Data Privacy Tool
You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.
Law on Personal Information dated 11 May 2010.
Definition of Personal Data
Any information allowing to identify a person, directly or indirectly, is considered personal data.
Definition of Sensitive Personal Data
Personal data of special category includes information relating to race or nationality of an individual, his/her family life, religion and belief, health or conviction.
The major regulator/enforcement authority (DPA) is the Ministry of Digital Development and Transport.
In addition, the other designated state authorities which are vested in powers to enforce applicable data protection/privacy laws, within the scope of their competences, include the Ministry of Internal Affairs, the Ministry of Justice, the State Security Service, and the Special State Protection Service.
Information systems of personal data must be registered with the DPA. There are also certain exemptions from such registration requirement.
The DPA, through its officers, may demand elimination of violations of statutory requirements by legal entities and individuals, also take necessary actions for holding accountable persons who breached the statutory requirements regarding collection, processing and protection of personal data.
Collection and processing of personal data can be implemented either with obtaining a prior consent of a data subject or when the data is of open category (i.e. non-confidential).
Transfer of personal data can be performed with a prior written consent of a data subject, unless the data is of open category.
Adequate level of protection of personal data should be provided by owners of operators of personal data.
There is no specific requirement as to notification of the DPA by the owner or operator of personal data about breach.
If the rights of a data subject are breached as a result of the illegal collection and processing of personal data, inadequate protection of such data, or non-compliance with the statutory requirements, the data subject may claim for compensation of material and moral damages sustained by him/her through the local court.
No consent of a recipient is required for e-mail marketing, provided only that service providers must establish a registration system for persons who wish to opt out from receiving marketing materials, and comply with such system.
There are no rules directly regulating use of cookies in Azerbaijani legislation. However, if cookies contain any personal data, the Azerbaijani data protection rules will apply as to the use of such cookies.
If a data subject cannot be identified just based on location data, it would unlikely be deemed as personal data, falling outside the scope of personal data protection related requirements.