Data & Privacy - San Marino

Law No. 171 of 21 December 2018 is the principal data-protection statute, replacing the earlier Law No. 70 of 23 May 1995. It establishes lawful bases for processing, data-subject rights, and obligations for controllers and processors, mirroring GDPR structure.

The Autorità Garante per la Protezione dei Dati Personali (Garante Privacy), headquartered at Scala Bonetti n. 2, San Marino, serves as the independent DPA with investigative, corrective, advisory, and authorisation powers, including the ability to impose processing bans and fines.

Law 171/2018 guarantees rights of access, rectification, erasure, restriction of processing, data portability, objection, and protection against solely automated decision-making including profiling — substantially equivalent to GDPR Chapter III rights.

San Marino deposited its instrument of ratification of the Protocol amending Convention 108 (Convention 108+) in November 2023, becoming the 31st State Party to the only globally binding treaty on personal-data protection.

San Marino has not received a formal EU adequacy decision under GDPR Article 45. Personal-data transfers from EU/EEA to San Marino therefore require alternative safeguards (e.g. standard contractual clauses). The European Commission's current adequacy list does not include San Marino as of 2026.

The Garante Privacy was admitted as a permanent member of the Conference of the European Data Protection Authorities on 10 May 2023, reflecting the alignment of San Marino's framework with European standards.