ARMENIA Law and Practice Contributed by: Narine Beglaryan and Anahit Aloyan, Concern Dialog
cal maintenance and operation are entrusted exclusively to a single operator selected by public tender, under government-defined criteria. This ensures state oversight and protection of medical confidentiality in technology-related outsourcing.

2.3 Restrictions on Data Processing or Data Security

The Law on the Protection of Personal Data defines personal data broadly as any information relating to an identified or identifiable natural person. It distinguishes between ordinary data, special category data (such as information on race, ethnicity, political views, religious or philosophical beliefs, trade union membership, health or sexual life), biometric personal data and publicly available data.

Armenian legislation on data protection provides for four general principles relating to the general processing of personal data: lawfulness, proportionality, reliability, and minimum engagement of data subjects in the process. As a general rule, the processing of personal data requires the data subject’s consent, except for the cases directly provided by Armenian legislation.

Data controllers are obliged to ensure security of processing, including the use of encryption keys and the prevention of unauthorised access. Although the law foresees further detailed requirements to be adopted by government decision, such secondary legislation has not yet been enacted, leaving a degree of uncertainty in practice.

In the event of a security breach such as the leakage of personal data from an electronic system, the controller is obliged to immediately publish a statement about it while also informing the Police of the Republic of Armenia and the Personal Data Protection Agency. Another security breach envisaged by the Law on the Protection of Personal Data is the detection of illegal actions with personal data. In such a case, the controller is obliged to eliminate the committed violations not later than within three working days. In case of impossibility to eliminate the violations, the controller is obliged to immediately destroy the personal data and inform the data subject or their representative about eliminating violations or destroying personal data within three working days, and to also inform the Agency if the request was received from it.

Cross-border transfers of personal data are permitted with the consent of the data subject or if the transfer of data results from the purposes of personal data processing and/or is necessary for the fulfilment of those purposes. The authorisation of the Agency to transfer personal data to another country may not be needed if a sufficient level of protection of personal data is ensured in the receiving country. A sufficient level of personal data protection is considered to be provided if personal data is transferred in accordance with international agreements or personal data is transferred to any country included in the list officially published by the Agency.

Personal data may be transferred to the territory of a state that does not provide a sufficient level of protection only with the permission of the Agency, if the personal data is transferred on the basis of a contract and the contract provides guarantees of personal data protection that have been approved by the Agency as providing sufficient protection. In such cases, the controller is obliged to apply in writing to the Agency and receive permission to transfer.

Sector-specific rules apply in areas such as banking, insurance, medical services, telecommunications and anti-money laundering. Telecom operators, for example, are required to maintain the confidentiality of communications, with disclosure permitted only upon written consent or by court order in cases provided by law.

Recent Developments

As for developments in the last year, there is currently a legislative project that includes a proposed Law on Cybersecurity. This law aims to create a cyber-safe environment for the information systems and critical information infrastructures used to provide vital services in the Republic of Armenia. The proposed law aims to regulate relations relating to the detection of cyber incidents and their notification, prevention and resolution, monitoring, control, and cybersecurity audit of compliance with the requirements of this law, as well as defining the scope of the persons who are obliged to ensure the cybersecurity of information systems, infrastructures and the critical information they use, as well as their continuous, uninterrupted