The Law “On protection of personal data” of RA (Law) guarantees the rights of natural persons (data subjects) and imposes mandatory requirements on personal data processors, authorised persons, and third parties.
In the scope of the Law:
“Personal data” shall mean any information relating to a natural person, which allows or may allow for direct or indirect identification of a person's identity;
“Processor of personal data” shall mean a state administration or local self-government body, state or community institution or organisation, legal or natural person, which organise and/or carries out processing of personal data;
“Data subject” shall mean a natural person to whom the personal data relate.
The Law defines personal data processing. Processing includes any operation or set of operations, regardless of the form and mode of implementation (automated, with or without use of technical means), related to personal data including:
The Law also establishes the basic principles on which the personal data should be processed. These are:
1. Principle of lawfulness (The processor of personal data shall be obliged to follow and ensure that the data are processed in observance of the requirements of the Law. Personal data shall be processed for legitimate and specified purposes and may not be used for other purposes without the data subject's consent).
2. Principle of proportionality (The processing of data must pursue a legitimate purpose, measures to achieve it must be suitable, necessary and moderate. The processor of personal data shall be obliged to process the minimum volume of personal data that are necessary for achieving legitimate purposes. The processing of personal data that are not necessary for the purpose of processing of data or are incompatible with it shall be prohibited. The processing of personal data shall be prohibited where the purpose of processing of data is possible to achieve in a depersonalised manner. Personal data must be stored in such a way as to exclude the identification thereof with the data subject for a period longer than is necessary for achieving predetermined purposes).
3. Principle of reliability (The personal data being processed must be complete, accurate, simple and, where necessary, kept up to date).
4. Principle of minimum engagement of subjects (The processing of personal data shall be carried out under the principle of minimum engagement of subjects. Where the state administration or local self-government body, the notary are able to obtain the personal data from other body through a uniform electronic information system, personal data subject shall not be required to submit personal data necessary for certain operations. In case of a written consent of the personal data subject, natural or legal persons considered as a processor of personal data may obtain from a state or local self-government body personal data necessary for a certain operation and directly specified in the written consent of a personal data subject. The procedure for the transfer of personal data through an electronic information system shall be prescribed by the Government of the Republic of Armenia).
In Armenia, personal data processing is deemed lawful if: The data subject has consented to the processing, except in cases provided by law, the processed data is obtained from a publicly available source.
Before processing the data, the Law requires the data subject’s consent for lawful processing, except where the personal data is publicly available. The data subject must give consent in writing or electronically, validated by an electronic digital signature. Verbal consent may suffice if it obviously attests to the data subject’s consent to the use of the subject’s personal data.
To obtain the data subject’s written consent before processing personal data, a processor or authorized person must notify the data subject of its intention to process the subject’s data.
Before processing personal data, the data processor also may notify the Armenian Personal Data Protection Agency (PDPA) of its intention to process data. A processor must notify the PDPA if:
1. The PDPA requests notice.
2. The processor intends to process biometric or special category personal data.
The Law does not guarantee publicly available personal data to be protected, such as information that either:
The Law defines special category personal data as information relating to a person’s race, national identity or ethnic origin, political views, religious or philosophical beliefs, trade union membership, health, and sex life. The Law also defines biometric personal data as information relating to a person’s physical, physiological, and biological characteristics.
The Law recognizes a data subject’s right to:
The Law also defines the obligations of personal data processor:
The Law does not clearly specify its jurisdictional scope. For example, the Law does not specify which rules apply to a foreign company’s collection and transfer of Armenian citizens’ or foreign citizens’ personal data outside Armenia, or to an Armenian company that uses collection and processing technology located outside Armenia. However, a person who collects and processes personal data in Armenia, and transfers that data outside Armenia, likely must meet the Law’s requirements.
Author: Meri Artashesyan, Counsel