Data & Privacy ยท Armenia
Data protection & privacy law in Armenia (2026)
Armenia shaded by its data & privacy status
Data protection in Armenia: comprehensive law, under Law of the Republic of Armenia on Personal Data Protection (ีี-49-ี, adopted 18 May 2015, as amended); supervised by the Personal Data Protection Agency (PDPA) under the Ministry of Justice.
Armenia has a comprehensive personal data protection law in force since 2015, substantially amended over subsequent years to align closer with GDPR principles and Convention 108+. The Personal Data Protection Agency (PDPA), a subdivision of the Ministry of Justice, serves as the supervisory authority with powers to investigate, fine, and order corrective measures. Armenia was the first state to ratify the modernised Council of Europe Convention 108+ in January 2022, and a further revised law entered into force on 9 August 2025 strengthening purpose limitation and pseudonymisation obligations.
Key points
The Law on Personal Data Protection (No. ีี-49-ี, 18 May 2015) is the principal instrument, covering collection, storage, use, transfer, and deletion of personal data by state bodies, legal entities, and individuals. A revised version entered into force 9 August 2025, introducing stricter purpose limitation, mandatory pseudonymisation for data used outside crime-prevention contexts, and enhanced notice obligations.
The Personal Data Protection Agency (PDPA), operating as a separate subdivision of the Ministry of Justice, is the appointed supervisory body (per Prime Minister Decision N 573-A, 3 July 2015). It maintains the registry of data processors, handles complaints, conducts inspections, and imposes administrative sanctions. It was recognised as a European national data protection authority by the European Conference of Data Protection Authorities in May 2016.
Armenia has been a Party to the Council of Europe Convention 108 since September 2012. On 25 January 2022, Armenia became the first country in the world to ratify the modernised Protocol amending Convention 108 (Convention 108+), reinforcing its commitment to internationally recognised data protection standards.
The law grants data subjects rights to access, rectify, and erase personal data. Controllers must process data lawfully, for specified purposes only, and collect no more data than necessary (proportionality/data minimisation). Consent is a primary lawful basis, and special categories of data (biometric, health, etc.) require PDPA notification before processing.
The PDPA initiated its first administrative enforcement action in 2023. Administrative fines currently range from 50,000 to 500,000 AMD (approximately USD 130-1,300), widely considered low. The agency is significantly under-resourced with only 7-8 staff, and strengthening its independence and enforcement capacity is flagged as a priority in the EU-Armenia CEPA Implementation Roadmap.
Armenia is not an EU member but has progressively aligned its data protection framework with GDPR principles through successive amendments, partly driven by its EU Comprehensive and Enhanced Partnership Agreement (CEPA). Remaining gaps identified include PDPA structural independence, adequacy of sanctions, and clarity of controller/processor distinctions. A draft Cybersecurity Law pending as of early 2025 may introduce additional data-security requirements.
Timeline - major decisions & events
Armenia's parliament enacted a dedicated Cybersecurity Law establishing mandatory standards for critical-infrastructure operators, incident-notification obligations, and a new autonomous Regulatory Authority for Information Systems. The law directly reinforces data-confidentiality and integrity obligations under the Personal Data Protection Law.
Ministry of High-Tech Industry of the Republic of Armenia โThe Personal Data Protection Agency published an updated list recognising 53 states as providing an adequate level of personal data protection, giving Armenian controllers a clear legal basis for cross-border data transfers to those countries.
Personal Data Protection Agency of Armenia โThe PDPA joined civil society organisations in formally opposing proposed amendments to the Law on Police that would have expanded police data-collection powers, finding the measures lacked necessity and proportionality analysis and offered insufficient oversight, a significant regulatory pushback on executive surveillance expansion.
Chambers Data Protection & Privacy 2025 โ Armenia โArmenia published a draft Law on Freedom of Information and Public Information as part of its Open Government Partnership 2022-24 Action Plan (commitment AM0046); civil-society criticism of regressions in access rights prompted the government to commit to a revised, standalone data-policy statute with targeted amendments to the Personal Data Protection Law.
Open Government Partnership โ Armenia Commitment AM0046 โArmenia became the first country to ratify the updated Council of Europe Convention 108+ in 2022 (16th overall), binding itself to GDPR-comparable standards including rules on algorithmic decision-making, data-breach notification, and profiling, a landmark step in alignment with EU data-protection norms.
Council of Europe โ Data Protection โArmenia's principal data-protection statute took effect, establishing GDPR-aligned principles (lawfulness, purpose limitation, data minimisation, security), creating the Personal Data Protection Agency under the Ministry of Justice, and granting data subjects rights of access, correction, and erasure.
Ministry of Justice of the Republic of Armenia โParliament adopted the new omnibus personal data law, replacing the obsolete 2002 statute. The law covers all processing by state bodies, local governments, organisations, and individuals, and was adopted to align Armenia's framework with modern international standards including Council of Europe requirements.
ARLIS โ Armenian Legal Information System โArmenia's ratification of Convention 108, the first binding international data-protection treaty, entered into force, integrating international obligations on automated personal-data processing into domestic law and laying the normative groundwork for the 2015 legislative overhaul.
Council of Europe โ Data Protection: Armenia โArmenia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ