Law: Law of the Republic of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data (only available in Russian here) ('the Law on Personal Data')
Regulator: The State Personalisation Centre of Uzbekistan and the Cabinet of Ministers of the Republic of Uzbekistan
Summary: The Law on Personal Data came into effect on 1 October 2019 and is the first unified data protection law in the Republic of Uzbekistan. The Law on Personal Data outlines requirements on data subjects' consent, the purposes of processing, and notifying data subjects when transferring their personal data to a third party. In addition, personal data should be stored by operators, data owners and/or third parties in databases, however the Law on Personal Data does not specify whether these need to be located in Uzbekistan. Furthermore, the Law on Personal Data excludes biometric, educational, criminal and health information, previously included in a draft version, from its application. More recently, the Law of the Republic of Uzbekistan of 15 April 2022 No. RK-764 on Cybersecurity (only available in Uzbek and Russian here) ('the Law on Cybersecurity') was enacted and entered into force on 17 July 2022. The Law on Cybersecurity regulates relations in the field of cybersecurity, establishes requirements for cybersecurity of information systems, and establishes an authority specifically for the sector.
Finally, the Cabinet of Ministers adopted, on 5 October 2022, Resolution No. 570 on the approval of certain normative legal documents in the field of processing of personal data ('the Resolution'), which entered into enforced on 7 January 2023. In particular, the Resolution approved two Regulations, namely, the Regulation on determining the levels of protection of personal data during their processing and the Regulation on the requirements for physical objects containing biometric and genetic data and technologies for storing such data outside personal databases.