New Standards for Data Privacy In Armenia

Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data, also known as the Personal Data Law is a data protection law that was passed in Armenia in 2015. As the principles of personal data protection have grown in importance in the country of Armenia in recent years, the Personal Data Law represents the country’s first step in guaranteeing the data privacy rights of their respective citizens. Moreover, as Armenia is one of a number of European countries that is not a part of the European and as such, is not subject to the provisions of the General Data Protection Regulation or GDPR, the country needed legal protection that would be on par with their European counterparts. As such, the Personal Data Law establishes the legal grounds on which personal data may be processed in Armenia.

How are data controllers and processors defined under the Personal Data Law?

Under Armenia’s Personal Data Law, no specific definition is provided for the term “data controller”. However, the law defines the term “data processor” broadly to mean “a state administration or local self-government body, state or community institution or organization, and/or legal or natural person, which organizes and/or carries out processing of personal data”. Furthermore, personal data is defined as “any information relating to a natural person, which allows or may allow for direct or indirect identification of a person’s identity”. Additionally, while the law does not provide a specific definition for “sensitive data”, regulatory decisions that have been made according to the provisions of the law show “that sensitive includes biometric data and special categories of personal data which includes data relating to race, national identity or ethnic origin, political views, religious, or philosophical beliefs, a trade-union membership, and health and sex life of a person”.

What are the requirements of data processors under Armenia’s Personal Data Law?

Under Armenia’s Personal Data Law, data processors within the country are responsible for adhering to the following principles as it relates to data processing:

• The principle of lawfulness- Under the Personal Data Law, personal data may only be processed “when the data has been processed in observance of the requirements of the law and the data subject has given his or her consent”, or if “the data being processed has been obtained from publicly available sources of personal data”.
• The principle of proportionality- “The principle of proportionality refers to the processing of personal data only on the grounds of a legitimate purpose and with the moderate measures that are suitable and necessary”.
• The principle of reliability- Under the Personal Data Law, “personal data being processed must be complete, accurate, simple and, where necessary, kept up to date”.
• The principle of minimum engagement of subjects- “The processing of personal data shall be carried out under the principle of minimum engagement of subjects. Particularly, when a state body or notary public can obtain necessary personal data within a unified information system, the subject of personal data shall not be additionally engaged in this process”.

What are the rights of Armenian citizens under the Personal Data Law?

Under the Personal Data Law, data subjects have the following rights as it pertains to the protection of their personal data and privacy:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The right to object or opt-out.

More specifically, the Personal Data Law states that “the data subject will have the right to information about his or her personal data, the processing of his or her data, grounds and purposes for the processing, the processor of the data, and the registered office thereof, as well as the scope of persons to whom the personal data may be transferred, as well as to get familiarised with his or her personal data, and require from the processor the right to rectify, block, or destruct his or her personal data where the personal data is not complete or accurate or is outdated or has been obtained unlawfully or is not necessary for achieving the purposes of the processing”. In terms of penalties that can be imposed as a result of violating the rights of Armenian citizens, the Personal Data Law is enforced through the Code on Administrative Violations.

To this point, the Code on Administrative Violations contains various sanctions and penalties that data processors operating with Arenmia are subject to should they violate any provisions set forth by the Personal Data Law. Some of these penalties and sanctions include:

• Violation of the procedure established by law for the collection or recording or coordination or organization or correction or storage or use or transformation or restoration or transfer, if the given act does not contain features of a crime: incurs a fine of 200 to 500 times the minimum wage.
• Not to use encryption means during the processing of personal data, if the given act does not contain features of a crime: incurs a fine of 100 times the minimum wage.
• Failure to maintain the confidentiality of personal data by or during the performance of official or work responsibilities related to the processing of personal data by personal data processors or other persons provided for by the Personal Data Law: incurs a fine of 200 to 300 times the minimum wage.
• A person who has committed the acts provided for in this Article shall be released from administrative liability if he/she has eliminated the violation committed within the period defined by the decision of the authorized body or before making a decision on being subject to administrative liability.

As many non-EU countries throughout Europe have taken legislative measures to protect the personal data rights of their citizens, such as Serbia’s Law on Protection of Personal Data and North Macedonia’s Law on Personal Data Protection, Armenia has taken similar steps through the passing of  Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data. Through the passing of Personal Data Law, the Armenian government can ensure that the citizens of their country are afforded rights and liberties that are similar to those offered to citizens of EU member states under the General Data Protection Regulation, as Europe continues to lead the charge for data protection and privacy around the world.