Data Privacy and GDPR
Data privacy requirements apply to personal data, not to information on legal entities.
Personal data is any information that allows a data subject (the individual to whom the data relates) to be identified, either directly or indirectly.
Personal data must be protected by those who own or process it (data owners and processors) in the cases and in the manner stipulated by the Law of the Republic of Azerbaijan “On Personal Data” (the “Law”) and other legislative acts on data privacy.
Owners and processors must be aware of the Law's strict requirements on the maintenance (collection and processing) and transfer of information comprising personal data. Among other things, they must put in place technical measures that protect personal data (including against accidental or unauthorized destruction, loss, unlawful access or alteration) and, where the Law requires it, register their personal data information systems with the Ministry of Transport, Communications and High Technologies.
Along with the local legislation on personal data, entities operating in Azerbaijan may also be subject to the data privacy requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), which has applied since 25 May 2018.
GDPR introduces a number of novelties in personal data protection. It sets out the legal grounds on which personal data may be processed (collected, stored or otherwise processed) by controllers, joint controllers or processors. It recognizes a broader set of data subject rights, such as the right to be forgotten, the right to withdraw consent, the right of access to personal data, the right to object to processing and the right to data portability. Controllers and joint controllers must inform data subjects about the processing of their personal data (purposes, means, recipients, etc.) and, where required, obtain their consent to it; GDPR sets specific requirements for the form of that consent. It also sets requirements on the designation of Data Protection Officers and on notification of personal data breaches to the supervisory authorities, lists compliance measures and the grounds for cross-border transfers of personal data, and introduces severe fines of up to EUR 20 million or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Not only EU-based establishments but also undertakings outside the EU may fall within the scope of GDPR if they:
i. offer goods or services to data subjects in the EU, whether or not payment is required; or
ii. monitor the behaviour of data subjects in the EU.
Owners and processors of personal data in Azerbaijan should keep in mind that even if they do not target the EU market, they may still fall within the scope of GDPR as processors or joint controllers, if they are engaged to process personal data by a controller subject to GDPR, or determine the purposes and means of processing jointly with such a controller.
Owners and processors should also remember that GDPR is not limited to EU citizens: it covers any individual who is in the EU when his or her data are processed.
What you must know about the processing of personal data in your company:
- Which categories of personal data do you process?
- For which purposes?
- Which processing operations do you perform on them?
- For how long do you store them?
- Where do you store them?
- How transparent is your data processing?
- How portable is your data (can it be provided to the data subject or transferred to another controller)?
- What are your safeguard mechanisms for ensuring data security?
- Have you obtained consent from, or provided notifications to, data subjects?
- Are there any recipients (controllers, processors or joint controllers) to whom you disclose personal data, including through cross-border transfers?
- Do your counterparties comply with data privacy requirements?
How we can help you:
- Analyze your operations to identify where personal data is processed;
- Prepare or review data privacy policies, including website privacy policies;
- Advise on GDPR and local data protection regulations;
- Provide a comparative analysis of GDPR and local data protection regulations;
- Prepare or review data privacy notifications as well as consent forms for employees and/or other data subjects;
- Prepare or review contractual terms with counterparties on data privacy;
- Assist in registration of personal data information systems with the Ministry of Transport, Communications and High Technologies.