General Protection of Personal Data and Privacy

While the roots of the constitutional right to personal data protection can be found in Article 34 of the Constitution of the Republic of Armenia, the primary regulation governing data protection in Armenia is the Law on Personal Data Protection of 2015 (Data Protection Law), which regulates the collection, processing, storage, transfer, and protection of personal data to safeguard individuals’ rights and freedoms. The law broadly defines personal data to extend to any and all data that may be used to identify an individual directly or indirectly. Special types of personal data, such as biometric or sensitive data, are subject to heightened processing requirements.

Although the main law governing data protection in Armenia is the Data Protection Law, other laws regulate personal data that constitute a state, banking, notarial, attorney-client, or insurance secrecy, as well as data used in activities related to national security or defence, the fight against money laundering and terrorism, operational-investigative activities, or judicial proceedings.

Armenia is a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and its amending protocol. Armenia has also ratified the European Convention on Human Rights (ECHR), particularly Article 8, which guarantees the right to respect for private and family life. Several constitutional provisions reinforce privacy rights, including Article 31 (private and family life), Article 32 (privacy of home), and Article 33 (freedom and confidentiality of correspondence).

Article 5(3) of the Constitution regulates the interplay between national and international instruments, with ratified international treaties superseding national law when controversial. Given its unitary state structure, Armenia’s regulatory landscape is centralised, unlike federal systems like the US or supranational frameworks like the EU. Armenia is not an EU member; thus, the GDPR does not apply directly but has heavily influenced the Armenian legal framework regarding data protection and privacy.

Sectoral Laws

In addition to the Data Protection Law that outlines the key principles of data protection and processing, several sectoral laws contain specific obligations to ensure the adequacy of data protection in their respective sectors. Such sectoral laws have been outlined below.

• Law on Medical Care and Services to the Population: This law regulates the particularities of processing and protecting patients’ personal data.
• Law on Electronic Communications: Obligates operators and service providers operating in the sphere of electronic communication to keep the personal data of their clients confidential except for cases provided by law, namely in cases of calls (communications) made to the emergency response services – 112 (911), fire service 101, Police of the Republic of Armenia 102, and ambulance 103.
• Law on Advocacy: Ensures the secrecy of attorney-client privilege, including in cases where such privilege involves personal data.
• Law on Freedom of Information: Regulates the process of providing and receiving information, as well as the limitations on such process based on grounds related to breach of privacy, among other things. 
• Law on Banking Secrecy: Regulates protection of personal data deemed banking secrecy under Armenian law.
• Law on Circulation of Credit Information and Activities of Credit Bureaus: Aims to ensure protection and regulating the processing of personal data by credit bureaus.
• Law on Insurance and Insurance Activity: Requires Insurance companies to include provisions in their codes of conduct regarding the procedure for the retention and secure use of customers’ personal data.
• Law on Combating Money Laundering and Terrorism Financing: Regulates the retention and reporting of personal data by certain financial institutions, notaries, and advocates in connection with combating money laundering and terrorism financing.
• Labor Code: Provides the general framework for processing and protecting employees’ personal data.
• Code on Administrative Offenses: Regulates liability for violating the requirements of the Data Protection Law, where such violations do not contain criminal offences.
• Criminal Code: Sets out the crimes related to privacy and data protection violations, namely breaching the privacy of personal and family life, publishing medical secrets, violating the confidentiality of correspondence, telephone conversations, and other forms of communication, violating the inviolability of the home, and refusing to provide information to a person. This Code contains further regulations on computer crimes that deal with computer data. Computer data may include personal data, making these regulations applicable to personal data.

Key Regulators in Armenia

PDPA

In Armenia, the primary regulator for data protection is the Personal Data Protection Agency (PDPA), supported by other bodies that play complementary roles in specific sectors. Data Protection Law outlines the following powers of the PDPA, among others:

• conduct inspections on its own initiative or based on submitted requests to assess compliance with data protection requirements;
• impose administrative penalties in cases of violations, as prescribed by law;
• order the blocking, suspension, or termination of personal data processing that breaches legal requirements;
• require data controllers to rectify, amend, block, or destroy personal data when legal grounds exist;
• prohibit personal data processing, partially or fully, following the review of notifications from data controllers;
• maintain a register of personal data controllers;
• recognise electronic systems of legal entities as ensuring adequate data protection and include them in the official register;
• inspect data processing devices, documentation, data records, and software used in processing;
• review complaints from individuals regarding data processing and issue decisions within its mandate; and
• refer suspected criminal violations uncovered during its operations to law enforcement authorities.

Other regulators

The Data Protection Law provides that where another authority is designated by legislation to supervise personal data processing in specific sectors, that authority shall exercise its powers in accordance with the procedures established by the Data Protection Law. This provision was originally introduced to enable the Central Bank of Armenia (CBA) to oversee personal data protection within the financial sector, particularly banking secrecy.

In practice, the CBA has relied on its own regulatory framework to handle data breaches within the financial sector. Consequently, it does not function as a personal data regulator concerning banking secrecy, as the CBA has not enacted the procedural requirements established by the Data Protection Law. Currently, in the event of data breaches, the CBA notifies the PDPA to manage the situation.

Separately, the Competition Protection Commission (CPC) has, in a limited number of cases, acted on issues involving the use of personal data – particularly where data was used for advertising purposes. Nevertheless, the CPC approached these matters through the lens of unfair competition rather than addressing them as standalone violations of data protection law.

Administrative Proceedings under the Data Protection Law

Administrative proceedings for violations of the Data Protection Law are primarily initiated by the PDPA within the scope of its authority to monitor compliance and enforce the legal requirements governing the processing of personal data.

The PDPA is empowered to verify compliance with data protection legislation either on its own initiative or in response to a submitted application. Where violations are identified, the PDPA may impose administrative sanctions in accordance with the law. These enforcement powers are exercised within the framework of formal administrative proceedings.

Individuals who believe their right to personal data protection has been infringed – for example, if their data has been processed unlawfully, without their consent or legal basis – may file an application with the PDPA to initiate an administrative review.

In addition, public organisations or individuals may report suspected violations of personal data protection to the PDPA, affecting an indeterminate group of persons or the general public. The PDPA may also independently identify such violations during its research or analytical activities. In such cases, where no specific individual is the subject of the breach, the PDPA may initiate administrative proceedings ex officio.

Sanctions for Violations of Data Protection Law

The Code on Administrative Offenses outlines administrative fines for violations of various personal data protection rules under Armenian law. These include unlawful collection, processing, use, or transfer of personal data; failure to provide required information to data subjects; not notifying the authorised body; lack of encryption; and failure to ensure data security. Fines range from AMD50,000 (approximately USD128) to AMD500,000 (approximately USD1280), depending on the violation. However, individuals may be exempt from liability if they eliminate the violation within a set period and provide proof to the authorised body before a decision is made.

The GDPR establishes a robust enforcement regime, authorising administrative fines of up to EUR20 million or 4% of global annual turnover, whichever is higher. In contrast, Armenia’s Code on Administrative Offenses imposes significantly lower fines, typically ranging from AMD50,000 to AMD500,000 (approximately USD130 to USD1,300). Moreover, the Armenian framework includes an exemption mechanism allowing individuals to avoid penalties if they rectify violations before final adjudication.

Armenia’s Criminal Code provides additional sanctions for more serious offences involving criminal conduct. It criminalises acts such as breaches of communication confidentiality, violations of medical secrecy, and certain computer crimes involving personal data. However, the penalties prescribed – even in the criminal context – are generally modest. Typically, fines are set at 20 times the average monthly salary for natural persons and at 20% of the gross annual income for legal entities, calculated based on the year preceding the offence. Enforcement has also been limited, with few recorded prosecutions for data breaches to date.

Overall, compared to the GDPR, Armenia’s enforcement regime appears relatively weak, both in terms of deterrent capacity and practical implementation.

Notable Administrative Proceedings

While detailed information on the administrative proceedings undertaken by the PDPA is not publicly accessible, general inferences on notable cases can be drawn from the PDPA’s annual reports.

According to the 2016 report, several significant cases involved the use of video surveillance in schools. The PDPA identified violations where surveillance was conducted without a clearly defined purpose or where the volume of data collected was disproportionate to the intended purpose. Additionally, the absence of adequate warning signs was considered a breach of applicable data protection principles. Another case from the same period involved video surveillance in paid parking areas, where the collected footage could identify individuals or license plates. The PDPA required that image quality be reduced to avoid the unnecessary collection of personally identifiable information.

The 2019 report highlighted the PDPA’s focus on the lawfulness of mass media processing of personal data. The agency stressed that when processing or publishing personal data, especially regarding an individual’s private or family life, media outlets and journalists must clearly define the purpose and evaluate whether a legitimate public interest exists to justify the limitation of the right to privacy. In this context, the PDPA also addressed the right to be forgotten, recommending the establishment of self-regulatory mechanisms. These would allow individuals, upon request, to limit or disable access to content infringing on their private life once the original purpose of publication has been fulfilled, especially on platforms under the media outlet’s control.

Notably, the 2023 annual report marked a turning point, as the PDPA initiated its first administrative proceedings that resulted in the imposition of administrative fines.

It is important to note that in most cases where PDPA’s administrative acts were challenged in court, the courts eventually annulled those acts.

Regulation of AI in Armenia

Armenia has not yet implemented comprehensive legislation specifically regulating artificial intelligence. However, the country has recognised AI’s transformative potential and has signalled its intention to sign the Council of Europe’s Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law, the first multilateral treaty focused on artificial intelligence. In December 2024, the Government of Armenia passed a resolution to approve the signing of the Convention and instruct the Minister of Foreign Affairs of the Republic of Armenia to organise the signing of the international agreement.

Armenia is a signatory to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and the Protocol, amending it to harmonise its legal framework to European standards. This is especially relevant in the context of Armenia’s commitments under the Comprehensive and Enhanced Partnership Agreement (CEPA) with the EU.

Despite these international commitments, Armenia’s current domestic legal framework – particularly the Data Protection Law – contains no provisions specifically tailored to the regulation of AI-related data processing. The existing safeguards were not designed with AI systems in mind and, therefore, provide only indirect protection in AI contexts.

General safeguards under the Data Protection Law include the following.

• Lawful basis for processing: The processing of personal data requires the data subject’s consent unless justified by other legal grounds.
• Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and must not be processed further in ways incompatible with those purposes.
• Data subject rights: Individuals have the right to access, rectify, block, or delete their personal data.
• Data security: Data controllers and processors are required to implement appropriate security measures, including encryption, to protect personal data from unauthorised access, alteration, disclosure, or destruction.

A crucial interpretive development came from the Armenian Court of Cassation in 2012, which held that the source of information under Armenian law must be a natural or legal person. This precedent has significantly limited the applicability of the Armenian regulatory framework to AI-generated content or machine-led data operations, as AI systems themselves do not fall within these categories.

While binding regulation is lacking, AI-related practices are partially addressed through secondary norms and soft law instruments. For instance, the Media Ethics Observatory of Armenia has adopted the Code of Ethics of Armenian Media and Journalists, signed by 91 media outlets. The Code includes a provision stating that editors and journalists must avoid disclosing anonymous sources and sensitive personal data when using AI tools.

To date, no sector-specific or binding legislative measures provide detailed regulation of AI systems in Armenia.

Please refer to 1.5 Regulation of AI in Armenia.

Recent Trends in Privacy Litigation in Armenia

A notable recent trend in privacy litigation in Armenia has emerged from the increased enforcement activity of the PDPA, particularly with respect to the imposition of administrative fines on data controllers and processors. The first such enforcement case was initiated in 2023, marking a significant shift in the PDPA’s enforcement strategy.

Prior to 2023, domestic litigation involving the PDPA primarily focused on challenges to the agency’s assessments of the lawfulness of data processing by both private and public entities. However, the cases initiated in 2023 represent a new phase in the litigation landscape, as they directly challenge the PDPA’s decisions to impose administrative sanctions. These proceedings remain in their early stages, and as of April 2025, no final judgments have been issued, and no major developments have been recorded.

Impact of Supranational and International Developments on Domestic Litigation

Although Armenia is not a member of the European Union, and the jurisprudence of the Court of Justice of the European Union (CJEU) is not binding, CJEU case law under the GDPR – particularly Articles 82 and 83 – may offer persuasive authority for Armenian courts interpreting similar provisions under domestic law. However, the practical influence of CJEU decisions remains limited, given the absence of direct legal effect.

In contrast, the European Court of Human Rights (ECtHR) plays a direct and significant role in shaping Armenia’s legal landscape. As a signatory to the European Convention on Human Rights, Armenia is obliged to comply with ECtHR judgments, including those concerning Article 8 of the Convention (right to respect for private and family life), which often serves as the legal basis for privacy-related complaints.

Where the ECtHR finds a violation of Convention rights by Armenia, the resulting enforcement mechanisms may include:

• individual measures, such as compensation payment, reopening criminal or administrative proceedings, or deletion of unlawfully obtained data; and
• general measures may involve amending legislation, reforming institutional practices, or implementing systemic safeguards to prevent similar violations.

Under Armenian law, ECtHR judgments, unilateral declarations, and friendly settlements may serve as grounds for reopening criminal, civil, and administrative proceedings.

The most recent example of an ECtHR judgment against Armenia is the Minasyan and Others v Armenia judgment, delivered on 7 April 2025, where the ECtHR found violations of privacy rights due to the failure of Armenian authorities to carry out their positive obligations under Article 8 of the European Convention.

As of April 2025, Armenia does not yet have a substantial body of privacy-related case law comparable to that of the European Union, particularly the jurisprudence of the Court of Justice of the European Union (CJEU) under the General Data Protection Regulation (GDPR) – notably Article 82 (right to compensation and liability) and Article 83 (general conditions for imposing administrative fines).

The limited development of privacy litigation in Armenia is partly attributable to the fact that many data controllers and processors operating in Armenia are foreign entities without a local presence. This creates significant challenges in establishing personal jurisdiction over potential defendants under Armenian law. As a result, legal recourse against these entities within Armenia is often procedurally unfeasible.

This jurisdictional gap has become particularly relevant in light of digital security concerns. For example, the Media Diversity Institute has reported that Armenia has been the target of state-sponsored cyberattacks, including the use of NSO Group’s Pegasus spyware in 2020. Such incidents raise serious privacy and data protection issues but remain largely unaddressed through domestic litigation.

In response, Armenian data subjects whose rights have allegedly been violated often pursue legal remedies abroad. Several cases involving Armenian claimants have reportedly been initiated in UK courts, particularly in London. However, these cases are relatively recent, and as of now, no significant rulings have emerged that would shape or influence privacy law in Armenia.

Collective Redress Mechanisms in Armenia

In Armenia, collective redress mechanisms – particularly in the context of data protection and privacy – remain underdeveloped and are not formally institutionalised, in contrast to the frameworks established in EU member states under the Representative Actions Directive (Directive (EU) 2020/1828).

Currently, the PDPA allows public organisations or individuals to report suspected violations of data protection law, including those affecting an indeterminate group of people or the general public. However, this reporting mechanism does not amount to a formal collective redress procedure, and neither administrative nor judicial mechanisms currently support structured group claims in the field of data protection.

That said, Armenian civil procedure explicitly permits class actions. Under the applicable legal framework, a group of 20 or more plaintiffs may bring a joint lawsuit against the same defendant, provided the claims arise from the same cause of action. While this creates a theoretical basis for collective redress, including in cases involving data breaches or privacy violations, such claims remain largely untested in practice.

The absence of procedural mechanisms tailored specifically to data protection claims contributes to the limited use of class actions in this domain.

In Armenia, there is currently no dedicated law specifically regulating the Internet of Things (IoT), largely due to its relatively limited use in the country. Although the Data Protection Law does not explicitly reference IoT, its provisions apply to any processing of personal data, including data collected and processed by IoT devices and services.

The general rights and obligations of data holders and data processing services under Armenian law are outlined below.

• Consent: Prior to processing, data controllers must obtain informed consent from data subjects, specifying the purpose, scope, and duration of processing, unless other lawful grounds exist under law, or the data is obtained from publicly accessible sources.
• Notification: Controllers intending to process biometric or special category personal data must notify the PDPA, which also requires notification upon request. 
• Security Measures: Data holders and data processing services must implement appropriate safeguards to protect personal data, including encryption and access controls, as appropriate.
• Data Minimisation: Ensure that only data necessary for the specified purpose is collected and processed by erasing or blocking personal data that is not necessary to achieve the lawful purpose of processing.

Although Armenia’s current data protection law does not specifically address IoT technologies, the general data protection principles continue to apply. However, unlike international frameworks such as the EU’s Data Act, which clearly outlines the rights and obligations of users, data holders, and data processors in the context of connected products or services, Armenia’s regulatory framework does not provide precise allocations of responsibility between data holders and data processing services.

The Data Protection Law establishes conditions for the lawful processing of personal data. Particularly, the processing of personal data is lawful if:

• the data are processed in compliance with the requirements of the law, and the data subject has given their consent, except for cases directly provided for by this Law or other laws; or
• the processed data have been obtained from publicly accessible sources of personal data.

Further, the Data Protection Law regulates the principles of data processing.

• Lawfulness: Data processing must comply with legal requirements and not be used for purposes other than the lawful and specific purpose of processing without the data subject’s consent.
• Proportionality: Only the minimum necessary data should be processed, prohibiting unnecessary collection.
• Reliability: Data must be authentic, complete, concise, clear, and up to date.
• Minimum Engagement: If state and municipal authorities can access data subjects’ personal data via electronic systems, no action is required from data subjects to provide such personal data.

Data subjects have robust rights under the Data Protection Law, including:

• accessing their personal data;
• requesting rectification, blocking, and destroying incomplete, outdated, unlawfully acquired, or unnecessary personal data;
• receiving information on the purpose of their data processing, methods of processing, source of acquiring the personal data, and scope of persons to whom the personal data has been or can be transferred; and
• challenging the actions and decisions of processors and controllers before the PDPA or a court if the data subjects believe such processing breaches the law or their rights and freedoms.

Additionally, Data Protection Law provides for regulatory oversight of the PDPA (for more information, please refer to 1.2 Regulators) and the obligations of data processors and controllers when processing personal data (for more information, please refer to 3.1 Objectives and Scope of Data Regulation).

To conclude, in Armenia, data regulation and data protection are intricately linked, with the Data Protection Law serving as the backbone. By setting out principles, obligations, and oversight, the law ensures that data processing is lawful and protective, particularly for personal data. The PDPA further bridges regulation and protection, ensuring enforcement and rights protection. This framework, while focused on personal data, reflects a balanced approach to governance, ensuring data security in a global context.

Please refer to 3.1 Objectives and Scope of Data Regulation.

The Personal Data Protection Agency (PDPA) serves as the primary enforcement body under Armenia’s Code on Administrative Offenses and its commitments under Convention 108 for the protection of personal data. However, its enforcement powers are currently limited and insufficient, a concern highlighted in the EU-Armenia CEPA Implementation Roadmap, which lists the strengthening of data protection enforcement as a critical area for reform.

Structural and Operational Constraints

Despite being formally recognised as an independent authority, the PDPA operates as a separate subdivision within the Ministry of Justice, with its personnel classified as civil servants under Armenian law. This institutional arrangement raises questions about its functional independence and autonomy.

Resource Limitations

• The agency lacks its own technical infrastructure and operates without dedicated facilities or buildings.
• It is significantly understaffed, employing only 7-8 individuals to serve a population of approximately 3 million. In contrast, Georgia, with a similar population size, initially employed around 50 personnel in its data protection authority and gradually increased its capacity to around 100 personnel.
• The lack of legal and human resources hampers the PDPA’s ability to defend its decisions in court, often resulting in annulment of its enforcement actions when challenged.

Need for Reform

Due to these constraints, the PDPA faces difficulties in ensuring effective compliance with Armenia’s data protection framework. Strengthening its institutional independence, staffing, and litigation capacity is essential to aligning Armenia’s enforcement practices with European data protection standards.

For further details on the institutional setup and functions of enforcement bodies, please refer to 1.2 Regulators.

While there is no standalone law specifically regulating cookies in Armenia, their use is generally governed by the principles of the Data Protection Law, particularly the requirement of using informed consent when processing personal data. The consent may be withdrawn at any time in accordance with the Data Protection Law and other laws.

Although neither the Data Protection Law nor the Law on Advertising specifically regulates personalised advertising, the general legal principles remain applicable. Under the Data Protection Law, the processing of personal data is lawful only with the data subject’s consent, which may be given in written, electronic (including via digital signature), or oral form. For the purposes of personalised advertising, advertisers are required to obtain explicit consent from the data subjects.

The PDPA has issued an advisory opinion on personalised advertising, emphasising the importance of obtaining clear and informed consent from data subjects. The PDPA recommends that data processors implement opt-in or opt-out mechanisms for subscribers to consent to data processing. Additionally, the advisory urges data processors to delete the personal data of subscribers who choose not to grant their consent, ensuring compliance with data protection laws and safeguarding the rights of data subjects.

The Competition Protection Commission has identified unfair competition cases where personalised advertising was conducted without obtaining such explicit consent.

In Armenia, the protection of employees’ personal data is mainly regulated by the Labor Code, which includes a specific section dedicated to this issue. Employees’ personal data refers to information necessary for managing work-related matters, such as employment, training, job promotions, and ensuring personal safety. The processing of this data involves collecting, storing, organising, transferring, or using the information for any legitimate work-related purposes.

Employers are required to process personal data in compliance with legal provisions designed to protect employees’ rights and freedoms. The data must be collected only for specific purposes directly related to employment, and employee consent is mandatory unless the data is sourced from third parties. Employers are prohibited from collecting sensitive data about employees’ political, religious beliefs, or personal lives unless such information is relevant to the employee’s job role. Even in such cases, explicit written consent must be obtained. Additionally, employers cannot make decisions solely based on the automated processing of personal data.

The law stipulates that employees have the right to access their personal data held by their employer. They can request corrections for inaccurate or incomplete data and challenge any unlawful processing of their information. Employees are also entitled to receive copies of their personal data unless specific legal exceptions apply.

Employers are prohibited from disclosing personal data to third parties without the employee’s consent, except when necessary to protect the employee’s life or health or when explicitly authorised by law. Confidentiality must be maintained, and access to personal data shall be restricted to those who need it to perform their duties.

Finally, individuals or organisations that fail to comply with the established rules for processing and protecting employees’ personal data shall be liable under Armenian law.

Guide on the Protection of Personal Data in Employment Relations ("the Guide")

In addition to the regulations set out in the Labor Code, employment data privacy is further detailed by the PDPA in the Guide. For example, the Guide clarifies that employee supervision is not a lawful purpose for data processing. It also emphasises that processing special category personal data to ensure compliance with work duties does not give the employer the right to interfere in the employee’s private life. For instance, if an employee visits a doctor during working hours (with prior arrangement), the employer cannot request the diagnosis. Such a request is unlawful even if the employer has reasonable suspicions that the employee is using work hours for non-work purposes. In such cases, the employer may only request information confirming the doctor’s visit.

The Guide also provides further examples of best practices concerning work email surveillance, recording calls in the workplace, processing biometric data, and transferring employees’ personal data to third parties and internationally. In another comprehensive guide on video surveillance, the PDPA explains that videotaping in the workplace should only be used as a last resort when other measures cannot achieve the same objective. Employers must explicitly notify employees when installing video cameras. Cameras may record the entrance and exit of the workplace, hallways, and locations of valuable goods and storage areas. However, surveillance devices cannot record employees’ workspaces except in special circumstances. Surveillance is prohibited in rest and break rooms, restrooms, and changing rooms.

Armenia’s regulatory framework does not specifically address data processing during asset deals. However, the Data Protection Law defines databases as collections of personal data organised based on specific criteria. This definition is also included in the Law on Copyright and Related Rights, which permits the transfer of proprietary rights to databases fully or partially.

In practice, sellers typically require a non-disclosure agreement to ensure confidentiality and limit the number of purchaser representatives who may access personal data during asset deals. If the data processor changes from the seller to the purchaser, data subjects must be notified to ensure their informed consent, initially granted to the seller, remains valid.

The Data Protection Law contains a dedicated section regulating the transfer of personal data to third parties and across borders. It specifically provides that personal data may be transferred to another country either with the data subject’s consent or where the transfer is necessary to fulfil the purposes of data processing.

Importantly, international data transfers can occur with or without prior authorisation from the PDPA. Prior authorisation is not required if the receiving country ensures an adequate level of data protection. Adequate protection is deemed to exist when:

• the transfer is carried out in accordance with international treaties; or
• the transfer is made to a country included in the official list published by the PDPA as providing adequate protection.

The PDPA must regularly review and update this list at least once a year, publishing any changes in the official bulletin and on its website.

Transfers to countries that do not provide adequate protection require prior authorisation from the PDPA. Such transfers are allowed if they are based on a contract that includes data protection safeguards approved by the PDPA.

To obtain authorisation:

• the data processor must submit a written application to the PDPA before the intended transfer;
• the application must specify the destination country, the recipient’s details, a description of the personal data concerned, the purposes of processing and transfer, and the relevant contract or draft contract; and
• the PDPA must approve or reject the application within 30 days, although it may request additional information if necessary.

Countries are included on the adequate protection list based on several factors, including the strength of national legislation, the existence of a supervisory data protection authority, the application of Convention 108, and the availability of effective remedies for data subjects in the event of data breaches.

Transfers to countries lacking adequate protection require prior approval of PDPA. For more information, please refer to 5.1 Restrictions on International Data Transfers.

Data Protection law does not impose strict data localisation obligations—that is, there is no general requirement for personal data to be stored or processed exclusively within the country’s borders.

In practice, local data controllers often use cloud service providers due to their superior technical capacity to ensure compliance with data protection standards. As a result, data is frequently stored outside Armenia without contravening existing legal requirements.

Data protection experts have been debating the potential benefits of requiring simultaneous data storage on local servers, particularly to enhance oversight and ensure data availability for local authorities. However, these discussions have not yet resulted in any legal requirement for local storage or mirrored data hosting.

It is important to note that the current Data Protection Law does not preclude the possibility of data localisation requirements being introduced through sector-specific legislation – albeit no such requirements have been established in sectoral laws or regulations.

Blocking statutes are typically designed to protect national sovereignty, sensitive information, and key economic interests. Their main functions include:

• restricting the transfer of sensitive data to foreign jurisdictions, particularly where national security, state secrets, or industrial strategies are at stake; and
• preventing the extraterritorial application of foreign laws by blocking foreign governments or entities from accessing data stored within the country.

Although Armenia does not have formal blocking statutes, certain provisions within its Data Protection Law may function as de facto blocking mechanisms, particularly when transferring data to countries that do not meet the required level of protection. Such provisions can serve to protect Armenia’s national sovereignty and security against extraterritorial applications of foreign laws. For example, Armenian entities may resist compliance with foreign data protection requests when they conflict with Armenian legal frameworks or undermine national interests.

Limited developments have been made in relation to regulation of the international transfer of personal data. On 8 July 2024, the PDPA published the most recent list of states with an adequate level of personal data protection. As of now, the list includes 53 states.