Data Protection in Uzbekistan (Guide)

Publication date: 14.05.2026

Personal data means any information recorded on electronic, paper or any other medium that relates to a specific individual or makes it possible to identify that individual. The Law of the Republic of Uzbekistan “On Personal Data” dated 2 July 2019 No. ZRU-547 applies to the processing and protection of such data regardless of the means of processing, including IT systems. Classic business examples include: full name, PINFL (an analogue of a taxpayer identification number), passport details, date of birth, address, telephone number, e-mail, photos, call recordings, IP/account identifiers, HR data, client and user profiles.

For a company, it is important to distinguish at least four categories of data: ordinary data, special data, biometric data and genetic data. Special data includes information about health, criminal records, private life, political or religious views, etc.; biometric data includes fingerprints, facial images, iris scans, voice and other physiological characteristics; genetic data means data obtained from the analysis of biological material. These categories are subject to a stricter regime.

To whom within the company do the obligations apply?

If a company determines why and how data is processed, it acts as the owner and/or operator of a personal data database. If processing is delegated to a contractor, the company’s obligations regarding the legality of purposes, access regime, data protection and control over the counterparty do not disappear. The law expressly proceeds from the model of “subject — individual — owner/operator — third party”.

In practice, this means that almost all key business processes usually fall within the scope of regulation: HR, recruitment, payroll, CRM, customer support, marketing, website and feedback forms, video surveillance, access control, call centers, suppliers and agents, mobile applications, cloud services, corporate e-mail and internal portals.

Basic principles without which processing is unlawful

The processing of personal data must be based on the following principles: respect for constitutional rights and freedoms, legality of the purposes and methods of processing, accuracy and reliability of data, confidentiality and security of data, equality of participants’ rights, and ensuring the security of the individual, society and the state. These principles are not merely declarative: they must serve as the basis for internal policies and contracts.

Accordingly, four practical rules follow:

collect only what is genuinely necessary;
determine the purpose of processing in advance;
do not use data for a new purpose without a new legal basis;
do not store data longer than required by the purpose. The law expressly states that the volume and nature of data must correspond to the purposes and methods of processing, and that the processing period must not exceed the validity period of consent if consent is the legal basis.

On what grounds may a company process data?

The main lawful grounds are:

consent of the subject, i.e. the individual;
necessity for the performance of a contract to which the subject is a party, or for taking steps prior to entering into a contract at the request of the subject;
necessity to comply with obligations imposed by law;
protection of the lawful interests of the subject or other persons;
exercise of the rights and lawful interests of the owner/operator or a third party, provided that the rights of the subject are not violated;
statistical and other research purposes, subject to mandatory anonymization;
data from publicly available sources.

For a business company, this means the following. In employment relations, performance of a contract with a client, invoicing, delivery of goods, and compliance with accounting, tax, labor and other mandatory legislation, consent is not always the only or main legal basis. However, for marketing, publication of case studies, transfer of data to “non-essential” contractors, publication of photos/videos, and processing beyond a reasonably necessary scope, a clear legal basis is generally required — often consent specifically.

What must the company inform the subject about?

When personal data is included in a database, the subject must be notified in writing of the purposes of processing and of their rights under Article 30 of the Law. This is one of the most underestimated elements of compliance: companies collect consent but forget about separate proper notification.

Therefore, a company should have at least:

a privacy policy for its website, clients and users;
an HR notice for employees/candidates;
consent forms where consent is actually required;
notices for individual counterparties if their data is collected not only for the purpose of signing a contract.

Rights of the subject that the company must be able to handle

The subject has the right to know whether the company holds their data and what data exactly; to receive information about processing; to receive information about access conditions; to apply to the authorized body or to court; and to demand temporary suspension of processing if the data is incomplete, outdated, inaccurate, unlawfully obtained or no longer necessary for the purposes of processing. The law also establishes an obligation to amend and supplement data upon the subject’s request no later than three days from the date of such request.

At the process level, this means that the company must have an internal procedure for handling subject requests: who receives the request, how the applicant is identified, who searches for data across systems, who approves the response, how deadlines are recorded, and when data is blocked, corrected or destroyed. Without such a procedure, a formal “policy” is almost ineffective.

Obligations of the company as owner/operator

Obligations to protect personal data arise from the moment it is collected and continue until it is destroyed or anonymized. Use of data by employees and related third parties is permitted only within the scope of their professional, official or employment duties. In other words, access must be role-based, not granted “as a favor” or “just in case”.

In addition, the company must ensure the accuracy and relevance of data, use it only for previously declared purposes, store it in an identifiable form only for as long as required by the purpose, and then destroy or anonymize it. Upon achievement of the processing purpose, withdrawal of consent, expiration of the processing period or entry into force of a court decision, the data must be destroyed.

Does the company need a person responsible for personal data?

Yes, at a practical level, it does. The law expressly provides for the approval of a model procedure for organizing the activities of a structural unit or authorized person responsible for ensuring the processing and protection of personal data. In 2023, special Orders of the Ministry of Justice No. 3477 and No. 3478 were adopted, which establish the model for internal organization and the model processing procedure.

For an ordinary commercial company, the minimum reasonable model is as follows:

appoint a person responsible for personal data by internal order;
define their powers;
identify the relevant systems and databases;
introduce an access matrix;
require HR, IT, legal, security and marketing functions to interact through a unified approval process.

Registration of a personal data database: what changed in 2026

This is one of the key points. Previously, the issue was often simplified as “all databases are subject to registration”. Following the amendments introduced by Law No. ZRU-1125 dated 26 March 2026, Article 20 of the Law now provides that the State Register must include databases that are subject to mandatory storage within the territory of Uzbekistan under part two of Article 27¹ of the Law. Registration is carried out on an application basis, by way of notification.

At the same time, the regulation on the register, approved by Resolution of the Cabinet of Ministers No. 71, still contains a list of databases that are not subject to registration: for example, databases containing only full names; data used for one-time access; data processed without automation; and data processed in accordance with labor legislation. In practice, it is necessary to consider not only the older wording of the regulation, but also the new version of Article 20 of the Law as an act of higher legal force.

What must be stored in Uzbekistan?

After the 2026 amendments, Article 27¹ of the Law expressly states that the following must be stored within the territory of the Republic of Uzbekistan:

biometric data of individuals;
genetic data of individuals;
data of individuals who are users of services of telecommunications operators operating in Uzbekistan.

This is an important clarification. The 2021 wording was much broader and linked localization to the processing of personal data of Uzbek citizens using IT, including on the Internet, on technical means physically located in Uzbekistan and registered in the register. In 2026, the list of mandatory localization was clarified, and the database registration regime was tied specifically to this new, more specific model.

When is storage and processing outside Uzbekistan permitted?

For data not listed in part two of Article 27¹ of the Law, storage and processing abroad are permitted if at least one of the following conditions is met:

the foreign state is recognized as providing adequate protection of personal data;
the operator applies and complies with standard contractual clauses or binding corporate rules that meet the requirements of the authorized body;
the operator complies with international standards in the field of personal data management and storage from the list approved by the authorized body. The list of states providing adequate protection is established by the Cabinet of Ministers.

The practical conclusion is as follows: the use of foreign clouds, CRM systems, HRM systems, e-mail services, call centers and analytics tools should no longer be assessed under the model of “always prohibited”. However, legal and technical due diligence must be carried out: what category of data is transferred, whether it falls under mandatory localization, whether contractual safeguards exist, where the servers are actually located, whether there are sub-processors, and how access and deletion are organized.

Special, biometric and genetic data

Special personal data may be processed only in cases specifically provided for by law; these include written consent of the subject, publication by the subject in publicly available sources, protection of lawful interests, and certain cases involving statistics, medicine, employment relations, etc. Biometric and genetic data are subject to separate enhanced requirements, and the Cabinet of Ministers has established special requirements for carriers and technologies used to store such data outside personal data databases.

If a company uses Face ID, facial/fingerprint-based access control, biometric verification, medical examinations with transfer of results, genetic testing, health data or information about criminal records, this is not “ordinary HR or security”, but a high-risk area. A separate legal analysis is required before implementation.

Personal data of employees: a separate internal block

For HR matters, the company should have a separate local act. Regulation No. 71 expressly excludes from registration databases processed in accordance with labor legislation, while the Labor Code separately requires the employee to be familiarized against signature with a local act governing the transfer of data within the organization, limits access only to specially authorized persons, and prohibits requesting health information beyond what is related to the employee’s job function.

Therefore, it is better not to mix HR procedures with the general client privacy policy. Employees and candidates should have their own: notice, consent where required, regulation on the protection of employees’ personal data, procedure for transfer to accounting, banks, insurance companies, state authorities, archives, IT and security departments.

What internal documents should the company have?

The recommended minimum document package for a company is as follows:

1. Policy on the processing and protection of personal data. This is the basic framework document: purposes, categories of subjects, scope of data, legal grounds for processing, retention periods, rights of subjects, request-handling procedure, protection measures, cross-border transfer, destruction and liability. It is logical to build it on the basis of the Law and Model Procedure No. 3478.

2. Order appointing a responsible person/establishing a unit. This document establishes personal responsibility, functions, the right to request information from departments, and obligations regarding database inventory, access control and training. This corresponds to the model provided by Order No. 3477.

3. Register of processing activities / data map. This is an internal document in which, for each process, the following are specified: category of subjects, scope of data, storage system, legal basis for processing, retention period, recipients, cross-border transfer, and responsible process owner. Such a register is not expressly named by law, but without it, it is impossible to demonstrably comply with Articles 18, 19, 23, 27¹ and 31 of the Law.

4. Consent and notice forms. These should be separate for clients, the website, marketing, employees, candidates, individual counterparties, video surveillance and biometrics. The key point is not to create one “universal consent for everything”.

5. Procedure for handling subject requests. This should cover access, correction, blocking, destruction, withdrawal of consent and complaints.

6. Access and confidentiality regulation. This should cover role-based access, confidentiality agreements, access logs, prohibition on copying data to personal devices, rules for exports, and control over contractors.

7. Retention and destruction procedure. This should specify what is stored, where, for how long, who authorizes deletion, how a destruction act is prepared, and how “suspension” applies in the event of a dispute or inspection.

8. Data processing terms with contractors. These are contractual terms with cloud providers, hosting providers, CRM providers, call centers, outsourcers, marketing platforms and integrators. They are especially important for foreign providers.

How to properly formalize consent

Consent must be specific, informed and linked to a purpose. Since the law requires actual processing to correspond to previously declared purposes, consent “to any actions with personal data for any purposes” is a poor model and weak from a dispute perspective. If the purpose of processing changes, consent must be obtained in accordance with the new purpose.

It is advisable to indicate in the consent: who the operator is, the purpose of processing, the list of data, actions with the data, processing period, list of recipients/categories of recipients, presence of cross-border transfer, procedure for withdrawal of consent, and reference to the policy/notice.

Information security measures

Resolution of the Cabinet of Ministers No. 570 requires the owner and/or operator, based on security threats, to determine the level of protection of personal data and implement organizational and technical protection measures. The law also empowers the authorized body to determine the required level of protection and analyze the volume, content and reality of threats.

The practical minimum for a company includes:

inventory of systems and databases;
access rights segregation;
multi-factor authentication (MFA) for critical systems;
encryption of backups and storage media;
logging of access and data exports;
prohibition on storing databases on personal laptops/flash drives;
remote access rules;
segmentation of HR/client/biometric data;
control over contractors and subcontractors;
regular staff training;
incident response procedure.

Anonymization and destruction

For historical, statistical, sociological and scientific research, data must be anonymized. Destruction is mandatory upon achievement of the purpose, withdrawal of consent, expiration of the processing period or entry into force of a court decision. This must not merely be declared: the company must have a real mechanism for deletion from operational systems, archives, backups and exports.

It is advisable to introduce destruction acts and a deletion matrix, where each category of data has an indicated retention period, legal basis for storage and trigger event for deletion. Without this, companies usually accumulate data “indefinitely”, which is difficult to reconcile with the law.

Website, mobile application, marketing and CRM

If a company collects data through a website, feedback forms, chatbots, subscriptions, personal account, application or call center, it needs: a public policy, proper checkboxes/consents, a clear notice of purpose, distinction between mandatory and optional fields, separate logic for marketing, and contracts with analytics, cloud, mailing and call-tracking providers. Publication of data on the Internet beyond previously declared purposes requires the subject’s consent.

Particular attention should be paid to cases where the CRM or analytics system is located outside Uzbekistan. It is necessary to check whether the specific category of data falls under mandatory localization and whether the conditions of Article 27¹ of the Law for foreign processing are complied with.

What to do with contractors and within a group of companies

Transfer of data to a contractor is not a technical detail but a separate legal risk. The contract must specify: the purpose and limits of processing, list of data, prohibition on use for the contractor’s own purposes, security measures, sub-processors, place of storage, deletion and return procedure, audit rights, incident notification, liability and cross-border transfer.

For groups of companies, it is particularly important not to proceed from the assumption that “within a holding, everything can be transferred without restrictions”. Each legal entity must be assessed as a separate participant in processing, unless otherwise structured documentarily and factually.

Inspections, risks and liability

The authorized body has the right to issue mandatory instructions to eliminate violations of personal data legislation. For Internet resources, a separate control mechanism applies in relation to special processing conditions, including instructions to eliminate violations and, in certain cases, restriction of access to the Internet resource.

Violation of personal data legislation may entail administrative and criminal liability: Article 46² applies in the Code of Administrative Liability of the Republic of Uzbekistan, while Article 141² applies in the Criminal Code of the Republic of Uzbekistan. The exact elements of the offense and sanctions must be checked against the current wording as of the date of the event, but the existence of both forms of liability and a special offense relating to personal data violations is beyond doubt.

Data protection laws in Uzbekistan

No.	Regulatory act	Date	Number	What it regulates
1	Law of the Republic of Uzbekistan “On Personal Data”	02.07.2019	547	The basic law in the field of personal data: defines concepts, processing principles, rights of subjects, obligations of the owner and operator of a personal data database, powers of state authorities, and rules for collection, storage, modification, use, transfer, anonymization and destruction of data.
2	Resolution of the Cabinet of Ministers of the Republic of Uzbekistan “On Approval of the Administrative Regulation for the Provision of the Public Service for Maintaining the State Register of Personal Data Databases”	08.02.2020	71	Establishes the procedure for maintaining the State Register of Personal Data Databases, including database registration, amendments, exclusion from the register, application procedure through Public Service Centers or the Single Interactive Public Services Portal, applicant requirements and composition of submitted information.
3	Resolution of the Cabinet of Ministers of the Republic of Uzbekistan “On Measures to Improve Information Security on the World Wide Web”	05.09.2018	707	In addition to general regulation of Internet security, approves the Regulation on the procedure for state control over compliance with special conditions for processing personal data of citizens of the Republic of Uzbekistan.
4	Resolution of the Cabinet of Ministers of the Republic of Uzbekistan “On Approval of Certain Regulatory Legal Documents in the Field of Personal Data Processing”	05.10.2022	570	Approves subordinate regulatory documents on personal data protection, including the regulation on determining the level of protection of personal data during processing, as well as requirements for material carriers and technologies for storing biometric and genetic data outside personal data databases.
5	Order of the Minister of Justice of the Republic of Uzbekistan “On Approval of the Model Procedure for Organizing the Activities of a Structural Unit or Authorized Person of the Owner and/or Operator of a Personal Data Database Responsible for Ensuring the Processing and Protection of Personal Data”	15.11.2023	Reg. No. 3477	Establishes the model procedure for organizing the activities of a structural unit or authorized person responsible for the processing and protection of personal data at the owner and/or operator of the database.
6	Order of the Minister of Justice of the Republic of Uzbekistan “On Approval of the Model Procedure for Processing Personal Data”	15.11.2023	Reg. No. 3478	Approves the Model Procedure for Processing Personal Data: principles, purposes, processing conditions, rights and obligations of the owner and/or operator of the database, general protection rules and classification of data.