Uzbekistan: Resolution on personal data processing overview

The Law of the Republic of Uzbekistan of July 2, 2019 No. ЗРУ-547 on Personal Data (Personal Data Law) (only available in Russian here) is the main law that governs the processing, protection, and requirements related to personal data. While the Personal Data Law establishes general principles of personal data protection and processing, the Uzbek legal system relies on additional regulations to provide more detailed guidelines.

In this context, Resolution No. 570 (the Resolution), approved by the Cabinet of Ministers on October 5, 2022, plays a crucial role in specifying how the protection of personal data must be ensured. In this Insight article, Abdumalik Mukhtorov and Azizbek Suyunboev, from Azizov & Partners Firm of Advocates, aim to shed light on the interplay between the requirements outlined in these two Regulations and the provisions of the Personal Data Law.

The Resolution, following the common practice in the Uzbek legal system, also endorses two additional regulations:

  • Regulation on determining the levels of protection of personal data during their processing (Regulation No. 1); and

  • Regulation on requirements for material carriers of biometric and genetic data and technologies for storage of such data outside of databases of personal data (Regulation No. 2) (collectively, the Regulations).

1. Background

The Cabinet of Ministers of the Republic of Uzbekistan (Government) is one of the regulatory bodies responsible for overseeing personal data protection, as stated in Article 6 of the Personal Data Law. When the Personal Data Law was enacted in 2019, it included a provision granting the Government the authority to establish:

  • levels of personal data protection during their processing, taking into account security threats;

  • requirements to ensure the protection of personal data during their processing, with the implementation of these requirements guaranteeing the designated levels of personal data protection; and

  • requirements concerning the physical carriers of biometric and genetic data, as well as the technologies used for storing such data outside personal data repositories.

However, until recently, the Government had not established the levels of protection or the abovementioned requirements through its bylaws. In order to exercise this authority, the Government adopted the Resolution. The Regulations approved by the Resolution specifically address these matters.

Uzbekistan is not the first country to implement regulations of this kind. Similar provisions can also be found in the legislation of other CIS countries, including the Russian Federation and Kyrgyzstan. The Regulations largely mirror the provisions of Russian legislation, while also incorporating specific distinctions that are unique to the Uzbek legal framework.

2. Scope of the Regulations

The Regulations do not explicitly specify the subjects to whom they apply. However, based on the wording of both Regulations, it can be inferred that the requirements outlined in the Regulations must be complied with by both the owners and the operators of personal data databases.

Regarding the types of personal data, Regulation No. 1 identifies four categories of personal data that can be processed in personal data databases:

  • special data;
  • biometric data;
  • genetic data; and
  • publicly available data.

This exhaustive list of types of personal data is not provided in the Personal Data Law itself. Therefore, it can be assumed that Regulation No. 1 only applies to the four abovementioned types of personal data. As for Regulation No. 2, it specifically addresses biometric and genetic data.

3. Definitions

The Regulations primarily rely on the existing definitions provided in the Personal Data Law. However, in addition to those, the Regulations introduce new terms and provide the following definitions for them:

Application software: A set of programs (Access, Oracle, etc.) designed to perform a class of tasks in a particular subject area.

System software: A set of programs (operating systems, drivers, utilities, archivers, etc.) that ensure the operation of a computer and computer networks.

Material carriers storing data in electronic form: Flexible magnetic disks, optical disks, hard (fixed) magnetic disks, electronic memory disks (flash), and electronic means of authentication (tokens, tablets, etc.).

Material carriers: Material carriers on which information constituting personal data is recorded, including dimensional objects, and documents containing personal data.

Material objects made of paper or plastic: Text, graphics, and other data printed on paper, plastic cards, etc.

4. Levels of protection of personal data

The processing of personal data must be carried out in a way that ensures the confidentiality and security of the data. According to Article 12 of the Personal Data Law, the use of personal data by the owner, operator, or a third party may be carried out if they guarantee the necessary level of personal data security. When processing personal data, both the owner and operator are required to implement organizational and technical measures to protect the personal data, taking into account potential security threats.

Regulation No. 1 establishes the following aspects:

  • types of threats to the security of personal data during their processing;
  • levels of protection of personal data during their processing; and
  • requirements for personal data security levels.

It is important to note that Regulation No. 1 is a recent addition to the personal data protection framework, having come into force on January 7, 2023. Therefore, there may still be unresolved questions regarding its application, interpretation of its provisions, and practical enforcement of the requirements.

4.1 Threats to the security of personal data during processing

According to Regulation No. 1, threats to the security of personal data are defined as "a set of conditions and factors that create a risk of unauthorized, including accidental, access to databases, which may result in alteration, addition, use, presentation, distribution, transfer, depersonalization, destruction, copying of personal data, as well as other unlawful actions." In other words, threats encompass any factors and conditions that have the potential to compromise the confidentiality and security of personal data, leading to possible unauthorized access or misuse.

Regulation No. 1 classifies threats into the following three types:

  • Type I threats (System software threats): threats that arise from undisclosed vulnerabilities in the system software of the personal data database.
  • Type II threats (Application software threats): threats that arise from undisclosed vulnerabilities in the application software of the personal data database.
  • Type III threats (System and application software threats): threats that arise from undisclosed vulnerabilities in both the system and application software of the personal data database.

Russian legislation also includes a similar classification of threats to the security of personal data. Russia has established its own certification scheme to verify the absence of these threats. Additionally, there exists a list of various types of threats to the security of personal data. Examples of such threats include the breach of cloud server availability, cross-site scripting, cross-site request forgery, and the breach of user data isolation within a virtual machine, among others.

In contrast, the current Uzbek legislation does not have a certification scheme or a specific list of threats to the security of personal data. Consequently, Regulation No. 1 grants the owners and operators the discretion to determine and address the types of threats to the security of personal data on their own.

4.2. Determining the levels of protection of personal data during processing and security requirements

Regulation No. 1 establishes four levels of protection that must be implemented when processing personal data in databases. These levels of protection are determined based on factors such as the types of threats, types of personal data being processed, and categories of data subjects involved.

The first level of protection is applicable in the presence of one or more of the following conditions:

  • the existence of system software threats related to the databases and processing of special, biometric, and/or genetic personal data in those databases; and
  • the existence of application software threats related to databases and processing of special personal data of more than 50,000 subjects who are not employees of the owner and/or the operator.

The second level of protection is applicable in the presence of one or more of the following conditions:

  • the existence of system software threats related to the databases and processing of publicly available personal data in databases;
  • the existence of application software threats related to the databases and processing of special data of employees of the owner and/or the operator, or special data of less than 50,000 subjects who are not employees of the owner and/or the operator;
  • the existence of application software threats related to databases and processing of biometric and/or genetic data in the databases;
  • the existence of application software threats related to the databases and processing of publicly available data of more than 50,000 subjects who are not employees of the owner and/or operator in the databases; and
  • the existence of system and application software threats related to databases and processing of special data of more than 50,000 subjects who are not employees of the owner and/or the operator in databases.

The third level of protection is applicable in the presence of one or more of the following conditions:

  • the existence of application software threats related to the databases and processing of publicly available data of the owner and/or operator's employees or publicly available data of less than 50,000 subjects who are not employees of the owner and/or operator;
  • the existence of application software threats related to databases and processing of special data of the owner's and/or operator's employees, and/or special data of less than 50,000 subjects who are not employees of the owner and/or operator; and
  • the existence of system and application software threats to databases and processing of biometric and/or genetic data.

The fourth level of protection must be established in the presence of system and application software threats to databases and the processing of publicly available data in the database.
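The level-determination conditions of section 4.2 encoded as a lookup, as an added illustration that is not part of the Regulation or of this article. It assumes that the strictest matching level applies where the article lists the same condition under two levels (application software threats with special data of employees or fewer than 50,000 non-employees appears under both the second and the third level), and it returns None for combinations the article does not address, such as exactly 50,000 subjects.

```python
# Added illustration of the Regulation No. 1 level table (section 4.2).
# Assumptions not on the page: the strictest matching level wins where one
# condition is listed twice; unaddressed combinations return None.
from dataclasses import dataclass
from enum import Enum

class Threat(Enum):
    SYSTEM = "I"        # Type I: undisclosed vulnerabilities in system software
    APPLICATION = "II"  # Type II: undisclosed vulnerabilities in application software
    BOTH = "III"        # Type III: undisclosed vulnerabilities in both

class Data(Enum):
    SPECIAL = "special"
    BIOMETRIC = "biometric"
    GENETIC = "genetic"
    PUBLIC = "publicly available"

@dataclass(frozen=True)
class Processing:
    threat: Threat
    data: Data
    subjects: int = 0             # data subjects who are not employees of the owner/operator
    employees_only: bool = False  # the data concern only the owner's/operator's employees

def _few(p: Processing) -> bool:
    """Employees of the owner/operator, or fewer than 50,000 non-employee subjects."""
    return p.employees_only or p.subjects < 50_000

def _many(p: Processing) -> bool:
    """More than 50,000 subjects who are not employees of the owner/operator."""
    return not p.employees_only and p.subjects > 50_000

SENSITIVE = {Data.SPECIAL, Data.BIOMETRIC, Data.GENETIC}
BIO = {Data.BIOMETRIC, Data.GENETIC}

# One predicate per bullet of section 4.2, grouped by level in the article's order.
RULES = {
    1: (lambda p: p.threat is Threat.SYSTEM and p.data in SENSITIVE,
        lambda p: p.threat is Threat.APPLICATION and p.data is Data.SPECIAL and _many(p)),
    2: (lambda p: p.threat is Threat.SYSTEM and p.data is Data.PUBLIC,
        lambda p: p.threat is Threat.APPLICATION and p.data is Data.SPECIAL and _few(p),
        lambda p: p.threat is Threat.APPLICATION and p.data in BIO,
        lambda p: p.threat is Threat.APPLICATION and p.data is Data.PUBLIC and _many(p),
        lambda p: p.threat is Threat.BOTH and p.data is Data.SPECIAL and _many(p)),
    3: (lambda p: p.threat is Threat.APPLICATION and p.data is Data.PUBLIC and _few(p),
        # special data of employees / fewer than 50,000 is listed here too; it already
        # matched level 2 above, so level 2 applies under the strictest-wins assumption
        lambda p: p.threat is Threat.APPLICATION and p.data is Data.SPECIAL and _few(p),
        lambda p: p.threat is Threat.BOTH and p.data in BIO),
    4: (lambda p: p.threat is Threat.BOTH and p.data is Data.PUBLIC,),
}

def protection_level(p: Processing):
    """Return the strictest level (1..4) whose conditions are met, or None if none apply."""
    for level in (1, 2, 3, 4):
        if any(rule(p) for rule in RULES[level]):
            return level
    return None
```

A None result is the signal to treat the case as unaddressed by the table and seek the Regulator's position rather than to assume the least demanding level.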

4.3. Requirements for personal data security levels

Regulation No. 1 provides requirements (measures) that owners and operators must meet for each level of protection to ensure the security of personal data.

In order to ensure the first level of protection, the following requirements must be met:

  • the fulfillment of the requirements specified for the second level of protection;
  • the automatic registration of changes in the authorization of the owner's and/or operator's employees to access the personal data stored in the databases in the electronic security log;
  • establishment of a structural subdivision responsible for ensuring the security of personal data in databases or assigning the functions for ensuring such security to one of the existing structural subdivisions.

In order to ensure the second level of protection, the following requirements must be met:

  • the fulfillment of the requirements specified for the third level of protection;
  • restricting access to the electronic message journal solely to the officials (employees) or authorized personnel who require access to the information within the journal for the performance of their job (labor) duties.

In order to ensure the third level of protection, the following requirements must be met:

  • fulfillment of the requirements specified for the fourth level of protection;
  • appointment of an official (employee) responsible for ensuring personal data security in the databases.

To ensure the fourth level of protection, the following requirements must be met:

  • organizing a security regime for the premises where databases are located, to prevent uncontrolled entry into, or presence in, those premises by persons who do not have the right of access to them;
  • ensuring the security of the physical media containing personal data;
  • approval by the head of the owner and/or the operator of the document that specifies the list of individuals who require access to the personal data processed in the databases as part of their official (labor) duties;
  • utilizing data protection measures that have undergone evaluation to verify compliance with the legal requirements in the field of information security, whenever the use of such measures is necessary to safeguard personal data from existing threats.

Regulation No. 1 provides a broad definition of threat. Determining what constitutes a threat can be done on a case-by-case basis. To ensure compliance with the requirements of Regulation No. 1, it is crucial for organizations to identify threats at the onset of personal data processing. Although there is no certification scheme specified in the legislation, organizations have the option to seek the written position of the Regulator (State Personalization Agency) regarding the absence of threats.

5. Requirements in relation to the processing of biometric and genetic data

Regulation No. 2 establishes requirements for material carriers that store biometric and genetic data, and for the technologies used to store such data outside the personal data database.

5.1. Requirements regarding material carriers that contain biometric and genetic data

According to Regulation No. 2, the determination of the type of material carrier used for processing biometric and genetic data is the responsibility of the owner and/or the operator. The requirements for material carriers containing biometric and genetic data are as follows:

5.1.1. Marking the material carriers

According to Regulation No. 2, when processing biometric and genetic data, material carriers containing such data must be marked with labels such as "confidential" or "for professional use." Although the legislation does not explicitly define the meaning of these labels, they serve to indicate that access to the material carriers is restricted.

5.1.2. Protection of biometric and genetic data

When storing biometric and genetic data in electronic form, it is required to encrypt and protect these data using cryptographic methods or any other appropriate means. The cryptographic protection of information is governed by the Regulation on cryptographic protection of information in the Republic of Uzbekistan (only available in Russian here).

5.1.3. Recording of material carriers

When processing biometric and genetic data, the owner and/or operator must maintain records of the material carriers on which these data are stored. The records should include the identification data of the device used during the processing of biometric and genetic data in the database, such as its IP address, MAC address, and other relevant identifiers. This requirement ensures traceability and accountability in the handling of biometric and genetic data.

5.1.4. Measures for the security of biometric and genetic data

Regulation No. 2 stipulates that the owner and/or operator must implement security measures to prevent the theft, erasure, destruction, unauthorized acquisition, alteration, and uncontrolled disposal of material carriers containing biometric and genetic data.

When taking such safety measures, the following requirements must be met for the storage of biometric and genetic data:

  • comply with fire safety regulations, sanitary norms, rules, and hygienic standards, and be protected against the risk of flooding;
  • have robust protection mechanisms in place to prevent unauthorized access;
  • the data should be stored in safes, metal shelves, or metal racks;
  • the storage rooms must be equipped with security alarms and video surveillance systems, with entrance doors and windows connected to the security service.

5.1.5. Deletion of biometric and genetic data

When personal data, specifically biometric and genetic data, is deleted from material carriers, the material carriers themselves are not written off. Instead, they can be reused for future personal data processing, with the exception of material carriers designated for one-time use and those that are worn out. It is important to note that these non-reusable material carriers must be destroyed.

5.1.6. Term of use of a material carrier

A material carrier can be used for a duration determined by the owner and/or operator who recorded the biometric and genetic data on the material carrier. However, the period of use should not exceed the timeframe specified by the manufacturer of the material carrier.

5.1.7. Copying of biometric and genetic data

The copying of biometric and genetic data is conducted using authorized technical devices specifically designated for the processing of such data. The copying process should involve the direct participation of responsible employees of the owner and/or operator.

5.1.8. Personal data other than biometric and genetic data

In cases where material carriers contain both biometric and genetic data as well as other types of personal data, the additional personal data should be signed using an advanced qualified electronic signature or protected using other information technologies. By implementing such measures, the owner and operator are responsible for maintaining the integrity and unalterability of the data recorded on the material carrier.

5.2. Requirements regarding technologies for storing biometric and genetic data outside the database of personal data

It is important to note that Regulation No. 2 does not provide a specific definition for "technologies for storing biometric and genetic data outside the database of personal data." However, according to Article 26 of the Personal Data Law, the storage of biometric and genetic data outside information systems is only permitted using material carriers that prevent unauthorized access. Based on this, it can be inferred that the requirements outlined in the Regulation No. 2 apply to material carriers such as flash or magnetic disks, hard disks, etc.

In general, Regulation No. 2 outlines four requirements for technologies used to store biometric and genetic data outside databases. The Regulations impose the following obligations on the owner and operator of the database:

  • the owner and/or operator must ensure that authorized personnel have access to the personal data stored on material carriers;
  • the use of electronic signatures or other information technologies must be employed to maintain the integrity and invariability of biometric and genetic data; and
  • the possibility of verifying the subject's written consent for the processing of biometric and genetic data, or other grounds for processing biometric and genetic data provided by legislation.

Apart from these, the last requirement is the registration of instances where personal data is recorded without authorization and is repeatedly recorded after their retrieval from the database.

According to the Regulations, individuals found guilty of violating these requirements will be held accountable in accordance with the existing legislation. Uzbek legislation establishes administrative and criminal liability based on the nature and severity of the violation. Compliance with the requirements outlined in the Regulations safeguards organizations from potential claims arising from violations of the law.

Abdumalik Mukhtorov Junior Associate
[email protected]
Azizbek Suyunboev Junior Associate
[email protected]
Azizov & Partners Firm of Advocates, Tashkent