Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Turkmenistan - Data Protection Overview
Back

Turkmenistan - Data Protection Overview

November 2022

1. Governing Texts

The legislation of Turkmenistan on personal information and its protection is based on the Constitution of Turkmenistan (only available in Russian here) and consists of the Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection No. 519-V (only available in Russian here) ('the Law on Information') and other regulatory legal acts. The Law on Information sets the procedure for collecting, processing, and protecting personal information. Also, the Law on Information sets out the rights and obligations of the data subject and the operator and provides for sanctions for failure to comply with personal data protection requirements.

1.1. Key acts, regulations, directives, bills

The main document governing issues of data protection is the Law on Information. Additional technical provisions can also be found in various statutory documents, such as the Civil Code of Turkmenistan of 17 July 1998 No.294-1 (only available in Russian here), the Criminal Code of 10 May 2010 No. 104-IV (only available Russian here) ('the Criminal Code'), the Code of Turkmenistan of 29 August 2013 No. 422-IV on Administrative Offenses (only available in Russian here) ('the Administrative Code'), and others. However, the main principles, rights, and obligations are contained in the Law on Information.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law on Information governs relations connected with the collection, processing, and protection of personal information carried out by operators. 

2.2. Territorial scope

The Law on Personal information does not specify its territorial scope.

2.3. Material scope

The Law on Information covers personal data, special categories of personal data, biometric data, dissemination of personal information through the media, cross-border transfer of personal information, anonymisation of personal information, etc.

The Law on Information does not apply to relations arising in the following cases:

  • when collecting, processing, and protecting personal information by the subject for personal and family needs, if this does not violate the rights of other legal entities or individuals and the requirements of the laws of Turkmenistan;
  • formation, storage, accounting, and use of archival documents containing personal information, in accordance with the legislation of Turkmenistan on archives and archival affairs;
  • the collection, processing, and protection of personal information related to state secrets in accordance with the Law of Turkmenistan on State Secrets; or
  • the collection, processing, and protection of personal information in the course of operational-search activities, as well as the implementation of security measures to ensure the safety of protected persons and objects within the limits established by the laws of Turkmenistan.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Law on Information establishes the Cabinet of Ministers of Turkmenistan ('the Cabinet of Ministers') as the main regulator in the field of protecting personal data.

3.2. Main powers, duties and responsibilities

The functions of the Cabinet of Ministers include:

  • development of the main directions of state policy in the field of information about personal life;
  • management of the activities of central and local executive authorities in the field of information about a personal life;
  • approval of the procedure for operators to determine the list of personal information necessary and sufficient for the implementation of their tasks; and
  • approval of the procedure for the operator, as well as any third party, to take measures to protect personal information.

The Cabinet of Ministers have the right to form an authorised body for the protection of the rights of subjects, as well as to determine its status and powers.

4. Key Definitions

Personal data: The Law on Information uses the concept of information on personal life (personal information) rather than personal data and defines it as any data relating to the physical person determined or based on such data, fixed on electronic, paper, or other material medium. For the purposes of this overview, such a physical person will be referred to as a 'data subject'.

Sensitive data: The Law on Information does not provide for the concept of sensitive data. However, it defines special categories which is information concerning nationality, skin colour, attitude to religion, political convictions, health status, and intimate life.

Data controller: The Law on Information does not provide a concept for a data controller, although the functions of an operator resemble the functions of a data controller. The operator of a database of personal data is a state body, other legal entity, or physical person performing collection, processing, and protection of personal data, and also determining the purposes and content of these actions.

Data processor: The legislation of Turkmenistan does not provide for the concept of a data processor. Therefore, the meaning of data processor may be applicable to any third party, as well as the operator itself.

Processing of personal data: The actions aimed at accumulating, storing, refining, using, distributing, depersonalising, blocking, or destroying personal data.

Third party: A person who is not the data subject or the operator but connected through removed circumstances or a legal relationship to the collection, processing, and protection of personal data of the person.

Data subject: An individual to whom the personal information (personal data) relates.

Biometric data: Information characterising the physiological and biological characteristics of a person and allowing to establish the identity of the person to whom the information about personal data belongs.

Health data: The Law on Information does not define health data, although it does refer to information on the state of health as a special category of personal information.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

In the case of a revocation of consent by the data subject to the collection and processing of their personal information, the operator is obliged to stop the specified actions and destroy the personal information in a period not exceeding three working days from the date of receipt of the revocation. The destruction of personal information is to be notified to the data subject.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Compliance with law/International treaty

In cases of the subject's failure to fulfil their obligations to provide personal information in accordance with the laws of Turkmenistan, it will also be allowable to collect and process information for the implementation of state statistical activities or the implementation of international treaties ratified by Turkmenistan.

Compliance with law enforcement/enforcement proceedings

Collection and processing of personal data can be performed when carrying out law enforcement/enforcement proceedings. 

5.4. Interests of the data subject

Collection and processing of personal data without prior consent of the data subject can be carried out for protection of life, health, or other vital interests, if obtaining the consent of the data subject is impossible.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Collection and processing of personal data without prior consent of the data subject can be carried out for legitimate interests, including constitutional rights and freedoms of the data subject or other persons, if obtaining the consent of the data subject is impossible.

5.7. Legal bases in other instances

The Collection and processing of personal data is possible when carrying out legal professional activities of a journalist or the activities of a mass media or scientific, literary, or other creative activity, subject to the observance of human and civil rights and freedoms.

6. Principles

Pursuant to Article 5 of the Law on Information, collection, processing, and protection of personal information is carried out in accordance with the following principles:

  • observance of constitutional rights and freedoms of a person and citizen;
  • the legality of the purposes and methods of collecting and processing personal information;
  • compliance of the purposes of collecting and processing personal information with the purposes predetermined when collecting personal information, as well as the powers of the operator;
  • ensuring the safety of the individual, society, and state;
  • compliance of the methods of collecting and processing personal information and the volume of nature of the personal information collected with the purposes of their collection and processing;
  • the reliability of personal information, its sufficiency for the purposes of collection and processing, and the inadmissibility of the collection and processing of personal information that is excessive in relation to the purposes determined when collecting personal information; and
  • confidentiality of personal information of limited access.

7. Controller and Processor Obligations

According to the Law on Information, an operator has a right to collect and process personal information in the manner prescribed by the Law on Information and other regulatory legal acts of Turkmenistan. The Law on Information states that the collection and processing of personal data is carried out by the operator with the written consent of the data subject. Also, the operator shall notify the data subject, within one working day, of the transfer of their personal information to a third party.

Regarding the responsibilities of the operator, the Law on Information provides that the operator is obliged to:

  • approve a list of personal information necessary and sufficient for exercising the tasks;
  • take and comply with necessary measures, including legal, organisational, and technical measures, to protect personal information in accordance with the laws of Turkmenistan;
  • provide the data subject within one working day at their request with any personal information belonging to the data subject;
  • comply with the laws of Turkmenistan on personal information and their protection;
  • take measures to destroy personal information where the goal of collecting and processing it has been achieved, as well as in other cases established by the Law on Information and other regulatory legal acts of Turkmenistan;
  • present evidence of the data subject's consent to the collection and processing of personal information in cases provided for by the legislation of Turkmenistan;
  • provide a reasoned response in cases of refusal to provide information to the data subject within a period not exceeding one working day from the day of receiving the application;
  • provide information on the availability of the data subject's personal information and create an opportunity for them to familiarise themselves with it; and
  • specify whether to block or destroy the data subject's personal information if personal information is incomplete, outdated, inaccurate, or not necessary for the purposes of collection and processing.

Processor

As the Law on Information states, operators, and third parties who gain access to personal information of limited access should ensure the confidentiality of such information by complying with the requirements to prevent dissemination.

7.1. Data processing notification

The Law on Information does not provide for data processing notification.

7.2. Data transfers

The transfer of personal data is permitted if it does not violate the rights and freedoms of the data subject and does not affect the legitimate interests of other legal entities and individuals.

The transfer of personal data in cases that go beyond the predetermined goals of their collection is carried out with the consent of the data subject.

The transfer of personal data as a result of legal activities in cases provided for by the laws of Turkmenistan is allowed without the consent of the data subject.

The Law on Information also stipulates provisions regarding cross-border transfers of personal information. According to the Law on Information, cross-border transfer of personal information is the transfer of data to the territory of foreign countries. Personal information is subject to cross-border transfer restrictions in cases where the information is contained in personal data databases located in the territory of Turkmenistan.

In addition, cross-border transfers of personal information to the territory of foreign states are only to be carried out if these states ensure the protection of said information.

7.3. Data processing records

The Law on Information does not provide for the requirement for operators to maintain data processing records.

7.4. Data protection impact assessment

The Law on Information does not provide for requirements/recommendations for operators to carry out a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

The legislation of Turkmenistan does not contain requirements as to the appointment of a data protection officer ('DPO').

7.6. Data breach notification

In case of revealing inaccurate personal information or illegal actions with them, the operator, together with the data subject, within a period not exceeding three working days, is obliged to eliminate the violations, and if it is impossible to eliminate them, destroy the specified personal information, which is to be notified to the data subject.

7.7. Data retention

The storage period for personal information is determined by the date the goals of their collection and processing were achieved, unless otherwise provided by the laws of Turkmenistan.

If the goal of collecting and processing personal information is achieved, the operator is obliged to immediately stop the said actions and notify the data subject accordingly.

If the subject revokes the consent to the collection and processing of his personal information, the operator is obliged to stop these actions and destroy the personal information within a period not exceeding three working days from the date of receipt of the said revocation. The subject shall be notified of the destruction of personal information.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Pursuant to Article 21 of the Law on Information, the collection and processing of special categories of personal information concerning nationality, skin colour, attitude to religion, political convictions, state of health, and intimate life is not allowed, except for the following cases:

  • the subject has consented in writing;
  • the personal information is publicly available;
  • the personal information concerns the health of the subject and its collection and processing is necessary to protect life, health, or other vital interests of the subject, or the life, health, or other vital interests of others and obtaining the consent of the subject is impossible;
  • collection and processing is carried out for medical purposes, provided that the employees of the health authorities are obliged to keep medical secrecy in accordance with the legislation of Turkmenistan;
  • collection and processing are necessary in connection with administration of justice;
  • it is carried out by the relevant public association or religious organisation acting in accordance with the legislation of Turkmenistan to achieve the goals stipulated by their constituent documents, provided that the personal information of the members (participants) of the public association or religious organisation will not be disseminated without their written consent; and
  • collection and processing is carried out during operational investigative activities, as well as during execution of criminal sentences in accordance with the laws of Turkmenistan.

The collection and processing of personal information about criminal records is carried out by state bodies within the limits of the authority in cases and in the manner determined by the laws of Turkmenistan.

7.10. Controller and processor contracts

There is no specific requirement as to the conclusion of the agreement between an operator and other third parties. However, since the operator is responsible for the confidentiality of all the data that they have, the operator should ensure that the third party complies with the provision of non-disclosure. As a rule, this is created by means of signing corresponding non-disclosure or equivalent agreements.

Furthermore, pursuant to Article 7 of the Law on Information, the operator is not entitled to conclude an agreement on transferring to another party the performance of the collection and processing of personal information.

8. Data Subject Rights

Regarding the responsibilities of the operator, the Law on Information provides that the operator is obliged to:

  • take measures to protect the rights of the data subject and within one working day:
    • clarify personal information on the basis of relevant documents confirming their accuracy, or destroy it if it is impossible to clarify it;
    • block personal information relating to the data subject in the event that the availability of the information is in violation of the conditions for their collection or processing;
    • destroy personal information where confirmation of the fact of their collection or processing is in violation of the legislation of Turkmenistan, as well as in other cases provided for by the Law on Information and other regulatory legal acts of Turkmenistan; and
    • remove the blocking of personal information where violations of conditions for its collection and processing have been shown to be unfounded.

The information must be provided to the data subject free of charge and in an accessible form, and it should not contain personal information relating to other data subjects.

As provided in Article 26 of the Law on Information, a data subject has the following rights, to:

  • be made aware of the fact that the operator or the third party has the data subject's personal information, as well as receive information containing confirmation of the fact, purpose, sources, methods of collecting and processing of personal information;
  • be provided a list of the personal information;
  • be made aware of the terms of processing personal information, including the period of its storage;
  • require the operator to clarify the data subject's personal information if there are grounds confirmed by relevant documents;
  • require the operator, as well as the third party, to block access to the data subject's personal information in the event of the availability of information about a violation of the conditions for its collection and processing;
  • require the operator, as well as the third party, to destroy the data subject's personal information, the collection and processing of which were made in violation of the laws of Turkmenistan, as well as in other cases provided for by the Law on Information and other regulatory legal acts of Turkmenistan;
  • require the operator, as well as the third party, to clarify, block, or destroy personal data if it is incomplete, outdated, unreliable, or not necessary for the purposes of collection and processing;
  • withdraw consent to the collection and/or processing of personal information, except where this contradicts with the laws of Turkmenistan;
  • agree to or deny the operator from distributing or disseminating the data subject's personal information to publicly available sources; and
  • protection of the data subject's rights and legitimate interests, including compensation for moral and material harm.

8.1. Right to be informed

Where the personal information was not received from the data subject (unless it was obtained on the basis of the law or if personal information is publicly available), the operator must provide the following information to the data subject before collecting and processing such personal information:

  • name (last name, first name, and middle name) and address;
  • the purpose of collecting and processing personal information and its legal basis;
  • intended users of the personal information; and
  • the rights of the data subject, as established by the Law on Information.

8.2. Right to access

Pursuant to Article 22 of the Law on Information, everyone has the right to access personal information relating to themself.

8.3. Right to rectification

Rectification of personal data can be carried out by the operator on the basis of a request of the data subject or in other cases provided by the laws of Turkmenistan.

8.4. Right to erasure

The data subject has a right to require the operator, as well as a third party, to destroy their personal information, the collection and processing of which was carried out in violation of the laws of Turkmenistan, and/or personal data that is incomplete, outdated, unreliable, or not necessary for the purposes of collection and processing.

8.5. Right to object/opt-out

The data subject has the right to withdraw consent to the collection and processing of their personal information. The data subject cannot withdraw consent to the collection and processing of their personal information in cases where this is contrary to the laws of Turkmenistan, or if there is an unfulfilled obligation.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties 

According to the Criminal Code, illegal dissemination of information on which the legislation of Turkmenistan imposes permissive restrictions, by the owner or possessor of the personal data, including sources of information containing personal information of citizens, is punished by a fine in the amount of 40 to 70 average monthly wages with deprivation of the right to hold certain positions or engage in certain activities for up to two years, or correctional labour for up to one year with deprivation of the right to hold certain positions or engage in certain activities for up to two years.

As the Administrative Code sets out, illegal collection, storage, or dissemination of information about private life, constituting a personal or family secret of another person, without their consent, shall entail the imposition of a fine of between five to ten sizes of the basic value (approx. €145 to €290), or administrative arrest for up to 15 days.

In addition, illegal collection, storage, or dissemination of information about private life, constituting a personal or family secret of another person, without their consent, if the offence is repeated again within one year after the application of an administrative penalty, is punished with a fine of between five to ten average monthly wages, or correctional labour for up to one year.

9.1 Enforcement decisions

Not applicable.