Data protection & privacy laws in Armenia (2026)

The Law on Personal Data Protection (No. ՀՕ-49-Ն, 18 May 2015) is the principal instrument, covering collection, storage, use, transfer, and deletion of personal data by state bodies, legal entities, and individuals. A revised version entered into force 9 August 2025, introducing stricter purpose limitation, mandatory pseudonymisation for data used outside crime-prevention contexts, and enhanced notice obligations.

The Personal Data Protection Agency (PDPA), operating as a separate subdivision of the Ministry of Justice, is the appointed supervisory body (per Prime Minister Decision N 573-A, 3 July 2015). It maintains the registry of data processors, handles complaints, conducts inspections, and imposes administrative sanctions. It was recognised as a European national data protection authority by the European Conference of Data Protection Authorities in May 2016.

Armenia has been a Party to the Council of Europe Convention 108 since September 2012. On 25 January 2022, Armenia became the first country in the world to ratify the modernised Protocol amending Convention 108 (Convention 108+), reinforcing its commitment to internationally recognised data protection standards.

The law grants data subjects rights to access, rectify, and erase personal data. Controllers must process data lawfully, for specified purposes only, and collect no more data than necessary (proportionality/data minimisation). Consent is a primary lawful basis, and special categories of data (biometric, health, etc.) require PDPA notification before processing.

The PDPA initiated its first administrative enforcement action in 2023. Administrative fines currently range from 50,000 to 500,000 AMD (approximately USD 130–1,300), widely considered low. The agency is significantly under-resourced with only 7–8 staff, and strengthening its independence and enforcement capacity is flagged as a priority in the EU-Armenia CEPA Implementation Roadmap.

Armenia is not an EU member but has progressively aligned its data protection framework with GDPR principles through successive amendments, partly driven by its EU Comprehensive and Enhanced Partnership Agreement (CEPA). Remaining gaps identified include PDPA structural independence, adequacy of sanctions, and clarity of controller/processor distinctions. A draft Cybersecurity Law pending as of early 2025 may introduce additional data-security requirements.