Page 1

About personal information
Law of the Republic of Azerbaijan
This Law relates to the collection, processing and protection of personal data
relations, personal data section of the national information space
formation, as well as cross-border transmission of personal data
regulates issues, state and local self-government operating in this area
defines the rights and responsibilities of bodies, legal entities and individuals.

Chapter I. General Provisions
Article 1. Purpose of the law
The main purpose of this Law is to collect, process and
legislative bases and general principles of protection, the state in this area
rules and requirements of regulation, information resources of personal data
formation, creation of information systems, provision of information and
transfer rules, rights, obligations and persons involved in this process
from defining the basis of responsibility, basic human and civil rights and
to protect their freedoms, including the right to privacy and family life
consists of doing.
Article 2. Basic concepts used in the law
2.1. The main concepts used in this Law have the following meanings:
2.1.1. personal information - directly or indirectly the identity of the person
any information that allows identification;
2.1.2. subject of personal data (hereinafter - the subject) - about the individual
information is collected, processed and protected, identified
or a designated individual;
2.1.3. personal data information system - defined by law
collection, processing and protection of personal data in the prescribed manner
providing information system;
2.1.4. information resources of personal data - defined by the legislation
in information systems of personal data in the established order and volume, as well as
information resources collected separately;
2.1.5. personal identification number - to personal data information systems
issued in the prescribed manner to the person whose personal information has been entered and
allowing unambiguous identification of relevant information about the person
single unique code;

Page 2

2.1.6. Personal data of a special category - race or nationality of the individual
affiliation, family life, religious beliefs and convictions, health or
information related to the conviction;
2.1.7. Collection of personal data - personal data about the subject
obtaining in accordance with the law in a documented manner;
2.1.8. processing of personal data - carried out on personal data
operations (writing, systematization, updating of personal data,
replacement, removal, anonymization, storage, transmission, destruction
making);
2.1.9. owner of personal data (hereinafter - the owner) information on personal data in the manner prescribed by law
the right of full ownership, use, disposal over the system or reserve
the state that determines the purpose of the processing of personal data and
or local self-government body, legal entity or individual;
2.1.10. personal data operator (hereinafter - the operator) - individual
an individual who collects, processes and protects data
the owner of the data or his functions to a certain extent and
state or local self-government body, legal or physical
person;
2.1.11. user of personal data (hereinafter - the user) - only himself
within the scope of its authority in order to obtain the information necessary for
from personal data in the manner and amount determined by the owner
state or local self-government body, legal or physical, granted the right to use
person;
2.1.12. Dissemination of personal data - mass information of personal data
means, as well as disclosure by information systems or personal data
allowing people to get acquainted in any other way;
2.1.13. transfer of personal data - personal data in accordance with the legislation
with material carriers or information on the basis of a request in the prescribed manner
presentation to users through technologies;
2.1.14. Prohibition of collection and processing of personal data suspension of any operation related to personal data;
2.1.15. anonymization of personal data - personal data, its
placing the subject in a situation that does not allow to identify him;
2.1.16. cross-border transmission of personal data - personal data
state of the Azerbaijan Republic in the order established by the legislation
international organizations related to the border, state or local of other countries
transfer to self-government bodies, legal entities or individuals;
2.1.17. destruction of personal data - individual in the information system
data deletion, the content of which can not be restored later

Page 3

conditioning or destruction of material carriers containing personal data
making.
2.2. Information, information technologies, information used in this Law
systems and resources, corporate information systems and other concepts
relations in the field of collection, processing and protection of information
in the meanings established by the laws of the Republic of Azerbaijan regulating
is used.
Article 3. Legislation of the Azerbaijan Republic in the field of personal data
3.1. Legislation in the field of personal data of the Republic of Azerbaijan
According to the Constitution, the Republic of Azerbaijan is an international party
agreements, this Law, as well as other normative legal acts.
3.2. Ensuring the national security of the Republic of Azerbaijan, as well as the rule of law
In order to make, carry out reconnaissance and counter-intelligence, operational-search activities
Collection and processing of personal data in connection with the conduct of state secrets
rules of protection of personal data made and collected in the national archive fund
It is determined by the relevant legislation of the Azerbaijan Republic.
3.3. The provisions of this Law apply exclusively to personal data by individuals
does not apply to collection and processing for personal and family needs.
Article 4. Basics of collection, processing and protection of personal data
principles
4.1. Formation of information resources of personal data, their information
The establishment of these systems is enshrined in the Constitution of the Republic of Azerbaijan
respect for fundamental human and civil rights and freedoms, the rule of law,
exercise in accordance with the principles of confidentiality, compulsory coordination of voluntariness
are hold.
4.2. Human life in the process of collecting, processing and protecting personal data
and a way to endanger his health and humiliate his honor and dignity
not given.

Chapter II. Categories of personal data, their collection,
regulation of development and protection
Article 5. Legal regime and protection of personal data
5.1. Personal data is protected from the moment it is collected and accessed (obtained) for this purpose
) are divided into confidential and open categories.
5.2. Confidential personal information complies with the requirements of the legislation
level owner, operator and users with access to this information
should be protected by. Confidential personal information is determined by law
may be transferred to third parties only with the consent of the subject, except as otherwise provided
can.

Page 4

5.3. Anonymized in the manner prescribed for the category of open personal data,
information declared open by the subject or created for public use
The system includes information about him entered with the consent of the subject. Of the person
first name, last name and patronymic are permanently open personal information. Open category individual
confidentiality of information is not required.
5.4. Special category information, their nature and Article 11.1 of this Law
subject to the requirements of the article, both confidential and open personal information
can be attributed to the category.
5.5. Personal data protection is provided by owners and operators
should be. In the field of collection, processing and protection of personal data
natural persons during the period of activity and after resignation
they must make a written commitment not to disclose the information.
5.6. Society in telecommunications, postal services, addresses and other areas
general purpose information systems for the purpose of paying for information provision
information provided by the subject on the basis of his written consent (name, surname, patronymic,
date and place of birth, sex, citizenship, phone number and e-mail address, residence
and location, specialty and place of work, type of activity, marital status, photo and
other information) can be included.
5.7. Personal data is accessed from open sources in public information systems
the content of the data entered by the operator of that information system and
inform the subject of the source of acquisition. This information is the subject, the court and
or from that information system at the written request of the relevant executive authority
should be removed without delay.
5.8. Owner or operator of personal data protection (including random
and unauthorized destruction, loss, unlawful interference, alteration, and
technical organization, which guarantees the prevention of other cases)
must take action.
5.9. Requirements for the protection of personal data of the relevant executive authority
is determined by.
5.10. Rules for archiving personal data of the Republic of Azerbaijan
determined by the relevant legislation.
Article 6. The state in the field of collection, processing and protection of personal data
basic forms of regulation
6.0. State in the field of collection, processing and protection of personal data
Regulatory measures include:
6.0.1. formation of the personal data section of the national information space
and ensuring its security, threats and protection in this area
level assessment;
6.0.2. legal bases of collection and processing of personal data
determination;

Page 5

6.0.3. key human and during the collection and processing of personal data
ensuring civil rights and freedoms;
6.0.4. activities for the collection and processing of personal data
licensing;
6.0.5. state registration of information systems of personal data
conducting;
6.0.6. information systems of personal data, as well as relevant information
certification of technology tools;
6.0.7. creation and application of personal data information systems
standardization of legal and technical documentation in the field;
6.0.8. information resources and systems of personal data and their
implementation of state examination of project documents;
6.0.9. interdepartmental personal data information systems
state regulation in the field of creation and management.

Chapter III. Subject rights
Article 7. Rights of the subject
7.1. The subject has the following rights:
7.1.1. availability of personal information about himself in the information system,
to obtain information about their owner or operator;
7.1.2. collection of personal information about himself in the information system,
require legal justification for its development and transfer to third parties
to collect, process and disclose this information to third parties
information on the legal consequences of the transfer for the subject
to buy;
7.1.3. personal data collected about himself in the information system
to get acquainted with the content;
7.1.4. collection of personal information about himself in the information system and
purpose of development, duration of development, methods, with its personal data
exchange of information, including persons authorized to get acquainted
to know the scope of the intended information systems;
7.1.5. an individual collected and processed in the information system about himself
clarification of information and cases specified by the legislation
except to demand the destruction of, as well as that information
to apply for transfer to the archive in accordance with the established procedure;
7.1.6. Prohibition of collection and processing of personal data about himself
to demand installation;

Page 6

7.1.7. an individual collected and processed in the information system about himself
get information about the sources of data acquisition, those
to demand proof of the legality of the information;
7.1.8. an individual collected and processed in the information system about himself
to require data protection;
7.1.9. information containing personal information collected and processed about him
Existence of the certificate of conformity of systems and the state examination
receive information on holding;
7.1.10. this Law and other normative legal acts of the Azerbaijan Republic
to exercise other rights defined by
7.2. The collection and processing of personal data is defined by law
except for the cases when it is obligatory in accordance with the established procedure
the right to object to the collection and processing of information about him
has. Submit the subject's objection in writing to the owner or operator
should be. Substantiation of the subject's objection is not required. Owner or
the collection of personal data provided by the operator upon receipt of such objection and
should stop processing immediately.
7.3. Collection and processing of personal data through information technology
if the decision taken as a result violates the interests of the subject, in accordance with the legislation
except for the cases when it is obligatory in accordance with the established procedure
the right to object to the collection and processing of information in such a manner
There are. Information technology of personal data of the owner or operator
In case of objection to the processing of information through the subject
obtain consent to the processing of other methods or postpone the processing of personal data
should stop without dropping.
7.4. Illegal collection and processing of personal data about the subject,
failure to ensure protection, as well as non-compliance with the requirements of this Law
in case of violation of his rights as a result, to the relevant executive authority and
or to sue, as well as moral and material damage inflicted on him
has the right to demand payment in court.
7.5. The subject shall transfer the rights specified in Articles 7.1-7.3 of this Law to the owner
or submit a written application and an identity document to the operator in paper format
or by submitting an electronic request with an enhanced electronic signature.

Chapter IV. Collection and processing of personal data
Article 8. Collection and processing of personal data about the subject
consent
8.1. Individual in accordance with the legislation of the Republic of Azerbaijan
except in cases of compulsory collection and processing of data
only the subject of the collection and processing of personal data about which person
electronic document with written, including amplified electronic signature, issued by
in the form of consent or on the basis of information provided by him in writing.

Page 7

8.2. The written consent for the processing of personal data of the subject includes the following
should be:
8.2.1. information allowing to identify the subject;
8.2.2. the identity of the owner or operator with the consent of the subject
information that allows to identify;
8.2.3. the purpose of collecting and processing personal data;
8.2.4. personal data approved for processing by the subject and
lists of their development operations;
8.2.5. the period of validity of the subject's consent and the conditions for its revocation;
8.2.6. defined in the relevant information system of personal data
after the expiration of the period of detention or after the death of the subject
The personal data collected about him is determined by the legislation
terms of destruction or archiving in the order.
8.3. In case of death of the subject, determined by the legislation of the Republic of Azerbaijan
When declared dead in the prescribed manner, unaccounted for missing, ability to act
to give his consent when he is deemed not to have, as well as when he has not reached the age of majority
in cases of inability to obtain the consent required by this Law
by one of the heirs, legal representatives, parents or guardians
is given.
8.4. Consent to the collection and processing of his personal data from the subject
It is the responsibility of the owner or operator to provide proof of receipt
falls on. Subject to the processing of personal data on deceased persons
if it is not prohibited in his / her health, such information shall be determined by legislation
can be processed.
8.5. An owner who collects and processes open personal data
or open personal data of that information at the request of the operator entity
must prove that it belongs to the category.
Article 9. Basic conditions for the collection and processing of personal data
9.1. The purpose of the collection and processing of personal data is the owner or
must be clearly stated by the operator, the collection and processing of that information
for these purposes, as well as the logistics and organization of the owner or operator
must be able to. Personal information is only legitimate, predetermined
shall be collected for the purposes stated and declared and in accordance with the stated purposes
methods should be developed.
9.2. The volume and nature of the personal data collected and processed are stated
must be in accordance with the purposes and powers of the owners.
9.3. Personal information must be accurate, complete and updated as necessary.

Page 8

9.4. When the objectives of collecting and processing personal data are achieved and
When necessary, their data are destroyed without delay
should be done.
9.5. Terms of collection and processing of personal data established by this Law
characterizing the biological features of the human body and its identity is unambiguous
information that allows you to identify as - fingerprints and palm prints, face
description, iris and retina of the eye, sound fragment and its acoustic parameters,
Results of deoxyribonucleic acid (DNA) analysis, body size, body specific
description of signs and defects, writing line and signature, as well as other biometric
applies to the collection and processing of data in full.
9.6. The collection and processing of personal data is only one of the following conditions
can be performed when:
9.6.1. the subject's consent to the collection and processing of personal data
or when this information is in the public category;
9.6.2. the purposes of their collection and processing of personal data and
when developed on the basis of the legislation defining the methods;
9.6.3. Their absolute personal data for scientific and statistical research purposes
when processed by anonymity;
9.6.4. the collection and processing of personal data in the life of the subject and
when necessary to maintain health.
9.7. For the collection and processing of special category data, the following cases
not allowed, except:
9.7.1. collection and processing of special category data by law
if it is obligatory in certain cases;
9.7.2. Special category information is provided in Article 5.3 of this Law
if it belongs to the category of open data in the prescribed manner;
9.7.3. collection and processing of special category data by the subject,
protection of life and health of another person or group of relevant persons
if necessary for and for the subject to obtain such information
if it is not possible to obtain consent;
9.7.4. relating to members of public associations and other non-profit organizations
those that collect and process special categories of data
in order to achieve their legitimate goals by organizations and third
if it is not given to a person without the consent of the subject.
9.8. A special category in cases provided for in Article 9.7 of this Law
those when the reasons for data collection and processing are eliminated
The data should be banned immediately, as it is the subject of a special category of data
consent to the storage or archiving of information in the information system
otherwise, this information must be destroyed without delay.

Page 9

9.9. The owner collects and processes personal data on a contractual basis,
to entrust the operator with the provision of protection of personal data or
has the right to act as an operator.
9.10. In public and corporate information systems on personal data
Personal data collected and processed may be provided to third parties on a paid basis
can. Personal data collected and processed in corporate information systems
Procedure for transfer to third parties on a paid basis by the relevant executive authority
is determined by.
9.11. Use of these systems in corporate information systems of personal data
Services are provided to eligible users.
9.12. Collection of personal data in information systems and resources,
processing, submission and execution of inquiries, registration and consideration of applications
results, as well as the management and protection of information systems
collection of transaction records in relevant control-audit journals
provided by the owner or operator.
9.13. Personal data received by the operator during scientific and statistical research
anonymize. State secret of the results of processing of anonymous data
protection of such information is a state secret
is carried out in accordance with the legislation of the Republic of Azerbaijan on
9.14. Formation of information resources of personal data and information
creation of systems, provision of services to them only in Azerbaijan
Implemented on the basis of a special agreement (license) in accordance with the legislation of the Republic
are hold.
Article 10. Duties of the owner and the operator
10.1. Responsibilities of the owner during the collection and processing of personal data
the legality and security of the collection and processing of personal data
consists of providing. Collection and processing of personal data, those
material and as a result of incomplete protection of data
moral damage and its amount is determined by the court, in the legislation
paid by the owner in the prescribed manner.
10.2. The operator during the collection and processing of personal data of the owner
in the performance of his duties, the duties established for the operator by this Law
applies to the owner.
10.3. The responsibilities of the operator are governed by this Law and the legislation of the Republic of Azerbaijan
the terms of the contract concluded between the operator and the owner in accordance with the requirements
is determined by.
10.4. The responsibilities of the operator in the collection and processing of personal data are individual
legality of data collection and processing, their security
to fulfill the conditions arising from the provision, as well as the contract concluded with the owner
consists of delivering.

Page 10

10.5. Operator in the manner prescribed by the legislation of the Republic of Azerbaijan
create conditions for intelligence and counter-intelligence, search operations,
resolve relevant organizational and technical issues and conduct these activities
must comply with the confidentiality of the methods used.
10.6. The owner is entrusted to him by this Law of the relevant executive authority
must comply with the requirements for the performance of duties and within 7 working days
must inform him in time.
Article 11. Features of personal data collection
11.1. Achieve development goals only from the owner or operator entity
has the right to receive personal information necessary for
11.2. When collecting personal data from the owner or operator, the subject must:
must state:
11.2.1. information identifying the owner or operator;
11.2.2. the purpose of the processing of personal data and the legal nature of that purpose
justification;
11.2.3. in the information system of personal data collected and processed
level of protection;
11.2.4. availability of state certificate of conformity of information systems and state
information on examination;
11.2.5. information, including intended users of personal data
the scope of the information system to be exchanged;
11.2.6. information on the rights of the subject established by this Law.
11.3. If the submission of personal data is required by law, the owner
or compulsory submission of personal data to the operator
provide information on the legal consequences of the refusal.
Article 12. Subject inquiry
12.1. The owner or operator provides information about him to the subject free of charge
as well as ensure the rights specified in Article 7.1 of this Law
should.
12.2. The subject has the rights specified in Articles 7.1.5 and 7.1.6 of this Law
to take the necessary measures when applying with a request in order to ensure
must submit relevant documents.
12.3. The subject informs the owner about the information collected and processed about him
or when the operator is approached with a request, the owner or operator at his request
should be considered by, executed in accordance with the subject of the request, in that information
personal information about other persons should not be reflected.

Page 11

12.4. No later than the date of receipt of the request by the owner or operator
Must respond within 7 working days to contact a third party
if necessary, the execution period of the request may be extended for another 7 working days.
12.5. In connection with personal data at the request of the owner or operator entity
necessary measures (clarification of information, collection and processing of information
prohibition, etc.) should be taken about those measures previously in respect of this subject
inform the third party to whom the personal data is transmitted within 3 working days.
12.6. Legislation on the execution of the request of the owner or operator entity
in case of refusal on the established grounds, 5 working days from the date of receipt of the request to the subject
must give a reasoned answer before passing.
Article 13. Provision of personal data
13.1. Except as provided in Article 8.3 of this Law
data by third parties to the owner or operator, as well as they
The transfer of personal data to any third party by the subject only in writing
allowed by consent.
13.2. Submission of personal data without the consent of the subject only in the following cases
allowed:
13.2.1. when personal information of open category is provided;
13.2.2. Confidential personal information from state or local governments
when and in connection with the performance of the duties entrusted to them by
defined by the legislation for personal data information systems
when the requirements are met;
13.2.3. protection of life and health of the subject
when necessary for its purposes and to obtain its consent without delay
if not possible.
13.3. Consent to the transfer of personal data may be revoked by the subject.
Withdrawal of the consent of the subject to the provision of personal data
from the moment it is known to the owner, operator and third parties
they must stop providing information immediately.
Article 14. Transboundary transfer of personal data
14.1. Transboundary transfer of personal data to the requirements established by this Law
in compliance with and taking into account the features specified in this Article
are hold.
14.2. Transboundary transmission of personal data is prohibited in the following cases:
14.2.1. Creating a threat to the national security of the Republic of Azerbaijan;
14.2.2. the legislation of the country where the personal data is transmitted
information is determined by the legislation of the Republic of Azerbaijan
if it does not provide legal protection at the level of.

Page 12

14.3. The subject agrees to the cross-border transmission of personal data, as well as personal
data transmission is necessary to protect the life and health of the subject
where there is cross-border transmission of personal data, their legal protection
can be implemented regardless of the level.
14.4. Security of this data during cross-border transmission of personal data
provided by the owner or operator.

Chapter V. Collection, processing and protection of personal data
state regulatory measures in the field
Article 15. Registration of information systems of personal data

15.1. Enforcement of this Law, including information systems of personal data
Relevant executive power of information systems existing before the entry into force
must be registered with the state body. Personal data information
state registration of systems and cancellation of state registration
The rules are approved by the relevant executive authority.
15.2. Except as provided in Article 3.2 of this Law
individual without state registration of the information information system
data collection and processing is not allowed.
15.3. From the state registration of the following personal data information system
not required to hold:
15.3.1. to the legislation of the Azerbaijan Republic on the state secret
information system of personal data related to state secrets accordingly;
15.3.2. relating to subjects having an employment relationship with the owner or operator
or personal information necessary for their release into the work area
information system;
15.3.3. determined by the relevant executive authority, individual
the maximum set for the purpose of data processing and the number of subjects
depending on the limit, in cases where state registration is not required
information systems of personal data created.
15.4. State registration of personal information information system written by the owner
is carried out within 1 month on the basis of the application. State of information systems
information system of personal data in the application for inclusion in the register
The following basic information is provided:
15.4.1. information identifying the owner;
15.4.2. legal bases of information system creation;
15.4.3. the purpose and intended methods of processing personal data;
15.4.4. categories of personal data processed in the information system;
15.4.5. categories of subjects;

Page 13

15.4.6. individual of the owner during the operation of the information system
general description of the measures undertaken in connection with data protection;
15.4.7. date of commencement of collection and processing of personal data;
15.4.8. circle of users of personal data;
15.4.9. control and audit of collection and processing of personal data
mechanisms;
15.4.10. other related information systems, information with those systems
methods of exchange and categories of information exchanged;
15.4.11. which can be shown to the population using information systems
scope of electronic services;
15.4.12. ensuring the rights of the subject specified in Article 7.1 of this Law
making rules;
15.4.13. an individual transferred across borders to other states, as well as to international organizations
data categories.
15.5. State registration of personal data information system
If there is a change in the information in the application, within 3 working days
must be notified in writing to the relevant executive authority.
15.6. When the state registration of the personal data information system is canceled, the same
information in the information system should be banned immediately and without delay
must be destroyed in accordance with the procedure established by the relevant executive authority.
Article 16. State register of information systems of personal data
16.1. Information submitted in accordance with Article 15.4 of this Law, individual
state registration or cancellation of state registration of information information system
information on making information by the relevant executive authority
should be included in the state register of systems.
16.2. Maintenance of the state register of information systems of personal data
rules are determined by the relevant executive authority.
Article 17. Relevant in the field of collection, processing and protection of personal data
powers of the executive authority
17.1. Information included in the state register of the relevant executive authority
This includes the collection, processing and protection of personal data in systems
Information on the requirements of the law, as well as data and methods of their processing
verifies the system's compliance with the stated objectives.
17.2. The relevant executive authority has the following rights:
17.2.1. in the performance of the duties assigned to him by this Law
to owners or operators in accordance with the legislation

Page 14

to make inquiries, as well as from state bodies, owners or
to receive necessary information from operators free of charge;
17.2.2. state registration of personal data information systems
information provided by the owner during the transfer, including information
to check the conformity of the systems to the project, in the prescribed manner
to organize the state examination of information systems;
17.2.3. dealing with the collection, processing and protection of personal data
requirements of this Law from state bodies, legal entities and individuals
to demand the elimination of violations;
17.2.4. in the field of collection, processing and protection of personal data
in the prescribed manner by persons who have violated the requirements of the relevant legislation
to take measures to bring to justice;
17.2.5. Other defined by the legislation of the Azerbaijan Republic
to exercise rights.
17.3. An individual obtained in the course of the activity of the relevant executive authority
ensure the confidentiality of information.
17.4. In connection with actions (inaction) of the relevant executive authority
An appeal may be filed in accordance with the legislation of the Republic of Azerbaijan
can.
Article 18. Section on personal data of the national information space
18.1. Formation of the section on personal data of the national information space,
use and development is carried out on the basis of a single scientific and technical concept.
18.2. In the national information space of information systems of personal data
interact in a sustainable and secure manner, and this
information in their collateral to prevent retail in the area
technologies and safety standards apply.
18.3. Separately distributed in the personal data section of the national information space
coordination of information about the same subject in information systems, in this area
individual identification to prevent fragmentation and duplication
number is applied. Individual data of individual owners and different purposes
integration of information systems and resources, defined by legislation
is not allowed, except in cases where
18.4. Enter personal identification number into personal data information systems
The rules of making and use by the relevant executive authority
is determined.
Article 19. Liability for violation of the legislation on personal data
Persons guilty of violating this Law of the Republic of Azerbaijan
are liable in accordance with the legislation.

Page 15

President of the Republic of Azerbaijan
Ilham Aliyev
Baku city, May 11, 2010
№ 998-IIIQ
Published in the "Azerbaijan" newspaper (June 6, 2010, № 121)
(«VneshExpertService» LLC).
Published in the Collection of Legislation of the Republic of Azerbaijan (June 30)
2010, № 6 (156), Article 480) (VneshExpertService LLC).

