Data Protection Law in Azerbaijan: Personal Data Regulations

 

 

Personal data in Azerbaijan, its protection, transmission, the responsibility of data users and other aspects of data regulations are expressly regulated by the laws, specifically by the Personal Data Law of Azerbaijan. From the regulatory perspective of data protection in Azerbaijan, in this regard, emphasis is made on the differentiation of personal data, commercial secret and other forms of secret information such as bank secret, tax secret and state secret.

 

The Law on Personal Data of Azerbaijan, as the primary and special data protection law of Azerbaijan, identifies personal data as any data enabling to directly or indirectly identify the identity of a person. It is worth mentioning that the terms and conditions of collection and processing of personal data set forth in the Law shall fully apply to collection and processing of data characterizing biological features of the human organism and enabling to define it unambiguously. This data includes finger and hand-prints, face image, retina and iris, voice fragments and their acoustic parameters, DNA, body dimensions, description of specific marks and defects of the body, handwriting, and signature as well as other biometric data.

 

Per the said law regulating data protection in Azerbaijan, personal data shall be subject to protection from the moment of collection and in terms of access (collection) shall be divided into confidential and public categories. The subject of personal data in Azerbaijan has a right to change the confidentiality status of the data belonging to him/her and to identify data as public. It is the duty of the data owners and operators to provide the protection of personal data available to them. Legal entities, therefore, shall identify in which cases they are the owners or operators of such data and shall follow data protection rules.

 

Each subject of data has a right to know who is owning, using, or operating his/her data and on what purposes and content, to ask for the removal of or correction of data from systems, to get information on all third parties accessing data and about the authorization of information systems used for storage of data.

 

Overall, the Personal Data Law of Azerbaijan allows collection and processing of personal data only in case of availability of one of the following conditions:

- subject has given consent for collection and processing of personal data or those data are regarded to public category;

- personal data are processed on the basis of legislation which defines purposes and methods of processing;

- processing of personal data for scientific and statistical purposes carried out subject to their mandatory depersonalization;

- collection and processing of personal data is required for protection of life and health of the subject.

 

In practice, most of the employee information and personal data are subject to protection. Therefore, employers shall consider this while drafting employment agreement and obtain employee’s consent for storage, transmission (intra state or cross-border) and any use of such personal data of employees.

 

Except for cases of mandatory collection and processing of personal data, as provided for in data protection regulations of Azerbaijan, collection and processing of personal data about any person shall be allowed only with the written consent of the subject. It shall also be mentioned that, such written consent of the data subject shall have to follow some requirements to be considered as a proper consent. For example, such consent must include at least data allowing to identify the identity of the subject, data allowing to identify the owner or operator acquiring the consent of the subject, purpose of collection and processing of personal data, list of personal data, consent of the subject to which is granted and of operations for their processing, validity period of consent of the subject entity and terms and conditions of its withdrawal, terms and conditions of deletion or archiving of collected personal data in the respective information system upon completion of fixed period of storage or upon his/her death.

 

Formation of information resources of personal data in Azerbaijan and establishment of information systems, their maintenance may be carried out only on the basis of special permission (license) provided by Transportation, Communication and High Technologies. Information system of personal data shall mean information system which provides collection, processing and protection of personal data; while information resources of personal data shall mean information, resources accumulated under procedure and in the volume provided for in the legislation in the information systems of personal data as well as separately.

Information systems of personal data shall be subject to state registration in the Ministry of Transportation, Communication and High Technologies.

 

Following information systems of personal data shall not require state registration:

- information system of personal data related to state secret in accordance with the legislation of the Republic of Azerbaijan on state secret;

- information system of personal data related to subject entities who are in labor relationships with the owner or operator or required for their access to the working territory;

- information systems of personal data defined by the relevant authority of executive power and established depending on purpose of processing of personal data and maximal limit of number of subjects (less than 1000 subjects) in cases, which do not require state registration.

 

It shall also be mentioned that Law on Personal Data of Azerbaijan does not specifically cover the data related to the commercial secret. Regulations regarding the commercial data are provided by the Law on Commercial Secret of the Republic of Azerbaijan. At the same time state, tax and bank secret also regulated under specific laws. From legal perspective, the commercial secret shall have the commercial value and the owner shall provide specific means for protection of such information. Some information shall not be considered as commercial secrets such as registration information of legal entities (except name and share of shareholders), type of business, obtained licenses, auditor reports/opinions, personnel, obtained intellectual property, committed unlawful actions etc.   The owner of commercial secret may define necessary information as a commercial secret.

 

In accordance with the international treaties of the Republic of Azerbaijan for the exchange of tax and financial data, information on financial transactions, carried out by legal entities and individuals of these states on the territory of the Republic of Azerbaijan, through the State Tax Service, is submitted to the competent authorities of these foreign states.

 

Together with local regulations of personal data in Azerbaijan, international regulations shall also be taken into consideration. As per General Data Protection Regulation (GDPR) coming into force from 25 May, 2018 emphasis is made on protection of EU residents’ data not taking into account the residence of entity processing, obtaining or operating such data. Such an exterritorial effect of said Regulation needs to be learned by the entities having multinational business activities, especially by entities providing the services worldwide no matter of place of business.

 

Overall, general advice for the businesses operating in the Republic of Azerbaijan or intending to enter Azerbaijani market is that, they should consider that personal data protection regulations in Azerbaijan is specifically regulated by several laws having impact on the regulation of personal data (e.g. criminal laws), legal nature of information protection, and related detailed regulations need to be learned carefully case by case to secure the lawful operations with such data; thus, in some cases internal proper documentation would be sufficient, in other cases, special permission or registration of certain devices might be necessary.