Law on Personal Data Protection of the Republic of Armenia

Regulation Summary

Timeline

October 18, 2015 – Law on Personal Data Protection enacted.
July 1, 2016 – Full enforcement begins.

What Businesses Are Affected?

Organizations processing personal data in Armenia.
Foreign companies handling Armenian residents' data.
Public and private sector entities collecting personal data.
Website operators gathering data from Armenian users.

Exemptions

Personal data processed for national security and law enforcement.
Personal or household data use.
Data processing for journalistic, literary, or artistic purposes.

Responsibilities for Businesses

Obtain clear and informed consent before data processing.
Implement security measures to protect data from unauthorized access.
Maintain accurate records of data processing activities.
Appoint a Data Protection Officer (DPO) when required.
Report data breaches to the PDPA within 72 hours of becoming aware of the breach.
Ensure data accuracy and provide rectification options.

Specific Responsibilities for Website Owners

Display a clear and accessible privacy policy.
Obtain user consent for cookies and tracking technologies.
Provide mechanisms for users to exercise their data rights.
Implement security measures to safeguard user data.

Additional Requirements

Parental consent is required for processing children’s data.
Restrictions on cross-border data transfers.
Explicit consent required for processing sensitive data.

Data Subject Rights

Right to access personal data.
Right to rectification and erasure (Right to be Forgotten).
Right to restrict or object to processing.
Right to data portability.
Right to challenge automated decision-making and profiling.

Enforcement

Supervised by the Personal Data Protection Agency (PDPA).
Fines: Up to 5,000,000 AMD (~$12,500 USD) for violations.
Additional penalties include operational restrictions and data processing bans.