Data Protection & Cybersecurity in Uzbekistan

Please contact us at info@ryskiyeva.com to get a fee quote for providing written advice on below questions.

1. Please provide an overview of the legal and regulatory framework governing data protection, privacy, and cybersecurity in Uzbekistan, including the principal laws, the entities and activities covered, the sectors regulated, and the authorities responsible for enforcement.
2. Are any significant developments in the data protection, privacy, or cybersecurity landscape expected during 2025–2026, such as new laws, implementing regulations, amendments, or increased enforcement activity?
3. Are entities subject to data protection or cybersecurity laws in Uzbekistan required to register, notify, or obtain any license or authorization? If so, please describe the requirements, any available exemptions, and the consequences of non-compliance.
4. How do the applicable laws in Uzbekistan define “personal data,” “personal information,” “personally identifiable information,” or equivalent concepts? Do they also define sensitive or special categories of personal data, as well as other key terms such as “controller,” “processor,” and “data subject”?
5. What core principles govern the processing of personal data in Uzbekistan? In particular, is a lawful basis required, are there transparency obligations, and are there rules on storage limitation, purpose limitation, or data minimization?
6. In what circumstances is consent required, or commonly relied upon, for the processing of personal data? What rules govern the validity, form, scope, and management of consent, including implied consent, bundled consent, and consent incorporated into broader documents?
7. Are there special rules for processing particular types of personal data, such as health data, children’s data, biometric data, or other sensitive data? Are there any categories of data that may not be collected, disclosed, or otherwise processed?
8. Do the data protection laws in Uzbekistan provide for any exemptions, derogations, limitations, or exclusions beyond those already mentioned? If so, please describe them.
9. Are risk assessments, privacy impact assessments, or data protection impact assessments required or recommended in connection with personal data processing? If so, in what circumstances, and how are they generally conducted in practice?
10. Are there any binding or persuasive codes of practice, guidelines, or sector-specific standards in Uzbekistan relating to the processing of personal data, such as for children’s data or health data?
11. Are organizations required to maintain records of processing activities or adopt internal procedures, governance measures, or written documentation relating to personal data processing? If so, how do businesses typically comply?
12. Do the laws in Uzbekistan require or recommend the adoption of data retention and/or secure data disposal policies? If so, please describe the applicable requirements or best practices.
13. In what situations must or should an organization consult with the relevant data protection authority or other regulator?
14. Are organizations required to appoint a data protection officer, chief information security officer, or any other designated person responsible for privacy or data protection compliance? If so, what are that person’s statutory duties?
15. Are employers or organizations required or encouraged to provide employee training on data protection and privacy compliance? If so, what does such training typically involve?
16. Are controllers required to provide individuals with notice of their data processing activities? If so, please describe the relevant notice obligations, including whether a privacy notice or online privacy policy is required.
17. Do the laws in Uzbekistan distinguish between the obligations and liabilities of controllers and processors? If so, what are the main legal consequences of that distinction?
18. What restrictions apply in Uzbekistan to monitoring, profiling, automated decision-making, or the use of tracking technologies such as cookies? How are these concepts defined, if at all?
19. Are there any restrictions under local law on targeted advertising or behavioral advertising? If so, how are these concepts defined and regulated?
20. Do the laws in Uzbekistan restrict or regulate the sale, disclosure, or other commercial transfer of personal data? If so, how is “sale” or any analogous term defined?

21. What legal restrictions apply to direct marketing communications in Uzbekistan, including telephone calls, SMS messages, email marketing, and similar outreach? How are these forms of communication defined and regulated?
22. Are biometrics, including facial recognition and similar technologies, specifically regulated under the laws of Uzbekistan? If so, how are biometric data and related terms defined?
23. Are there any laws, regulations, or official guidance in Uzbekistan specifically addressing artificial intelligence or machine learning in the context of privacy, data protection, or cybersecurity?
24. Is the transfer of personal data outside the jurisdiction restricted or regulated? If so, please explain the applicable restrictions, transfer mechanisms, approvals, or notifications, and how businesses commonly comply.
25. What security obligations do applicable data protection laws impose on controllers and processors with respect to personal data?
26. Do the data protection laws in Uzbekistan impose obligations in relation to personal data breaches? If so, how is a breach defined, and when must it be reported to regulators, affected individuals, law enforcement, or other parties?
27. What rights do individuals have under the data protection laws in Uzbekistan, such as rights of access, correction, deletion, objection, or portability? Please briefly explain how such rights are exercised and any key limitations or exceptions.
28. Do the data protection laws in Uzbekistan provide individuals with a private right of action? If so, in what circumstances may such claims be brought?
29. Are individuals entitled to compensation or damages for violations of data protection law? If so, does recovery require proof of material loss, or may non-material harm such as distress or emotional harm also suffice?
30. How are data protection laws generally enforced in Uzbekistan in practice?
31. What penalties, sanctions, or other consequences may be imposed for breaches of data protection law in Uzbekistan, including administrative fines and criminal liability where applicable?
32. Are there any formal guidelines, methodologies, or statutory criteria governing the assessment or calculation of fines and sanctions for data protection violations?
33. Can enforcement decisions under data protection law be challenged or appealed? If so, please outline the available appeal mechanisms.
34. Are there any visible enforcement trends, recurring issues, or regulatory priorities in the field of data protection in Uzbekistan?
35. Do cybersecurity laws in Uzbekistan require organizations to implement specific cybersecurity controls, safeguards, or risk management measures? If so, please provide details.
36. Do applicable cybersecurity laws or regulations impose requirements relating to supply chain security or third-party risk management? If so, please describe them.
37. Are organizations subject to any mandatory information-sharing obligations under cybersecurity laws, for example in relation to threats, vulnerabilities, or incidents?
38. Are organizations required to appoint a chief information security officer, cybersecurity contact person, or similar responsible individual under cybersecurity laws? If so, what are that person’s responsibilities?
39. Are there sector-specific cybersecurity laws, regulations, or regulatory requirements for industries such as finance, healthcare, telecommunications, or government? If so, please provide an overview.
40. What role do international cybersecurity frameworks and standards play in shaping or influencing local cybersecurity laws and regulatory practice?
41. Do cybersecurity laws in Uzbekistan impose obligations in the event of a cybersecurity incident? If so, how is such an incident defined, and when must it be reported to regulators, affected persons, law enforcement, or other stakeholders?
42. How are cybersecurity laws typically enforced in practice in Uzbekistan?
43. What supervisory, investigative, inspection, audit, or monitoring powers do regulators have under cybersecurity laws in Uzbekistan?
44. What penalties or sanctions may be imposed for non-compliance with cybersecurity laws and regulations in Uzbekistan?