ARMENIA LAW AND PRACTICE Contributed by: Aram Orbelyan, Narine Beglaryan, Artur Hovhannisyan, Lilit Karapetyan, Sarkis Knyazyan and Shushanik Stepanyan, Concern Dialog
• the processing must pursue a legitimate pur - pose, and the measures to achieve it must be suitable, necessary and moderate; • the volume of personal data processed needs to be the minimum necessary for achieving a legitimate purpose; • processing needs to comply with its purpose or be compatible with it; and • processing should be depersonalised if the purpose of processing may be achieved with - out personalisation of the data subject. Compliance with the principle of reliability means that personal data being processed needs to be complete, accurate, simple and, where neces - sary, kept up to date. The principle of minimum engagement of a data subject is mostly applica - ble to the public authorities when the latter must collect data necessary for exercising their pow - ers from the official sources available rather than request that a data subject regularly provide the same information. Data Processing Framework Data processing should be performed with the data subject’s consent unless the law allows the processing without it – eg, in the case of a court order to disclose personal data. The data sub - ject has basic rights such as the right to access personal data, the right to erasure, the right to rectification, and the right to object. The data processor should notify the data sub - ject prior to the processing of their personal data by indicating the purpose of processing, the list of data processing, the category of processors and other information defined under the law. There is no mandatory requirement to approve a privacy policy. The transfer of personal data to third parties needs to be performed with the data subject’s
consent, as well as the transfer of personal data abroad. The transfer of personal data abroad is subject to the preliminary approval of the Per - sonal Data Protection Agency of the Republic of Armenia if the data needs to be transferred to a state without a sufficient level of data protection. 8.2 Geographical Scope The Data Protection Law and the powers of the Personal Data Protection Agency of the Republic of Armenia are limited to the territory of Armenia. If the personal data is collected (stored) by a legal entity – or a branch or representative office of a legal entity – established in Armenia, the collection and further processing will have to be performed under the Data Protection Law, and the Personal Data Protection Agency of the Republic of Armenia will be entitled to enforce its powers over this data processing. 8.3 Role and Authority of the Data Protection Agency The Personal Data Protection Agency of the Republic of Armenia is part of the Ministry of Justice of Armenia. However, the Data Protec - tion Law declares that the Agency operates independently. Among other authorities listed under the law, the Agency is entitled to do the following: • apply administrative sanctions prescribed by law in the case of violation of the require - ments of the Data Protection Law; • require the blocking, suspension or termina - tion of the processing of personal data violat - ing the requirements of the Data Protection Law; • require the rectification, modification, block - ing or destruction of personal data;
33
CHAMBERS.COM
Powered by FlippingBook