
Uzbekistan - Data Protection Overview

March 2024

1. Governing Texts

The legislative history of data protection in Uzbekistan can be divided into two periods. The first period started with Law of Uzbekistan of 24 April 1994 No 400-I on Guarantees and Freedom of Access to Information ('the Law on Information'), and lasted for 16 years, until the enactment of Law of Uzbekistan of 2 July 2019 No. LRU-547 on Personal Data (only available in Uzbek and Russian here) ('the Law on Personal Data'), which initiated the second period.

1.1. Key acts, regulations, directives, bills

Legislative history

The Law on Information

During the first period, the Government of the Republic of Uzbekistan ('the Government') issued fragmented rules on data protection amongst general laws and sector-specific regulations. The Law on Information extended the provisions of Article 29 of the Constitution of the Republic of Uzbekistan of 8 December 1992 (as amended) on freedom of speech, expression, and information. Besides regulating the process of obtaining information (Articles 6 and 7 of the Law on Information), the Law on Information stated that some types of information were 'not to be provided' by the entities, namely the information which contains 'state and other protected by law secrets' (Article 9 of the Law on Information).

The next act of the Supreme Assembly during this first period was Law of the Republic of Uzbekistan of 12 December 2002 No. 439-II on Principles and Guarantees of Freedom of Information (only available in Uzbek and Russian here) ('the Freedom of Information Law'), which introduced several more concepts on the protection of information. Among others, the Freedom of Information Law gave legal definitions to the notions of information, informational resources, protection of information, and confidential information. It also provided a specific ground for refusing to provide information if it is confidential or if, as a result of its disclosure, damage may be caused to the rights and legitimate interests of an individual or to the interests of society and the State (Article 10 of the Freedom of Information Law). In turn, the personal data of individuals was deemed confidential. It was prohibited by law, without the consent of the individual, to collect, store, process, distribute, or use information about personal life, as well as information that violates the privacy of personal life and correspondence. The persons involved in any type of processing were to bear statutory responsibility for violating the procedure for using information on individuals (Article 13 of the Freedom of Information Law). However, the Freedom of Information Law neither provided for that procedure nor enumerated any other information deemed ipso jure confidential.

The Law on Informatization

The final important law, which remains significant even today, is Law of the Republic of Uzbekistan of 11 December 2003 No. 560-II on Informatization ('the Law on Informatization'). One of the main objectives of the Law on Informatization was to create informational resources, IT, and information services markets. To achieve this, the Law on Informatization:

  • established title of ownership on informational resources and information systems (Article 9 of the Law on Informatization), thus providing for their negotiability;

  • categorized information resources into publicly available and limited access. Confidential information and information to which access is limited by its owner were in the category of information with limited access. Neither the Law on Informatization, nor subsequent legislation, established the procedure for the assignment of information resources to access categories which were initially planned to be followed by the owners;

  • obliged the owners of websites and webpages, including bloggers, not to exploit their respective data subjects with a view to disclosing information that contains State and other secrets protected by law. In the case of non-compliance, the Agency of Information and Mass Communications ('the Information Agency') and the Center for Mass Communications ('the Information Center') have the right to restrict access;

  • obliged State bodies, legal entities, and individuals to ensure the protection of information resources and information systems containing information on State secrets and confidential information;

  • excepted the procedure for the formation and use of information resources that contain personal data of individuals from its scope of application;

  • exempted the use of information resources for concluding contracts from its scope of application;

  • gave the right of unlimited access to individuals to the information resources which contain their personal data only with a view to making corrections to it. The Law on Informatization also stated that in cases established by the legislation, individuals would have restricted access to their personal data; and

  • outlined the right to include information resources into the international information networks and the Internet. However, the resources containing the information resources with limited access were to establish sufficient security measures in the first place.

Moreover, the Law on Informatization addresses the protection of information resources and information systems.

The Law on Electronic Document Management and the Law on E-Commerce

More specific rules on the protection of information (and personal data) were later developed in Law of the Republic of Uzbekistan of 29 April 2004 No. 611-II on Electronic Document Management (only available in Uzbek and Russian here) ('the Law on Electronic Document Management'), Law of the Republic of Uzbekistan of 29 April 2004 No. 613-II on Electronic Commerce (only available in Uzbek and Russian here) ('the Law on E-Commerce'), and numerous other government regulations.

The Law on E-Commerce stated that e-commerce providers must ensure the storage of electronic documents and electronic messages and prohibited the use of personal data:

  • for purposes other than the objectives of the contract;

  • for transferring to third parties; and

  • to distribute commercial offers and advertising, without the consent of the owner.

Information intermediaries follow more specific standards of protection.

The Law on Electronic Document Management left the question of document protection open, allowing the Government to adopt two further sets of rules, namely:

  • rules on geographical location of the main servers:

    • the hosting of the main server and reservation of any level is allowed only in the territory of Uzbekistan;

    • an information intermediary is required to place its information system on servers located in the territory of Uzbekistan;

    • the seller is required to ensure the storage of electronic documents and electronic messages, and the electronic trading platform should securely exchange documents (messages) and store them on servers located on the territory of Uzbekistan;

    • the storage of documents, messages, and other information related to agreements concluded in electronic commerce should be carried out on the territory of Uzbekistan. The seller and/or the information intermediary is required to ensure the safety of personal data, both of buyers and other individuals who became known to them during the conclusion of electronic commerce agreements, and the protection of their information systems, databases, means, and environment for storing electronic documents and messages from unauthorized access; and

  • rules on the content of open (publicly available) data: information included in the open data set must meet the following requirements:

    • information provided for posting on the State Portal shall not contain information constituting a State, military, or official secret, or other information subject to access restrictions;

    • it shall not contain other information prohibited by law;

    • it shall not contain false information;

    • it shall not disclose information containing State, banking, commercial, tax, or other secrets protected by law, as well as confidential information; and

    • it shall not provide access to the personal data of individuals.

Current legislation

As noted above, the following legislation is therefore relevant to the field of data protection:

  • the Law on Personal Data;

  • the Law on Information;

  • the Freedom of Information Law;

  • the Law on Informatization;

  • the Law on Electronic Document Management;

  • the Law on E-Commerce;

  • Law of the Republic of Uzbekistan of 15 April 2022 No. RK-764 on Cybersecurity (only available in Uzbek and Russian here);

  • Law of the Republic of Uzbekistan of 26 August 2004 No. 660-II on Countering Legalization of Proceeds from Crime, the Financing of Terrorism, and the Financing of the Proliferation of Weapons of Mass Destruction (only available in Uzbek and Russian here);

  • Law of the Republic of Uzbekistan of 4 April 2006 No. ZRU-30 on Protection of Information in the Automated Banking System (only available in Uzbek and Russian here); 

  • Law of the Republic of Uzbekistan of 1 November 2019 No. ZRU-578 on Payments and Payment Systems (only available in Uzbek and Russian here) ('the Law on Payments and Payment Systems'); and

  • Law of the Republic of Uzbekistan of 24 November 2020 No. ZRU-649 on State Genomic Registration (only available in Uzbek and Russian here) ('the Law on State Genomic Registration').

The President of the Republic of Uzbekistan has issued the following decrees:

  • Decree of the President of the Republic of Uzbekistan of 21 November 2018 No. PP-4024 on Measures to Improve the Control System for the Implementation of Information Technologies and Communications (only available in Uzbek and Russian here); and

  • Decree of the President of the Republic of Uzbekistan of 13 June 2016 No. UP-5653 on Additional Measures to Further Developing the Sphere of Information and Mass Communications (only available in Uzbek and Russian here).

The Cabinet of Ministers of the Republic of Uzbekistan ('the Cabinet of Ministers') has issued the following decrees:

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 10 July 1998 No. 293 on Additional Measures to Increase the Efficiency of Using the Frequency Spectrum, Forming, and Distribution of TV and Radio Programs and Data Transfer (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 26 March 1999 No. 137 on Approval of the Regulation on the Procedure for Preparing and Distributing the Information Resources of the Republic of Uzbekistan on the Data Transfer Networks, including the Internet (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 22 November 2005 No. 256 on Improvement of the Regulatory Legal Framework in the field of Informatization (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 21 April 2009 No. 116 on Order of Submission and Posting of Information on the Government Portal of the Republic of Uzbekistan on the Internet;

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 7 November 2011 No. 296 on Measures for the Implementation of the Resolution of the President of the Republic of Uzbekistan of 8 July 2011 No. PP-1572 on Additional Measures for the Protection of National Information Resources (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 2 June 2016 No. 185 on Measures to Further Improve the Implementation of Transactions in Electronic Commerce (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 2 August 2016 No. 249 on Approval of the Regulation on the Organization of Activities of Information Intermediaries-Organizers of Electronic Fairs, Auctions, and Competitions (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 1 May 2018 No. 318 on Approval of the Regulations on the Ministry for the Development of Information Technologies and Communications of the Republic of Uzbekistan and the Inspection for Control in the Field of Communications, Informatization, and Telecommunication Technologies under the Ministry for the Development of Information Technologies and Communications of the Republic of Uzbekistan (only available in Uzbek and Russian here);

  • Decree of the Cabinet of Ministers of the Republic of Uzbekistan of 5 September 2018 No. 707 on Measure to Improve Information Security in the Global Information Network Internet (only available in Uzbek and Russian here);

  • Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 8 February 2020 No. 71 on Approval of the Regulation on the Procedure for Registering Personal Databases in the State Register of Personal Databases (only available in Uzbek and Russian here) ('the Standard Procedure for Registering Personal Databases');

  • Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 29 November 2021 No. 717 on Approval of the Regulations on the Organization of a Special Regime for the Support of Artificial Intelligence Technologies and the Procedure for its Activities (only available in Uzbek here); and

  • Resolution of the Cabinet of Ministers of the Republic of Uzbekistan of 5 October 2022 No. 570 on Approval of Certain Normative Legal Documents in the Field of Processing of Personal Data (only available in Uzbek here) (the 'Resolution No. 570').

Finally, the following orders and decrees have also been issued:

  • Order of the Minister for the Development of Information Technologies and Communications of the Republic of Uzbekistan of 30 June 2020 No. 3275 on Approval of the Rules for the Provision of Data Network Services (only available in Uzbek here);

  • Decree of the Ministry for the Development of Information Technologies and Communications of the Center for Coordination and Development of the Securities Market at the State Committee for Competition of the Republic of Uzbekistan of 11 December 2015 No. 2739 on Approval of the Regulation on the Procedure for Ensuring the Safety of Electronic Records in Accounting Registers (only available in Uzbek and Russian here) ('the Regulation on Accounting Registers'); and

  • Decree of the Management Board of the Central Bank of the Republic of Uzbekistan of 10 March 2020 No. 3224 on Approval of the Regulation on the Protection of Information in Automated Systems of Commercial Banks of the Republic of Uzbekistan ('the Decree on Automated Systems').

1.2. Guidelines

The Ministry of Justice has published the following guidelines:

  • Standard Procedure for Organizing the Activities of a Structural Unit or Official of the Owner and (or) Operator of the Database of Personal Data, Ensuring Personal Data Processing and Their Protection, registered on 15 November 2023, No. 3477 ('Standard Procedure No. 1'); and

  • Standard Procedure of Personal Data Processing, registered on 15 November 2023, No. 3478 (only available in Uzbek here) ('Standard Procedure No. 2').

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law on Personal Data applies to relations arising from the processing and protection of personal data (Article 3 of the Law on Personal Data). The participants in the processing of personal data include the operator of the database and the owner of the database, as well as any representatives or third parties (Article 9 of the Law on Personal Data). An owner and/or operator may be a State body, an individual, or a legal entity (Article 4 of the Law on Personal Data).

At the time of publication, the scope of application of the laws and regulations covers substantially different entities, for example, commercial banks, telecommunication operators and providers, information and investment intermediaries, and sellers in e-commerce. This is primarily because, before the enactment of the Law on Personal Data, data protection had been regulated by sector-specific government regulations, and secondly because during that period the laws provided only declaratory provisions with unspecific enforcement mechanisms. The situation did not change after the enactment of the Law on Personal Data, as those regulations remain in force. However, they are mostly in line with the Law on Personal Data.

2.2. Territorial scope

The Law on Personal Data does not explicitly define its territorial scope. 

2.3. Material scope

The Law on Personal Data covers the following types of processing:

  • collection;

  • systematization;

  • storage;

  • modification;

  • supplementation;

  • use;

  • provision;

  • distribution;

  • transfer (including cross-border);

  • depersonalization; and

  • erasure.

The Law on Personal Data does not specifically exempt particular types of processing, rather it provides whole categories of data that are not within its scope of application. Those categories are (Article 3 of the Law on Personal Data):

  • when an individual processes the personal data for personal, domestic purposes, and unrelated to their professional or commercial activity;

  • the formation, storage, and use of documents of the National Archival Fund and other archival documents containing personal data;

  • the processing of personal data related to State secrets; and

  • the processing of personal data obtained in the course of operational search, intelligence and counterintelligence activities, and law enforcement activities.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulators are the Cabinet of Ministers and the Personalization Agency ('the Agency') under the Ministry of Justice. Several other functions in the sphere of information (data) protection are carried out by the following State bodies:

3.2. Main powers, duties and responsibilities

Cabinet of Ministers

The Cabinet of Ministers carries out the following functions:

  • monitoring implementation of a unified State policy and programs in the field of personal data;

  • determining the procedure for maintaining the State Register of Personal Data Databases ('the State Register');

  • approving the procedure for registering databases of personal data in the State Register;

  • coordinating the activities of State administration and economic management bodies, and local government authorities in the field of personal data; and

  • on the basis of data provided by the Agency, setting:

    • security levels during the processing of personal data, depending on security threats;

    • protection requirements during the processing of personal data; and

    • requirements for material carriers of biometric and genetic data, and technologies for storing such data outside of databases of personal data.

Personalization Agency

In the field of personal data, the Agency carries out the following functions:

  • implementing State policy;

  • participating in the development and implementation of State and other programs;

  • adopting:

    • the Standard Procedure for Registering Personal Databases; and

    • the Standard Procedure for Organizing the Activities of a Structural Unit or an Authorized Person of the Owner (or Operator), Ensuring the Processing of Personal Data and Their Protection ('the Standard Procedure for Processing Personal Data'). Although a draft resolution of the Cabinet of Ministers on the approval of the Standard Procedure for Processing Personal Data (only available in Uzbek here) was introduced and discussed in 2019, such standard is yet to be approved;

  • maintaining the State Register, and issuing a Certificate of Registration of a Personal Data Database in the State Register;

  • exercising state control over compliance with the requirements of the legislation and making proposals to the Cabinet of Ministers on improving the regulatory framework;

  • sending the information in relation to the scope of their activities to the State security authorities;

  • determining a necessary level of security of personal data, and analyzing the volume and content of processed personal data, the type of activity, and any threats to the security of personal data;

  • executing orders to eliminate violations of the legislation on personal data which are binding upon legal entities and individuals;

  • cooperating with competent authorities of foreign states and international organizations; and

  • providing recommendations to the structural unit or official of the owner and/or operator at their request if there is uncertainty or problem with regard to personal data processing.

4. Key Definitions

Data controller: The Law on Personal Data does not provide for this specific term, but it refers to the 'owner of a database.' An owner is defined as a State body, an individual, and/or legal entity that has the right to own, use, and dispose of the personal database (Article 4 of the Law on Personal Data).

Data processor: The Law on Personal Data does not provide for this specific term, but its meaning can be covered by the notion of the 'operator.' An operator is a State body, an individual, and/or a legal entity that processes personal data (Article 4 of the Law on Personal Data).

Personal data: Information recorded on electronic, paper, or other tangible medium of expression relating to a specific individual or enabling the identification thereof.

Sensitive data: Information that is to be protected because its disclosure, modification, erasure, or concealment may harm the participants of the securities market (Regulation on Accounting Registers). The Law on Personal Data does not provide for this specific term but refers to 'special personal data' in Article 25 of the Law on Personal Data. Special personal data is data relating to:

  • racial or social origin;

  • political, religious, or ideological beliefs;

  • membership in political parties and trade unions;

  • physical or mental health;

  • information about private life; and

  • criminal record.

Health data: The Law on Personal Data does not provide for this specific term, but health data is covered in the definition of special personal data, which includes data relating to physical or mental health.

Biometric data: Personal data which describes anatomical and physiological characteristics of the data subject (Article 26 of the Law on Personal Data).

Pseudonymization: Referred to as 'depersonalization,' the actions as a result of which it becomes impossible to determine whether personal data belongs to a particular subject (Article 16 of the Law on Personal Data).

Genomic data: Personal data, including encoded information about certain fragments of the deoxyribonucleic acid (DNA) of a person or of an unidentified corpse (Article 3 of the Law on State Genomic Registration).

Databases of personal data: A database in the form of an information system containing personal data (Article 4 of the Law on Personal Data).

Publicly available personal data: Personal data that is freely accessible with the consent of the data subject or which is not confidential (Article 29 of the Law on Personal Data).

Genetic data: Personal data related to the inherited or acquired characteristics of the data subject, which are known as a result of the analysis of the biological sample of the data subject or of another element that allows obtaining equivalent information (Article 26 of the Law on Personal Data).

Data subject: The natural person to whom the personal data relates (Article 4 of the Law on Personal Data).

5. Legal Bases

5.1. Consent

The Law on Personal Data does not provide the definition to the term 'consent,' but specifies the form in which it should be taken in Article 21 of the Law on Personal Data.

The data subject may agree to the processing of personal data in any form that allows confirmation of its receipt. Standard Procedure No. 2 gives the example that the subject can also express consent by accepting the offer of the data processor if the latter explicitly indicates the processing of personal data (Clause 9 of Standard Procedure No. 2).

The Standard Procedure No. 2 clarifies that the consent form should contain the following information:

  1. name, tax identification number of the data processor (surname, first name and patronymic of an individual, personal identification number of the subject);

  2. surname, first name, and patronymic of the data subject;

  3. the purposes of personal data processing;

  4. the list of personal data of the subject, for the processing of which consent is given;

  5. period of validity of the consent to personal data processing;

  6. consent to the provision of personal data to third parties and (or) data transfer;

  7. consent to the dissemination of personal data in publicly available sources; and

  8. other information (Clause 11 of the Standard Procedure No. 2).

For the processing of special personal data (data on racial or social origin, political, religious, or ideological beliefs, membership in political parties and trade unions, as well as data relating to physical or mental health, information about private life, and criminal record), the consent of the subject in writing is required, including in the form of an electronic document.

The consent of the subject in writing, including in the form of an electronic document, is mandatory if the controller/processor uses exclusively automated processing.

In the event of incapacity or limitation of the legal capacity of the subject, written consent, including in the form of an electronic document, to the processing of their personal data is given by their legal representative.

Furthermore, the data subject may withdraw consent in the form in which consent was given, or in writing, including in the form of an electronic document.

5.2. Contract with the data subject

According to the Law on Personal Data, data processing can be carried out in order to fulfill the contract to which the subject is a party or to take measures at the request of the subject before concluding such a contract (Article 18 of the Law on Personal Data).

Moreover, exclusively automated processing is allowed when there is an agreement between the controller/processor and the subject, or for the purposes of fulfillment of the conditions of a previously concluded agreement (Article 24 of the Law on Personal Data).

5.3. Legal obligations

According to Article 18 of the Law on Personal Data, the processing of personal data can be carried out in order to fulfill the obligations of the owner and/or operator as defined by legislation.

5.4. Interests of the data subject

Article 18 of the Law on Personal Data stipulates that the processing of personal data can be carried out for the protection of the interest of the data subject or another person.

Furthermore, if it is necessary to process personal data in order to protect the rights and legitimate interests of the data subject, such processing is allowed without their consent, until the moment when it becomes possible to obtain consent (Article 18 of the Law on Personal Data).

5.5. Public interest

The Law on Personal Data does not provide any specific norms on public interest. However, Article 18 states that the processing of personal data can be carried out to achieve socially significant purposes, provided that this does not violate the rights and legitimate interests of the data subjects.

5.6. Legitimate interests of the data controller

Article 18 of the Law on Personal Data specifies that processing of personal data can be carried out to exercise the rights and legitimate interests of the owner and/or operator, or a third party, provided that this does not violate the rights and legitimate interests of the data subjects.

5.7. Legal bases in other instances

Additional legal bases

Article 18 of the Law on Personal Data outlines that processing of personal data can also be carried out:

  • for statistical or other research purposes, subject to the mandatory depersonalization of personal data; or

  • if the personal data is obtained from publicly available sources.

Special personal data

Article 25 of the Law on Personal Data provides that the processing of special personal data is prohibited, except:

  • in order to ensure State security from external and internal threats by the authorized State body;

  • if the data subject has given their consent in writing, including in the form of an electronic document, to the processing of their special personal data;

  • if special personal data is published by the subject in publicly available sources;

  • in order to protect the rights and legitimate interests of the data subject or other persons;

  • when carrying out the activities of courts and relevant law enforcement agencies in the framework of an initiated criminal case and enforcement proceedings;

  • when the prosecutor's office implements measures aimed at countering the legalization of proceeds from criminal activity and the financing of terrorism;

  • when carrying out the activities of State statistics bodies, as well as when other State bodies use personal data for statistical purposes, with the obligatory condition of their depersonalization;

  • when providing medical and social services or establishing a medical diagnosis, or treatment, on the condition that such data is processed by a medical worker or another person of a health care institution who is entrusted with the responsibility to ensure the protection of personal data;

  • when exercising rights and fulfilling obligations in the field of labor relations;

  • while ensuring the protection of the legitimate interests of the data subject or a third party, in the event of incapacity or limited legal capacity of the data subject;

  • when disclosing personal data, including personal data of candidates for elected public office;

  • when carrying out activities by a non-governmental non-profit organization, religious organization, political party, or trade union, provided that the processing concerns exclusively the personal data of members or employees of these organizations and associations, and personal data is not transferred to a third party without the consent of the data subjects;

  • when processing the personal data of children left without parental care, when they are placed in the families of citizens, and when taking other measures to ensure guardianship;

  • when processing personal data in order to ensure State security; and

  • when processing data on convictions by State bodies, as well as by other persons within the limits of their authority.

Biometric and genetic data

Biometric and genetic data that is used to establish the identity of a subject can be processed only with the consent of the data subject, with the exception of cases related to the implementation of international treaties of the Republic of Uzbekistan, administration of justice, enforcement proceedings, as well as in other cases provided for by law (Article 26 of the Law on Personal Data).

There are specific requirements for the material carriers containing biometric and genetic data. First of all, such material carriers must be marked as 'confidential' or 'for professional use', and the owner and/or operator must keep the records of such material carriers. Regulation No.2 also requires that when biometric and genetic data are stored electronically, such data should be encrypted and protected cryptographically or in any other manner.

Moreover, the owner and/or operator should take appropriate security measures to prevent theft, erasure, destruction, unauthorized acquisition, alteration, and uncontrolled abandonment of material carriers on which biometric and genetic data are recorded. When taking such measures, the material carriers of biometric and genetic data and the premises in which they are stored must:

  • meet the requirements of fire safety, sanitary norms, rules, and hygienic standards, and be guaranteed against flooding;

  • have reliable means of protection that exclude access to them by unauthorized persons;

  • be stored in safes, metal shelves, or metal racks; and

  • be stored in rooms equipped with security alarms and video surveillance devices, with entrance doors and windows connected to the security service.

Material carriers should be used for the period specified by the owner and/or operator who recorded biometric and genetic data on the material carrier, but no longer than the period of use specified by the manufacturer of the material carrier. When personal data is deleted from material carriers on which biometric and genetic data is recorded, such material carriers shall not be written off. The material carriers that have not been written off may be reused for personal data processing in the future, except for the material carriers intended for one-time use and worn out.

Additionally, the Uzbek legislation sets out specific requirements for the storage of biometric and genetic data outside of databases of personal data. When storing biometric and genetic data outside of databases of personal data, the following conditions must be maintained:

  • access to personal data stored on a material carrier only for authorized persons of the owner and/or the operator;

  • use of electronic signature means or other information technologies that allow preserving the integrity and invariability of biometric and genetic data recorded on a material carrier; and

  • verifying whether the subject's written consent to process biometric and genetic data or other grounds for processing biometric and genetic data stipulated by law exist.

An owner and/or operator shall have the right to establish additional requirements, not conflicting with legislative requirements, for technologies of storage of biometric and genetic data outside databases of personal data, depending on methods and means of protection of such data in databases of this owner and/or operator.

Genomic data

Starting in 2023, a procedure will be introduced by which the state will carry out genomic registration that will include the processing of genomic data. Notably, the accounting and storage of such genomic data will be contained in a single database.

Genomic data obtained during the state genomic registration will be used for the purposes of:

  • prevention, disclosure, and investigation of crimes, as well as identification of persons who committed them;

  • search for missing persons;

  • identification of unidentified corpses (remains, body parts); and

  • establishing biological kinship.

The transfer of genomic data to third parties is prohibited. Furthermore, the transfer of genomic data outside the territory of the Republic of Uzbekistan is prohibited, except in cases of transfer of genomic data within the framework of individual criminal cases in accordance with international treaties and laws of the Republic of Uzbekistan.

Genomic data can be blocked, depersonalized, or destroyed. Moreover, blocking of genomic data stored in the single database of genomic data is carried out by an authorized state body if there is information about violations of the conditions for its processing. The authorized state body carries out depersonalization of genomic data stored in the single database of genomic data in order to increase its security and reduce the level of possible damage in cases of transmission of genomic data (Articles 23-30 of the Law on State Genomic Registration).

Publicly available data

Article 29 of the Law on Personal Data notes that in order to provide information to the population, publicly available sources of personal data may be created, including biographical directories, telephone, address books, and public electronic information resources. The publicly available sources of personal data, with the written consent of the data subject, may include their last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession, and other data reported by the data subject.

Data collected by means of video recording devices

As per Standard Procedure No. 2, collecting data by means of video recording devices (e.g. security cameras) which are installed for security or precautionary purposes is not considered a collection of personal data in the sense of personal data legislation, unless the recordings are intended to be processed for specific purposes. Meanwhile, the dissemination of data collected through these video recording devices is prohibited.

6. Principles

Article 5 of the Law on Personal Data outlines a number of basic principles, including the legality of processing, as well as the accuracy, reliability, confidentiality, and security of personal data.

7. Controller and Processor Obligations

The owner (or operator) has the right to process personal data, and during the processing, they are obliged to (Article 31 of the Law on Personal Data):

  • comply with personal data legislation;

  • provide information regarding the processing of the data subjects' personal data upon their request;

  • approve the content of personal data necessary and sufficient to perform tasks;

  • take measures to erase personal data;

  • provide evidence of the consent of the data subject to the processing;

  • alter personal data subject to documentary confirmation of the reliability of the new data or erase it, in case it is impossible to introduce those alterations;

  • temporarily suspend processing or erase personal data if there is information about a violation of the conditions for their processing;

  • provide the opportunity for the data subjects to submit documents in an electronic form to temporarily suspend the processing and/or erasure of their personal data;

  • notify the data subject in writing, as well as other participants in the processing of personal data in cases of changes, erasure of, and restrictions of access to personal data;

  • notify the data subject in writing in cases where there is a transfer of personal data to a third party;

  • register owned and/or processed databases of personal data; and

  • take the necessary legal, organizational, and technical measures to protect personal data.

The obligations of the owner (or operator), as well as of a third party, to protect personal data arise from the moment the personal data is collected and remain in force until the data is erased or depersonalized. According to the Law on Personal Data, the owner and the operator have the same set of rights and responsibilities.

When processing personal data for historical, statistical, sociological, and scientific research, the owner and operator, as well as a third party, are obliged to depersonalize such data (Article 16 of the Law on Personal Data).

Moreover, it should be noted that Uzbekistan has created a preferential regime for all subjects working on artificial intelligence ('AI'). In particular, the legislation allows them to obtain depersonalized data from governmental resources for the development and support of AI technologies.

Levels of Protection of Personal Data

The Regulation on Determining the Levels of Protection of Personal Data During Their Processing approved by Resolution No. 570 (the 'Regulation') determines the levels of protection of personal data with which the owner (or operator) must comply while processing personal data.

When processing personal data, the owner and/or operator shall implement organizational and technical measures for the protection of personal data based on threats to their security. There are three types of threats to the security of personal data:

  • type I threats are threats related to the presence of undeclared (undocumented) capabilities in the system software of the database of personal data;

  • type II threats are threats related to the presence of undeclared (undocumented) capabilities in the application software of the database of personal data; and

  • type III threats are threats related to the presence of undeclared (undocumented) capabilities in both the system and the application software of the database of personal data.

As a result, when processing personal data in databases, four levels of protection of such data shall be established. A level of protection is required when at least one of its conditions is present; to ensure that level, all of the listed requirements must be met.

4th level of protection

Conditions:

  • the presence of type III threats to databases and the processing of publicly available data in the database.

Requirements:

  1. organization of the security regime of the premises in which the databases are located, preventing the possibility of uncontrolled entry into, or presence in, these premises by persons who do not have the right of access to them;
  2. ensuring the security of material media of personal data;
  3. approval by the head of the owner and/or the operator of the document defining the list of persons whose access to personal data processed in databases is necessary for the performance of their official (labor) duties; and
  4. use of means of data protection which have passed the procedure of evaluation of compliance with the legislative requirements in the field of information security, in cases when the application of such means is necessary for the protection of personal data from existing threats.

3rd level of protection

Conditions:

  • the existence of type II threats to the databases and the processing of publicly available data of the owner's and/or operator's employees, or of publicly available data of fewer than 50,000 subjects who are not employees of the owner and/or operator;
  • the existence of type III threats to databases and the processing of special data of the owner's and/or operator's employees and/or special data of fewer than 50,000 subjects who are not employees of the owner and/or operator; and
  • the existence of type III threats to databases and the processing of biometric and/or genetic data.

Requirements:

  1. the fulfillment of the requirements specified for the 4th level of protection; and
  2. appointment of an official (employee) responsible for ensuring the security of personal data in the databases.

2nd level of protection

Conditions:

  • the existence of type I threats to databases and the processing of publicly available personal data in databases;
  • the existence of type II threats to databases and the processing of special data of employees of the owner and/or the operator, or of special data of fewer than 50,000 subjects who are not employees of the owner and/or the operator;
  • the existence of type II threats to databases and the processing of biometric and/or genetic data in the databases;
  • the existence of type II threats to databases and the processing of publicly available data of more than 50,000 subjects who are not employees of the owner and/or operator in the databases; and
  • the existence of type III threats to databases and the processing of special data of more than 50,000 subjects who are not employees of the owner and/or the operator in databases.

Requirements:

  1. the fulfillment of the requirements specified for the 3rd level of protection; and
  2. providing access to the electronic journal of messages (security log) exclusively to the officials (employees) or to the authorized person who needs the information contained in that journal to perform their job (labor) duties.

1st level of protection

Conditions:

  • the existence of type I threats to the databases and the processing of special and/or biometric and/or genetic personal data in the databases; and
  • the existence of type II threats to databases and the processing of special personal data of more than 50,000 subjects who are not employees of the owner and/or the operator.

Requirements:

  1. the fulfillment of the requirements specified for the 2nd level of protection;
  2. automatic registration in the electronic security log of changes in the owner's and/or operator's employees' authorization to access the personal data contained in the databases; and
  3. establishment of a structural subdivision responsible for ensuring the security of personal data in databases, or assignment of the functions for ensuring such security to one of the existing structural subdivisions.
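The conditions above combine three inputs (threat type, category of data, and whether the subjects are employees or, if not, how many of them there are) and the requirements are cumulative from the 4th level up to the 1st. The following checker encodes that decision logic so an owner or operator can work out the level a given database falls into and the full requirement set for it. It is an added illustration, not text of Resolution No. 570 or the Regulation, and not code from DataGuidance; the category names, the DataSet structure and the treatment of exactly 50,000 subjects (the page only speaks of 'less than' and 'more than' 50,000, so this code places exactly 50,000 in the stricter bucket) are assumptions of this example, and ordinary personal data that is neither publicly available, special nor biometric/genetic is not classified here because the page's table does not mention it.

```python
"""Checker for the four protection levels of Resolution No. 570, as summarised
on the page.  Added example; category names and the DataSet type are assumptions."""
from dataclasses import dataclass

# Threat types as defined on the page: undeclared capabilities in the system
# software (I), in the application software (II), or in both (III).
THREAT_TYPES = {1, 2, 3}

# Data categories named in the table (assumed identifiers for this example).
PUBLIC, SPECIAL, BIOMETRIC = "public", "special", "biometric_genetic"

# The subject-count threshold the table uses for non-employee subjects.
THRESHOLD = 50_000


@dataclass(frozen=True)
class DataSet:
    """One body of personal data held in a database (assumed structure)."""
    category: str                   # PUBLIC, SPECIAL or BIOMETRIC
    employees_only: bool            # True if only the owner/operator's own staff
    non_employee_subjects: int = 0  # count of subjects who are not employees


def _large(ds: DataSet) -> bool:
    """True for the 'more than 50,000 non-employee subjects' bucket.

    Assumption: exactly 50,000 is not covered by the page's wording, so it is
    placed in the stricter bucket.  Employee-only data never counts as large."""
    return (not ds.employees_only) and ds.non_employee_subjects >= THRESHOLD


def required_level(threat_type: int, ds: DataSet) -> int:
    """Return the protection level (1 = strictest, 4 = least strict) that the
    table assigns to one data set under the given threat type."""
    if threat_type not in THREAT_TYPES:
        raise ValueError(f"unknown threat type {threat_type!r}")
    if ds.category == PUBLIC:
        if threat_type == 3:
            return 4            # 4th level, condition 1
        if threat_type == 2:
            return 2 if _large(ds) else 3   # 2nd level cond. 4 / 3rd level cond. 1
        return 2                # type I, 2nd level condition 1
    if ds.category == SPECIAL:
        if threat_type == 3:
            return 2 if _large(ds) else 3   # 2nd level cond. 5 / 3rd level cond. 2
        if threat_type == 2:
            return 1 if _large(ds) else 2   # 1st level cond. 2 / 2nd level cond. 2
        return 1                # type I, 1st level condition 1
    if ds.category == BIOMETRIC:
        return {3: 3, 2: 2, 1: 1}[threat_type]  # 3rd / 2nd / 1st level conditions
    raise ValueError(f"category {ds.category!r} is not classified by the table")


def required_level_for_database(threat_type: int, datasets) -> int:
    """A database holding several data sets must meet the strictest level
    (the smallest number) triggered by any of them."""
    return min(required_level(threat_type, ds) for ds in datasets)


# Requirements introduced at each level; lower levels inherit the higher ones.
REQUIREMENTS = {
    4: ["security regime of the premises housing the databases",
        "security of material media of personal data",
        "approved list of persons whose duties require access to the data",
        "certified data-protection means where needed against existing threats"],
    3: ["appointed official responsible for personal data security"],
    2: ["security log accessible only to persons who need it for their duties"],
    1: ["automatic logging of changes to employees' access authorizations",
        "structural subdivision responsible for personal data security"],
}


def requirements(level: int) -> list:
    """Cumulative requirement list for a level: level n includes everything
    required for levels n+1 .. 4."""
    if level not in REQUIREMENTS:
        raise ValueError(f"unknown level {level!r}")
    out = []
    for lvl in range(4, level - 1, -1):
        out.extend(REQUIREMENTS[lvl])
    return out


if __name__ == "__main__":
    # Constructed sample: a customer database with public and special data of
    # 60,000 non-employees, application software with undeclared capabilities.
    db = [DataSet(PUBLIC, False, 60_000), DataSet(SPECIAL, False, 60_000)]
    level = required_level_for_database(2, db)
    print(f"required level: {level}")
    for item in requirements(level):
        print(" -", item)
```

Running the script with the constructed sample reports the 1st level, because the special-data set of more than 50,000 non-employees under type II threats triggers the 1st-level condition even though the public data alone would only require the 2nd level.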

7.1. Data processing notification

Databases of personal data are subject to registration in the State Register (Article 20 of the Law on Personal Data). Such registration is carried out free of charge by filing an online notification through the User Identification System (available in Russian here). However, at the request of the owner (or operator), the application for registration may also be submitted in print form. In the application, the operator or owner indicates, inter alia, the following information (the Standard Procedure for Registering Personal Databases):

  • the purpose of processing personal data;

  • the ability to remotely manage databases;

  • whether this data is the property of the owner (or operator);

  • whether permission has been obtained from the data subject;

  • whether there is a possibility of cross-border transfer of personal data;

  • whether there is a person (an employee) who is responsible for the processing of personal data; and

  • a list of processed personal data of the data subject, which may contain biometric, genetic, and other data.

Submitted applications are reviewed by the Agency, and a decision on the registration or refusal thereof will be made within 15 days from the date of application (Rule 15 of the Resolution). The Agency may request additional information from the owner and/or operator in the case of incomplete applications, and the Agency can refuse to register a database on the grounds of an incomplete submission (Rules 19 and 20 of the Resolution). Once the decision to register has been made, the Agency will register the database in the State Register with a unique registration number as well as issue a certificate of registration (Rules 16 and 17 of the Resolution).

The owner and/or operator is obliged to notify the Agency of any changes and/or additions to the information provided for registration within ten days from the date of occurrence (Article 20 of the Law on Personal Data and Rule 23 of the Standard Procedure for Registering Personal Databases). Furthermore, the owner and/or operator is also obliged to notify the Agency when it terminates the processing of personal data within ten days from the date of termination (Rule 27 of the Standard Procedure for Registering Personal Databases).

Databases of personal data are excluded from the State Register, inter alia:

  • upon suspension or termination of the activities of the owner (or operator);

  • upon the expiration of the processing of personal data or the term for their termination; and

  • based on a court decision to suspend the processing of personal data of the owner (or operator).

After removing the database from the State Register, its registration number cannot be used later.

Exemptions

Databases that contain the following personal data are not subject to registration:

  • related to the participants (members) of a public association or religious organization, and processed accordingly by a public association or religious organization, provided that personal data will not be distributed or disclosed to a third party;

  • data which is made publicly available by the data subject;

  • data which only includes the data subject's full name;

  • data which is necessary for the purpose of a single pass of the data subject to the territory on which the owner (or operator) is located, or for other similar purposes;

  • data included in information systems of personal data which have the status of State automated information systems;

  • data which is processed without the use of automation; and

  • data which is processed in accordance with labor legislation.

The procedure for registration is set out in Chapter 3 and Appendix 1 of the Standard Procedure for Registering Personal Databases as well as in the Manuals for submitting an application ('the Manuals'). Furthermore, applicants should file their submissions in compliance with the sample form provided in Appendix 2 of the Standard Procedure for Registering Personal Databases. It is worth noting that, as the Agency maintains, the term 'use of automation' above means the use of computers. Accordingly, every database of personal data which is processed on computers is subject to registration.

In particular, applicants should first register their personal details through the User Identification System, which can be accessed in Uzbek and Russian, before submitting an application via the State Register website here.

7.2. Data transfers

The owner (or operator) can transfer personal data from Uzbekistan to the territory of foreign states which can ensure adequate protection of the rights of the data subject (Article 15 of the Law on Personal Data). Cross-border transfers to states that do not provide adequate protection may be carried out in the following cases:

  • with the data subject's consent;

  • to protect the constitutional and public order, the rights and freedoms of citizens, the health, and morality of the population; and

  • if stipulated by international treaties to which Uzbekistan is a signatory.

The owner (or operator) also has the right to entrust the processing of personal data to a third party in the following cases:

  • with the written consent of the subject (including in the form of an electronic document);

  • if the decision is made pursuant to an agreement between the owner and the data subject;

  • to fulfill the conditions of a previously concluded agreement; or

  • as prescribed by law.

Notably, the Law on Personal Data was amended by Law of 14 January 2021 No. ЗРУ-666 on Amendments and Additions to Some Legislative Acts (only available in Uzbek here) to introduce a new data localization rule in Article 27-1 of the Law on Personal Data. Accordingly, the owner and/or operator, when processing the personal data of citizens of the Republic of Uzbekistan using information technologies, including via a global information network, is obliged to:

  • ensure databases of personal data are collected, systematized, and stored using technical means physically located on the territory of the Republic of Uzbekistan; and

  • register such databases in the prescribed manner in the State Register.

In this regard, on 25 February 2021, the Agency issued a statement (only available in Uzbek here) to clarify the impact of the data localization rule and confirmed that it will introduce a normative document on the implementation and technical conditions of the data localization rule.

7.3. Data processing records

The Law on Personal Data does not provide any provision that controllers/operators should maintain a record of processing activities.

7.4. Data protection impact assessment

The Law on Personal Data does not provide any provision that controllers/operators should carry out Data Protection Impact Assessments.

7.5. Data protection officer appointment

The owner (or operator) is responsible for determining a structural unit or an officer responsible for the work related to the processing and protection of personal data and ensures that it works in accordance with the Standard Procedure for Processing Personal Data (Article 31 of the Law on Personal Data).

The employees of the owner (or operator), as well as of a third party, are required to carry out the processing only in accordance with their professional, official, or labor duties, and to prevent the disclosure of personal data that has been entrusted to them or has become known to them in connection with the performance of their respective duties.

An appointed structural unit or official is required to ensure that work related to personal data is carried out in accordance with the standard procedure for processing personal data (Article 31 of the Law on Personal Data).

Clause 5 of Standard Procedure No. 2 provides that the structural unit or official is responsible for ensuring the security of personal data in the information systems of the owner and/or operator. Furthermore, the structural unit and/or the official shall undertake measures to ensure the protection of the personal data by:

  • subdividing publicly available personal data and sensitive personal data;

  • using means of cryptographic information protection to store personal data that are not publicly available;

  • implementing a journal of incidents in the system of a database; and

  • establishing the procedure of blocking and destruction of personal data at the request of the data subject.

7.6. Data breach notification

There are no data breach notification requirements under the Law on Personal Data.

However, according to Article 57 of the Law on Payments and Payment Systems, in the event of a breach of the information security regime, payment system operators and payment service providers must promptly report the violation, and the measures taken to minimize its consequences, to the Central Bank. The Central Bank forms and maintains a database of violations of the information security regime of payment systems. In addition, commercial banks must immediately notify the Central Bank of any incident connected to data protection, in writing or electronically (Item 32 of the Decree on Automated Systems).

7.7. Data retention

In general, Article 17 of the Law on Personal Data provides that personal data is subject to destruction by the owner and/or operator, as well as by a third party:

  • upon achieving the purpose of processing personal data;

  • if there is a revocation of the data subject's consent to the processing of personal data;

  • upon expiration of the period for processing personal data, determined by the consent of the data subject; and

  • upon entry into the legal force of a court decision.

Furthermore, the use and storage of biometric and genetic data in electronic form outside information systems can only be carried out on tangible media that exclude unauthorized access to them (Article 26 of the Law on Personal Data).

In addition, the existing regulations impose the following obligations on the accounting of log files, without providing detailed mechanisms of implementation:

  • the internet service provider of a public point of access is obliged to organize the accounting of the used internet web resources (log files) and their storage for three months;

  • the organizer of the WiFi service is obliged, together with the operator and/or provider, to take hardware and technical measures to identify the users, as well as to organize the accounting of used web resources (log files) in the manner specified by law;

  • the operator and provider have the rights to organize the accounting of the web resources of the data transfer network used by the subscriber (maintaining log files); and

  • when providing WiFi services, the operator and provider are obliged to take hardware and technical measures to identify users, as well as organize the accounting of used web resources (log files).

7.8. Children's data

For juvenile subjects, consent to the processing of their personal data in writing, including in the form of an electronic document, is given by parents, and in their absence, guardianship, and trusteeship authorities.

7.9. Special categories of personal data

Special personal data is data on racial or social origin, political, religious, or ideological beliefs, membership in political parties and trade unions, as well as data relating to physical or mental health, information about private life, and criminal records.

As outlined in the section on legal bases in other instances above, the processing of special personal data is prohibited, with the exception of limited cases.

7.10. Controller and processor contracts

The Law on Personal Data does not specifically regulate contractual relations between the owner and the operator.

However, according to the Law on Informatization, one can have a right (title) of ownership to the information systems (among which are the databases of personal data) and information resources (which are in the information system), and thus the Civil Code of Uzbekistan No 163-I of 21 December 1995, (as amended), governs the relations between the owners and/or operators of information resources, which means the general law of obligations applies to agreements concluded between them.

8. Data Subject Rights

Notably, data subjects have a statutory duty to provide their personal data in order to protect the foundations of the constitutional order, and for reasons related to morality, health, rights, and the legitimate interests of citizens of Uzbekistan, to ensure State defense and security (Article 30 of the Law on Personal Data).

8.1. Right to be informed

The data subject has the right to know that the owner (or operator), as well as a third party, possess their personal data and the type of personal data that they possess.

Furthermore, the subject has the right to receive information regarding the processing of their personal data containing (Article 22 of the Law on Personal Data):

  • confirmation of the fact of processing of personal data;

  • grounds and purposes of processing of personal data;

  • applicable methods of processing of personal data;

  • the name of the owner and (or) operator and their location (mailing address), information about persons who have access to personal data or who may disclose personal data on the basis of an agreement concluded with the owner and (or) operator, or based on law;

  • the composition of the processed personal data relating to the relevant subject, the source of their receipt, unless otherwise provided by the Law on Personal Data;

  • terms for processing of personal data, including periods for their storage;

  • the procedure for the exercise by the subject of the rights provided for in Article 30 of the Law on Personal Data; and

  • information about the carried out or alleged cross-border transfer of personal data.

The data subject, when including their personal data in the personal database, must be notified in writing about the purposes of processing of personal data. In the case of the transfer of personal data to a third party, the owner and/or operator must, within 3 days, notify the data subject in writing (Article 23 of the Law on Personal Data).

The data subject's right to receive information regarding the processing of their personal data may be limited in cases where the provision of such information violates the rights and legitimate interests of others.

The data subject must be notified if their personal data is requested by governmental bodies. This rule does not apply where the public authority exercises its powers under the law (Clause 19 of Standard Procedure No. 2). Other public institutions (such as business associations, state organizations and institutions, and non-governmental organizations) must obtain the data subject's consent before obtaining the personal data (Clause 18 of Standard Procedure No. 2).

Furthermore, the owner and/or operator may be released from the obligation to provide information to the data subject where (Article 22 of the Law on Personal Data):

  • the subject was previously notified of the processing of their personal data;

  • personal data was made publicly available by the subject or obtained from a publicly available source; or

  • providing such information will violate the rights and legitimate interests of individuals and legal entities.

A notice of refusal to provide information regarding the processing of personal data shall be sent to the submitting subject in writing within ten days. In addition, the decision to refuse to provide information regarding the processing of personal data may be appealed by the subject to the authorized State body or court.

8.2. Right to access

The subject's right to receive information regarding the processing of their personal data may be limited in cases where the provision of such information violates the rights and legitimate interests of others.

8.3. Right to rectification

The duty to change, and add to, the personal data collected/processed by the owner and/or operator on the basis of the appeal of the subject must be carried out no later than three days from the date of such request (Article 11 of the Law on Personal Data).

Changes and additions to personal data that do not correspond to reality are made without delay from the moment such non-compliance is established (Article 11 of the Law on Personal Data).

8.4. Right to erasure

As noted in the section on data retention above, personal data must be destroyed by the owner and (or) operator, as well as by a third party, if the subject withdraws their consent to the processing of personal data.

Furthermore, in accordance with the Rules for the Provision of Data Network Services, the operator is obliged to erase the subscriber's personal data from its database in accordance with the legislation after the termination of the contract with the subscriber. In addition, the dealer is obliged to erase the personal data of the subscriber in accordance with the legislation after providing the operator with such data.

The owner and/or operator is obliged to initiate erasure within three days if:

  • the processing of personal data has been accomplished;

  • the data subject withdrew consent for data processing;

  • the period of personal data processing defined by the subject's consent expired; and

  • a court decision entered into force (Clause 23 of the Standard Procedure No.2).

8.5. Right to object/opt-out

The right to object entitles the data subject to require a temporary suspension of the processing of their personal data where it is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the purpose of processing.

Furthermore, information about a data subject may be excluded from publicly available sources of personal data upon their request, submitted in the form in which consent was given, or in writing, including in the form of an electronic document, as well as by decision of an authorized state body or court.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The subject has the right not to be subject to a decision on the basis of exclusively automated processing of their personal data, affecting their rights and legitimate interests, and giving rise to legal consequences (Article 24 of the Law on Personal Data).

A decision based on exclusively automated processing of the subject's personal data can be made in the following cases:

  • the presence of the consent of the subject in writing, including in the form of an electronic document;
  • if the decision is made pursuant to an agreement between the owner and the subject, or fulfillment of the conditions of a previously concluded agreement; and
  • prescribed by law.

8.8. Other rights

Data subjects also have the right to apply to the Agency or the relevant court for the protection of their rights and legitimate interests, as well as the right to give and withdraw consent to the processing of their personal data and to give consent to the distribution of their personal data in publicly available sources.

9. Penalties

According to the Administrative Responsibility Code of Uzbekistan of 22 September 1994 No. 2015-XII (as amended by Law of 29 October 2021 No. ZRU-726) (only available in Uzbek and Russian here) ('the Administrative Code'), unlawful processing of personal data using information technologies, including on the world information network Internet may be sanctioned by a fine in the amount of seven base calculation amounts ('BCA') (approx. $187) for citizens and 50 BCA (approx. $1,338) for officials. If the unlawful processing is repeated after the imposition of the above-mentioned administrative fine, then fines can amount to 100 to 150 BCA (approx. $2,680 to $4,015), or the person will be deprived of a certain right for up to three years, or sentenced to correctional labor for up to two years. The offender shall be punished by (criminal liability) a fine from 150 to 200 BCA (approx. $4,015 to $5,360), by correctional labor up to three years, or by restriction of liberty up to three years, or by imprisonment up to three years if the same actions are:

  • committed by prior conspiracy by a group of persons;

  • committed repeatedly or by a dangerous recidivist;

  • committed out of mercenary or other base motives;

  • committed using official position; and/or

  • entailing grave consequences.

9.1 Enforcement decisions

No decisions have been rendered yet.