EN
MENU
6 Shinararneri Street, Syunik region, Kapan, Armenia
BOOKING

Privacy policy

  • PROCESSING OF PERSONAL DATA

    PROCESSING OF PERSONAL DATA Article 8. Lawfulness of processing personal data 1. The processing of personal data shall be lawful, where: (1) the data have been processed in observance of the requirements of the law and the data subject has given his or her consent, except for cases directly provided for by this Law or other laws; or (2) the data being processed have been obtained from publicly available sources of personal data. Article 9. Data subject's consent 1. The data subject may give his or her consent in person or through the representative, where the power of attorney specifically provides for such a power. 2. The data being processed on the basis of consent shall be stored for the period objectively necessary for implementing the purposes of processing data or for the period prescribed by the consent. 3. The data subject shall have the right to withdraw his or her consent in cases and as prescribed by this Law, as well as other laws. 4. The data subject's consent shall be considered to be given and the processor shall have the right to process, where: (1) personal data are indicated in a document addressed to the processor and signed by the data subject, except for the cases when the document, by its content, is an objection against processing of personal data; (2) the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the purposes of operations prescribed by this Agreement; (3) the data subject, voluntarily, for use purposes, verbally transfers information on his or her personal data to the processor. 5. Personal data may be processed without the data subject's consent, where the processing of data is directly provided for by law. 6. The processor of personal data or the authorised person, for obtaining the data subject's written consent, shall notify the data subject of the intention to process the data. 7. The data subject shall give his or her consent in writing or electronically, validated by electronic digital signature; in case of an oral consent — by means of such reliable operations which will obviously attest the consent of the data subject on using the personal data. 8. The burden of proving the fact of obtaining data subject's consent and, in case of processing publicly available personal data, the fact that the data are publicly available shall lie upon the processor. 9. In case of incapacity or limited capacity of the data subject or of being a minor under the age of 16, consent for processing his or her personal data shall be given by a legal representative of the data subject. 10. In case of death of the data subject or declaring him or her dead by a judgement of the court, the consent to process his or her personal data shall be given by all legal heirs of the data subject, in case of not having heirs, the head of the community of the place of opening the succession, whereas in case of declaring him or her as missing, the trust manager of the property of the person declared as missing, where the data subject has not given such consent before that. 11. In case of death of the data subject, his or her personal data may be processed without consent, where data being processed are the name, gender, year, month and day of birth and death of the deceased person. In case of death of a figure in the fields of culture, arts, science, education, sport, religion and in other public field, data on his personal life may be processed without consent, where 50 years have elapsed from the day of death. Article 10. Notification to the data subject for obtaining consent to process personal data 1. The processor of personal data or the authorised person provided for in Article 14 of this Law shall, for obtaining the data subject's consent, notifies of the intention to process the data. 2. The notification shall include: (1) surname, name, patronymic of the data subject; (2) legal grounds and purpose of the processing of personal data; (3) list of personal data subject to processing; (4) list of operations to be performed upon personal data for which the subject's consent is requested; (5) scope of persons to whom personal data may be transferred; (6) name (surname, name, patronymic, position) of the processor or his or her representative requesting the data subject's consent and registered office or place of registration (actual residence); (7) information on requiring by the data subject rectification, destruction of personal data, terminating the processing of data or on carrying out other operation relating to the processing; (8) validity of the consent requested, as well as the procedure and consequences of withdrawing the consent. Article 11. Publicly available personal data 1. A regime of publicly available information of personal data (phone directories, address books, biographical directories, private announcements, declaration of income, etc.) may be established by the data subject's consent or in cases provided for by law. The name, surname, year, month and day of birth, place of birth, place of death, year, month and day of death, as well as the personal data which by conscious operations carried out by the data subject aimed at making publicly available becomes publicly available for certain scope of persons or public at large, shall be considered as publicly available. 2. Information on the data subject, except for information provided for by part 1 of this Article, may be removed from publicly available sources of personal data at the request of data subject or through judicial procedure. 3. The data being processed on the basis of an agreement may be removed from publicly available sources of personal data by mutual consent or through judicial procedure. Article 12. Characteristics for processing special category personal data 1. The processing of special category personal data without the person's consent shall be prohibited, except when the processing of data is directly provided for by law. 2. The processing of personal data provided for by part 1 of this Article shall immediately be terminated, where the grounds and purpose of processing of data were eliminated. Article 13. Characteristics for processing biometric personal data 1. Biometric personal data shall be processed only by the data subject's consent, except for cases provided for by law and where the purpose pursued by law is possible to implement only through processing of these biometric data. Article 14. Processing of personal data by authorised person assigned by processor of data 1. Personal data may also be processed by an authorised person assigned by the processor. 2. The assignment shall be in writing, which includes legal grounds and conditions for, purpose of the processing of personal data, the list of personal data subject to processing, the scope of data subjects, the scope of persons to whom personal data may be transferred, technical and organisational measures for the protection of personal data and other necessary information. 3. Personal data shall be processed only within the scope of the assignment. The processor of data shall be responsible for processing of personal data within scope of the assignment. Where the assignment does not comply with the requirements of the Law, the authorised person must inform in writing thereon to the processor of data and refuse the processing. 4. Personal data assigned by state administration or local self-government bodies, state or community institutions or organisations shall be processed in observance of the requirements of this Law. 5. Characteristics for processing personal data by the authorised person may be prescribed by other laws or by agreements concluded between the processor of data and authorised person, which may not affect the rights and responsibilities of other persons.

  • RESPONSIBILITIES OF PROCESSOR OF PERSONAL DATA

    RESPONSIBILITIES OF PROCESSOR OF PERSONAL DATA Article 18. Responsibilities of processor of personal data in the course of collecting personal data 1. In the course of processing personal data the processor shall be obliged to provide information provided for by Article 15 of this Law to the data subject at the request of the data subject. 2. In case of incomplete, inaccurate, outdated, unlawfully obtained personal data or those unnecessary for achieving the purposes of the processing, the processor of personal data shall be obliged to carry out necessary operations for making them complete, keeping up to date, rectifying or destructing. 3. The processor shall be obliged to explain to the data subject in writing the consequences for failure to provide personal data, including the rights of personal data subject. 4. Where the personal data have been obtained not from the data subject, except for cases provided for by law, as well as publicly available data, the processor, before processing such personal data, shall be obliged to provide the data subject with the following information: (1) name (surname, name, patronymic) of the processor or his or her authorised person (if any) and registered office or place of registration (actual residence); (2) purpose and the legal ground for processing personal data, the list of data being processed; (3) scope of potential users of personal data; (4) rights of the data subject prescribed by this Law. Article 19. Security measures for processing personal data and responsibilities of processor 1. The processor shall be obliged to destruct or block personal data that are not necessary for achieving the legitimate purpose. 2. In the course of processing personal data the processor shall be obliged to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorised access to information systems, unlawful use, recording, destructing, altering, blocking, copying, disseminating personal data and other interference. 3. The processor shall be obliged to prevent the access of appropriate technologies for processing personal data for persons not having a right thereto and ensure that only data, subject to processing by him or her, are accessed by the lawful user of these systems and the data which are allowed to be used. 4. The requirements for ensuring security of processing of personal data in information systems, the requirements for tangible media of biometric personal data and technologies for storage of these personal data out of information systems shall be prescribed by the Decision of the Government of the Republic of Armenia. 5. In case other body exercising control is prescribed by law, this body, within the scope of powers reserved to it by law, may prescribe higher requirements other than that provided for by part 4 of this Article, prescribed by the Decision of the Government of the Republic of Armenia. 6. Use and storage of biometric personal data out of information systems may be carried out only through such tangible media, application of such technologies or forms, which ensure the protection of these data from the unauthorised access thereof, unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc. 7. Processors of personal data or other persons provided for by this Law shall be obliged to maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing thereof. 8. The control over the fulfilment of the requirements of this Article shall be exercised by the authorised body for the protection of personal data without the right to process personal data being processed in the information systems. 9. Legal persons processing personal data, for having recognised electronic systems for processing of personal data under their possession as having an adequate level of protection and including them in the register, may apply to the authorised body for the protection of personal data. Article 20. Responsibilities of processor of personal data in cases of written request of data subject or authorised body, familiarisation with personal data, revelation of violations by processor or authorised person 1. The processor shall be obliged to provide information to the data subject and authorised body as prescribed by Article 15 of this Law on the availability of personal data on the data subject, or to provide an opportunity to get familiarised with them within five working days upon receipt of the written request. 2. The processor shall be obliged to inform the data subject on the destruction of personal data within three working days upon destruction. The processor shall be obliged to provide an opportunity to the data subject to get familiarised with personal data relating to the data subject free of charge. In case personal data of the data subject is not complete or accurate or outdated or has been obtained unlawfully or is not necessary for achieving the purposes of the processing, the processor shall — after it is revealed by the processor or the authorised person or an application is received from the data subject or legal representative (or authorised person) — be obliged to immediately or, where there is no such an opportunity, within three working days, carry out necessary operations for completing, updating, rectifying, blocking or destructing them. 3. The processor shall be obliged to provide — on the basis of the written request of the authorised body for the protection of personal data — information necessary for the activities thereof within five working days upon receipt of the request. 4. Where the provision, rectification, blocking or destruction of personal data of the data subject on the basis of the written request of the data subject is rejected, the processor shall be obliged to provide the data subject and the authorised body — within five days following the receipt of the request — with a written reasoned decision by making a reference to the provisions of the Law which served as a ground for delivering a decision. 5. Where the authorised body considers the grounds for rejecting the provision, rectification, blocking or destruction of personal data unjustified, the processor shall be obliged to immediately provide, rectify, block or destruct personal data of the data subject or appeal the decision of the authorised body through judicial procedure. Article 21. Responsibilities of processor while eliminating violations of legislation committed in the course of processing personal data, rectifying, blocking or destructing personal data 1. In case the reliability or lawfulness of processing of personal data are challenged on the basis of the request of the data subject or the authorised body for the protection of personal data, the processor shall be obliged to block personal data concerning the data subject upon receipt of the request until the completion of control activities. 2. In case it is confirmed that personal data are inaccurate the processor shall be obliged to rectify personal data and unblock them on the basis of documents or other necessary documents submitted by the data subject or the authorised body for the protection of personal data. 3. In case unlawful operations performed upon personal data are revealed, the processor shall be obliged to immediately, but not later than within three working days eliminate the committed violations. In case it is impossible to eliminate the violations, the processor shall be obliged to immediately destruct personal data. The processor shall be obliged to inform the data subject or his or her representative on the elimination of violations or the destruction of personal data within three working days, and where the request is received from the authorised body for the protection of personal data — also this body. 4. In case of outflow of personal data from electronic systems the processor shall be obliged to immediately publish an announcement thereon, meanwhile reporting on the outflow the Police of the Republic of Armenia and authorised body for the protection of personal data. 5. In case the purpose of the processing of personal data is achieved, the processor shall be obliged to immediately terminate the processing of data, unless otherwise provided for by law. 6. In case of withdrawal of the data subject's consent given in writing, validated by signature, or electronically, validated by electronic digital signature, the processor shall be obliged to terminate the processing of personal data and destruct the data within ten working days following the receipt of the withdrawal, unless otherwise provided for by mutual consent of the data subject and the processor or by law. The processor shall be obliged to inform the data subject on the destruction of personal data within three working days upon destruction. Article 22. Procedure for exercise powers of authorised body through other body exercising control 1. In case other body exercising control is prescribed by law, this body exercising control shall provide the authorised body with the opinion on recognising electronic systems for processing of personal data of legal persons as having an adequate level of protection. 2. In case other body exercising control is prescribed by law, the authorised body shall transfer the applications on the protection of personal data, as well as information on the protection of personal data. 3. Other body exercising control shall, within the short time limit, forward its decisions delivered in the field of personal data protection or information on operations carried out for the protection of personal data to the authorised body. 4. Decisions, actions and inaction of other body exercising control may be appealed through judicial procedure. Article 23. Notification to the authorised body of processing of personal data 1. The processor, prior to the processing of personal data, shall have the right to notify the authorised body for the protection of personal data of the intention to process data. 2. At the request of the authorised body the processor shall be obliged to send notification to the authorised body. 3. The processor, prior to the processing of biometric or special category personal data, shall be obliged to notify the authorised body for the protection of personal data of the intention to process data. 4. The notification shall include the following information: (1) name (surname, name, patronymic) of the processor or his or her authorised person (if any), registered office or place of registration (actual residence); (2) purpose and legal grounds for processing personal data; (3) scope of personal data; (4) scope of data subjects; (5) list of operations performed upon personal data, general description of the ways of processing personal data by the processor; (6) description of measures which the processor is obliged to undertake for ensuring security of processing personal data; (7) date of starting the processing of personal data; (8) time limits and conditions for completing the processing of personal data. 5. The authorised body for the protection of personal data shall enter the information provided for by part 2 of this Article, as well as the information on the date of sending the given notification into the register of processors within thirty days following the receipt of the given notification. 6. Expenses related to the consideration of the notification on processing personal data by the authorised body for the protection of personal data, as well as to the entry of information into the register of processors may not be imposed on the processor. 7. In case when information submitted by the processor, provided for by part 2 of this Article, is incomplete or inaccurate, the authorised body for the protection of personal data shall have the right to require the processor to specify the submitted information prior to its entry into the register of processors. 8. In case of change of information provided for by part 2 of this Article, the processor shall be obliged to notify the authorised body for the protection of personal data of changes within ten working days after the changes are made

  • RIGHTS OF DATA SUBJECTՏ

    RIGHTS OF DATA SUBJECT Article 15. Right of data subject to information on his or her personal data 1. The data subject shall have the right to information on his or her personal data, processing of data, grounds and purposes for processing, processor of data, the registered office thereof, as well as the scope of persons to whom personal data may be transferred. 2. The data subject shall have the right to get familiarised with his or her personal data, require from the processor to rectify, block or destruct his or her personal data, where the personal data are not complete or accurate or are outdated or has been obtained unlawfully or are not necessary for achieving the purposes of the processing. 3. In case of doubts with regard to the rectification, blocking or destruction of personal data by the processor, the data subject shall have the right to apply to the authorised body for the protection of personal data to make clear the fact of his or her personal data being rectified, blocked or destructed and by the request to be provided with information. 4. Information on personal data shall be provided by the processor to the data subject in an accessible manner and must not contain personal data on other data subject. 5. Data subject shall be provided with personal data based on a written request of the data subject or a representative acting by virtue of a power of attorney, or of a legal representative. The request may be filed electronically validated by an electronic digital signature. 6. The data subject shall have the right to information on the processing of his or her personal data, including on: (1) confirming the fact of processing personal data and on the purpose of the processing; (2) ways of processing personal data; (3) subjects to whom personal data have been provided or may be provided; (4) list of personal data being processed and the source from which it has been obtained; (5) time limits for processing personal data; (6) potential legal consequences for the data subject due to processing personal data. 7. Information shall be provided to the data subject free of charge, unless otherwise provided for by law. Article 16. Rights of data subject when delivering decisions based on processing personal data 1. It shall be prohibited to deliver decisions not stemming from the purposes of processing personal data, which give rise to legal consequences for the data subject or otherwise affect his or her rights and legitimate interests, except for cases provided for by part 2 of this Article. 2. Decisions giving rise to legal consequences for the data subject or otherwise affecting his or her rights and legitimate interests based on processing of personal data may be delivered by the data subject's consent or in cases provided for by law. Article 17. Right to appeal actions or inaction of processor 1. Where the data subject considers that the processing of his or her personal data is carried out in violation of the requirements of this Law or otherwise violates his or her rights and freedoms, he or she shall have the right to appeal actions or inaction of the processor before an authorised state body for the protection of personal data or through judicial procedure. 2. The data subject shall have the right to compensation of damage as prescribed by law.