September 2023

1. Governing Texts

Personal data protection is a developing sphere in the Republic of Armenia. The first step in regulating data protection was the adoption of the Law of the Republic of Armenia of  June 13, 2015 No. 49-ZR on the Protection of Personal Data ('the Personal Data Law'). Amendments to other regulatory acts were also conducted in relation to the Personal Data Law, for instance, amendments to the Labor Code of the Republic of Armenia of 2004 ('the Labor Code') to enhance the protection of employee's personal data and regulation of their processing by the employer.

There is no specific case law or precedents in the sphere, however, the number of administrative procedures held by the main regulatory body, the Personal Data Protection Agency ('Agency'), is increasing. This has occurred for two reasons, firstly, strict supervision for data protection, and secondly, the development of a sense of justice for physical persons and companies regarding the protection of their personal data. Prior to the adoption of the aforementioned regulations, not many people were informed that personal data is subject to processing and transfer only by their consent whereas, now people have started to pay more attention to the issues of their data protection.

In 2022, the Agency provided 200 consultations, from which 177 consultations were verbal or online, and 23 consultations were in written form and were mostly addressed to state bodies.

The transfer of personal data is one of the activities highly regulated by the Agency. In 2023, an exhaustive list of the countries providing a sufficient level of personal data protection was drafted by the Agency (only available in Armenian here). In the case of data transfers to all other countries, that have not been included in this list, the consent of the Agency must be obtained.

The regulations are currently being reprocessed, the Government of the Republic of Armenia ('the Government') has developed a strategy for 2019-2023 for the adoption of new regulations and amendments to the existing ones.

1.1. Key acts, regulations, directives, bills

The key acts regulating the sphere are the following:

• Constitution of the Republic of Armenia (2005) (as amended from time to time) (December 6, 2015) ('the Constitution');
• Labor Code of the Republic of Armenia of 2004 (regulations regarding personal data protection of employees) ('the Labor Code');
• Law on Freedom of Information; and
• Personal Data Law.

1.2. Guidelines

The following notable guidelines were drafted by the Agency from 2015 to 2023:

• video surveillance guide (only available in Armenian here);
• be careful, they are children: a Guide to children's personal information (only available in Armenian here);
• guidelines on how to make your Instagram page and personal information secure (only available in Armenian here);
• guidelines on personal data processing by service providers for maintenance and repair of equipment containing memory devices (only available in Armenian here);
• guidelines on processing personal data by state bodies (only available in Armenian here);
• important steps that need to be undertaken in order to protect your personal data after selling your phone, guidelines developed by the Agency, 2019;
• how to protect personal data on the internet and not become a phishing victim (only available in Armenian here);
• how to apply to Facebook for removal of personal or other information (only available in Armenian here);
• how to make personal data more secure on Google and YouTube (only available in Armenian here);
• guideline concerning the protection of the personal data of children (only available in Armenian here);
• guideline concerning the protection of personal data in the labor relationship (only available in Armenian here); and
• guideline concerning the processing of personal data by providers of photocopying, printing, photocopying, and other similar services (only available in Armenian here).

1.3. Case law

No notable cases have been examined over recent years in courts, however different administrative proceedings were conducted by the Agency, and five of the most notable ones are presented below:

• proceedings no. 1: Against the State Register of Legal Entities on the publication and collection of personal data of the participants of closed joint stock companies (please note, that the data on participants is processed by the depositary and not the State Register of Legal Entities). One of the law firms initiated the administrative proceeding, applying to the Agency and asking to oblige the State Register of Legal Entities to destroy the information concerning the participants and the size of participation of the law firm. The Agency approved the application and ordered the Register to destroy the data within three working days.
• proceedings no. 2: On video surveillance of paid parking lots in Yerevan. During the proceedings, the Agency recorded that through a video of the parking lot, personal data must only be collected and used for the aim of control over the payment of parking fees and only the minimum amount required to achieve that goal should be collected. Personal data that is not required for that purpose or is incompatible with it should not be processed and/or kept. The Agency decided that providing the video to the addressee without the depersonalization of the data of other persons present in the video contradicts the proportionality personal data processing principle.
• proceedings no. 3: On video surveillance in schools. Some schools in Yerevan conducted video surveillance without any notification to the staff and pupils, as well as without putting a notice in the places where the cameras were placed. The Agency noted that video surveillance must only be conducted in cases when the protection of minors from harmful influences and protection of their property can only be conducted by video surveillance means. The Agency also noted that data collected through video surveillance conducted for safety purposes, must not be used for supervision of the behavior of pupils or the working methods of teachers. Thus, the Agency ordered 20 schools in Yerevan to comply with the methods of video surveillance required by the principles of personal data protection.
• proceedings no. 4: Personal data protection in the media. The application to the Agency was received by World Vision regarding the following incident: a media website published an article regarding the sexual assault of a 16-year-old girl and provided the personal data of the girl. By solicitation of the Agency, the personal data was removed and replaced with the first letter of the name of the victim. The Agency also examined cases on publication of personal information in media without the consent and without the knowledge of persons. In all these cases, the personal data was destroyed. The Agency also discussed cases where information can be published without the consent of the person and held that in such circumstances there should be significant public interest for the disclosure, as well as such action being compatible with the aim of processing.
• proceedings no. 5: Regarding the right to be forgotten. A person applied to the Agency stating that their personal data had been published in the media with their consent, however, the publication of their personal data interfered with their personal life and therefore they wanted their data to be deleted from the websites and research instruments. They wanted to use their right to be forgotten. The data was removed from the websites, and the Agency stated that when a publication has reached its main aim, on the ground of the application of the affected person, the personal data availability in media can be limited and the data can be destroyed, as, after losing its actuality, the publication of the personal data shall not interfere with their personal life.

2. Scope of Application

2.1. Personal scope

Regulations in the sphere of personal data apply to the procedure and conditions for processing personal data and exercising state control by state administration or local self-government bodies, state, or community institutions or organizations, and/or legal or natural persons.

2.2. Territorial scope

Personal Data Law applies within the territory of the Republic of Armenia, as well as to regulate the issues of personal data transfer to countries with a sufficient level of personal data protection, as well as the countries that are not included in the corresponding list.

2.3. Material scope

Personal Data Law covers the means of protection of personal data, including special categories of personal data, biometric personal data, publicly available personal data, and anonymous personal data.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator in the sphere of personal data protection is the Agency, which was established and is supervised by the Government.

3.2. Main powers, duties and responsibilities

The goals of the Agency are:

• ensuring the maintenance of the register of personal data processors;
• ensuring the protection of the rights of the subjects related to the protection of personal data; and
• ensuring the legality of the processing of personal data within its competence.

According to the Personal Data Law, the Agency has the following functions:

• to check on its initiative or on the basis of an appropriate application, the compliance of the processing of personal data with the requirements of the corresponding regulations;
• apply administrative sanctions prescribed by law in the case of violation of the corresponding regulations;
• require blocking, suspending, or terminating the processing of personal data violating the requirements of corresponding regulations;
• require from the processor rectification, modification, blocking, or destruction of personal data where grounds provided for by corresponding regulations;
• prohibit completely or partially the processing of personal data as a result of examination of the notification of the processor on processing personal data;
• keep a register of processors of personal data;
• recognize electronic systems for processing of personal data of legal persons as having an adequate level of protection and include them in the register;
• check the devices and documents, including the existing data and computer software used for processing data;
• apply to the court in cases provided for by corresponding regulations;
• exercise other powers prescribed by corresponding regulations;
• maintain the confidentiality of personal data entrusted or known to it in the course of its activities;
• ensure the protection of the rights of the data subject;
• consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope of its powers;
• submit, once a year, a public report on the current situation in the field of personal data protection and on the activities of the previous year;
• conduct research and provide advice on processing data on the basis of applications or coverages of processors or inform on best practices on processing of personal data; and
• report to law enforcement bodies where doubts arise with regard to violations of criminal law in the course of its activities.

4. Key Definitions

Data controller: 'Data controller' is not defined in the Personal Data Law.

Data processor: Means a State administration or local self-government body, State or community institution or organization, and/or legal or natural person, which organizes and/or carries out processing of personal data (Article 3 of the Personal Data Law).

Personal data: Means any information relating to a natural person, which allows or may allow for direct or indirect identification of a person's identity (Article 3 of the Personal Data Law).

Sensitive data: 'Sensitive data' is not specifically defined in the Personal Data Law but the analysis of the corresponding regulations shows that sensitive includes biometric data and special categories of personal data which include data relating to race, national identity, or ethnic origin, political views, religious, or philosophical beliefs, a trade-union membership, and health and sex life of a person.

Health data: The Personal Data Law does not provide an exact definition for this 'health data'.

Biometric data: Means information characterizing the physical, physiological, and biological characteristics of a person (Article 3 of the Personal Data Law).

Pseudonymization: 'Depersonalization of personal data' means operations, which render it impossible to identify the data subject to whom they belong (Article 3 of the Personal Data Law).

5. Legal Bases

The following legal bases are found in the data protection regulations, which are obligatory for the data processors:

• consent;
• contract with the data subject;
• legal obligations;
• interests of the data subject;
• public interest; and
• legitimate interests of the data controller.

5.1. Consent

According to Article 8 of the Personal Data Law, the processing of data is considered to be done lawfully, in case the data subject has provided its consent.

The data subject may give their consent in person or through the representative, where the power of attorney specifically provides for such a power.

From the analysis of regulations, it can be understood that the data subject consent is mostly deemed to be validly provided, in case it is given in written form (by signing a contract with an indication of personal data to be processed or by signing a separate agreement). The data subject shall have the right to withdraw their consent given priorly.

5.2. Contract with the data subject

Contract with the data subject is considered one of the means for obtaining the latter's consent for processing or transfer of personal data. The contract in the sense of law does not require any notary or other verifications, it shall just be concluded in written form and be signed by the data subject. The essential point for the contract is that it shall indicate the personal data that will be processed as well as the time limits of processing, in case it is possible in the sense of that particular contract.

5.3. Legal obligations

In the frames of existing regulations, the main legal obligations of the data processor include, among others, ensuring that the data is processed in observance of the requirements of the law.

5.4. Interests of the data subject

Please refer to the sections on consent and contract with the data subject above.

5.5. Public interest

Public Interest is mostly maintained by having an authorized body, namely the Agency, which exercises control over the maintenance of regulations by the data processors, as well as checks that the necessary level of guarantee is provided for the safety of personal data being transferred to the third countries.

The Agency also raises awareness within the public, as anyone is a potential data subject or data processor which shall be informed of its rights and obligations in the process of processing and giving consent for processing of personal data.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The main principles of personal data protection are highlighted in Chapter 2 of the Personal Data Law. In particular, the principles are the following:

• lawfulness;
• proportionality;
• reliability; and
• minimum engagement of subjects.

Principle of lawfulness

The Personal Data Law enumerates the cases when data processing will be considered lawful, particularly:

• when the data has been processed in observance of the requirements of the law and the data subject has given their consent; or
• the data being processed has been obtained from publicly available sources of personal data.

Principle of proportionality

The principle of proportionality refers to the processing of personal data only on the grounds of a legitimate purpose and with moderate measures that are suitable and necessary.

The personal data which is required to be processed shall be minimal and all the collected data which is unnecessary and incompatible with the processing purpose shall be depersonalized and destroyed. Depersonalization is especially expected to be applied in case the purpose of personal data processing can be achieved in a depersonalized manner.

Personal data must be stored in such a way as to exclude the identification of the data subject for a period longer than is necessary for achieving predetermined purposes.

Principle of reliability

The Personal Data Law explains the principle of reliability with the following 'the personal data being processed must be complete, accurate, simple and, where necessary, kept up to date.'

Principle of minimum engagement of subjects

The processing of personal data shall be carried out under the principle of minimum engagement of subjects. Particularly, when a state body or notary public can obtain necessary personal data within a unified information system, the subject of personal data shall not be additionally engaged in this process.

In case of written consent of the personal data subject, natural, or legal persons considered as a processor of personal data may obtain from a state or local self-government body the personal data necessary for a certain operation, directly specified in the written consent of a personal data subject.

7. Controller and Processor Obligations

7.1. Data processing notification

Article 23 of Personal Data Law defines data processing notification requirements and the content of such notification.

Specifically, the personal data processor (the data controller) may notify the Agency of its intention to process personal data (Article 23(1) of the Personal Data Law), however, it is required to notify the Agency of its intention to process personal data in the following circumstances (Articles 23(2) and (3) of the Personal Data Law):

• at the request of the Agency; and
• prior to the processing of biometric or special category personal data.

The notification shall include the following information (Article 23(4) of the Law):

• the name (surname, name, patronymic) of the processor or their authorized person (if any), registered office, or place of registration (actual residence);
• purpose and legal grounds for processing the personal data;
• scope of personal data;
• scope of data subjects;
• list of operations performed upon personal data, general description of the methods of processing personal data by the processor;
• description of measures that the processor is obliged to undertake for ensuring the security of personal data;
• date of the commencement of processing; and
• time limits and conditions for completing the processing.

In cases where the information submitted by the processor is incomplete or inaccurate, the Agency can require the processor to provide additional information before entering the information into the Register (Article 23(7) of the Law). Moreover, if there are any changes to the information provided to the Agency, the processor must notify the Agency within ten working days after the changes are made (Article 23(8) of the Law).

7.2. Data transfers

The Personal Data Law regulates the personal data transfer process to third parties and third countries. Article 26 provides:

• the processor may transfer personal data to third parties or grant access to data without the personal data subject's consent, where it is provided for by law and has an adequate level of protection; and
• the processor may transfer special category personal data to third parties or grant access to data without the personal data subject's consent, where:
  • the data processor is considered as a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law, and has an adequate level of protection; and/or
  • in exceptional cases provided for by law, special category personal data may be transferred for protecting the life, health, or freedom of the data subject.

Article 27 defines the requirements for personal data transfer to other states, providing:

• personal data may be transferred to another country by the data subject's consent, or where the transfer of data stems from the purposes of processing personal data, and/or is necessary for the implementation of these purposes;
• personal data may be transferred to another state without the permission of the authorized body, where the given state ensures an adequate level of protection of personal data. An adequate level of protection of personal data shall be considered to be ensured, where:
  • personal data is transferred in compliance with international agreements; and
  • personal data is transferred to any of the countries included in the list officially published by the authorized body;
• personal data may be transferred to the territory of the State not ensuring an adequate level of protection only by the permission of the authorized body where personal data is transferred on the basis of an agreement, and the agreement provides for such safeguards with regard to the protection of personal data which was approved by the authorized body as ensuring adequate protection;
• the processor of personal data shall be obliged, prior to the transfer of data to another country, to apply to the authorized body to obtain permission. The processor of personal data shall be obliged to specify in the application the country where personal data is transferred, the description of the recipient of personal data (name, legal form), the description (content) of personal data, the purpose of processing and transferring personal data, and agreement or the draft thereof. The authorized body shall be obliged to permit or reject the application within 30 days. The authorized body may require from the processor of personal data additional information by observing the time limit for the consideration of the application. In case the authorized body finds that contractual safeguards are not sufficient, it will be obliged to specify those necessary changes that will ensure safeguards for the protection of personal data;
• the authorized body for the protection of personal data, regularly but not less than once a year, shall be obliged to revise the list of countries ensuring an adequate level of protection of personal data and publish the changes in the official journal and in its official website; and
• personal data under the disposition of state bodies may be transferred to foreign state bodies only within the scope of interstate agreements, whereas to non-state bodies in accordance with the norms of this Guidance Note.

To sum up:

• the general rule for the transfer of personal data to third parties defines that consent is required in order to make the transfer. In the sense of the Personal Data Law, the burden of proof that the consent has been acquired is on the data processor, thus it is highly recommended to obtain the consent in a written form; and
• the transfer of personal data to third countries shall also be conducted by the consent of the persons, however, additional consent from the Agency may not be required in case the personal data is transferred to one of the countries included in the list of states providing sufficient data protection level. The list of these states has been drafted by the Agency (only available in Armenian here).

7.3. Data processing records

Concerning the record kept in the course of processing personal data, the Personal Data Law stipulates in Article 19 that 'the processor shall be obliged to destruct or block personal data that is not necessary for achieving the legitimate purpose.

7.4. Data protection impact assessment

Legislative regulations in the field of personal data protection do not stipulate an obligation to conduct an impact assessment before processing or transferring personal data.

However, Article 19 of the Personal Data Law provides for the obligation to secure the confidentiality of personal data, specifically, the obligation of the processor to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorized access to information systems, unlawful use, recording, destructing, altering, blocking, copying, disseminating personal data, and other interference.

The impact assessment of data transfers can be conducted before the transfer of personal data to countries that are not included in the 'whitelist' of states having a sufficient level of personal data protection by the Agency within the 30 days period when the Agency decides on the question of allowing the data transfer or not permitting it to those countries.

7.5. Data protection officer appointment

The Personal Data Law does not require the appointment of a data protection officer ('DPO').

7.6. Data breach notification

Article 21 of the Personal Data Law stipulates the notification obligation of data processors in the case of any breach of data processing, as well as the actions that shall be undertaken in case of such breaches.

Particularly, in case unlawful operations performed upon personal data are revealed, the processor must be obliged to immediately, but not later than within three working days, eliminate the committed violations. In case it is impossible to eliminate the violations, the processor will be obliged to immediately destroy the personal data. The processor will be obliged to inform the data subject or their representative on the elimination of violations or the destruction of personal data within three working days, and where the request is received from the authorized body for the protection of personal data, also inform the body.

7.7. Data retention

No specific requirement is present in the data protection regulations. The general rule is the retention of personal data should be retained as long as it is proportionate to the aim of such retention. In case the necessity of personal data retention is suspended, the data shall be further destroyed.

7.8. Children's data

The Personal Data Law stipulates that in the case of minors under the age of 16, consent for processing or the transfer of personal data will be given by a legal representative (parents, guardians, or adopters). The consent will be given according to the general requirements, for example, written or verbal consent with conclude actions.

7.9. Special categories of personal data

The Personal Data Law does not stipulate special provisions for the processing of criminal conviction data, thus the general provisions for processing of personal data shall apply in this case.

7.10. Controller and processor contracts

The procedure for receiving permission from the data processor is conducted by sending a notification for the data processing/transfer and receiving the decision from the data processor. No special provision for a contract to be in place between the processor and the controller is stated in law.

8. Data Subject Rights

Article 15 of the Personal Data Law states that the data subject will have the right to information about their personal data, the processing of their data, grounds, and purposes for the processing, the processor of the data, and the registered office thereof, as well as the scope of persons to whom the personal data may be transferred, as well as to get familiarized with their personal data, and require from the processor the right to rectify, block, or destruct their personal data where the personal data is not complete or accurate or is outdated or has been obtained unlawfully or is not necessary for achieving the purposes of the processing.

8.1. Right to be informed

The notification shall include:

• surname, name, and patronymic of the data subject;
• legal grounds and purpose of the processing of personal data;
• list of personal data subject to processing;
• list of operations to be performed upon personal data for which the subject's consent is requested;
• scope of persons to whom personal data may be transferred;
• name (surname, name, patronymic, position) of the processor or their representative requesting the data subject's consent and registered office or place of registration (actual residence);
• information on requiring, by the data subject, rectification, destruction of personal data, terminating the processing of data, or on carrying out other operations relating to the processing; and
• validity of the consent requested, as well as the procedure and consequences of withdrawing the consent.

8.2. Right to access

Please see the section on data subject rights above.

8.3. Right to rectification

Please see the section on data subject rights above.

8.4. Right to erasure

Please see the section on data subject rights above.

8.5. Right to object/opt-out

According to Article 9 of the Personal Data Law, the data subject will have the right to withdraw their consent for data processing anytime they wish.

8.6. Right to data portability

There is no right to data portability.

8.7. Right not to be subject to automated decision-making

There is no right to not be subject to automated decision-making.

8.8. Other rights

Not applicable.

9. Penalties

The Code on Administrative Violations (only available in Armenian here) stipulates the applicable penalties for violations of the Personal Data Law, particularly:

• violation of the procedure established by law for the collection, recording, coordination, organization, correction, storage, use, transformation, restoration, or transfer, if the given act does not contain features of a crime: incurs a fine of 200 to 500 times the minimum wage;
• violation of the procedure established by law for destroying or blocking personal data, if the given act does not contain features of a crime: incurs a fine of 300 to 500 times the minimum wage;
• during the collection of personal data, at the request of the personal data subject, the developer does not provide information provided by law or violates the procedure for providing it, or does not explain the reasons and consequences of not providing: incurs a fine of 100 to 200 times the minimum wage;
• failure of the personal data processor to notify the authorized body of personal data protection or violation of the notification procedure: incurs a fine of 50 to 100 times the minimum wage;
• not to use encryption means during the processing of personal data, if the given act does not contain features of a crime: incurs a fine of 100 times the minimum wage;
• requirements to ensure the security of the processing of personal data in information systems, violation of the requirements for biometric personal data carriers technologies for the storage of personal data outside the information systems, if the act does not contain features of a crime: incurs a fine of 100 to 200 times the minimum wage;
• failure to maintain the confidentiality of personal data by or during the performance of official or work responsibilities related to the processing of personal data by personal data processors or other persons provided for by the Personal Data Law: incurs a fine of 200 to 300 times the minimum wage; and
• a person who has committed the acts provided for in this Article shall be released from administrative liability if they have eliminated the violation committed within the period defined by the decision of the authorized body or before making a decision on being subject to administrative liability.

9.1 Enforcement decisions

Please see the section on case law above.