We have previously detailed the scope of personal data protection in Armenia and the legislative framework governing this area. This included definitions of personal data, the rights of data subjects, the entities responsible for processing personal data, and the security measures employed to safeguard such data. In this article, we will focus on another critical aspect of personal data protection: the classification of personal data and the implementation of corresponding cyber law measures in Armenia.
What Is Data Classification and Why Is It Important?
Data is classified based on the level of vulnerability and sensitivity of its content. Depending on the category of information being collected and processed, the measures and mechanisms for protecting and controlling the security of this data will vary in severity. Data classification is crucial because it enables the data processor to effectively organize the data and its protection systems, ensuring both the safety of the data and compliance with legal requirements.
To ensure effective data protection, it is essential to continually review and update data classification, particularly in response to significant technological advancements or changes in legislation, data privacy regulations, and data security guidelines. Such changes may necessitate a corresponding review and alignment of security measures.
Data Classifications Under the Legislation of the Republic of Armenia
The RA Law on Personal Data Protection (hereinafter referred to as the “Law”) provides for the following types of personal data:
- Biometric Personal Data: This category includes information characterizing the physical, physiological, and biological attributes of an individual.
- Personal Information of a Certain Category: This encompasses information related to race, nationality, or ethnic origin, political views, religious or philosophical beliefs, trade union membership, health status, and sexual life of an individual.
- Publicly Available Personal Data: This includes information that becomes accessible to a specific or indefinite group of persons with the consent of the data subject or through actions intended to make the data public. Additionally, it covers information designated by law as publicly available, such as first name, last name, patronymic, date of birth, location, and place of death.
Data Privacy Regulations for Each Type
The law establishes specific regulations for biometric data and data of a certain category. Particularly, data of a certain category is processed solely with the consent of the data subject, except in cases where its processing is explicitly authorized by law. Moreover, processing of such data ceases immediately upon elimination of the grounds and purpose for processing.
Similarly, biometric data is processed only with the explicit consent of the data subject, allowing such processing only when necessary to achieve legitimate objectives that can only be realized through biometric data processing.
Simultaneously, the legislator stipulated the obligation of data processors to inform the competent authority for personal data protection, specifically the Agency for the Protection of Personal Data under the Ministry of Justice of the Republic of Armenia, prior to processing biometric personal data or personal data falling under a special category.
The notification required by the legislator includes the following details:
- Full name (last name, first name, patronymic), address, or place of registration of the data processor or an authorized representative (if applicable)
- Purpose and legal basis for processing the personal data
- Quantity of personal data being processed
- Categories of data subjects
- Overview of actions involving personal data, outlining the general methods used by the data processor for data processing
- Description of security measures implemented by the data processor to ensure the security of personal data processing
- Commencement date of personal data processing
- Terms and conditions for terminating the processing of personal data
The right to transfer personal data falling under a specific category to third parties or grant access to such data without the consent of the data subject is permitted under the following circumstances:
- The data processor is specifically designated as a processor of personal data falling under a certain category as defined by law or a certified international agreement, or possesses an adequate level of protection.
- The transfer of such data is explicitly authorized by law and provides a satisfactory level of protection.
- In exceptional cases stipulated by law, personal data of a specific category may be transferred to safeguard the life, health, or liberty of the data subject.
It is worth noting that the draft law of the Republic of Armenia titled “On Cybersecurity” has been submitted for public discussion. The primary objective of the draft legislation of cyber law is to establish a comprehensive legal framework aimed at safeguarding cybersecurity and addressing cybercrime effectively.
Notably, the draft encompasses measures to ensure the seamless functioning of information systems and/or critical information infrastructures pivotal for delivering essential services within the Republic of Armenia. It also addresses aspects such as access to processed, distributed, stored, transmitted, and published information, data integrity, privacy settings, notification procedures for cyber incidents, as well as measures for their prevention and resolution.
Cross-Border Transfer of Personal Data Regulation in Accordance with Armenian Legislation
Cross-border transfer of personal data is subject to stringent regulations in accordance with Armenian legislation. Apart from the requirement for data subject consent, the legislator mandates obtaining permission from the competent authority to transfer personal data to another country. Specifically, transferring personal data to a country lacking adequate data protection measures is permissible only with authorization from the competent authority. Such authorization is contingent upon the transfer being executed based on a contract that includes stipulated guarantees for personal data protection, endorsed by the competent authority as providing sufficient protection.
Additionally, personal data may be transferred to another country without the need for authorization from the competent authority if the recipient country ensures a satisfactory level of personal data protection. This assurance is typically inferred when personal data transfers adhere to international treaties or when data is transferred to a country listed in the official publication by the competent authority.
Conclusion
The regulatory landscape governing personal data protection and cyber law in Armenia is quite challenging. From defining data classifications to outlining stringent measures for cross-border data transfers, the legal framework prioritizes the rights and privacy of individuals while also addressing the evolving challenges posed by cyber threats.
As businesses and organizations try to survive the terrain, partnering with a competent legal team becomes paramount.
At MB Legal, our professional team specializes in navigating the intricacies of data protection regulations and cyber law in Armenia and beyond. Collaborate with us today to ensure compliance and safeguard your data assets effectively!
