Consultation on General Data Protection Regulation

06/06/2018

The General Data Protection Regulation (GDPR) entered into force starting from 25 May 2018, replacing Directive 95/46/EC on personal data protection. One of the most important innovations of the Regulation is enshrining the principle on extra-territorial applicability, according to which the Regulation may be applicable to the processors of personal data in countries not deemed to be EU member states. The entry into force of the Regulation has recently sparked some public interest in the Republic of Armenia and has become a matter of discussion, taking into account just the principle of extra-territorial applicability. Armenian organisations are mainly concerned about the circumstance of whether the Regulation is applicable to them or not.

Taking into account the above-mentioned and based on its competence of providing consultations prescribed by point 15 of part 3 of Article 24 of the Law of the Republic of Armenia “On protection of personal data”, the Personal Data Protection Agency of the Ministry of Justice of the Republic of Armenia presents below the cases in which the Regulation is applicable to the processors of personal data (processors of personal data of the Republic of Armenia) in countries not deemed to be EU member states; for example, if Armenian processors or the person authorised thereby have subsidiaries – daughter companies, branch etc.).

However, the scope of territorial applicability of the Regulation has expanded and it also includes controller or processor not established in the EU. In this respect, part 2 of Article 3 of the Regulation defines that the Regulation applies the processing of data subjects who are in the Union by a controller or processor not established in the Union, where the activities for processing are related to:

(a)       the offering of goods or services to data subjects who are in the Union, irrespective of whether a payment of the data subject is required; or

(b)       the monitoring of the behaviour of data subjects who are in the Union; moreover, their behaviour must take place within the Union.

To clear up the issue on offering goods and services to data subjects who are in the Union by processors or controller not established in the Union, the intention of the controller or processor and obviousness of that intention regarding offering goods and services to data subjects who are in the Union shall be used as criteria.

As for the monitoring of the behaviour of individuals who are in the Union, it relates to the cases, where, for example, processing of personal data is related to the monitoring of the behaviour of individuals on the Internet via technical resources (cookies, IP address) that analyse and predict the preferences, behaviour of individuals to do targeted advertising against them.

By means of the submitted table, you can check whether the Regulation is applicable to your organisation or not.