Personal Data Regulation in Armenia

Disclaimer: The information provided in this Q&A is accurate as of March 05, 2024, and is intended for general informational purposes only. It is not intended as legal advice and should not be relied upon as such.

For personalized legal advice tailored to your specific situation, please contact us. Our team can provide you with the latest information and legal insights to help you navigate the complexities of personal data protection.

1. To whom does the law apply?

Law on Protection of Personal Data of Armenia (hereinafter also referred to as “the Law”) (adopted on 2015) defines “data subject” as a natural person to whom the personal data relates.

The Law outlines a “processor of personal data” as a “person” responsible for organizing and/or carrying out the processing of personal data, and an “authorized person” as a “person” which was assigned by the data processor to collect, input, systematize or otherwise process personal data in cases prescribed by law or based on an agreement. These includes:

• • Legal person, their branches
  • Natural person.
  • State administration,
  • Local self-government body,
  • State or community institution or organization,

A “third party” encompasses any person, body, institution, or organization other than the data subject, processor of personal data or authorized person and whose rights or legitimate interests are affected or may be affected due to the processing of personal data.

2. What data falls under regulation?

The Law defines “Personal data” as any information pertaining to an individual that enables or may enable their direct or indirect identification, and “Data on personal life” as details concerning an individual’s personal and family life, physical, physiological, mental, social condition.

The Law defines “Biometric personal data” as information characterizing the physical, physiological, and biological characteristics of a person.

The Law also defines “Special category personal data” as information relating to race, national identity or ethnic origin, political views, religious or philosophical beliefs, a trade-union membership, health, and sex life of a person.

3. What actions fall under regulation?

The Law governs the processing of personal data. This encompasses any operation, regardless of its form or method of implementation, related to the personal data, including:

• • collection,
  • stipulation,
  • input,
  • systematization,
  • organization,
  • storage,
  • use,
  • alteration,
  • restoration,
  • transfer,
  • rectification,
  • blocking,
  • destruction
  • other related operations.

Within the meaning of the Law “Transfer” involves operation aimed at transferring personal data to certain scope of persons or public at large or at familiarizing with them, including disclosure of personal data through the mass media, posting in information communication networks, or otherwise making personal data available to another person.

“Use” refers to operation performed upon personal data, whether directly or indirectly, aimed at delivering decisions or forming opinions or acquiring rights or granting rights or privileges or restricting or depriving of rights or achieving other purpose, which give rise or may give rise to legal consequences for the data subject or third parties or otherwise relate to the rights and freedoms thereof.

“Blocking” means temporary suspension of the possibility to collect or fix or systematize or transfer or use personal data.

“Destruction” means an operation, which renders the restoration of the content of personal data contained in an information system impossible.

4. Is Notification Required Before Processing Data?

There is a requirement for notification before processing personal data. The processor:

• • must notify the data subject of obtaining the data subject’s consent.
  • has the right to notify the Authorized body – Personal Data Protection Agency (hereinafter referred to as Agency).
  • Upon request from the Agency, must send a notification.
  • Before processing biometric or special category personal data, is obligated to notify the Agency.

5. What Details are Required in the Notification Process?
6. For the Agency’s Notification:

• • Name (surname, name, patronymic) of the processor or their authorized person, along with their registration address.
  • Purpose and legal basis for processing personal data.
  • Scope of personal data
  • Scope of data subjects
  • List of operations performed upon personal data, general description of the ways of processing personal data.
  • Security measures taken to protect the data.
  • Start date.
  • Duration of data processing.

1. For the Data Subject’s Notification:

• • surname, name, patronymic of the data subject.
  • Purpose and legal basis for processing the data.
  • List of the personal data being processed.
  • Description of actions to be taken with their data requiring consent.
  • Recipients who may receive the data.
  • name (surname, name, patronymic, position) of the processor or their representative requesting consent, and registration address.
  • information on requesting correction, destruction of personal data, termination of data processing or other processing-related actions by the data subject.
  • the period of validity of the requested consent,
  • the procedure for withdrawing the consent and its consequences.

6. Is Data Subject’s consent required for processing Personal Data?

Obtaining consent from individuals before processing their personal data is generally necessary for lawful processing. Consent can be given in various ways:

• • Written Consent: This involves the individual physically signing a document.
  • Electronic Consent: This is validated through an electronic digital signature.
  • Oral Consent: Can be given through reliable means that clearly show the individual’s agreement to use their personal data.

Individuals can give consent either:

• • in person; or
  • through a representative if they have granted specific power of attorney.

7. Under what circumstances can personal data be processed without obtaining consent from the data subject?

• • Processing data has been obtained from publicly available sources of personal data.
  • In the event of the data subject’s death, certain personal data, including name, gender, year, month, and day of birth and death, may be processed without consent.
  • In case of death of a figure in the fields of culture, arts, science, education, sport, religion and in other public field, data on his personal life may be processed without consent, where 50 years have elapsed from the day of death.
  • Bye transfer of special category personal data to third parties or granting access to such data without the data subject’s consent is permissible (1) when the data processor is designated as such under the law or an interstate agreement for special category personal data, with the transfer being directly stipulated by law and ensuring an adequate level of protection, (2) in exceptional circumstances outlined by law, special category personal data may be transferred for protecting life, health, or freedom of the data subject.
  • Additional cases provided for by law may also permit the processing of personal data without consent.

8. What are the regulations concerning the transfer of personal data to other countries?

Personal data may be transferred to other country:

• • by the data subject’s consent; or
  • where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these purposes.

Personal data may be transferred to another state without the permission of the Agency, where the given State ensures an adequate level of protection of personal data. An adequate level of protection of personal data shall be considered to be ensured, where:

• • personal data are transferred in compliance with international agreements.
  • personal data are transferred to any of the countries included in the list officially published by the Agency.

Personal data may be transferred to the territory of the State not ensuring an adequate level of protection only by the permission of the Agency where personal data are transferred based on an agreement, and the agreement provides for such safeguards with regard to the protection of personal data which were approved by the Agency as ensuring adequate protection. In this case the processor of personal data is obliged prior to the transfer of data to another country to apply to the Agency to obtain permission. The processor of personal data is obliged to specify in the application:

• • the country where personal data are transferred,
  • the description of the recipient of personal data (name, legal form),
  • description (content) of personal data,
  • purpose of processing and transferring personal data,
  • agreement or the draft thereof.

9. What rights do data subjects have according to the Law? 

• • Data subjects have the right to receive information regarding their personal data, list of personal data being processed and the source from which it has been obtained, including details on processing, ways of processing the personal data, the grounds and purposes for processing, the processor of data, its registered address, and the scope of persons to whom personal data may be transferred, time limits for processing personal data, potential legal consequences for the data subject due to processing personal data.
  • Data subjects have the right get familiarized with their personal data, require from the processor to rectify, block, or destruct their personal data, where the personal data are not complete or accurate or are outdated or has been obtained unlawfully or are not necessary for achieving the purposes of the processing.
  • In cases where data subjects believe that the processing of their personal data is carried out in violation of the requirements of the Law or otherwise violates their rights and freedoms, they have the right to appeal actions or inaction of the processor before an Agency or through judicial procedure.

10. What obligations do processors of personal data have according to the Law?

• • The processor is obliged to provide data subjects and the Agency (upon their request) with information regarding the personal data.
  • In case of incomplete, inaccurate, outdated, unlawfully obtained personal data or those unnecessary for achieving the purposes of the processing, the processor is obliged to carry out necessary operations for making them complete, keeping up to date, rectifying, or destructing.
  • The processor is obliged to destroy or block personal data that is not necessary for achieving the legitimate purpose.
  • During data processing, the processor is obliged to use encryption keys to ensure the protection of information systems containing personal data from unauthorized access or other interference.
  • The processor is obliged to prevent unauthorized access to personal data and ensure that only authorized users can access and use the data.
  • The processor is obliged to maintain confidentiality both while performing official or employment duties concerning the processing of personal data and after completing it thereof.

11. What are the sanctions for non-compliance with data protection laws?

In case of violations, the Law does not define sanctions but refers to the Code of Administrative Violations. The sanctions vary from 50 000 to 500 000 AMD.

Criminal sanctions include penalties, public work, and imprisonment.

12. Which regulations govern the collection and use of personal data?

• • Armenia ratified:
  • The Council of Europe Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, 1981 in 2012.
  • The Council of Europe Additional Convention for the Protection of Individuals regarding Automatic Processing of Personal Data in 2012.
  • The Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (European Convention on Human Rights) (Article 8).
  • The Constitution guarantees the protection of personal data. “Everyone has the right to personal data protection” (Article 34).
  • Law on Protection of Personal Data of Armenia (adopted on 2015) regulates the procedure and conditions for processing personal data, exercising state control over them by state administration or local self-government bodies, state or community institutions or organizations, legal or natural persons.
  • Characteristics pertaining to personal data are regulated by other laws, such as:
  • The RA Law on Advocacy,
  • The RA Labor Code,
  • The RA Law on banking secrecy,
  • The RA Law on insurance and insurance activity,
  • The RA Law on combating money laundering and terrorism financing,
  • The RA Code of Administrative Offenses.s
    

    ---