
GENERAL DATA PROTECTION REGULATION (GDPR) AND ITS IMPLICATIONS ON AZERBAIJANI ORGANIZATIONS


The EU's General Data Protection Regulation (GDPR) comes into force this week. The GDPR is one of the important legal documents in data protection law and shall be applicable throughout the EU by the 25th of May 2018. It shall be directly applicable in all EU states, replacing the Data Protection Directive.
However, through its extra-territorial jurisdiction, the GDPR shall have an impact not only on the EU states but on all states in the world. The GDPR shall apply to all organizations that collect, control and/or process personal information (PI) of EU citizens, no matter where in the world these organizations are incorporated. In other words, the GDPR protects all PI of EU natural persons, such as name, address, ID numbers, web data (location, IP address, cookie data and RFID tags), biometric data, health and genetic data, racial or ethnic data, and political opinions or personal lifestyle preferences.

As the GDPR has extra-territorial jurisdiction, Azerbaijani organizations also have to be aware of its requirements and take the necessary measures in order to avoid legal obstacles. Organizations established in Azerbaijan that store or process PI about EU residents should therefore comply with the GDPR rules, even though they do not have a business establishment or presence in the EU. This means that, whether or not an Azerbaijani organization is incorporated in the EU, it should abide by the personal data protection rights of EU residents if it controls and/or processes such PI. Moreover, EU organizations that operate in the territory of Azerbaijan are also obliged to conform to the GDPR policy and requirements.

In order to act in accordance with the GDPR rules, all organizations, including Azerbaijani organizations, are required to obtain clear and simple consent for the collection, storage and processing of the PI of an EU resident. The purpose of such use must be clearly and simply explained in the consent form to the EU residents whose PI is used. In addition, it is one of the GDPR requirements that organizations obtain consent concerning children's PI only from the holders of parental responsibility.

However, such consent may be withdrawn at any time, if an organization decides to delete the information about this person. This requirement is directly linked to the rights of data subjects: strictly speaking, data subjects have the right to request access to review their PI and to receive the PI collected by organizations in a portable version, or to ask for their information to be deleted, to be forgotten, or to be corrected if there are any inaccuracies.

Azerbaijani organizations are therefore advised to implement the following measures in order to conform to the GDPR requirements:

- To prepare internal policies in accordance with the GDPR.
- To undertake a data flow analysis to determine whether any EU resident PI is being stored, controlled and/or processed in the organization's IT systems, websites and email lists.
- If there is any EU resident in the system, to obtain his/her consent to keep the personal data and use it for the purposes of marketing updates and email notifications related to any event.
- To implement advanced IT, web and technology solutions for the protection of PI and compliance with the GDPR requirements, and to safeguard the rights of EU data subjects (to be informed, to be reviewed, to be forgotten and to be corrected).
- To notify their customers and the data protection authority within 72 hours of first becoming aware of a breach which could jeopardize the protection of EU residents' PI.
- To remove all EU residents from the system if there is no reason to store their PI.
- To conduct relevant trainings on the policies and procedures prepared in accordance with the GDPR requirements.
- If needed, to appoint a Data Protection Officer (DPO).

Lastly, it is worth noting that, since the PI of EU residents is mostly stored in the IT systems of big organizations such as banks, insurance companies, oil and gas companies etc., these organizations shall have to ensure that their internal data protection policies and procedures are strictly in compliance with the GDPR rules.





















