Uzbekistan: Data Protection in the Financial Sector


1. Governing Texts

1.1. Legislation

The Law of the Republic of Uzbekistan on Personal Data of 2 July 2019 (only available in Russian and Uzbek here) ('the Law on Personal Data') is the first separate document in Uzbekistan regulating general data protection requirements for the processing of personal data. The Law on Personal Data states that the operator of a personal data database is a state body, individual or legal entity that processes personal data. This effectively means that provisions of the Law on Personal Data apply to financial institutions as well. At the same time, there is a separate Law of the Republic of Uzbekistan On Bank Secrecy 2003 (only available in Uzbek here) ('the Law on Bank Secrecy') which aims to protect financial information related to both individuals and legal entities. Moreover, certain provisions regarding confidentiality in various fields are contained in a number of laws and legal acts that are discussed below.

Relevant legislation includes:

  • Criminal Code of the Republic of Uzbekistan No 2012-XII of 22 September 1994 (as amended) (only available in Russian and Uzbek here) ('the Criminal Code');
  • Administrative Responsibility Code of Uzbekistan No 2015-XII of 22 September 1994 (as amended) (only available in Russian and Uzbek here) ('the Administrative Code');
  • the Law on Personal Data;
  • the Law on Bank Secrecy;
  • Law of the Republic of Uzbekistan On Banks and Banking Activities No. ЗРУ-580 dated 5 November 2019 (only available in Uzbek here) ('the Law on Banks and Banking Activities');
  • Law of the Republic of Uzbekistan On Payments and Payment Systems No. ЗРУ-578 dated 1 November 2019 (only available in Uzbek here) ('the Law on Payments and Payment Systems');
  • Law on Countering Legalisation of Income from Criminal Activity, Financing Terrorism and Financing the Distribution of Weapons of Mass Destruction No. 660-II dated 26 August 2004 (only available in Russian here) ('the AML/CFT Law');
  • Law of the Republic of Uzbekistan on Insurance Activity No. 358-II dated 5 April 2002 (only available in Uzbek here) ('the Law on Insurance Activity');
  • Presidential Decree on Strategy for Reforming of the Banking System of the Republic of Uzbekistan for 2020-2025 No. УП-5992 dated 12 May 2020 (only available in Uzbek here) ('Decree No. 5992'); and
  • Resolution of Board of the Central Bank of the Republic of Uzbekistan on Approval of the Regulation on Ensuring Information Security in Payment Systems of Payment System Operators and Payment Service Providers No.3268 dated 30 June 2020 (only available in Uzbek here) ('Regulation No. 3268').

1.2. Supervisory authorities

The Central Bank of the Republic of Uzbekistan ('the Central Bank') monitors compliance by licensed organisations with internal control rules and with the procedure for providing information related to countering the laundering of income derived from crime, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction to an authorised state body. Moreover, the Central Bank is entitled to take punitive measures where banking secrecy protection requirements have not been complied with.

In accordance with the Law on Personal Data, the State Centre for Personalisation ('SPC') under the Cabinet of Ministers of the Republic of Uzbekistan is the authorised state body in the field of personal data. Accordingly, the SPC exercises, within the limits of its authority, control over compliance with the requirements of the Law on Personal Data and issues binding orders for legal entities and individuals to eliminate violations of the Law on Personal Data.

2. Personal and Financial Data Management

2.1. Legal basis for processing

In accordance with the Law on Personal Data, personal data can be processed in the following cases:

  • the subject has consented to the processing of his/her data;
  • there is a need to process personal data in order to fulfil a contract to which the subject is a party;
  • there is a need to process personal data in order to fulfil obligations of the owner and/or the operator that are defined by law;
  • there is a need to process personal data in order to protect the legitimate interests of the subject or another person;
  • there is a need to process personal data in order to exercise rights and legitimate interests of the owner and/or operator or a third party or to achieve socially significant goals, provided that such processing does not violate the rights and legitimate interests of subjects of personal data;
  • processing of personal data is for statistical or other research purposes, provided that personal data are depersonalised; and
  • personal data is obtained from publicly available sources.

At the same time, financial institutions can transfer personal data to the prosecution, investigation and inquiry authorities in the presence of a criminal case against the client, to the court and enforcement agents of the State of Uzbekistan on the basis of a written request for cases that are in the court proceedings against a client or for enforcement proceedings initiated against the client, etc.

2.2. Privacy notices and policies

Generally, financial institutions provide customers with notice of the institution's privacy policies, and customers, by signing corresponding notes, provide their consent for the transfer of their personal data if there is a need to disclose their personal data to third parties for processing purposes.

2.3. Data security and risk management

Decree No. 5992 provides for the need to develop a banking system in Uzbekistan and lists the actions for the improvement of the risk management system. Decree No. 5992 also envisages the development of legal acts in accordance with the recommendations of the Basel Committee on Banking Supervision.

2.4. Data retention/record keeping

Retention periods for the personal financial data collected vary depending on the type of organisation that collects data and the type of document that contains personal financial data. For instance, the customer's profile shall be kept in a commercial bank for at least five years from the date of termination of relations with the customer. Information regarding foreign currency accounts of a customer of a commercial bank shall be kept for not less than ten years after closing the account.

3. Financial Reporting and Money Laundering

The AML/CFT Law lists the following measures aimed at countering the laundering of income received from criminal activity, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction:

  • control that is carried out by an authorised state body, such as the Department on Combating Economic Crimes ('the Department') under the General Prosecutor's Office of the Republic of Uzbekistan;
  • internal control;
  • customer due diligence; and
  • identification, assessment, and reduction of risks.

Each financial institution shall follow the rules regarding internal control on countering the laundering of income from criminal activities, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction. Such rules are developed by the controlling, licensing and registering bodies together with an authorised state body for each financial institution separately, e.g. commercial banks, audit organisations, etc. Generally, the rules require information obtained from customers to be kept confidential.

Entities carrying out financial operations or operations with other property must follow the procedure for the provision of information related to combating the laundering of income received from crime and the financing of terrorism to the Department in the event that customer operations being performed or prepared are found to be suspicious during the process of internal control. Such information shall be provided with the observance of measures that exclude any violation of the confidentiality of the document during delivery. An authorised state body and its employees are obliged to ensure the confidentiality and safety of the information that has become known to them, which constitutes commercial, banking, and other secrets.

4. Banking Secrecy and Confidentiality

The Law on Bank Secrecy states that the following information is deemed to be a bank secret:

  • information on operations, accounts, and deposits of customers of the bank;
  • information on the customer of the bank which has been obtained by the bank as a result of rendering banking services to clients;
  • information on the existence, nature, and cost of the customer's property stored in the safes and premises of the bank;
  • interbank transactions and deals made on behalf of a customer or in his/her favour;
  • information on a customer of another bank that has become known as a result of the exchange of information between banks; and
  • participants of the accumulative pension system.

The aforementioned types of information are prohibited from being disclosed to third parties, i.e. all other persons except the bank itself, its customer, and the Central Bank.

At the same time, the Law on Bank Secrecy lists certain circumstances where information that is deemed to be a bank secret can be transferred to third parties.

For instance, the information constituting a bank secret can be transferred to persons providing legal, accounting, auditing, consulting services to the bank, provided that such transfer is necessary for the service and such persons are obliged to refrain from disclosure and use of information constituting a bank secret for personal purposes or in the interests of third parties.

The bank may also disclose the information of the customer constituting a bank secret to the court in circumstances and to the extent necessary to protect its rights and legitimate interest in a dispute that has arisen between the bank and its customer.

Furthermore, the bank may provide the information constituting a bank secret to state tax authorities in cases relating to the taxation of the bank's customer.

Information on operations with money or other property constituting a bank secret in connection with counteracting the legalisation of income received from crime, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction may be provided by the bank to the authorised state body in circumstances listed in section 3.

The Accounts Chamber of the Republic of Uzbekistan and the Department are entitled to obtain information constituting a bank secret if such information is necessary for the implementation of tasks assigned to them.

Information constituting a banking secret can be disclosed to the prosecution, investigation and inquiry bodies if a criminal action has been brought against the bank's customer in order to ensure the recovery of damage or seizure of its property based on a reasoned decision of the investigator or inquiry officer with the approval of the prosecutor.

Moreover, information covered under bank secrecy may be provided to the court on the basis of its written request for cases that are in court proceedings against the bank's customer. Also, information constituting a banking secret may be provided to the state executor on the basis of his/her written request, including in the form of an electronic document, on enforcement proceedings initiated against the bank's customer.

In order to ensure the safety of the banks' activities, repayment of loans and other investments, banks can exchange information on their customers. A bank that has received information on a customer of another bank is prohibited from disclosing and transferring such information to third parties.

Also, the provision of credit information to credit bureaus is not a violation of bank secrecy, provided that the credit information is transferred to the credit bureau based on a credit information exchange agreement.

5. Insurance

The Law on Insurance Activity states that the insurer, insurance agent, adjuster, insurance surveyor, and actuarial organisation are obliged to keep the information constituting a commercial or another secret of the customer confidential. Information on the insurant, insured persons and beneficiaries, insured property, insurance amount, bank accounts, balances and cash flows on these accounts shall not be disclosed to third persons unless there is written consent of the insurant, as well as of the insured persons and beneficiaries in relation to the information concerning them. However, the aforementioned information can be disclosed without obtaining the prior written consent of the insurant to the court, prosecutor, to the bodies of investigation in the event there is a criminal case, or to the state executors where there is a court decision in force on foreclosure or seizure of the property of the insurant.

In terms of personal data collection and processing, general provisions set out in the Law on Personal Data would also apply to the insurance industry.

At the same time, the Law on Insurance Activity states that law enforcement agencies, courts, medical, seismological, veterinary, hydro-meteorological and other organisations are required, upon the request of insurers, to provide relevant information and documents necessary to determine the causes and circumstances of the occurrence of insurance events as well as the amounts of insurance compensation by the insurer and the adjuster.

6. Payment Services

The Law on Payments and Payment Systems, which entered into force on 1 February 2020, regulates payment service providers. The Law on Payments and Payment Systems applies to relations arising from the process of making payments and rendering payment services between individuals and legal entities that are providers and users of payment services. Specifically, the Law on Payments and Payment Systems sets out the requirements of payment systems, the procedure for licensing of payment system operators, the procedure for licensing of payment organisations, regulation of their activities, the procedure for the supervision of payment systems, and requirements for the protection of information in payment systems.

The Law on Payments and Payment Systems provides that payment system operators and payment service providers have to ensure the confidentiality of the information received while providing the payment service and not allow its disclosure to third parties.

Regulation No. 3268 lists the measures that payment system operators and payment service providers are required to take at all stages of the formation, transfer, storage, and processing of payment information.

7. Data Transfers and Outsourcing

Pursuant to the Law on Personal Data, the owner and/or the operator are entitled to entrust the processing of personal data to a third party if a personal data subject has consented to this in writing or in the form of an electronic document. Also, the owner and/or the operator are obliged to notify the personal data subject in writing or in the form of an electronic document in case of the transfer of his/her personal data to a third party.

The use of personal data by the employees of the owner and/or operator, as well as a third party related to the processing of personal data, should be carried out only in accordance with their professional, official, or labour duties.

8. Breach Notification

Not applicable.

9. Fintech

Not applicable.

10. Enforcement

In accordance with the Law on Banks and Banking Activities, violation of the requirements of the Law on Bank Secrecy and the AML/CFT Law is deemed to be a gross violation. For gross violations, the Central Bank is entitled to:

  • impose a fine against a bank in the amount not exceeding twice the amount of income received from financial transactions carried out in violation of the legislation on banks and banking activities if it is possible to quantify such income, or 5% of the net profit earned by the bank for the previous financial year, or 1% of the total capital of the bank;
  • revoke a license;
  • impose a fine on a member of the supervisory board, board or key personnel of the bank in the amount not exceeding 100% of the remuneration received for the year preceding the month of the imposition of the fine;
  • publish a report on violations, measures, and sanctions applied to violators in the mass media; and/or
  • require the bank to comply with other orders.

The Law of 29 October 2021 No. ЗРУ-726 on Amendments and Additions to Some Legislative Acts (only available in Russian, Uzbek, and Tajik here) introduced new sanctions to the Code on Administrative Responsibility and the Criminal Code for violation of personal data protection laws. Accordingly, pursuant to Article 46-2 of the Code on Administrative Responsibility, illegal collection, systematisation, storage, modification, addition, use, provision, distribution, transfer, depersonalisation, and destruction of personal data, as well as non-compliance with the requirements for the collection, systematisation, and storage of personal data on technical means located on the territory of Uzbekistan and in databases registered in the State register of personal data databases, when processing personal data of Uzbek citizens using information technologies including the internet, entail imposition of a fine in the amount of seven basic calculation values (approx. €160) for individuals, and 50 basic calculation values (approx. €1,140) for officials.

In accordance with Article 141-2 of the Criminal Code, the same wrongdoings committed after application of administrative fines entail:

  • a fine in the amount from 100 to 150 basic calculation values (approx. €2,282 to €3,425); or
  • deprivation of a certain right for up to three years; or
  • correctional labour for up to two years.

The same wrongdoings committed by prior conspiracy by a group of persons, or repeatedly or by a dangerous recidivist, or committed from mercenary or other motives, or committed using one's official position, or entailing grave consequences, entail:

  • a fine from 150 to 200 basic calculation values (approx. €3,425 to €4,565); or
  • correctional labour from two to three years; or
  • custodial restraint from one to three years; or
  • imprisonment for up to three years.

11. Additional Areas of Interest

The process of obtaining tax information by third parties has been recently updated in Uzbekistan. For instance, upon the written consent of a borrower, a bank can request certain information from the borrower for the provision of a loan. Moreover, the following information constitutes a tax secret:

  • passport data obtained from the internal affairs bodies;
  • information on the ownership of real estate, obtained from the state registration authorities located on the corresponding territory of the land plot and other real estate;
  • real estate purchase and sale agreements received from notaries;
  • approval of property leases and rents; and
  • information on the issuance of certificates of inheritance.

Anora Turakhujaeva, Senior Associate
GRATA International, Tashkent