The Ministry of Foreign Affairs of the Republic of Uzbekistan (‘MOFA’) published, on 3 July 2019, the law on personal data (‘the Law’) following its signature by the President of the Republic of Uzbekistan, Shavkat Mirziyoyev. The Law specifies conditions for processing personal data, including requirements for, among other things, obtaining data subjects’ consent, specifying purposes of processing, and notifying data subjects in writing in order to transfer personal data to a third party.
Anora Turakhujaeva, Associate at GRATA International Law Firm, Uzbekistan, told DataGuidance by OneTrust, “According to the Law, the operator could be a state body, individual and/or legal entity that exercises the processing of personal data. This means that all organisations, including private companies, can be regarded as operators of personal data as they collect, store, use, and update data related to their employees. […] The Law puts additional obligations on companies in terms of processing personal data. Specifically, the Law obliges operators to take necessary legal, organisational and technical measures to protect personal data. […] [The Law defines] personal data as information recorded on electronic, paper and/or other material carrier, relating to a specific individual or enabling him/her to be identified. Even though the Law provides for this definition of personal data, it is not as detailed as it was in the draft version of the Law.”
We assume that a number of issues will arise while implementing the Law, which will [mean] further amendments to the Law and other legislation
In particular, the Law excludes biographical, biometric and identification data, personal characteristics, and information about family, social, official, financial and material status, education, profession, health and criminal past in its definition of personal data, which were included in the draft version of the Law. In addition, the Law will require that personal data databases should be registered with the state register except in particular circumstances, such as where no automated processing takes place. The Law also stipulates that cross-border transfers of personal data will be restricted to foreign states that provide adequate protection, unless the data subject provides consent, among other exceptions. Furthermore, the Law specifies that cross-border transfers of personal data may be prohibited in order to protect the interests of the Republic of Uzbekistan and its citizens.
Muborak Kambarova, Counsel at Kinstellar, Tashkent, told DataGuidance by OneTrust, “As the Law introduces clear definitions of what is considered to be personal data and how it should be treated, as well as defining sanctions for violations of the Law, we believe that it will force private companies to closely monitor the collection and processing of personal data. This may lead to additional costs for private businesses. […] We assume that a number of issues will arise during the implementation of the Law, which will [mean] further amendments to the Law and other legislation.”
The Law will enter into force on 1 October 2019.
ANGUS YOUNG Junior Privacy Analyst