The Relativity Principle: How the CJEU’s C-413/23 Decision Transforms Personal Data Classification

Introduction

The development of Armenian data protection legislation is grounded in European legal frameworks and international conventions. The primary legal foundations include the Constitution of the Republic of Armenia (Article 34) and the Law of the Republic of Armenia “On Protection of Personal Data” (May 18, 2015), developed in accordance with Council of Europe Convention No. 108, to which Armenia is a party.

Personal data is defined as “any information relating to a natural person that allows or may allow, directly or indirectly, the identification of a person’s identity”.

Armenian legislation recognizes three categories:

·  “Life data” – information concerning personal, family, physical, physiological, intellectual, or social circumstances;

·  “Biometric data” – information relating to physical, physiological and biological characteristics;

·  “Special categories of personal data” – information concerning race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health and sexual life.

The fundamental challenge of unambiguous data categorization remains unresolved. The traditional binary classification methodology proves inadequate for contemporary data processing scenarios.

The Court of Justice of the European Union’s ruling in “European Data Protection Supervisor v. Single Resolution Board” (C-413/23 P) establishes a significant interpretive framework addressing these classification challenges through the “relativity principle” of personal data determination.

The Banco Popular Case: Transformative Legal Principles

The litigation originated from the 2017 resolution of Spain’s Banco Popular. The Single Resolution Board (SRB) collected comments from affected shareholders and creditors, subsequently sharing them in pseudonymized form with Deloitte for analysis. The European Data Protection Supervisor challenged whether these comments constituted personal data requiring disclosure under Article 15(1)(d) of Regulation 2018/1725.

The Court established three principles that reshape personal data classification:

1. Opinions and Assessments are Inherently Personal Data

The Court ruled that personal opinions automatically constitute personal data without requiring content analysis. This departure from previous approaches eliminates case-by-case analysis of identifying potential, as personal expressions are inherently linked to their authors.

This principle affects data processing across sectors involving feedback collection, survey responses, and stakeholder consultations. Classification does not depend on the opinion’s substance, political nature, or sensitivity level.

2. Contextual Data Determination

The Court rejected absolute approaches to personal data classification, establishing that data status depends on specific processing circumstances. For the SRB, the comments constituted personal data due to identification capabilities and direct relationships with data subjects. For Deloitte, the same comments were potentially not personal data if pseudonymization effectively prevented identification.

This represents a fundamental shift in data protection analysis. Legal analysis must examine specific capabilities, technical measures, and organizational context of each processing entity. The same dataset can have different legal statuses depending on processing circumstances.

3. Controller-Centric Obligation Framework

Controllers’ disclosure obligations depend on data status from the controller’s perspective, not the recipient’s perspective. This creates asymmetric obligations: the SRB had to disclose Deloitte as a recipient even if the pseudonymized data were not personal data from Deloitte’s perspective.

Controllers must assess obligations based on their specific relationship to the data, while recipients face different obligations based on their processing context and capabilities.

Practical Implications for Data Protection Practice

The relativity principle requires organizations to evaluate data status from multiple perspectives simultaneously. This affects privacy impact assessments, ongoing monitoring, and data subject rights fulfillment.

Organizations must develop assessment methodologies that account for varying technical capabilities across processing entities. Protective measures like pseudonymization must be evaluated from the viewpoint of each recipient or processor in the data processing chain.

Legal practitioners must develop analytical frameworks that handle contextual complexity. Traditional compliance assessments must evolve to accommodate relative determinations that vary across processing contexts within the same data flow.

The implications extend to contractual arrangements, vendor selection, and relationship management. Organizations must evaluate the identification capabilities of processors and partners and implement contractual provisions addressing potential changes in data classification status.

Cross-Border Processing Complications

Cross-jurisdictional data transfers create additional complexity. Different legal frameworks may provide varying identification tools, affecting data classification across jurisdictions. Organizations must consider the adequacy of protective measures and how local legal frameworks might affect the relative classification of transferred data.

Data Subject Rights Under Relative Classification

When data is personal for the controller but not the processor, exercising data subject rights becomes complex. Organizations must develop policies for handling access requests, erasure demands, and other rights exercises where data classification varies across the processing chain.

Conclusion

The European Court of Justice’s recognition of personal data’s relative nature marks a significant development in data protection law. Moving beyond binary classifications toward contextual analysis provides a framework for addressing complex modern data processing scenarios.

This development requires legal practitioners, businesses, and regulators to adopt sophisticated approaches to data protection compliance. While creating new challenges, the relativity principle represents a more realistic approach to privacy protection in complex technological environments.

Organizations implementing these principles will be better positioned for compliance and competitive advantage in an increasingly complex data processing landscape.