The need to ensure personal data protection by IT entities

Entrepreneurial activities in the field of information technologies have played a significant role in the rapid growth of the Republic of Armenia’s GDP in 2022 and are a crucial part of its economy. As a result, the tax benefits provided through certification under the state support program for legal entities and individual entrepreneurs engaged in high-tech activities have been extended.

This state support program, although subject to certain restrictions, aims to focus the attention of registered legal entities and individual entrepreneurs in Armenia engaged in high-tech activities in collaboration with foreign partners. Even when foreign entrepreneurs relocate to Armenia, they continue to collaborate with foreign parties through a legal entity or individual entrepreneur established in Armenia.

In essence, both certified and uncertified resident entities in Armenia involved in high technology primarily cooperate with foreign counterparts, most of whom are residents of European Union countries. Consequently, high-tech activities involve the processing of operational and substantive data, particularly personal data.

This aspect underscores the importance of ensuring personal data protection for registered legal entities and individual entrepreneurs in Armenia engaged in high-tech activities. For the purposes of this article, operational-level data refers to data necessary for system development (commonly known as ‘code’), while substantive-level data pertains to information related to specific individuals. In other words, in this context, substantive-level data is synonymous with personal data.

European countries have implemented stricter controls over the protection of personal data. Hence, resident entities in Armenia engaged in high-tech activities must comply with the minimum requirements for personal data protection.

Personal data.

The main document regulating the protection of personal data in the European Union is the General Data Protection Regulation (hereinafter referred to as ‘GDPR’), which defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’)’.

The type of personal data can be determined by the difficulty of obtaining, the degree of secrecy and the rights to use by third parties.

Personal data are divided into:

  1. general personal data,
  2. special personal data, which includes:
     • personal data revealing racial or ethnic origin,
     • political opinions,
     • religious or philosophical beliefs,
     • trade union membership,
     • genetic data and biometric data processed for the purpose of uniquely identifying a natural person,
     • data concerning health,
     • data concerning a natural person’s sex life or sexual orientation.

Processing of data is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

GDPR provides for clear and transparent delimitation of each of the subjects involved in the process of processing personal data:

  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,
  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Therefore, Data Subject means the natural person whose data is being processed.

Data Processing.

Data processing should be carried out in accordance with the following principles:

Lawfulness

Processing of personal data is considered lawful if it is based on one of the legal grounds specified in Article 6 of the GDPR. Among these legal grounds, consent is the most prominent, defined as the voluntary, specific, informed, and unambiguous indication of an individual’s wishes to agree to the processing of their data. Consent can be given explicitly through written or oral statements, including electronic means where it is commonly indicated by ticking a box, or it can be implied through affirmative actions. However, silence or inaction, such as pre-ticked boxes, cannot be regarded as consent.

Consent can be revoked at any time, but the revocation does not affect the legality of the processing that occurred prior to the withdrawal. In the case of processing data related to minors under the age of 16, consent must be obtained or authorized by the person holding parental authority. Member States have the option to lower the age of consent, but it cannot be set below 13 years old.

When it comes to processing sensitive data, explicit consent is required, meaning that implied consent is not sufficient.

Fairness

The GDPR does not provide a specific definition of “fairness.” Consequently, this principle should be understood as encompassing the broader concepts of justice and equity. Processing of personal data is considered unfair if it is conducted in a manner that could mislead the data subject or pose a threat to their privacy, even if consent has been obtained. The purpose of this principle is to introduce a sense of practical reasoning within the stringent framework of the GDPR.

Transparency

In line with the principle of transparency, it is necessary to provide the data subject with comprehensive information regarding the processing of their personal data. This requirement applies regardless of the legal basis for the processing and whether the data was obtained directly from the individual or through other means, such as web crawling. The information should be presented in an easily accessible and understandable format, using clear and straightforward language.

The information should cover the following aspects:

  • identification of the data processing controller,
  • explanation of the purposes for which the data will be processed,
  • indication of the categories of recipients with whom the data may be shared (if applicable),
  • disclosure of the possibility of transferring data to countries outside the European Economic Area,
  • specification of the storage period for the data,
  • clarification of the data subject’s rights in relation to their personal data.

By providing this information, organizations can ensure transparency and enable data subjects to have a clear understanding of how their personal data is being processed.

Purpose limitation

Personal data must be processed for ‘specified, explicit, and legitimate’ purposes. It is recommended to define and specify these purposes prior to commencing the processing, and to ensure adherence to them throughout the entire lifecycle of the personal data. Once the purpose of processing is established, it is not permissible to process the data for a purpose that is incompatible with the original one. Conversely, if a new purpose arises that is compatible with the initial purpose, the data may be processed for this new and different purpose. Notably, the GDPR makes an explicit exception for scientific research, considering it always compatible with the initial purpose. This means that data lawfully collected for any purpose can be reused for scientific research, as long as all other data protection principles are upheld.

Data minimization

According to the principle of data minimization, personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. This means that data that are not necessary to achieve the intended purpose cannot be lawfully collected, stored, or otherwise processed. This principle is therefore largely incompatible with data-intensive operations performed on personal data, where every piece of data is valuable, but none (or very few) are necessary to achieve the intended purpose.

Accuracy

Personal data shall also be ‘accurate and, where necessary, kept up to date’.

This principle is closely linked to the rights of data subjects to access and correct their personal information. It is also aligned with ethical standards and best practices recognized by the research community.

Storage limitation

In line with the principle of storage limitation, personal data should only be retained in a format that allows the identification of data subjects for as long as necessary to fulfill the purposes for which the data are processed. Various regulations exist at the country and sector levels regarding ‘data retention’, which specify the duration for which certain types of personal data can be stored for specific purposes. For example, contracts may often be stored in non-anonymized form for a period of five years after their termination.

However, when personal data is exclusively used for scientific research purposes and appropriate safeguards are in place, such as authentication procedures, it is possible to retain the data for longer periods. The GDPR allows for extended archival of personal data for scientific research, although national laws may impose stricter requirements in this regard.

Integrity and confidentiality

In order to maintain appropriate security, personal data must be processed in a manner that safeguards against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. This entails implementing suitable technical and organizational measures. These security measures are essential for all instances of personal data processing. Furthermore, specific cases may require an elevated level of security. It should be emphasized that ensuring the integrity of research data is not only a legal requirement but also a fundamental aspect of research ethics and professional conduct.

Accountability

The controller bears the responsibility for adhering to and being able to provide evidence of compliance with all the principles outlined in the GDPR. In simpler terms, the burden of proof lies with the controller. It is not the data subject’s obligation to demonstrate any violations of the GDPR principles, but rather the controller’s duty to demonstrate their adherence to these principles.

Any entity in the field of information technology that cooperates with customers from the European Union, or collects or processes personal data of EU users, must align its information processing methods with the requirements of the GDPR. It is also crucial to give due attention to the privacy policy and specific terms of use of the platform. Additionally, mechanisms should be established to handle potential user requests effectively.

To summarize the aforementioned recommendations, we advise the following:

  1. Familiarize yourself with the legislation governing the processing of personal data.
  2. Discuss the usage and legality of personal data, particularly substantive-level data, before entering into an agreement for the provision of information technology services.
  3. Conduct operations in line with the principles governing the processing of personal data.
