The Republic of Uzbekistan has adopted the first unified statute addressing matters related to personal data protection and processing of personal data. The Personal Data Law[1] ("Personal Data Law" or "Law") will enter into force on 1 October 2019.
Previously, personal data protection and processing were regulated by different legislative acts (including resolutions of the Government), which complicated compliance requirements for businesses in Uzbekistan. The above Law is Uzbekistan's first attempt to unify personal data regulations in line with international standards.
1. Who does the Personal Data Law apply to?
Data subjects (i.e., individuals to whom personal data is related), operators and owners of databases containing personal data, as well as third parties, are subject to the Personal Data Law. The Law is not specific with respect to its application to foreign individuals and companies. We understand that territorial principles shall apply, and any type of personal data processing[2] in Uzbekistan must be subject to the Law.
2. What constitutes "personal data"?
"Personal data" under the Law is defined as any information (in paper, electronic or other tangible form) relating to an identified or identifiable data subject. Given the broad definition of personal data, practical application of the Law will be mainly affected by its interpretation by stakeholders.
Among other things, personal data includes information about the subject's name, date and place of birth, phone number, place of residence, and profession.
The Law also provides for other types of personal data, such as special personal data (e.g., ethnicity, political and religious views, mental diseases and convictions) and biometric and genetic data (e.g., anatomic and physiological peculiarities, and inherited or acquired characteristics of individuals).
3. What are the main rules?
a. Generally, personal data can be processed after obtaining the consent of subjects. Subject to certain exemptions, consent can be made in any form, provided that its receipt is evidenced.
b. Personal data subjects may generally withdraw their consent for data processing at any time. However, such withdrawal should not breach the existing legislation.
c. Operators and/or owners of databases should clearly define the purposes of data processing. After achieving such purposes, personal data must be destroyed.
d. In certain cases, consent should be verified by a subject's signature (including electronic signature), including cases when:
- Subjects' special data is to be processed;
- Personal data is included in the publicly available information sources; and
- Operators and/or owners of databases delegate data processing to third parties.
e. Personal data may be processed without the consent of subjects in specific cases provided in the Personal Data Law, including when law enforcement agencies carry out their activities, when state authorities use personal data (which must be de-personalized) for statistical purposes, when disclosure of personal data is required by legislation, etc.
f. Operators and/or owners of databases may provide access to personal data to third parties in accordance with the terms and conditions of a subject's consent given to such parties pursuant to item (a) above.
g. Personal data cannot be transferred to a party that does not have measures for data protection.
h. Subjects have the right to request access to their personal data previously collected by operators and/or owners of databases, and information on how data is processed, the list of third parties to whom data is disclosed, etc.
i. Personal data should be stored by operators, data owners and/or third parties in databases that presumably need to be located in Uzbekistan.[3] The Law does not impose any particular requirements with regard to the databases. Therefore, the database can be electronic or non-electronic. Except for simple databases (i.e., those containing very basic data and/or maintained in a non-electronic form), databases should be registered with the State Center for Personalization under the Cabinet of Ministers of Uzbekistan.
4. What are the rules for the trans-border flow of personal data?
As a general rule, personal data may be transferred to countries that provide adequate data protection.
The Law does not define the term "adequate" and it is not clear how the adequacy of data protection in a particular country will be determined. We believe that this matter will be addressed by the Uzbek Government in its subsequent resolution for implementation of the Law.
5. What are the consequences of non-compliance?
Effective as of 1 October 2019, Uzbekistan has adopted a separate law[4] envisaging administrative and criminal offenses for breaching the personal data legislation. The penalties for such an offense include relatively modest financial penalties for the management of companies (generally, fines of up to USD 1,200) or corrective works.
In addition, data subjects who suffer harm as a result of an infringer's breach of Personal Data Law may have the right to take civil action against such companies and/or individuals, and seek damages.
The adoption of the Personal Data Law is a significant step toward ensuring personal data protection in Uzbekistan. Nevertheless, many issues remain open under the Law. Implementing regulations must be adopted and guidance from the authorities must be provided to fully realize the purpose of the Law.