Personal Data Protection In Armenia
The Law “On protection of personal data” of RA (Law) guarantees the rights of natural persons (data subjects) and imposes mandatory requirements on personal data processors, authorised persons, and third parties.
In the scope of the Law:
“Personal data” shall mean any information relating to a natural person, which allows or may allow for direct or indirect identification of a person's identity;
“Processor of personal data” shall mean a state administration or local self-government body, state or community institution or organisation, legal or natural person, which organise and/or carries out processing of personal data;
“Data subject” shall mean a natural person to whom the personal data relate.
The Law defines personal data processing. Processing includes any operation or set of operations, regardless of the form and mode of implementation (automated, with or without use of technical means), related to personal data including:
- Collection.
- Input.
- Systematization.
- Organization.
- Storage.
- Use.
- Alteration.
- Restoration.
- Transfer.
- Rectification.
- Blocking.
- Deletion.
The Law also establishes the basic principles on which the personal data should be processed. These are:
1. Principle of lawfulness (The processor of personal data shall be obliged to follow and ensure that the data are processed in observance of the requirements of the Law. Personal data shall be processed for legitimate and specified purposes and may not be used for other purposes without the data subject's consent).
2. Principle of proportionality (The processing of data must pursue a legitimate purpose, measures to achieve it must be suitable, necessary and moderate. The processor of personal data shall be obliged to process the minimum volume of personal data that are necessary for achieving legitimate purposes. The processing of personal data that are not necessary for the purpose of processing of data or are incompatible with it shall be prohibited. The processing of personal data shall be prohibited where the purpose of processing of data is possible to achieve in a depersonalised manner. Personal data must be stored in such a way as to exclude the identification thereof with the data subject for a period longer than is necessary for achieving predetermined purposes).
3. Principle of reliability (The personal data being processed must be complete, accurate, simple and, where necessary, kept up to date).
4. Principle of minimum engagement of subjects (The processing of personal data shall be carried out under the principle of minimum engagement of subjects. Where the state administration or local self-government body, the notary are able to obtain the personal data from other body through a uniform electronic information system, personal data subject shall not be required to submit personal data necessary for certain operations. In case of a written consent of the personal data subject, natural or legal persons considered as a processor of personal data may obtain from a state or local self-government body personal data necessary for a certain operation and directly specified in the written consent of a personal data subject. The procedure for the transfer of personal data through an electronic information system shall be prescribed by the Government of the Republic of Armenia).
In Armenia, personal data processing is deemed lawful if: The data subject has consented to the processing, except in cases provided by law, the processed data is obtained from a publicly available source.
Before processing the data, the Law requires the data subject’s consent for lawful processing, except where the personal data is publicly available. The data subject must give consent in writing or electronically, validated by an electronic digital signature. Verbal consent may suffice if it obviously attests to the data subject’s consent to the use of the subject’s personal data.
To obtain the data subject’s written consent before processing personal data, a processor or authorized person must notify the data subject of its intention to process the subject’s data.
Before processing personal data, the data processor also may notify the Armenian Personal Data Protection Agency (PDPA) of its intention to process data. A processor must notify the PDPA if:
1. The PDPA requests notice.
2. The processor intends to process biometric or special category personal data.
The Law does not guarantee publicly available personal data to be protected, such as information that either:
- Becomes publicly available to certain persons or the public either with the data subject’s consent, or through the data subject’s conscious actions to make the information public,
- Constitutes publicly available information by law (such as a person’s name, surname, year, month and day of birth, and place of birth).
The Law defines special category personal data as information relating to a person’s race, national identity or ethnic origin, political views, religious or philosophical beliefs, trade union membership, health, and sex life. The Law also defines biometric personal data as information relating to a person’s physical, physiological, and biological characteristics.
The Law recognizes a data subject’s right to:
- Obtain information on his or her personal data, processing of data, grounds and purposes for processing, processor of data, the registered office thereof, as well as the scope of persons to whom personal data may be transferred.
- Get familiarised with his or her personal data, require from the processor to rectify, block or destruct his or her personal data, where the personal data are not complete or accurate or are outdated or has been obtained unlawfully or are not necessary for achieving the purposes of the processing.
- In case of doubts with regard to the rectification, blocking or destruction of personal data by the processor, to apply to the authorised body for the protection of personal data to make clear the fact of his or her personal data being rectified, blocked or destructed and by the request to be provided with information.
- Appeal actions or inaction of the processor before an authorised state body for the protection of personal data or through judicial procedure.
The Law also defines the obligations of personal data processor:
- To provide information to the data subject at the request of the data subject.
- To explain to the data subject in writing the consequences for failure to provide personal data, including the rights of personal data subject.
- In case of incomplete, inaccurate, outdated, unlawfully obtained personal data or those unnecessary for achieving the purposes of the processing, to carry out necessary operations for making them complete, keeping up to date, rectifying or destructing.
- To destruct or block personal data that are not necessary for achieving the legitimate purpose.
- To use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorised access to information systems, unlawful use, recording, destructing, altering, blocking, copying, disseminating personal data and other interference.
- To prevent the access of appropriate technologies for processing personal data for persons not having a right thereto and ensure that only data, subject to processing by him or her, are accessed by the lawful user of these systems and the data which are allowed to be used.
- To maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing thereof.
The Law does not clearly specify its jurisdictional scope. For example, the Law does not specify which rules apply to a foreign company’s collection and transfer of Armenian citizens’ or foreign citizens’ personal data outside Armenia, or to an Armenian company that uses collection and processing technology located outside Armenia. However, a person who collects and processes personal data in Armenia, and transfers that data outside Armenia, likely must meet the Law’s requirements.
Author: Meri Artashesyan, Counsel
