Armenia's data protection supervisory authority – the Personal Data Protection Agency (hereinafter, the Agency) – has escalated enforcement activity directed at organisations that process personal data within Armenian territory. International businesses operating in Armenia, or directing services at Armenian residents, now face a materially higher risk of formal investigation, administrative sanction, and mandatory remediation. The trigger for this alert is a coordinated wave of enforcement actions that took effect in early 2025 and that continues to expand in scope.
Armenia's data protection legislation imposes obligations on every data controller (an entity that determines the purposes and means of personal data processing) and every data processor (an entity that processes data on behalf of a controller) operating in the country. The Agency now conducts both scheduled and unannounced inspections, with compliance deadlines tied to the date of notification – typically 30 days for remediation of identified violations. International companies that have not yet mapped their Armenian data processing activities against local legislative requirements are at immediate risk of enforcement exposure.
This alert explains what changed, which business categories are affected, and the concrete steps international companies must take now.
What changed and when it took effect
Armenia's personal data protection legislative regime was substantially updated in the period leading up to 2025. The amendments strengthened the enforcement mandate of the Agency and introduced stricter requirements for cross-border data transfer – that is, the transfer of personal data to recipients located outside Armenia.
Several changes are directly relevant to international operators. First, the consent mechanism requirements tightened. A valid consent mechanism must now be specific, informed, freely given, and documented. Pre-ticked boxes and bundled consents no longer satisfy the standard under Armenian data protection legislation. Second, mandatory registration obligations for certain categories of data processing were reinforced. Third, the Agency was granted authority to impose administrative fines and issue binding corrective orders without prior warning in cases of serious or repeated violations.
These changes are in force. The Agency began active inspections under the new standards from the first quarter of 2025. Organisations that were notified of an inspection have a 30-day window to produce compliance documentation or face escalation to formal sanction proceedings.
International companies should also note that Armenian data protection legislation, while distinct from EU rules, shares structural similarities with the GDPR compliance model. Organisations already maintaining GDPR compliance programmes will find significant overlap – but also material differences, particularly regarding local registration requirements and the rules governing data transfer outside Armenia.
Which businesses are affected and the compliance threshold
The Agency's enforcement activity targets a broad range of business categories. Affected organisations include any entity that, regardless of where it is incorporated, processes personal data of Armenian residents or operates systems that collect such data within Armenian territory.
The following categories face the highest enforcement exposure:
- E-commerce platforms and digital service providers with Armenian user bases
- Financial institutions, payment service providers, and fintech operators
- Healthcare organisations and telemedicine platforms processing sensitive personal data
- Employers maintaining personnel records for employees based in Armenia
- Technology companies using cloud infrastructure to store or transfer Armenian resident data
The threshold for triggering full compliance obligations is low. Any systematic processing of personal data – even without a physical office in Armenia – is sufficient to bring an organisation within scope. A DPA (data processing agreement) between a foreign data controller and a local data processor does not shift the controller's obligations to the processor. The controller remains primarily liable.
Organisations that rely on a third-party data processor located in Armenia must verify that the processor operates under a written agreement that meets the requirements of Armenian data protection legislation. Absence of such an agreement is itself an enforceable violation.
For a detailed assessment of your company's exposure under Armenian data protection law, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Organisations with Armenian data processing activities should treat this alert as a prompt for immediate internal review. The following actions are prioritised by urgency.
Map all data processing activities in Armenia. Identify every system, database, and workflow that collects, stores, or transmits personal data of Armenian residents. Include third-party processors. Document the legal basis for each processing activity.
Review and update consent mechanisms. Audit all consent collection points – website forms, app permissions, marketing opt-ins – against the current Armenian legislative standard. Replace any bundled or pre-ticked consent with specific, documented consent flows.
Audit cross-border data transfers. Identify every instance where personal data moves from Armenia to a recipient in another country. Confirm that each transfer rests on a permissible legal basis under Armenian data protection legislation. Transfers to countries without an adequate level of protection require additional safeguards.
Verify data processing agreements. Check that every arrangement with a local data processor is governed by a written DPA that complies with current legislative requirements. Update or replace agreements that pre-date the 2025 enforcement cycle.
Appoint a local point of contact. The Agency expects organisations under investigation to identify a responsible contact person promptly. Organisations without a designated local representative face practical difficulties in responding to inspection notices within the 30-day remediation window.
Companies operating across the CIS region should also review our analysis of data protection enforcement developments in Russia, where parallel regulatory trends are emerging. For AI-related data processing obligations in Armenia, our team covers the intersection of technology regulation and privacy in our AI and technology law practice for Armenia.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice in Armenia covers regulatory compliance, enforcement response, cross-border data transfer structuring, and consent mechanism design for international companies active in the CIS region. Engaging a lawyer in Armenia with cross-border experience is essential when enforcement timelines are short and the Agency moves without prior notice. As an international law firm in Armenia and across the CIS, Ferraz & Whitmore combines civil law expertise with a practical understanding of local regulatory expectations. Our team has advised technology companies, financial institutions, and multinational employers on data controller and data processor obligations across both civil law and common law systems. To discuss your Armenian data protection exposure and build an effective response strategy, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.