The President of Tajikistan, Emomali Rahmon, signed the Law of the Republic of Tajikistan on the Protection of Personal Data 2018 (‘the Law’) into law on 4 August 2018. In particular, the Law defines the legal basis for the collection, storage and processing of personal data, and establishes data subject rights and the obligations of information owners and third parties.
Alisher Khoshimov and Sarvinoz Salomzoda, at Centil Law Firm, told DataGuidance, “In Tajikistan, the legal norms regulating the collection, processing and protection of personal data were scattered and partial. The existing laws on protecting personal data, Law of 10 May 2002 No. 55 on Information, Law of 6 August 2001 No. 40 on Informatization and Law of 15 May 2002 No. 631 on Protection of Information, could no longer satisfy the preservation of rights and freedoms; [therefore,] the recent adoption of the Law is a big step towards the safety and security […] of data subjects’ personal data.”
In particular, the Law contains provisions on consent requirements, biometric data and subject access requests. With respect to data collection, the Law specifies that companies must state the purpose of data collection and ensure that collected data is kept up to date. In addition, companies that fail to comply with the Law risk incurring penalties.
Khoshimov and Salomzoda concluded, “Companies dealing with personal information need to take the necessary measures for the protection of personal data by preventing and detecting the unauthorised access of personal data and minimising the [adverse effects] of unintentional or unauthorised diversion, copying, theft, loss, forgery, disclosure or destruction. The Law requires a certificate of compliance to be obtained from an authorised state body to ensure the protection of personal data [by adopting legal, organisational and technical measures] and [provides for] administrative fines for violations. There are still some gaps when comparing the Law to other laws on the protection of personal data in the CIS region, [however,] we do believe that with time, amendments will be made for clarity and applicability of the Law.”
GEORGE HANNAFORD Junior Privacy Analyst