Collection of personal data: the issues of formulation and request of the consent of the subject of data : whether the regulations set forth in Articles 9 and 10 of the RA Law on Protection of Personal Data are sufficiently clear for the data subject to understand the purpose of and give his informed consent for processing his personal data

Abstract

Everyone shall have the right to protection of data concerning him or her. Everyone shall be free to give his or her consent, and most of all, everyone should be aware of what information he/she provides and the purpose for which he/she restricts the right to privacy. At first, the disclosure of personal data must have legal grounds about which the data subject must be informed. This ground can be either contractual in which case there is a mutual agreement on disclosing the data or provided by law, such as state security, public safety, the monetary interests of the State or the suppression of criminal offences, protecting the data subject or the rights and freedoms of others. However, in both cases, the data subject and data collector should be aware of the grounds on which the data can be collected. In this case, the law must be precise and give no grounds for ambiguity. Second, Personal data undergoing automatic processing shall be stored for specified and legitimate purposes and not used in a way incompatible with those purposes. The purpose of collecting information is stated in the notice, which enables the person to be aware of the purpose of providing the information. Taking into account the importance of the purpose of data collection, and the possibility of excluding personalization and possible contractual risks, the approach to law regulation should be different. For instance, if the agreement (purpose) does not need a wide scope of due diligence documents, there is no need to require such documents. The aforesaid statement can also be made for data minimization, as there is a considerable link between purpose limitation and data minimization. For instance, to reach the goal of the transaction the processor should require as minimal personal information as possible. That can be a good reason why, in a Bank, transactions for currency exchange, bank transfer, or lending a credit are treated in different ways. The data also should be accurate, both in a form and in value. The data subject should be aware of all third parties that might get the personal information not only while giving consent, but also should be notified about such transfers when some time has passed since giving consent. In that case, when there is a personal data change, the data subject can be obliged to notify about the change of outdated data. When there is no need to keep the personal data for achieving the purpose of data collection, the data collector has to erase the information or if the information is used for statistics or research makes it impossible to identification. Moreover, keeping extra information is expensive, as that information must be secured. Security measures for keeping the personal information should be defined in the Notification that shall be sent to data subject for getting confirmation. As the data subject should have the right to be informed about measures for his/her data protection. Finally, perhaps there is a need for updates among definitions mentioned by RA Law on Protection of Personal Data, as artificial intelligence is developing day by day, and there are new ways of communication and transactions. While defining such terms, it is crucial to follow up on the principles of data processing. Without such compliance, data collection can be qualified as not informed or not freely given.