Uzbekistan’s approach to personal data protection is rapidly evolving in response to the increasing digitalization of its economy. With the expansion of e-commerce platforms, fintech solutions, telecom services, and digital public services, the volume and sensitivity of collected personal data have surged, intensifying the need for robust safeguards.
The country has developed a structured regulatory system that now reflects many aspects found in advanced jurisdictions. Legal norms governing the collection, processing, and storage of personal data are no longer perceived as abstract formalities but as enforceable compliance obligations, particularly for entities in regulated sectors.
Recent legislative initiatives, including Presidential Decree No. PP-153 dated 30 April 2025, mark a turning point in regulatory enforcement. New requirements for the financial sector, such as compulsory breach notifications and legal liability for data incidents, signal a shift from declarative norms to practical accountability. These measures are designed to embed cybersecurity and data governance into the operational fabric of financial institutions.
Local businesses are beginning to adapt, with a noticeable increase in compliance awareness and internal policy development. However, challenges remain, especially in aligning internal processes with localization rules, obtaining valid consent, and managing cross-border data transfers within the constraints of the law. For foreign companies, navigating Uzbekistan’s personal data framework is becoming a non-negotiable element of market entry strategy. Compliance is not only a legal requirement but a critical factor in maintaining consumer confidence and mitigating reputational risk in a data-conscious environment.
Data Privacy Rules in Uzbekistan / Legal framework
Personal data compliance in Uzbekistan extends beyond a mere meeting of formal legal obligations to avoid fines and penalties. Companies that establish comprehensive compliance programs showcase their dedication to responsible and transparent handling of personal data. This strengthens brand integrity, cultivates trust among consumers and partners, and supports long-term resilience in a rapidly evolving digital landscape.
The cornerstone of Uzbekistan’s data protection regime is the Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019. This law establishes the legal framework for processing personal data in Uzbekistan. It defines key terms, outlines data subjects’ rights, sets requirements for data controllers and processors, mandates data localization, and introduces consent, security, and registration obligations to ensure lawful and transparent data use.
A number of regulations further clarify the obligations:
Resolution No. 71 of the Cabinet of Ministers of the Republic of Uzbekistan dated 08 February 2020 “On approval of the Regulation on the State Register of Personal Data Bases” outlines the procedure for registering databases containing personal data, establishes the responsible authority, sets timelines for registration decisions, and defines exceptions. The goal is transparency and regulatory oversight in data processing.
Resolution No. 570 of the Cabinet of Ministers of the Republic of Uzbekistan dated 5 October 2022 “On the Approval of Certain Regulatory Legal Acts in the Field of Personal Data Processing” establishes two regulations: one governing the protection levels of personal data, and one governing material carriers located outside personal data databases.
Orders No. 3477 and No. 3478 issued by the chairman of the Ministry of Justice of the Republic of Uzbekistan “On the Approval of the Standard Procedure for Processing Personal Data”, registered on 15 November 2023, define the rules for processing and protecting personal data, including key principles, purposes, and the rights and duties of the database owner and operator.
Furthermore, matters related to personal data regulation in Uzbekistan are supported by the Law of the Republic of Uzbekistan “On Informatization” No. 560-II dated 11 December 2003 and “On Cybersecurity” No. ZRU-764 dated 15 April 2022.
International Standards
In Uzbekistan, several key standards from the ISO/IEC 27000 series have been officially adopted at the national level. These include O‘zDSt ISO/IEC 27002:2024 [1], offering guidance on security controls, and O‘zDSt ISO/IEC 27005:2024 [2], which focuses on risk assessment and management. Their adoption demonstrates Uzbekistan’s commitment to aligning domestic cybersecurity practices with global frameworks.
In addition, while not directly applicable in Uzbekistan, the EU General Data Protection Regulation (GDPR) remains a globally recognized benchmark for data protection and continues to shape best practices worldwide. Therefore, the GDPR may often serve as a model for shaping internal compliance programs and contractual documentation, particularly among companies engaged in cross-border activities or cooperating with EU-based partners.
Key Requirements for Handling Personal Data in Uzbekistan
The legislation sets out the circumstances under which the processing of personal data by the data owner or operator is considered lawful. These include:
- processing based on the data subject’s consent;
- processing for the performance of a contract with the data subject or in the data subject’s legitimate interests;
- processing by the data operator to fulfill obligations established by law;
- processing for statistical or other research purposes after data anonymization;
- processing of personal data that is publicly available.[3]
Uzbek legislation does not mandate a rigid structure for data collection practices or their order. However, it requires that the collection of data be proportionate to the stated purposes.[4]
In this context, consent becomes the central legal ground for most forms of data processing. Notably, data collection, provision to third parties, dissemination through publicly accessible sources, and cross-border transfers to countries with inadequate protection levels may only be carried out with the explicit consent of the data subject. Where such actions fall outside the originally declared purposes for which consent was obtained, an additional, separate consent must be secured before proceeding.[5]
While Uzbekistan’s legal framework provides operators with a degree of flexibility in how they structure their data collection practices, this flexibility is counterbalanced by clear legal obligations that safeguard the rights of data subjects. Therefore, companies must adopt clear internal policies and ensure that each data collection activity is aligned with the purposes communicated to data subjects and documented through valid consent.
Consent Requirements
One of the primary legal bases for the processing of personal data under Uzbek law is the explicit consent of the data subject.[6] Uzbek law places particular emphasis on consent not only as a general basis for data processing, but also as a mandatory prerequisite for the transfer, dissemination, or cross-border transmission of personal data. If such activities exceed the originally declared processing purposes, renewed and specific consent must be obtained from the data subject.[7]
Under Uzbek law, valid consent must contain the following essential elements:
- The full legal name of the data operator and its Taxpayer Identification Number (TIN); for individuals, the full name and Personal Identification Number of an Individual (PINFL);
- The full name of the data subject and the details of the identification document;
- The clearly defined purposes for data processing;
- A list of personal data to be processed, explicitly specified in the consent;
- The term or duration for consent validity;
- Whether the data is permitted to be transferred to third parties and/or across borders;
- Whether the data may be distributed in publicly accessible sources;
- Any other relevant information necessary to ensure informed consent.[8]
Consent form
Consent must be obtained in a manner that allows for confirmation of its receipt by the operator, regardless of the form used.[9] With respect to special categories of personal data such as biometric, genetic, or health-related information, the law requires that consent be provided in written form.[10]
State Registration of Personal Data Databases
Prior to commencing the processing of personal data, the database owner or operator must register its databases in the State Register of Personal Data Databases.[11] Applications for registration of a database must be submitted to the authorized body, the State Personalization Center under the Cabinet of Ministers of the Republic of Uzbekistan.[12]
The process of database registration takes up to 15 days.[13] Within that period, the State Personalization Center decides on granting registration. In the event of approval, the Center issues a Certificate of Registration of the personal data database in the State Register. In the event of a refusal, a formal decision denying registration is provided.
Under Uzbek law, certain personal data databases are exempt from registration. These include data used internally by organizations, public data, basic identity details, access logs, non-automated processing, data in state systems, or data processed under labor laws provided they are not disclosed to third parties or used for broader processing purposes.[14]
Personal Data Localization and Storage Requirements in Uzbekistan
Uzbek law requires that personal data of Uzbek citizens be stored on servers physically located within the country.[15] This data localization rule applies to both local and foreign businesses operating in Uzbekistan.
Although the requirement has raised concerns, especially among foreign companies regarding cost and technical feasibility, it remains a legal obligation. A high-profile example of enforcement is TikTok, which was blocked in Uzbekistan in 2021, partly due to non-compliance with these localization rules. This case demonstrated the government’s serious approach to data sovereignty, even in relation to global platforms.
Compliance Options:
- Using certified local data centers.
- Adopting hybrid cloud solutions that ensure primary hosting is based in Uzbekistan.
- Planning infrastructure early to avoid costly restructuring later.
Biometric and genetic data carriers must be labeled as “confidential” or “for official use”[16] and stored securely in fireproof, flood-resistant environments with surveillance and access control.[17] Encryption is required for digital protection.[18] Companies must track carriers, meet fire and sanitary standards, and follow formal procedures for reuse or destruction after use.[19]
Safeguarding Personal Data
The Cabinet of Ministers is authorized to determine the level of protection applicable to various categories of personal data and establish technical and organizational safeguards.[20] This is operationalized through two key regulations:
- The regulation on determining levels of personal data protection in their processing, approved by the Cabinet of Ministers on October 5, 2022;
- The regulation on requirements for material carriers and storage technologies for biometric and genetic data outside of databases of personal data, approved by the Cabinet of Ministers on October 5, 2022.
According to these regulations, personal data must be classified into different protection levels based on the types of threats they face. The higher the threat level, the stricter the data protection requirements. This includes physical security, role-based access control, encryption, use of certified information protection systems, and internal audits.
Cross-border transfers
Transfers of personal data outside Uzbekistan are restricted to jurisdictions that ensure adequate protection.[21] If a country is not recognized as providing such protection, transfers may still take place, but only with the explicit consent of the data subject or where required by law or international treaty.[22] Uzbekistan does not yet publish a definitive list of adequate countries, placing the burden on businesses to evaluate the legal environment of the recipient jurisdiction.
Data Subject Rights: Legal Guarantees and Emerging Challenges
Uzbekistan’s data protection framework grants individuals a set of core rights aimed at giving them control over their personal data. These include the right to access their data, request corrections of outdated or inaccurate information[23], demand deletion when processing becomes unlawful[24], and object to the provision of their data[25].
One of the most impactful rights is the ability to withdraw consent at any time. Once this happens, the operator must immediately cease the relevant processing and delete the data, unless another legal basis (such as contractual or legal obligation) justifies retention.[26]
While the law formally mirrors international standards such as the GDPR, practical enforcement and user awareness remain limited. In most cases, businesses still lack automated or clear procedures for fulfilling data subject requests. Furthermore, the lack of digital tools for individuals to exercise these rights weakens their practical effect.
That said, enforcement trends, especially in regulated sectors like finance and telecom, suggest that ignoring these rights may result in reputational risks and administrative liability. Businesses operating in Uzbekistan should proactively implement internal protocols for handling access, correction, and deletion requests, even in the absence of widespread enforcement.
Enforcement and Liability
In Uzbekistan, enforcement of personal data regulations is overseen by the State Center for Personalization under the Cabinet of Ministers. Legal entities, as well as their responsible officers, may face administrative fines for non-compliance.[27] In more serious instances, such as unlawful collection, dissemination, or acquisition of personal data, criminal liability may also be imposed.[28]
Recent developments suggest a clear trend toward stricter enforcement. As Uzbekistan continues aligning its legal framework with global data protection standards, authorities are becoming more proactive in monitoring compliance and imposing sanctions. Notably, enforcement is no longer limited to formal violations; it now includes practical implementation such as failure to ensure data localization or mishandling user consent.[29]
Practical Recommendations for Ensuring Compliance in Uzbekistan
To operate effectively and minimize legal and reputational risks in Uzbekistan, companies, particularly foreign entities, should adopt a proactive and structured approach to personal data compliance. Key steps include:
- Begin with a thorough review of data flows to identify what categories of personal data are collected, processed, stored, and transferred. Clear documentation of processing purposes and legal bases is essential.
- Prior to commencing data processing, ensure that all relevant databases are registered with the authorized state body in accordance with national legislation. Consent mechanisms must be aligned with Uzbek legal standards. This includes language clarity, scope of use, and withdrawal procedures.
- Where applicable, implement technical solutions to meet data localization requirements. This may involve collaboration with certified local hosting providers or the adoption of hybrid cloud models with primary storage based in Uzbekistan.
- Appoint a data protection officer or designate a local compliance representative to oversee ongoing compliance and interface with regulators. Develop and maintain internal policies and procedures for data incident response, handling of rights requests, and regular audits.
- Ensure that privacy and data protection obligations are incorporated into contracts with third-party service providers and partners, especially where data access or transfer is involved.
- Publish a comprehensive privacy policy reflecting actual practices. This enhances both regulatory defensibility and consumer trust, demonstrating a firm’s commitment to lawful and ethical data handling.
Authors:
– Jamshid Agzamkhadjaev (Managing Partner, Settle Law Firm)
– Saida Junaydullaeva (Paralegal, Settle Law Firm)
References:
[1] National Standard of Uzbekistan OʻzMSt ISO/IEC 27002:2024 (ISO/IEC 27002:2022, IDT), Information security, cybersecurity and privacy protection — Information security controls, approved by the Uzbek Agency for Standardization, Metrology and Certification.
[2] National Standard of Uzbekistan OʻzMSt ISO/IEC 27005:2024 (ISO/IEC 27005:2022, IDT), Information security, cybersecurity and privacy protection — Guidelines for information security risk management, approved by the Uzbek Agency for Standardization, Metrology and Certification.
[3] Order of the Minister of Justice of the Republic of Uzbekistan “On the Approval of the Standard Procedure for Processing Personal Data”, registered on 15 November 2023, reg. No. 3478, para.4.
[4] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 10 (2).
[5] Ibid, Art. 14 (2), 15 (3)(1).
[6] Ibid, Art. 10 (2)(1).
[7] Ibid, Art. 14 (2), 15 (3)(1).
[8] Order of the Minister of Justice of the Republic of Uzbekistan “On the Approval of the Standard Procedure for Processing Personal Data”, registered on 15 November 2023, reg. No. 3478, para.11.
[9] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 21 (1).
[10] Ibid, Art. 21 (2).
[11] Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 71 of 8 February 2020 “On the Approval of the Regulation on the State Register of Personal Data Databases”, para.4.
[12] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 20 (1).
[13] Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 71 of 8 February 2020 “On the Approval of the Regulation on the State Register of Personal Data Databases”, para.15.
[14] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 20 (3).
[15] Ibid, Art. 27¹.
[16] Regulation on the Requirements for Material Carriers of Biometric and Genetic Data and Technologies for Storing Such Data Outside Personal Data Databases, Annex No. 2 to the Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 570 of 5 October 2022, para.3.
[17] Ibid, para.6 (2).
[18] Ibid, para.4.
[19] Ibid, para.7.
[20] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 7 (2).
[21] Ibid, Art. 15 (2).
[22] Ibid, Art. 15 (3).
[23] Law of the Republic of Uzbekistan “On Personal Data” No. ZRU-547 dated 2 July 2019, Art. 11.
[24] Ibid, Art. 1.
[25] Ibid, Art. 13 (1).
[26] Ibid, Art. 17(2)(2).
[27] Code of Administrative Liability of the Republic of Uzbekistan, entered into force on 1 April 1995, Art. 46².
[28] Criminal Code of the Republic of Uzbekistan, entered into force on 1 April 1995, Art. 141².
[29] Law of the Republic of Uzbekistan “On Amendments and Additions to Certain Legislative Acts of the Republic of Uzbekistan” No. ZRU-726 dated 29 October 2021.