
Personal data protection in Uzbekistan: a review of legislation


The Uzbek Law "On Personal Data" (No. ZRU-547 dated July 2, 2019) is the fundamental normative act governing the collection, processing, storage and protection of personal data. The law was adopted by the Legislative Chamber on April 16, 2019 and approved by the Senate on June 21, 2019. It was subsequently amended, including in 2021 and 2023.

The purpose of the law is to ensure the rights and freedoms of citizens when processing their personal data, as well as to protect these data from unlawful use. The law applies to all types of personal data processing, including automated, with the exception of:

  • Personal (household) processing;
  • Archival activities;
  • Processing of state secrets;
  • Operational-search and counterintelligence activities.

Basic concepts

The Law defines key terms, including:

  • Personal data - any information that allows identification of a specific person;
  • Subject - the person to whom the data relates;
  • Operator - a person or body that processes data;
  • Database - a structured system containing personal data;
  • Third party - a participant who is not the subject or the operator.

Principles of personal data processing

The processing of personal data must be based on the following principles:

  • Legality;
  • Expediency;
  • Reliability;
  • Confidentiality;
  • Equality of the parties;
  • Protection of the individual, society and the state.

Government regulation

Control and coordination in the field of personal data protection are carried out by:

  • The Cabinet of Ministers, which develops policy, determines the procedure for maintaining registers, and establishes requirements for protection;
  • The State Personalization Center, which acts as an authorized body that maintains the database registry, issues certificates and monitors compliance with the law.

Terms and conditions of processing

Data processing is possible:

  • With the consent of the subject (person);
  • For the execution of contracts;
  • In the context of compliance with legislation;
  • To protect the interests of subjects;
  • For statistical and scientific research with mandatory depersonalization.

Registration of databases is mandatory, with a few exceptions, such as when the data is publicly available or consists only of full names.

Rights of data subjects (persons)

Persons have the right to:

  • Receive information about the processing of their data;
  • Give and revoke consent;
  • Request correction or deletion of data;
  • Object to automated decisions.

Special and biometric data

Processing sensitive data (religion, health, criminal record, etc.) is only possible in exceptional cases and requires written consent. Biometric and genetic data are subject to special protection, including storage on media that prevents unauthorized access.

Security and privacy

Owners and operators are required to take measures to protect data, including:

  • Preventing unauthorized access;
  • Ensuring confidentiality;
  • Storage of data on the territory of Uzbekistan (for citizens of Uzbekistan).

The Law on Personal Data creates a systemic legal framework for protecting the personal information of citizens of Uzbekistan. It regulates not only the rights of citizens, but also the obligations of operators, including both government agencies and private companies. The gradual strengthening of regulation, including obligations to localize data, demonstrates the seriousness of the state's approach to digital security issues.

Assessment of the level of protection of personal data

In the context of digitalization of the economy and active use of information technologies in Uzbekistan, the protection of personal data is of particular importance. One of the key regulatory documents in this area is the Regulation on determining the level of protection of personal data during their processing, approved by Resolution of the Cabinet of Ministers No. 570 of October 5, 2022.

The regulation aims to establish clear criteria for determining the degree of protection of personal data processed in databases. It applies to owners and operators of personal data and establishes their obligation to implement appropriate organizational and technical security measures.

Data categories

The document identifies the following types of personal data:

  • Special data - information about race, beliefs, health, criminal record, etc.;
  • Biometric data - the anatomical and physiological characteristics of the subject;
  • Genetic data - information obtained from biological samples;
  • Publicly available data - data that is disseminated with the consent of the subject.

Security Threats

The document classifies security threats to the processing of personal data into three types:

  1. Type 1 threats are vulnerabilities in system software;
  2. Type 2 threats are vulnerabilities in application software;
  3. Type 3 threats are other threats that are not related to software.

Security levels

Four levels of personal data protection have been established:

| Level | Characteristic |
|---|---|
| Level 1 | Maximum protection - used in the presence of type 1 threats and the processing of special, biometric or genetic data. |
| Level 2 | High level of protection - in case of type 2 threats and processing of large volumes of sensitive data. |
| Level 3 | Medium protection - used when less sensitive data is processed in the presence of threats of type 2 or 3. |
| Level 4 | Basic level of protection - when working with publicly available data and type 3 threats. |

Requirements for protection

Each level corresponds to certain measures:

  • Level 4: security of buildings, list of authorized employees, protection of information carriers.
  • Level 3: all of the above + appointment of a person responsible for security.
  • Level 2: all of the above + access control to database logs.
  • Level 1: all of the above + automatic audit of changes in access rights and creation of a specialized data protection unit.

Liability

Violation of the requirements of the Regulation entails liability in accordance with the current legislation. All disputes are resolved in accordance with the procedure established by national legal acts.

The Regulation on the Protection of Personal Data supplements the Law of the Republic of Uzbekistan "On Personal Data" and plays an important role in the formation of a sustainable cybersecurity system. It obliges organizations not merely to process data formally, but also to take into account the real level of threats, ensuring adequate protection of citizens' information.