Stay Compliant with Data Privacy Requirements
Deloitte Tax & Legal Alerts
Data privacy requirements apply to personal data, not to information about legal entities.
Personal data is defined as any information that allows a data subject, the individual to whom the data relates, to be identified, either directly or indirectly.
Personal data must be protected by those who own and/or process such data (data owners and/or processors) in the cases and in the manner stipulated under the Law of the Republic of Azerbaijan “On Personal Data” (“Law”) and other legislative acts related to data privacy.
Owners and processors must be aware of the strict requirements of the Law with respect to the maintenance (collection and processing) and transfer of information comprising personal data. They must, inter alia, implement technical measures that protect personal data, including against accidental or unauthorised destruction, loss, unlawful access, alteration and similar events, and register their personal data information systems with the Ministry of Transport, Communications and High Technologies where the Law requires it.
Along with the local legislation on personal data, entities operating in Azerbaijan may also be subject to the data privacy requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), which has applied since 25 May 2018.
GDPR introduces multiple novelties in the area of personal data protection. It sets out the legal grounds on which personal data may be processed (collected, stored or otherwise processed) by controllers, joint controllers or processors. GDPR recognises a broader set of data subject rights, such as the right to be forgotten, the right to withdraw consent, the right of access to personal data, the right to object to processing and the right to data portability. Controllers and joint controllers are required to inform data subjects about the processing of their personal data (purposes, means, recipients, etc.) and, where required, to obtain their consent to such processing; GDPR sets specific requirements for how consent is requested and recorded. It also stipulates requirements on the designation of Data Protection Officers and the notification of personal data breaches to the supervisory authorities, enumerates compliance measures and the grounds for cross-border transfer of personal data, and introduces severe fines of up to EUR 20 million or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Not only EU-based establishments but also undertakings outside the EU may fall within the scope of GDPR if they
i. offer goods or services to data subjects in the EU; or
ii. monitor the behaviour of data subjects in the EU.
Owners and processors of personal data in Azerbaijan should be aware that even if their business is not directed at the EU, they may still fall within the scope of GDPR as processors or joint controllers: for example, if a controller that is subject to GDPR engages them to process personal data on its behalf, or if they determine the purposes and means of processing jointly with such a controller.
Owners and processors of personal data should also remember that GDPR is not limited to EU citizens. It covers any individual who is in the EU at the time his or her data are processed.