
The Law of the Republic of Armenia “On Personal Data Protection” establishes the legal framework governing the processing of personal data and safeguards the rights of individuals (data subjects). It applies to all entities—state bodies, legal entities, and individuals—engaged in the collection and processing of personal data.
Personal data is broadly defined as any information that directly or indirectly identifies a natural person. Processing covers all operations involving such data, including collection, storage, use, transfer, and deletion, whether automated or not.
The Law is based on several core principles:
Processing is generally lawful where the data subject has provided consent, except in cases involving publicly available data or other legal grounds provided for by law. Consent must typically be obtained in written or electronic form.
Regulatory oversight is exercised by the Personal Data Protection Agency (PDPA), which must be notified in certain cases, including the processing of biometric or special category data (e.g., health, political views, or biometric identifiers).
Data subjects are granted key rights, including:
At the same time, data processors are subject to strict obligations, such as ensuring data security, maintaining confidentiality, implementing technical safeguards, and following proper data management practices.
While the Law does not clearly define its extraterritorial scope, it is generally understood that entities processing personal data in Armenia or transferring it abroad must comply with its requirements.
Armenia’s data protection regime is steadily aligning with international standards, requiring businesses—particularly in IT, digital, and fintech sectors—to implement robust compliance frameworks, including data governance policies, consent management, and cybersecurity measures.