Personal Data Protection Law as of 18.05.2015, number ՀՕ-49-Ն.
Personal Data Protection Law as of 18.05.2015, number ՀՕ-49-Ն.
Definition of Personal Data
Personal Data is defined as any information related to an individual that allows or may allow directly or indirectly identifying a person.
Definition of Sensitive Personal Data
Special Category is define as any information related to a person's։
- nationality or ethnicity
- political views
- religious or philosophical beliefs
- membership in a professional union
- health status, and
- sexual life.
Personal Data Protection Agency of the Ministry of Justice of the Republic of Armenia.
Registration is voluntarily unless otherwise specified by the authorised body.
No requirement to appoint a data protection officer.
- By and large, the entities must obtain prior express consent from data subjects to lawfully collect and process personal data․ The consent is not necessary in the cases directly provided by the legislation or if the data is being collected from public sources.
- The data subject may give his or her consent in person or through the representative, where the power of attorney specifically provides for such a power.
- The data subject's consent shall be considered to be given and the processor shall have the right to process, where:
- personal data are indicated in a document addressed to the processor and signed by the data subject, except for the cases when the document, by its content, is an objection against processing of personal data;
- the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the purposes of operations prescribed by this Agreement;
- the data subject, voluntarily, for use purposes, verbally transfers information on his or her personal data to the processor.
- Personal data may be processed without the data subject's consent, where the processing of data is directly provided for by law.
- The processor of personal data or the authorised person, for obtaining the data subject's written consent, shall notify the data subject of the intention to process the data.
- The data subject shall give his or her consent in writing or electronically, validated by electronic digital signature; in case of an oral consent — by means of such reliable operations which will obviously attest the consent of the data subject on using the personal data
Specific regulations regarding persons with incapacity or limited capacity and minor under the age of 16.
Specific regulations regarding biometric personal data.
Transfer to third parties shall mean an operation aimed at transferring personal data to certain scope of persons or public at large or at familiarising with them, including disclosure of personal data through the mass media, posting in information communication networks or otherwise making personal data available to another person.
The processor may transfer personal data to third parties or grant access to data without the personal data subject's consent, where it is provided for by law and has an adequate level of protection.
The processor may transfer special category personal data to third parties or grant access to data without the personal data subject’s consent, where:
- the data processor is considered as a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection;
- in exceptional cases provided for by law special category personal data may be transferred for protecting life, health or freedom of the data subject.
Personal data may be transferred to another country with the data subject's consent or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these purposes.
Personal data may be transferred to another state without the permission of the authorised body, where the given state ensures an adequate level of protection of personal data.
The processor has an obligation to destruct or block personal data that are not necessary for achieving the legitimate purpose.
In the course of processing personal data the processor shall be obliged to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorised access to information system, unlawful use, recording, destructing, altering, blocking, copying, and disseminating personal data and other interference.
The processor is obliged to prevent the access of appropriate technologies for processing personal data for persons not having a right thereto and ensure that only data, subject to processing by him or her, are accessed by the lawful user of these systems and the data which are allowed to be used.
The requirements for ensuring security of processing of personal data in information systems, the requirements for tangible media of biometric personal data and technologies for storage of these personal data out of information systems shall be prescribed by the decision of the government of the Republic of Armenia. In case another body exercising control is prescribed by law, this body, within the scope of powers reserved to it by law, may prescribe higher requirements other than provided above.
Use and storage of biometric personal data out of information systems may be carried out only through such tangible media, application of such technologies or forms, which ensure the protection of these data from the unauthorised access thereof, unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc.
Processors of personal data or other persons provided for by this law shall be obliged to maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing thereof.
In case unlawful operations performed upon personal data are revealed, the processor shall be obliged to immediately, but not later than within three working days eliminate the committed violations. In case it is impossible to eliminate the violations, the processor shall be obliged to immediately destruct personal data.
The processor shall be obliged to inform the data subject or his or her representative on the elimination of violations or the destruction of personal data within three working days, and where the request is received from the authorised body for the protection of personal data — also this body.
Mandatory breach notification
In case of outflow of personal data from electronic systems the processor shall be obliged to immediately publish an announcement thereon, meanwhile reporting on the outflow the Police of the Republic of Armenia and authorised body for the protection of personal data.
Authorised body for the protection of personal data is entitled to:
- check, on its initiative or on the basis of an appropriate application, the compliance of the processing of personal data with the requirements of this Law;
- apply administrative sanctions prescribed by law in the case of violation of the requirements of this Law;
- require blocking, suspending or terminating the processing of personal data violating the requirements of this Law;
- require from the processor rectification, modification, blocking or destruction of personal data where grounds provided for by this Law exist;
- prohibit completely or partially the processing of personal data as a result of examination of the notification of the processor on processing personal data;
- keep a register of processors of personal data;
- recognise electronic systems for processing of personal data of legal persons as having an adequate level of protection and include them in the register;
- check the devices and documents, including the existing data and computer software used for processing data;
- apply to court in cases provided for by law;
- exercise other powers prescribed by law;
- maintain the confidentiality of personal data entrusted or known to it in the course of its activities;
- ensure the protection of rights of the data subject;
- consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope of its powers;
- submit, once a year, a public report on the current situation in the field of personal data protection and on the activities of the previous year;
- conduct researches and provide advice on processing data on the basis of applications or coverages of processors or inform on best practices on processing of personal data;
- report to law enforcement bodies where doubts arise with regard to violations of criminal law nature in the course of its activities.
There is no regulation. However, it is advisable to obtain user consent, such as through appropriate disclaimers.
There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.