July 2023

1. Governing Texts 

The data protection regime in the Republic of Azerbaijan is primarily regulated by the Law on Personal Data of 11 May 2010 No 998-IIIQ (only available in Azerbaijani here) ('the Personal Data Law'). While the Personal Data Law follows several fundamental principles established in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), there are certain key deviations. Importantly, the Personal Data Law establishes the requirement to register the information system of personal data in the Republic of Azerbaijan with the Ministry of Transport, Communications and High Technologies ('the Ministry'). In addition, specific requirements with respect to the protection of personal data and registration of the information systems are provided in the secondary legislation comprised of the normative acts of the Republic of Azerbaijan Cabinet of Ministers.

1.1. Key acts, regulations, directives, bills

• the Personal Data Law
• the Law of 13 June 2008 No 651-IIIQ on Biometric Data (only available in Azerbaijani here) ('the Biometric Data Law')
• the Rules on State Registration and De-registration of Information Systems of Personal Data Approved by the Decree No. 149 of the Cabinet of Ministers dated 17 August 2010 (only available in Azerbaijani here) ('the Rules on State Registration')
• the Requirements for the Protection of Personal Data Approved by the Decree No. 161 of the Cabinet of Ministers dated 6 September 2010 (only available in Azerbaijani here)
• the Decree No. 237 of the Cabinet of Ministers dated 17 December 2010 on Approval of the Information Systems of Personal Data which Are not Required To Be Registered (only available in Azerbaijani here) ('the Decree on Approval of the Information Systems')
• the Rules on Annihilation of Information Stored in the Information System when the State Registration of the Information System of Personal Data is Terminated Approved by the Decree No. 238 of the Cabinet of Ministers dated 17 December 2010 (only available in Azerbaijani here)
• the Regulations on Transmission of Personal Data Collected and Processed at Corporate Information Systems to Third Parties on Fee Basis Approved by the Decree No. 35 of the Cabinet of Ministers dated 2 March 2011(only available in Azerbaijani here) ('the Regulations')
• the Rules on Entering Personal Identification Number into Information Systems of Personal Data and Use of it Approved by the Decree No. 49 of the Cabinet of Ministers dated 4 April 2011 (only available in Azerbaijani here)
• Administrative Violations Code of the Republic of Azerbaijan of 29 December 2015 (only available in Azerbaijani here) ('the Administrative Violations Code')
• Criminal Code of the Republic of Azerbaijan of 30 December 1999 (only available in Azerbaijani here) ('the Criminal Code')

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Personal Data Law applies to specific or identifiable natural persons whose personal information is collected, processed, and protected (data subjects).

The Personal Data Law also applies to deceased individuals.

2.2. Territorial scope

The Personal Data Law does not expressly specify its territorial scope.

However, pursuant to the general principles established by the legislation of the Republic of Azerbaijan, it could be argued that the Personal Data Law applies to the activities conducted in the territory of the Republic of Azerbaijan.

2.3. Material scope

The Personal Data Law and the Regulations apply to and regulate the issues related to the collection, processing, and protection of personal data, the establishment of a personal data unit of the national information space, as well as the cross-border transmission of personal data, defining of the rights and obligations of state and local self-government authorities, legal and physical persons operating in this field, such as:

• data subject;
• data processor (operator of personal data);
• data controller (owner of personal data); and
• user of personal data.

Under the Personal Data Law, the processing covers the following operations in relation to personal data:

• record-keeping;
• systematization;
• updating;
• modification;
• extraction;
• anonymization;
• retention;
• transmission; and
• destruction.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator is the Ministry.

3.2. Main powers, duties and responsibilities

The responsibility of the Ministry is to control the collection, processing, and protection of personal data in the information systems included in the State Register to ensure their compliance with the requirements of the Personal Data Law and the declared objectives of the information system and the methods of their processing.

Furthermore, the Ministry must:

• assure the confidentiality of the personal data obtained in the course of its activity; and
• maintain the state registry of information systems of personal data.

The Ministry also has the following powers:

• making inquiries to the data controllers or data processors in the manner prescribed by law, as well as receiving the necessary information on a free-of-charge basis from the state authorities, data controllers, or data processors;
• checking the information provided by the data controller during the state registration of information systems of personal data, including the relevance of information systems to the project;
• organizing the state expertise of information systems in a prescribed manner;
• requiring state authorities, legal entities, and physical persons involved in the collection, processing, and protection of personal data to eliminate violations of the Personal Data Law; and
• taking measures, in accordance with the established procedure, to bring to justice those who violate the requirements of the relevant legislation in the field of collection, processing, and protection of personal data.

4. Key Definitions 

Special categories of personal data (sensitive data): Information pertaining to race or nationality, family life, religious beliefs and faith, health, or conviction of an individual.

Data subject: An individual whose identity is identified or identifiable, and personal data of whom is collected, processed, and protected.

Data controller: The Personal Data Law refers to 'owner of personal data', defined as the state or local self-government authority, legal, or physical person that exercises the right to possess, use, or dispose of information systems or resources of personal data in accordance with the legislation.

Data processor: The Personal Data Law refers to 'operator of personal data,' defined as the owner of personal data, that collects, processes, and stores personal data, or the state or local self-government authority, legal, or physical person, whom these functions have been delegated to, to a certain extent and on certain conditions by the owner of personal data.

User of personal data: State or local self-government authority, legal, or physical person, that has the right to use personal data only in the manner as specified by the owners of personal data for the purpose of obtaining the necessary information.

Personal data: Data enabling to identify, directly or indirectly, the identity of the person. Personal data is protected from the moment of its collection and, for such purposes, is categorised as confidential and public personal data depending on type of allowed access (acquisition) to the data.

Biometric data: Biometric data that is collected, stored, processed, and transmitted in information systems for the purpose of identification and verification.

Health data: Not applicable.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

Under the Personal Data Law, collection, processing, and cross-border transmission of personal data of any physical person is permitted only with the written consent of that person.

5.2. Contract with the data subject

The Personal Data Law does not impose a specific requirement to execute a contract with the data subject.

5.3. Legal obligations

The Personal Data Law permits the transfer of personal data without the consent of the data subject when the transfer of confidential personal data is in connection with the performance by state bodies or local self-government bodies of the tasks assigned to them, provided that the requirements for information systems of personal data established by law are observed.

5.4. Interests of the data subject

The Personal Data Law permits the transfer of personal data without the consent of the data subject if it is necessary to transfer personal data to protect the life and health of the data subject and it is impossible to immediately obtain the data subject's consent.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles 

The formation of information resources of personal data and the creation of the information systems must be carried out in accordance with the principles of legality, confidentiality, and harmonization of voluntariness with coercion, while observing the fundamental rights and freedoms of persons and citizens, granted by the Constitution of Azerbaijan.

The collection, processing, and protection of Personal Data must not create a danger to life, health, or cause humiliation of honor and dignity of persons.

7. Controller and Processor Obligations

Data Controller (Owner of Personal Data)

The data controller has the right to act as the data processor or to entrust the collection and processing of personal data to the data processor on a contractual basis, provided that personal data protection is ensured.

The data controller has the following duties:

• ensuring the legality and security of the collection and processing of personal data during the collection and processing thereof;
• compensating material and moral damage to the data subject as determined by the court as a result of the collection and processing of personal data and inadequate protection of such data; and
• creating conditions for conducting intelligence and counter-intelligence, as well as investigation activities in accordance with the legislation of the Republic of Azerbaijan, addressing relevant organizational and technical issues, and observing the confidentiality of the methods used to conduct these activities, in case the data controller acts as the data processor.

Data processor

The data processor has the following duties:

• ensuring the legality and security of the collection and processing of personal data during the collection and processing thereof; and
• creating conditions for conducting intelligence and counterintelligence, and investigation in accordance with the legislation of the Republic of Azerbaijan, addressing relevant organizational and technical issues, and observing the confidentiality of the methods used to conduct these activities.

7.1. Data processing notification

Registration of Information System of Personal Data

According to the Personal Data Law, an information system of personal data must be registered with the relevant state authority. The state registration of an information system of personal data is conducted by the Ministry based on the Rules on State Registration.

The registration must include the following information (Article 15(4) of the Law):

• information identifying the owner of personal data;
• the legal basis for the creation of the personal data information system;
• the purpose and intended methods of processing personal data;
• the categories of personal data used in the personal data information system;
• categories of data subjects;
• a general description of the actions undertaken by the personal data owner to protect personal data during the operation of the personal data information system;
• the date of collection and processing of personal data;
• the scope of users' personal data;
• monitoring and audit mechanisms for the collection and processing of personal data;
• other related information systems, methods of information exchange with those systems, and the categories of information exchanged;
• the scope of e-services that can be provided to the public using the information systems;
• rules for ensuring the rights of the data subject as provided in the Law; and
• the categories of personal data transmitted to other states and international organizations.

The state registration of information systems that contain personal information is carried out within one month upon the written request of the personal data owner (Article 15(4) of the Law).

In addition, if there is a change in the information in the application for state registration of personal data information system, it must be notified in writing to the relevant executive authority within three working days (Article 15(5) of the Law).

Exemptions from Registration

The Personal Data Law and the Decree on Approval of the Information Systems prescribe certain exemptions with respect to the registration of information systems of personal data. For example, the following systems, among others, are not required to be registered:

• the data is depersonalized in accordance with an established procedure or, with the consent of the data subject, personal data is collected for general use in information systems;
• data archived in accordance with the Law of 22 June 1999 No. 694-IQ on the National Archive Fund (only available in Azerbaijani here) is collected and processed;
• data is collected on the basis of the written consent of the data subject, and the data is collected and used for the purpose of meeting the provision of information society services in the field of telecommunications and mail services, in information systems that contain personal data of less than 1,000 subjects;
• the data concerning members of public associations and other non-profit organizations are collected and processed by such organizations for the purpose of achieving their legal purposes, and on the condition that such information is not provided to third parties without the consent of the data subject, in information systems which contain the personal data of less than 1,000 subjects;
• for state or local government information systems, the collection and processing of information is performed by state bodies or local government bodies in connection with the fulfillment of obligations established by law, in information systems which contain the personal data of less than 1,000 subjects;
• the data is collected for the purposes of scientific research and statistics, where the information does not contain state secrets and is provided on an anonymized basis, and the personal data is collected for information systems that contain the personal data of less than 1,000 subjects;
• the collection of the data is required to protect the life or health of the data subject, and the personal data is collected and used for information systems that contain the personal data of less than 1,000 subjects;
• the data relates to state secrets in accordance with the Law of 7 September 2004 No. 733-IIQ about state secrets (only available in Azerbaijani here); and
• the data relates to a subject's labor relations with a personal information owner or is necessary for admission to the territory of work.

Given that the information system of personal data with respect to employees of a legal entity is exempt from state registration, it is conceivable to conclude that the employer is not required to obtain the license for the creation of such an information system of personal data. If, however, an entity deals with creation of an information system of personal data for other persons i.e. non-employees, it must obtain the license for this type of activity.

Failure to register a database by legal entities will result in an administrative penalty in the amount of AZN 300 to AZN 500 (approx. €160 to €270) (Section 375.0.1 of the Code).

Finally, please see the following form for registration:

• the Forms for state registration of individual information systems and cancellation of state registration (only available in Azerbaijani here); and
• Forms for a registration card for state registration of personal information systems (only available to download in Azerbaijani here)

7.2. Data transfers

Requirement for consent

The transfer of personal data to the data controller or the data processor by third persons and transfer of personal data to any third persons by the data controller or the data processor shall be only allowed with the written consent of the data subject, their heirs, or representatives.

Exceptions

Transfers of personal data without the consent of the data subject are only allowed in the following cases:

• transfer of personal data of open category;
• transfer confidential personal data in connection with exercising of the obligations by the state authorities or local self-government authorities, provided that the requirements to information systems of personal data set forth in the legislation are complied with; and
• transfer where it is:
  • necessary for the protection of the life and health of the data subject; and
  • impossible to obtain immediately the data subject's consent.

Localization requirement

There is no direct localization requirement imposed by the Personal Data Law.

7.3. Data processing records

Under the Personal Data Law, it is required to maintain a collection of records on the collection and processing of personal data in information systems and resources, lodging requests, and their processing/responding, results of registration, and review of applications, as well as on operations associated with the management and protection of information systems in the relevant control and audit logs shall be provided by the data controllers or data processors.

7.4. Data protection impact assessment

There is no direct requirement to carry out Data Protection Impact Assessment imposed by the Personal Data Law.

7.5. Data protection officer appointment

There are no requirements for data controllers and/or data processors to appoint a data protection officer. Under the Personal Data Law, the protection of personal data shall be ensured by the data controller and the data processor.

7.6. Data breach notification

The data processor must notify the data subject in case their personal data is entered into information systems of public use from open sources. The notice must include information about the data that was entered in the system and the source from which the data was obtained.

The data must be immediately removed from the information system based on the written request of the data subject.

7.7. Data retention

Personal data must be immediately deleted in the following cases:

• the purposes of its collection and processing have been achieved and the need for their retention has been eliminated;
• termination of the state registration of information system; and
• the reasons for collection and processing of personal data of special category are eliminated, if the data subject does not give consent for retention of such data in the information system or transfer of such data to the national archive.

7.8. Children's data

Under the Personal Data Law, consent to collection and processing of children's data should be obtained from their parents or custodians.

7.9. Special categories of personal data

The Personal Data Law prohibits collection and processing of personal data of special category except for the cases in which:

• collection and processing of personal data is required by the law;
• the personal data is of open category;
• processing of personal data of special category is required for protection of life and health of the data subject (other persons or group of persons) and obtaining written consent from the data subject is not possible; and
• collection and processing of personal data of special category is carried out by public associations and other non-governmental organizations within their legitimate objectives in respect of their members provided that the data is not provided to third parties without the consent of the data subject.

7.10. Controller and processor contracts

The Personal Data Law requires there to be an agreement between the data processor and the data controller. This agreement, subject to the data protection legislation of the Republic of Azerbaijan, must determine the rights and duties of the data processor.

According to the Personal Data Law, the data controller is entitled to entrust the collection and processing of personal data on the basis of the agreement to the data processor provided that it is ensured that the personal data will be protected.

8. Data Subject Rights

8.1. Right to be informed

Notification

Upon collection of personal data, the data controllers or the data processor of personal data must inform the data subject about:

• identification details of the data controller/the data processor;
• the purpose of processing of personal data and basis of such purpose from the legal point of view;
• level of protection afforded to collected and processed personal data at the information system;
• information on the existence of a certificate of conformity of an information system and completion of the state expertise;
• category of users of personal data and the information systems with which exchange of information is intended; and
• information on the rights of the data subjects as provided under the law.

8.2. Right to access

The data subject is entitled to be familiarised with the content of their personal data collected in the information system.

More specifically, the data subjects are entitled to obtain information about:

• existence of their personal data in the information system, as well as the information about the data controller or the data processor;
• sources from which any personal data about them has been obtained and entered in the information system;
• the purpose of collection and processing, timing, and methods of processing of their personal data in the information system, including the persons who have access to their personal data, as well as information systems for which exchange of information is planned;
• existence of the compliance certificate and completion of state examination of the information systems, in which their personal data is collected and processed;
• legal justification for the collection, processing, and transfer of their personal data to third parties in the information system; and
• obtain information about the legal consequences for the data subject from the collection, processing, and transfer of their personal data to third parties.

8.3. Right to rectification

The data subject is entitled to require alteration and, except for cases envisaged in the law, deletion of their personal data collected and processing in the information system, and to transfer such data to the national archive in the prescribed manner.

8.4. Right to erasure

The data subject is entitled to demand the destruction of any personal data collected in the information system about the data subject except for cases required by the law.

8.5. Right to object/opt-out

The data subject is entitled to:

• object to the collection and processing of their personal data, except in cases when the collection and processing of personal data is required by the law; and
• require the prohibition of the collection and processing of their personal data.

In addition, the data subject is entitled to object to the collection and processing of personal data in the following case unless this is required by the law:

• the collection and processing of personal data is carried out through information technology; and
• the decisions made during such collection and processing violate the data subject's interests.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The data subject is entitled to object to the collection and processing of personal data in the case the collection and processing of personal data is carried out through the information technology and the decisions made during such collection and processing violate the data subject's interests unless this is required by the law. In the event the data controller or the data processor receives an objection against the processing of personal data through information technologies, it shall be obliged to receive the consent of the data subject for processing of data through the other method or to suspend the processing of personal data immediately.

8.8. Other rights

The data subject is entitled to:

• require the protection of their personal data collected and processed in the information system;
• appeal to the relevant executive authority or court in cases of:
  • unlawful collection and processing of their personal data; or
  • violation of their rights, the data subject has the right to demand compensation for the moral and material damage caused as a result of such violation.

9. Penalties

The Personal Data Law requires that the information systems of personal data be registered with the Ministry. The collection and processing of personal data in the information system without registration may result in administrative liability under Article 375 of the Administrative Violations Code, including a fine in the amount of AZN 300 (approx. €160) up to AZN 500 (approx. €270).

Furthermore, under the Administrative Violations Code, an administrative fine in the amount of AZN 300 (approx. €160) up to AZN 500 (approx. €270) may be imposed for the failure to:

• protect personal data by the data controller or data processor;
• destroy personal data; or
• cease collection, processing, or transfer of personal data,

in cases and within the time limits prescribed by the Personal Data Law.

In addition, the formation of information sources and the establishment of information systems of personal data is a licensable activity. Failure to obtain a license may result in criminal liability (Article 192 of the Criminal Code), including a fine of a maximum amount of four times of revenue generated from such non-licensed activity, and/or up-to seven years of imprisonment.

9.1 Enforcement decisions

Not applicable.