Uzbekistan - Data Protection Overview

October 2022

1. Governing Texts

The legislative history of data protection in Uzbekistan can be divided into two periods. The first period started with Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information (only available in Uzbek and Russian here) ('the Law on Information'), and lasted for 16 years, until the enactment of Law of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data (only available in Uzbek and Russian here) ('the Law on Personal Data'), which initiated the second period.

1.1. Key acts, regulations, directives, bills

Legislative history

The Law on Information

During the first period, the Government of the Republic of Uzbekistan ('the Government') issued fragmented rules on data protection amongst general laws and sector-specific regulations. The Law on Information extended the provisions of Article 29 of the Constitution of the Republic of Uzbekistan of 8 December 1992 (as amended) on freedom of speech, expression, and information. Besides regulating the process of obtaining information (Articles 6 and 7 of the Law on Information), the Law on Information stated that some types of information were 'not to be provided' by the entities, namely the information which contains 'state and other protected by law secrets' (Article 9 of the Law on Information).

The next act of the Supreme Assembly during this first period was Law of the Republic of Uzbekistan of 12 December 2002 No. 439-II on Principles and Guarantees of Freedom of Information (only available in Uzbek and Russian here) ('the Freedom of Information Law'), which introduced several more concepts on the protection of information. Among others, the Freedom of Information Law gave legal definitions to the notions of information, informational resources, protection of information, and confidential information. It also provided for the specific ground for refusal to provide information if it is confidential or if, as a result of its disclosure, damage may be caused to the rights and legitimate interests of an individual and to the interests of society and the State (Article 10 of the Freedom of Information Law). In turn, the personal data of individuals was deemed confidential. It was prohibited by law, without the consent of an individual, to collect, store, process, distribute, or use information about personal life and that which violates the privacy of personal life and correspondence. The persons involved in any type of processing were to bear statutory responsibility for violating the procedure for using the information on individuals (Article 13 of the Freedom of Information Law). However, the Freedom of Information Law did not provide for that procedure, nor did it enumerate any other information deemed ipso jure confidential.

The Law on Informatisation

The final important law which remains significant even today is Law of the Republic of Uzbekistan of 11 December 2003 No. 560-II on Informatisation (only available in Uzbek and Russian here) ('the Law on Informatisation'). One of the main objectives of the Law on Informatisation was to create informational resources, IT, and information services markets. To achieve this, the Law on Informatisation:

  • established title of ownership on informational resources and information systems (Article 9 of the Law on Informatisation), thus providing their negotiability;
  • categorised information resources into publicly available and limited access. Confidential information and information to which access is limited by its owner were in the category of information with limited access. Neither the Law on Informatisation, nor subsequent legislation, established the procedure for the assignment of information resources to access categories which were initially planned to be followed by the owners;
  • obliged the owners of websites and webpages, including bloggers, not to exploit their respective data subjects with a view to disclosing information that contains State and other secrets protected by law. In the case of non-compliance, the Agency of Information and Mass Communications ('the Information Agency') and the Center for Mass Communications ('the Information Center') have the right to restrict access;
  • obliged State bodies, legal entities, and individuals to ensure the protection of information resources and information systems containing information on State secrets and confidential information;
  • excepted the procedure for the formation and use of information resources that contain personal data of individuals from its scope of application;
  • exempted the use of information resources for concluding contracts from its scope of application;
  • gave the right of unlimited access to individuals to the information resources which contain their personal data only with a view to making corrections to it. The Law on Informatisation also stated that in cases established by the legislation, individuals would have restricted access to their personal data; and
  • outlined the right to include information resources into the international information networks and the Internet. However, the resources containing the information resources with limited access were to establish sufficient security measures in the first place.

Moreover, the Law on Informatisation addresses the protection of information resources and information systems.

The Law on Electronic Document Management and the Law on E-Commerce

More specific rules on the protection of information (and personal data) were later developed in Law of the Republic of Uzbekistan of 29 April 2004 No. 611-II on Electronic Document Management (only available in Uzbek and Russian here) ('the Law on Electronic Document Management'), Law of the Republic of Uzbekistan of 29 April 2004 No. 613-II on Electronic Commerce (only available in Uzbek and Russian here) ('the Law on E-Commerce'), and numerous other government regulations.

The Law on E-Commerce stated that e-commerce providers must ensure the storage of electronic documents and electronic messages and prohibited the use of personal data:

  • for purposes other than the objectives of the contract;
  • for transferring to third parties; and
  • to distribute commercial offers and advertising, without the consent of the owner.

Information intermediaries follow more specific standards of protection.

The Law on Electronic Document Management left the question of document protection open, allowing the Government to adopt two further sets of rules, namely:

  • rules on geographical location of the main servers:
    • the hosting of the main server and reservation of any level is allowed only in the territory of Uzbekistan;
    • an information intermediary is required to place its information system on servers located in the territory of Uzbekistan;
    • the seller is required to ensure the storage of electronic documents and electronic messages, and the electronic trading platform should securely exchange documents (messages) and store them on servers located on the territory of Uzbekistan; and
    • the storage of documents, messages, and other information related to agreements concluded in electronic commerce should be carried out on the territory of Uzbekistan. The seller and/or the information intermediary is required to ensure the safety of personal data, both of buyers and other individuals who became known to them during the conclusion of electronic commerce agreements, and the protection of their information systems, databases, means, and environment for storing electronic documents and messages from unauthorised access; and
  • rules on the content of open (publicly available) data. Information included in the open data set must meet the following requirements:
    • information provided for posting on the State Portal shall not contain information constituting State, military, or official secret, or other information having access restrictions;
    • it shall not contain other information prohibited by law;
    • it shall not contain false information;
    • it shall not disclose information containing State, banking, commercial, tax, or other secret protected by law, as well as confidential information; and
    • it shall not provide access to personal data of individuals.

Current legislation

As noted above, the following legislation is therefore relevant to the field of data protection:

  • the Law on Personal Data;
  • the Law on Information;
  • the Freedom of Information Law;
  • the Law on Informatisation;
  • the Law on Electronic Document Management;
  • the Law on E-Commerce;
  • Law of the Republic of Uzbekistan of 15 April 2022 No. RK-764 on Cybersecurity (only available in Uzbek and Russian here);
  • Law of the Republic of Uzbekistan of 26 August 2004 No. 660-II on Countering Legalisation of Proceeds from Crime, the Financing of Terrorism, and the Financing of the Proliferation of Weapons of Mass Destruction (only available in Uzbek and Russian here);
  • Law of the Republic of Uzbekistan of 4 April 2006 No. ZRU-30 on Protection of Information in the Automated Banking System (only available in Uzbek and Russian here);
  • Law of the Republic of Uzbekistan of 1 November 2019 No. ZRU-578 on Payments and Payment Systems (only available in Uzbek and Russian here) ('the Law on Payments and Payment Systems'); and
  • Law of the Republic of Uzbekistan of 24.11.2020 No. ZRU-649 on State Genomic Registration (only available in Uzbek and Russian here) ('the Law on State Genomic Registration').

The President of the Republic of Uzbekistan has issued the following decrees:

  • Decree of the President of the Republic of Uzbekistan of 21 November 2018 No. PP-4024 on Measures to Improve the Control System for the Implementation of Information Technologies and Communications (only available in Uzbek and Russian here); and
  • Decree of the President of the Republic of Uzbekistan of 2 February 2019 No. UP-5653 on Additional Measures to Further Developing the Sphere of Information and Mass Communications (only available in Uzbek and Russian here).

The Cabinet of Ministers of the Republic of Uzbekistan ('the Cabinet of Ministers') has issued the following decrees:

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 10 July 1998 No. 293 on Additional Measures to Increase the Efficiency of Using the Frequency Spectrum, Forming, and Distribution of TV and Radio Programs and Data Transfer (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 26 March 1999 No. 137 on Approval of the Regulation on the Procedure for Preparing and Distributing the Information Resources of the Republic of Uzbekistan on the Data Transfer Networks, including the Internet (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 22 November 2005 No. 256 on Improvement of the Regulatory Legal Framework in the field of Informatisation (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 21 April 2009 No. 116 on Order of Submission and Posting of Information on the Government Portal of the Republic of Uzbekistan on the Internet (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 7 November 2011 No. 296 on Measures for the Implementation of the Resolution of the President of the Republic of Uzbekistan of 8 July 2011 No. PP-1572 on Additional Measures for the Protection of National Information Resources (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 2 June 2016 No. 185 on Measures to Further Improve the Implementation of Transactions in Electronic Commerce (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 2 August 2016 No. 249 on Approval of the Regulation on the Organisation of Activities of Information Intermediaries-Organisers of Electronic Fairs, Auctions, and Competitions (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 1 May 2018 No. 318 on Approval of the Regulations on the Ministry for the Development of Information Technologies and Communications of the Republic of Uzbekistan and the Inspection for Control in the Field of Communications, Informatisation, and Telecommunication Technologies under the Ministry for the Development of Information Technologies and Communications of the Republic of Uzbekistan (only available in Uzbek and Russian here);
  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 5 September 2018 No. 707 on Measure to Improve Information Security in the Global Information Network Internet (only available in Uzbek and Russian here);
  • Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 8 February 2020 No. 71 on Approval of the Regulation on the Procedure for Registering Personal Databases in the State Register of Personal Databases (only available in Uzbek and Russian here) ('the Standard Procedure for Registering Personal Databases'); and
  • Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 29 November 2021 No. 717 on Approval of the Regulations on the Organization of a Special Regime for the Support of Artificial Intelligence Technologies and the Procedure for its Activities (only available in Uzbek here).

Finally, the following orders and decrees have also been issued:

  • Order of the Minister for the Development of Information Technologies and Communications of the Republic of Uzbekistan of 30 June 2020 No. 3275 on Approval of the Rules for the Provision of Data Network Services (only available in Uzbek here);
  • Decree of the Ministry for the Development of Information Technologies and Communications of the Center for Coordination and Development of the Securities Market at the State Committee for Competition of the Republic of Uzbekistan of 11 December 2015 No. 2739 on Approval of the Regulation on the Procedure for Ensuring the Safety of Electronic Records in Accounting Registers (only available in Uzbek and Russian here) ('the Regulation on Accounting Registers'); and
  • Decree of the Management Board of the Central Bank of the Republic of Uzbekistan of 10 March 2020 No. 3224 on Approval of the Regulation on the Protection of Information in Automated Systems of Commercial Banks of the Republic of Uzbekistan (only available in Uzbek and Russian here) ('the Decree on Automated Systems').

1.2. Guidelines

No guidelines have been published by the relevant authorities at the moment.

1.3. Case law

Not applicable.

2. Scope of Application 

2.1. Personal scope

The Law on Personal Data applies to relations arising from the processing and protection of personal data (Article 3 of the Law on Personal Data). The participants in the processing of personal data include the operator of a database and the owner of a database, as well as any representatives or third parties (Article 9 of the Law on Personal Data). An owner and/or operator may be a State body, an individual, or a legal entity (Article 4 of the Law on Personal Data).

At the time of publication, the scope of application of the laws and regulations covers substantially different entities, for example, commercial banks, telecommunication operators and providers, information and investment intermediaries, and sellers in e-commerce. This is primarily because data protection legislation has been regulated by sector-specific government regulations before the enactment of the Law on Personal Data, and secondly because during that period, laws provided only declaratory provisions with unspecific enforcement mechanisms. The situation did not change even after the enactment of the Law on Personal Data as those regulations are still in force. However, they are mostly in line with the Law on Personal Data.

2.2. Territorial scope

The Law on Personal Data does not explicitly define its territorial scope.

2.3. Material scope

The Law on Personal Data covers the following types of processing:

  • collection;
  • systematisation;
  • storage;
  • modification;
  • supplementation;
  • use;
  • provision;
  • distribution;
  • transfer (including cross-border);
  • depersonalisation; and
  • erasure.

The Law on Personal Data does not specifically exempt particular types of processing, rather it provides whole categories of data that are not within its scope of application. Those categories are (Article 3 of the Law on Personal Data):

  • when an individual processes the personal data for personal, domestic purposes, and unrelated to their professional or commercial activity;
  • the formation, storage, and use of documents of the National Archival Fund and other archival documents containing personal data;
  • the processing of personal data related to State secrets; and
  • the processing of personal data obtained in the course of operational search, intelligence and counterintelligence activities, and law enforcement activities.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulators are the Cabinet of Ministers and the State Personalisation Center ('the SPC') under the Cabinet of Ministers. Several other functions in the sphere of information (data) protection are carried out by the following State bodies:

3.2. Main powers, duties and responsibilities

Cabinet of Ministers

The Cabinet of Ministers carries out the following functions:

  • monitoring implementation of a unified State policy and programs in the field of personal data;
  • determining the procedure for maintaining the State Register of Personal Data Databases ('the State Register');
  • approving the procedure for registering databases of personal data in the State Register;
  • coordinating the activities of State administration and economic management bodies, and local government authorities in the field of personal data; and
  • on the basis of data provided by the SPC, setting:
    • security levels during the processing of personal data, depending on security threats;
    • protection requirements during the processing of personal data; and
    • requirements for material carriers of biometric and genetic data, and technologies for storing such data outside of databases of personal data.

State Personalisation Center

In the field of personal data, the SPC carries out the following functions:

  • implementing State policy;
  • participating in the development and implementation of State and other programs;
  • adopting:
    • the Standard Procedure for Registering Personal Databases; and
    • the Standard Procedure for Organising the Activities of a Structural Unit or an Authorised Person of the Owner (or Operator), Ensuring the Processing of Personal Data and Their Protection ('the Standard Procedure for Processing Personal Data'). Although a draft resolution of the Cabinet of Ministers on the approval of the Standard Procedure for Processing Personal Data (only available in Uzbek here) was introduced and discussed in 2019, such standard is yet to be approved;
  • maintaining the State Register, and issuing a Certificate of Registration of a Personal Data Database in the State Register;
  • exercising state control over compliance with the requirements of the legislation and making proposals to the Cabinet of Ministers on improving the regulatory framework;
  • sending the information in relation to the scope of their activities to the State security authorities;
  • determining a necessary level of security of personal data, and analysing the volume and content of processed personal data, the type of activity, and any threats to the security of personal data;
  • executing orders to eliminate violations of the legislation on personal data which are binding upon legal entities and individuals; and
  • cooperating with competent authorities of foreign states and international organisations.

4. Key Definitions

Data controller: The Law on Personal Data does not provide for this specific term, but it refers to the 'owner of a database.' An owner is defined as a State body, an individual, and/or legal entity that has the right to own, use, and dispose of the personal database (Article 4 of the Law on Personal Data).

Data processor: The Law on Personal Data does not provide for this specific term, but its meaning can be covered by the notion of the 'operator.' An operator is a State body, an individual, and/or a legal entity that processes personal data (Article 4 of the Law on Personal Data).

Personal data: Information recorded on electronic, paper, or other tangible medium of expression relating to a specific individual or enabling the identification thereof.

Sensitive data: Information to be protected due to the fact that its disclosure, modification, erasure, or concealment may harm the participants of the securities market (Regulation on Accountability Registers). The Law on Personal Data does not provide for this specific term, but refers to 'special personal data' in Article 25 of the Law on Personal Data. Special personal data is data relating to:

  • racial or social origin;
  • political, religious, or ideological beliefs;
  • membership in political parties and trade unions;
  • physical or mental health;
  • information about private life; and
  • criminal record.

Health data: The Law on Personal Data does not provide for this specific term, but health data is covered in the definition of special personal data, which includes data relating to physical or mental health.

Biometric data: Personal data which describes anatomical and physiological characteristics of the data subject (Article 26 of the Law on Personal Data).

Pseudonymisation: Referred to as 'depersonalisation,' the actions as a result of which it becomes impossible to determine whether personal data belongs to a particular subject (Article 16 of the Law on Personal Data).

Genomic data: Personal data, including encoded information about certain fragments of deoxyribonucleic acid (DNA) of a person or an unidentified corpse (Article 3 of the Law on State Genomic Registration).

Databases of personal data: A database in the form of an information system containing personal data (Article 4 of the Law on Personal Data).

Publicly available personal data: Personal data that is freely accessible with the consent of the data subject or which is not confidential (Article 29 of the Law on Personal Data).

Genetic data: Personal data related to the inherited or acquired characteristics of the data subject, which are known as a result of the analysis of the biological sample of the data subject or of another element that allows obtaining equivalent information (Article 26 of the Law on Personal Data).

Data subject: The natural person to whom the personal data relates (Article 4 of the Law on Personal Data).

5. Legal Bases

5.1. Consent

The Law on Personal Data does not define the term 'consent,' but Article 21 of the Law on Personal Data specifies the form in which it should be given.

The data subject may agree to the processing of personal data in any form that allows confirmation of its receipt.

For the processing of special personal data (data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to physical or mental health, information about private life, and criminal record), the consent of the subject in writing is required, including in the form of an electronic document.

The consent of the subject in writing, including in the form of an electronic document, is mandatory if the controller/processor uses exclusively automated processing.

In the event of incapacity or limitation of the legal capacity of the subject, written consent, including in the form of an electronic document, to the processing of their personal data is given by their legal representative.

Furthermore, the data subject may withdraw consent in the form in which consent was given, or in writing, including in the form of an electronic document.

5.2. Contract with the data subject

According to the Law on Personal Data, data processing can be carried out in order to fulfil the contract to which the subject is a party, or to take measures at the request of the subject before concluding such a contract (Article 18 of the Law on Personal Data).

Moreover, exclusively automated processing is allowed when there is an agreement between controller/processor and the subject, or for the purposes of fulfilment of the conditions of a previously concluded agreement (Article 24 of the Law on Personal Data).

5.3. Legal obligations

According to Article 18 of the Law on Personal Data, the processing of personal data can be carried out in order to fulfil the obligations of the owner and/or operator as defined by legislation.

5.4. Interests of the data subject

Article 18 of the Law on Personal Data stipulates that processing of personal data can be carried out for the protection of the interest of the data subject or another person.

Furthermore, if it is necessary to process personal data in order to protect the rights and legitimate interests of the data subject, such processing is allowed without their consent, until the moment when it becomes possible to obtain consent (Article 18 of the Law on Personal Data).

5.5. Public interest

The Law on Personal Data does not provide any specific norms on public interest. However, Article 18 states that the processing of personal data can be carried out to achieve socially significant purposes, provided that this does not violate the rights and legitimate interests of the data subjects.

5.6. Legitimate interests of the data controller

Article 18 of the Law on Personal Data specifies that processing of personal data can be carried out to exercise the rights and legitimate interests of the owner and/or operator, or a third party, provided that this does not violate the rights and legitimate interests of the data subjects.

5.7. Legal bases in other instances

Additional legal bases

Article 18 of the Law on Personal Data outlines that processing of personal data can also be carried out:

  • for statistical or other research purposes, subject to the mandatory depersonalisation of personal data; or
  • if the personal data is obtained from publicly available sources.

Special personal data

Article 25 of the Law on Personal Data provides that the processing of special personal data is prohibited, except:

  • in order to ensure State security from external and internal threats by the authorised State body;
  • if the data subject has given their consent in writing, including in the form of an electronic document, to the processing of their special personal data;
  • if special personal data is published by the subject in publicly available sources;
  • in order to protect the rights and legitimate interests of the data subject or other persons;
  • when carrying out the activities of courts and relevant law enforcement agencies in the framework of an initiated criminal case and enforcement proceedings;
  • when the prosecutor's office implements measures aimed at countering the legalisation of proceeds from criminal activity and the financing of terrorism;
  • when carrying out the activities of State statistics bodies, as well as when other State bodies use personal data for statistical purposes, with the obligatory condition of their depersonalisation;
  • when providing medical and social services or establishing a medical diagnosis, treatment, on the condition that such data is processed by a medical worker or another person of a health care institution who is entrusted with the responsibility to ensure the protection of personal data;
  • when exercising rights and fulfilling obligations in the field of labour relations;
  • while ensuring the protection of the legitimate interests of the data subject or a third party, in the event of incapacity or limited legal capacity of the data subject;
  • when disclosing personal data, including personal data of candidates for elected public office;
  • when carrying out activities by a non-governmental non-profit organisation, religious organisation, political party, or trade union, provided that the processing concerns exclusively the personal data of members or employees of these organisations and associations, and personal data is not transferred to a third party without the consent of the data subjects;
  • when processing personal data of children left without parental care, when they are placed in families of citizens and other measures to ensure guardianship and guardianship;
  • when processing personal data in order to ensure State security; and
  • when processing data on convictions by State bodies, as well as by other persons within the limits of their authority.

Biometric and genetic data

Biometric and genetic data that is used to establish the identity of a subject can be processed only with the consent of the data subject, with the exception of cases related to the implementation of international treaties of the Republic of Uzbekistan, administration of justice, enforcement proceedings, as well as in other cases provided for by law (Article 26 of the Law on Personal Data).

Genomic data

Starting from 2023, a procedure will be introduced by which the state will carry out genomic registration that will include the processing of genomic data. Notably, the accounting and storage of such genomic data will be contained in a single database.

Genomic data obtained during the state genomic registration will be used for the purposes of:

  • prevention, disclosure and investigation of crimes, as well as identification of persons who committed them;
  • search for missing persons;
  • identification of unidentified corpses (remains, body parts); and
  • establishing biological kinship.

The transfer of genomic data to third parties is prohibited. Furthermore, the transfer of genomic data outside the territory of the Republic of Uzbekistan is prohibited, except in cases of transfer of genomic data within the framework of individual criminal cases in accordance with international treaties and laws of the Republic of Uzbekistan.

Genomic data can be blocked, depersonalised, or destroyed. Moreover, blocking of genomic data stored in a single database of genomic data is carried out by an authorised state body, if there is information about violations of the conditions for its processing. The authorised state body carries out depersonalisation of genomic data stored in a single database of genomic data, in order to increase its security and reduce the level of possible damage in cases of transmission of genomic data (Articles 23-30 of the Law on State Genomic Registration).

Publicly available data

Article 29 of the Law on Personal Data notes that in order to provide information to the population, publicly available sources of personal data may be created, including biographical directories, telephone, address books, and public electronic information resources. The publicly available sources of personal data, with the written consent of the data subject, may include their last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession, and other data reported by the data subject.

6. Principles

Article 5 of the Law on Personal Data outlines a number of basic principles, including the legality of processing, as well as accuracy, reliability, confidentiality, and security of personal data.

7. Controller and Processor Obligations

The owner (or operator) has the right to process personal data, and during the processing, they are obliged to (Article 31 of the Law on Personal Data):

  • comply with personal data legislation;
  • provide information regarding the processing of the data subjects' personal data upon their request;
  • approve the content of personal data necessary and sufficient to perform tasks;
  • take measures to erase personal data;
  • provide evidence of the consent of the data subject to the processing;
  • alter personal data subject to documentary confirmation of the reliability of the new data or erase it, in case it is impossible to introduce those alterations;
  • temporarily suspend processing or erase personal data if there is information about a violation of the conditions for their processing;
  • provide the opportunity for the data subjects to submit documents in an electronic form to temporarily suspend the processing and/or erasure of their personal data;
  • notify the data subject in writing, as well as other participants in the processing of personal data in cases of changes, erasure of and restrictions of access to personal data;
  • notify the data subject in writing in cases where there is a transfer of personal data to a third party;
  • register owned and/or processed databases of personal data; and
  • take the necessary legal, organisational, and technical measures to protect personal data.

The obligations of the owner (or operator), as well as a third party, to protect personal data arise from the moment the personal data is collected, and remain valid until the data is erased or depersonalised. According to the Law on Personal Data, the owner and the operator have the same set of rights and responsibilities.

When processing personal data for historical, statistical, sociological, or scientific research, the owner and operator, as well as a third party, are obliged to depersonalise such data (Article 16 of the Law on Personal Data).

Moreover, it should be noted that Uzbekistan has created a preferential regime for all subjects working on artificial intelligence ('AI'). In particular, the legislation allows them to obtain depersonalised data from governmental resources for development and support of AI technologies.

7.1. Data processing notification

Databases of personal data are subject to registration in the State Register (Article 20 of the Law on Personal Data). Such registration is carried out free of charge by filing an online notification through the User Identification System (available in Russian here). However, at the request of the owner (or operator), the application for registration may also be submitted in print form. In the application, the operator or owner indicates, inter alia, the following information (the Standard Procedure for Registering Personal Databases):

  • the purpose of processing personal data;
  • the ability of remote management of databases;
  • whether this data is the property of the owner (or operator);
  • whether permission has been obtained from the data subject;
  • whether there is a possibility of cross-border transfer of personal data;
  • whether there is a person (an employee) who is responsible for the processing of personal data; and
  • a list of processed personal data of the data subject, which may contain biometric, genetic, and other data.

The data subject is to be notified in writing about the purposes of the processing and their rights during the processing of personal data. In the case of the transfer of personal data to a third party, the owner (or operator) must notify the entity in writing within three days. It is worth noting that the amendments and additions to the databases are also subject to registration within ten days from the date of their introduction. In this case, the registration number of the database remains unchanged.

Submitted applications are reviewed by the SPC, and a decision on the registration or refusal thereof will be made within 15 days from the date of application (Rule 15 of the Resolution). The SPC may request additional information from the owner and/or operator in the case of incomplete applications, and the SPC can refuse to register a database on the ground of an incomplete submission (Rules 19 and 20 of the Resolution). Once the decision to register has been made, the SPC will register the database in the State Register with a unique registration number as well as issue a certificate of registration (Rules 16 and 17 of the Resolution).

The owner and/or operator is obliged to notify the SPC of any changes and/or additions to the information provided for registration within ten days from the date of occurrence (Article 20 of the Law on Personal Data and Rule 23 of the Standard Procedure for Registering Personal Databases). Furthermore, the owner and/or operator is also obliged to notify the SPC when it terminates the processing of personal data within ten days from the date of termination (Rule 27 of the Standard Procedure for Registering Personal Databases).

Databases of personal data are excluded from the State Register, inter alia:

  • upon suspension or termination of the activities of the owner (or operator);
  • upon the expiration of the processing of personal data or the term for their termination; and
  • based on a court decision to suspend the processing of personal data of the owner (or operator).

After removing the database from the State Register, its registration number cannot be used later.

Exemptions

Databases that contain the following personal data are not subject to registration:

  • related to the participants (members) of a public association or religious organisation, and processed accordingly by a public association or religious organisation, provided that personal data will not be distributed or disclosed to a third party;
  • data which is made publicly available by the data subject;
  • data which only includes the data subject's full name;
  • data which is necessary for the purpose of a single pass of the data subject to the territory on which the owner (or operator) is located, or for other similar purposes;
  • data included in information systems of personal data which have the status of State automated information systems;
  • data which is processed without the use of automation; and
  • data which is processed in accordance with labour legislation.

The procedure for registration is set out in Chapter 3 and Appendix 1 of the Standard Procedure for Registering Personal Databases as well as the Manuals for submitting an application (only available in Uzbek here) ('the Manuals'). Furthermore, applicants should file their submissions in compliance with the sample form provided in Appendix 2 of the Standard Procedure for Registering Personal Databases.

In particular, applicants should first register their personal details through the User Identification System, which can be accessed in Uzbek and Russian here, before submitting an application via the State Register website here.

7.2. Data transfers

The owner (or operator) can transfer personal data from Uzbekistan to the territory of foreign states which can ensure adequate protection of the rights of the data subject (Article 15 of the Law on Personal Data). Cross-border transfers to states that do not provide adequate protection may be carried out in the following cases:

  • with the data subject's consent;
  • to protect the constitutional and public order, the rights and freedoms of citizens, health, and morality of the population; and
  • if stipulated by international treaties to which Uzbekistan is a signatory.

The owner (or operator) also has the right to entrust the processing of personal data to a third party in the following cases:

  • with the written consent of the subject (including in the form of electronic document);
  • if the decision is made pursuant to an agreement between the owner and the data subject;
  • to fulfil the conditions of a previously concluded agreement; or
  • as prescribed by law.

Notably, the Law on Personal Data was amended by Law of 14 January 2021 No. ЗРУ-666 on Amendments and Additions to Some Legislative Acts (only available in Uzbek here) to introduce a new data localisation rule in Article 27-1 of the Law on Personal Data. Accordingly, the owner and/or operator, when processing personal data of citizens of the Republic of Uzbekistan using information technologies, including via a global information network, is obliged to:

  • ensure that databases of personal data are collected, systematised, and stored using technical means physically located on the territory of the Republic of Uzbekistan; and
  • register such databases in the prescribed manner in the State Register.

In this regard, on 25 February 2021, the SPC issued a statement (only available in Uzbek here) to clarify the impact of the data localisation rule and confirmed that it will introduce a normative document on the implementation and technical conditions of the data localisation rule.

7.3. Data processing records

The Law on Personal Data does not provide any provision that controllers/operators should maintain a record of processing activities.

7.4. Data protection impact assessment

The Law on Personal Data does not provide any provision that controllers/operators should carry out Data Protection Impact Assessments.

7.5. Data protection officer appointment

The owner (or operator) is responsible for determining a structural unit or an officer responsible for the work related to the processing and protection of personal data and ensures that it works in accordance with the Standard Procedure for Processing Personal Data (Article 31 of the Law on Personal Data).

The employees of the owner (or operator), as well as of a third party, are required to carry out the processing only in accordance with their professional, official, or labour duties, and to prevent the disclosure of personal data that they have been entrusted with or that has become known to them in connection with the performance of their respective duties.

An appointed structural unit or official is required to ensure that work related to personal data is carried out in accordance with the standard procedure for processing personal data (Article 31 of the Law on Personal Data).

If adopted, Article 5 of the Draft Standard Procedure provides that the structural unit or official is responsible for ensuring the security of personal data in the information systems of the owner and/or operator. Furthermore, the Draft Standard Procedure would require the structural unit or official to select and implement methods for protecting information, and organisations that have a license issued in the prescribed manner to carry out activities for the technical protection of confidential information may be engaged for this purpose (Article 18 of the Draft Standard Procedure).

7.6. Data breach notification

There are no data breach notification requirements under the Law on Personal Data.

However, according to Article 57 of the Law on Payments and Payment Systems, in the event of a breach of the information security regime, payment system operators and payment service providers promptly report to the Central Bank on the violation and the measures taken to minimise its consequences. The Central Bank carries out the formation and maintenance of a database of violations of the information security regime of payment systems. Besides that, commercial banks immediately notify the Central Bank of the accident (connected to data protection) in writing or electronically (Item 32 of the Decree on Automated Systems).

7.7. Data retention

In general, Article 17 of the Law on Personal Data provides that personal data is subject to destruction by the owner and/or operator, as well as by a third party:

  • upon achieving the purpose of processing personal data;
  • if there is a revocation of the data subject's consent to the processing of personal data;
  • upon expiration of the period for processing personal data, determined by the consent of the data subject;
  • upon entry into legal force of a court decision.

Furthermore, the use and storage of biometric and genetic data in electronic form outside information systems can only be carried out on tangible media that exclude unauthorised access to them (Article 26 of the Law on Personal Data).

In addition, the existing regulations impose the following obligations on the accounting of log files, without providing detailed mechanisms of implementation:

  • the internet service provider of a public point of access is obliged to organise the accounting of the used internet web resources (log files) and their storage for three months;
  • the organiser of the WiFi service is obliged, together with the operator and/or provider, to take hardware and technical measures to identify the users, as well as to organise the accounting of used web resources (log files) in the manner specified by law;
  • the operator and provider have the rights to organise the accounting of the web resources of the data transfer network used by the subscriber (maintaining log files); and
  • when providing WiFi services, the operator and provider are obliged to take hardware and technical measures to identify users, as well as organise the accounting of used web resources (log files).

7.8. Children's data

For juvenile subjects, consent to the processing of their personal data in writing, including in the form of an electronic document, is given by parents, and in their absence, guardianship and trusteeship authorities.

7.9. Special categories of personal data

Special personal data is data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data relating to physical or mental health, information about private life, and criminal record.

As outlined in the section on legal bases in other instances above, the processing of special personal data is prohibited, with the exception of limited cases.

7.10. Controller and processor contracts

The Law on Personal Data does not specifically regulate contractual relations between the owner and the operator.

However, according to the Law on Informatization, one can have a right (title) of ownership to the information systems (among which are the databases of personal data) and information resources (which are in the information system), and thus the Civil Code of Uzbekistan No 163-I of 21 December 1995, (as amended) (only available in Uzbek and Russian here), governs the relations between the owners and/or operators of information resources, which means the general law of obligations applies to agreements concluded between them.

8. Data Subject Rights 

Notably, data subjects have a statutory duty to provide their personal data in order to protect the foundations of the constitutional order, and for reasons related to morality, health, rights, and the legitimate interests of citizens of Uzbekistan, to ensure State defence and security (Article 30 of the Law on Personal Data).

8.1. Right to be informed

The data subject has the right to know that the owner (or operator), as well as a third party, possess their personal data and the type of personal data that they possess.

Furthermore, the subject has the right to receive information regarding the processing of their personal data containing (Article 22 of the Law on Personal Data):

  • confirmation of the fact of processing of personal data;
  • grounds and purposes of processing of personal data;
  • applicable methods of processing of personal data;
  • the name of the owner and (or) operator and their location (mailing address), information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement concluded with the owner and (or) operator, or based on law;
  • the composition of the processed personal data relating to the relevant subject, the source of their receipt, unless otherwise provided by the Law on Personal Data;
  • terms for processing of personal data, including periods for their storage;
  • the procedure for the exercise by the subject of the rights provided for in Article 30 of the Law on Personal Data;
  • information about the carried out or alleged cross-border transfer of personal data.

The data subject, when including their personal data in the personal database, must be notified in writing about the purposes of processing of personal data. In the case of the transfer of personal data to a third party, the owner and/or operator must, within three days, notify the data subject in writing (Article 23 of the Law on Personal Data).

The data subject's right to receive information regarding the processing of their personal data may be limited in cases where the provision of such information violates the rights and legitimate interests of others.

Furthermore, the owner and/or operator may be released from the obligation to provide information to the data subject where (Article 22 of the Law on Personal Data):

  • the subject was previously notified of the processing of their personal data;
  • personal data was made publicly available by the subject or obtained from a publicly available source;
  • providing such information will violate the rights and legitimate interests of individuals and legal entities.

A notice of refusal to provide information regarding the processing of personal data shall be sent to the submitting subject in writing within ten days. In addition, the decision to refuse to provide information regarding the processing of personal data may be appealed by the subject to the authorised State body or court.

8.2. Right to access

The subject's right to receive information regarding the processing of their personal data may be limited in cases where the provision of such information violates the rights and legitimate interests of others.

8.3. Right to rectification

The duty to change, and add to, the personal data collected/processed by the owner and/or operator on the basis of the appeal of the subject must be carried out no later than three days from the date of such request (Article 11 of the Law on Personal Data).

Changes and additions to personal data that do not correspond to reality are made without delay from the moment such non-compliance is established (Article 11 of the Law on Personal Data).

8.4. Right to erasure

As noted in the section on data retention above, personal data must be destroyed by the owner and (or) operator, as well as by a third party, if there is a withdrawal of the consent of the subject to the processing of personal data.

Furthermore, in accordance with the Rules for the Provision of Data Network Services, the operator is obliged to erase the subscriber's personal data from its database in accordance with the legislation, after the termination of the contract with the subscriber. In addition, the dealer is obliged to erase the subscriber's personal data in accordance with the legislation after providing the operator with such data.

8.5. Right to object/opt-out

Under the right to object, the data subject may require a temporary suspension of the processing of their personal data, in case it is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the purpose of processing.

Furthermore, information about a data subject may be excluded from publicly available sources of personal data upon their request, submitted in the form in which consent was given, or in writing, including in the form of an electronic document, as well as by decision of an authorised state body or court.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The subject has the right not to be subject to a decision on the basis of exclusively automated processing of their personal data, affecting their rights and legitimate interests, giving rise to legal consequences (Article 24 of the Law on Personal Data).

A decision based on exclusively automated processing of the subject's personal data can be made in the following cases:

  • the presence of the consent of the subject in writing, including in the form of an electronic document;
  • if the decision is made pursuant to an agreement between the owner and the subject, or fulfilment of the conditions of a previously concluded agreement; and
  • prescribed by law.

8.8. Other rights

Data subjects also have the right to apply to the SPC or the relevant court for the protection of their rights and legitimate interests, as well as the right to give and withdraw consent to the processing of their personal data and to give consent to distribute their personal data in publicly available sources.

9. Penalties

According to the Administrative Responsibility Code of Uzbekistan of 22 September 1994 No. 2015-XII (as amended by Law of 29 October 2021 No. ZRU-726) (only available in Uzbek and Russian here) ('the Administrative Code'), unlawful processing of personal data using information technologies, including on the worldwide information network Internet, may be sanctioned by a fine in the amount of seven base calculation amounts ('BCA') (approx. €155) for citizens and 50 BCA (approx. €1,100) for officials. If the unlawful processing is repeated after the imposition of the above-mentioned administrative fine, then fines can amount to 100-150 BCA (approx. €2,200 to €3,300), or the person will be deprived of a certain right for up to three years, or sentenced to correctional labour for up to two years. The offender shall be subject to criminal liability in the form of a fine from 150 to 200 BCA (approx. €3,300 to €4,400), or correctional labour for up to three years, or restriction of liberty for up to three years, or imprisonment for up to three years, if the same actions are:

  • committed by prior conspiracy by a group of persons;
  • committed repeatedly or by a dangerous recidivist;
  • committed out of mercenary or other base motives;
  • committed using official position; and/or
  • entailing grave consequences.

9.1. Enforcement decisions

No decisions have been rendered yet.