see Section 10 of the DPA). Contact privacy@kronly.eu.
4. Model Art. 14 Notice for Employees
When a manager enters an employee's details (for example, their CNP, name, or phone number) into Kronly on the employee's behalf, the data enters the App from you, the employer, rather than being collected from the employee directly. Article 14 GDPR requires you to inform the employee within a reasonable period after obtaining the data and at the latest within one month (Art. 14(3)(a) GDPR); in practice, give the notice before or at the time you enter the data into Kronly. You can adapt and give employees the following model notice (fill in the bracketed fields):
Notice on the processing of your personal data (Art. 14 GDPR)
[Employer legal name], [CUI / Trade Register no.], [address] ("we", the data controller) processes the following personal data about you, which we entered into the Kronly workforce-management application on your behalf:
- Data concerned: your Personal Numeric Code (CNP) and, where applicable, your name and phone number.
- Source: provided by us, your employer; we entered it into Kronly.
- Purpose: preparing payroll/salary reports and keeping the workforce records we are required to maintain.
- Legal basis: compliance with our legal obligations (Art. 6(1)(c) GDPR) and/or performance of your employment contract (Art. 6(1)(b) GDPR). We do not rely on your consent.
- Recipients: our accountant/payroll provider, and Kronly (Oliniuc Bogdan-Nicolae PFA) as our processor. We do not sell your data.
- Retention: for as long as required by payroll, tax, and labour law.
- Your rights: access, rectification, erasure, restriction, objection, and portability, and the right to lodge a complaint with ANSPDCP (dataprotection.ro). To exercise your rights, contact us at [employer contact email].
- Data Protection Officer: [DPO contact details, if your organisation has appointed one — otherwise delete this line].
This model reflects that you are the controller and Kronly is your processor. Keep your own employee privacy notice up to date; Kronly's Privacy Policy describes how the App processes data on your behalf.