Personal data protection has gained significant importance, particularly in the context of the rapid advancement of information technologies. The pace of technological development in this field has brought forth various challenges, such as data breaches and the emergence of new types of threats. Therefore, the main targeting in the field of personal data protection due to this large-scale digitalization is directed to the companies of the IT sector.
It is worth addressing the question of how to prevent the violation of personal data and/or what to do if your rights have already been violated.
Which data is considered personal and what is the purpose of protecting personal data?
Any information related to a natural person that allows or can allow to directly or indirectly verify the identity of a person (recognize a person) is considered personal data.
The purposes of personal data protection are: safety, security, protection of human rights, prevention of abuses and etc.
What is personal data processing and who are the processors of personal data?
Any activity and/or group of activities related to the processing of personal data is considered processing of personal data.
- State administration bodies
- Local self-government bodies
- Legal entities
- Natural persons
Additionally, according to Article 4, Part 1 of the Law of the Republic of Armenia “On Personal Data Protection” personal data should be processed for lawful and specific purposes and cannot be utilized for other purposes without obtaining consent from the data owner.
What security measures are used to protect your personal data?
- The developer is obliged to use encryption means to ensure the protection of information systems containing personal data from accidental loss, illegal access to information systems, illegal use of personal data, recording, destruction, transformation, duplication, distribution and other interference.
- The developer is obliged to prevent the availability of appropriate personal data processing technologies for persons who do not have the right to do so.
What are the rights of the owner of data which is being processed?
- The right to be informed, which implies the right of an individual to receive information about the fact and purposes of processing his personal data, about the methods of processing personal data, about the data processor, its location, about the list and sources of data, about the terms of processing personal data.
- The right to receive information, that is, a person has the right to receive transparent, easily understandable, and precise details regarding the processing of their personal data. They have the right to be informed about the purpose, extent, and manner in which their data is processed. Additionally, individuals have the right to obtain copies of their processed personal data, both in physical and electronic formats. Upon submitting a written or electronic request, the information must be provided within 5 days, free of charge, and in its entirety, irrespective of when the data was processed.
- The right to correction and modification allows individuals to request the rectification or amendment of their personal data if it is found to be inaccurate, incomplete, unlawfully obtained, or unnecessary for the purposes of processing.
What personal data do organizations as an employer have the right to process?
Organizations, as employers, are also processors of personal data, and they do not have the right to collect such personal data that unrelated to the employment relationship.
Is the video recording carried out by the employer at the workplace for the purpose of checking the quality of work performance, without your consent, considered a violation of the right to protection of personal data?
The installation of workplace video surveillance systems should be limited to exceptional circumstances, primarily for the purpose of ensuring the safety of individuals and property when alternative methods are insufficient. All employees in both public and private institutions must receive written notification about the procedures for workplace video surveillance and their associated rights. Clear warning signs must be prominently displayed in visible areas where video surveillance is in operation.
Why is the protection of personal data especially pivotal in IT organizations?
IT organizations should prioritize raising employee awareness and providing training on best practices for information security. This approach fosters a security-oriented culture and ensures that employees comprehend their roles and responsibilities in safeguarding sensitive information. By demonstrating a strong commitment to data privacy and making diligent efforts to uphold it, companies can cultivate trust among individuals and organizations. When users have confidence that their data is being handled responsibly, they are more inclined to engage with online services, share information, and participate in digital transactions.
Adhering to applicable laws and regulations is especially crucial in this context. IT companies must comply with industry standards, adopt best practices, and, when necessary, obtain certifications that demonstrate compliance with international standards.
Does a video recording during public events violate your right to personal data protection?
In such cases, it might be presumed that participating in a public event automatically implies consent to be filmed, eliminating the need for additional awareness. However, the right to personal data protection necessitates that individuals are duly informed. Therefore, the data processor (event organizer) must respect the right to personal data protection by ensuring that participants are genuinely informed about the potential appearance of their images on various platforms and the dissemination of information regarding the event. As per international best practices in personal data protection, it is recommended to implement precautionary measures, either verbally or in writing, to fulfill these requirements.
What should be done if your personal data is processed without legal bases and purposes?
If the subject of personal data considers that the processing of his personal data is carried out in violation of the requirements of the law or violates his rights and freedoms, then he has the right to appeal the processor’s actions or inaction to an authorized body for personal data protection or in court.
Whom can you turn to for advice, which state body in RA implements the protection of personal data?
The state authorized body in the field of personal data protection is the Personal Data Protection Agency of the Ministry of Internal Affairs of the Republic of Armenia (hereinafter referred to as “the Agency for Personal Data Protection”).
The National Security Agency exercises its powers in 2 ways:
- Based on the request of the data subject (If the data subject considers that the processing of his personal data is carried out in violation of the requirements of the law, he has the right to appeal the processor’s actions or inaction or decisions to the authorized body for personal data protection).
- On his own initiative or on the basis of an application (checks compliance of personal data processing with the requirements of the law).
What liability is envisaged for violating the “Law on Protection of Personal Data”?
A fine is set for violating the law, the amount of which varies from 50,000 AMD to 500,000 AMD for different violations.
*A person who has committed the provided actions is released from administrative responsibility if he has eliminated the violation he committed within the specified period or before making a decision on being held accountable and has provided evidence of this.
Therefore, given that personal data protection is an evolving legal domain and holds particular significance in today’s societal advancements, the study of this field has become increasingly important. Consequently, obtaining accurate advice on the legal regulations governing personal data protection is crucial.
We are pleased to offer guidance on the relevant legislation, assist in developing internal policies or documents pertaining to data processing, advocate for the interests of your company, and provide comprehensive support in navigating this field.
