Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.
- Personal Data Protection Law, No.1537 of 3 August 2018
- Protection Data Law, No.631 of 15 May 2002
- Informatization Law, No. 40 of 6 August 2001 – Legislation has passed (April 04, 2019, No 1595) that amends and supplements the Informatization Law but the amendments are only of a terminological nature.
- Information Law, No.609 of 10 May, 2002
- Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for Their State Registration, No.404 of 1 October 2004
- The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008
- The decree of the Communication Service under the Government of the Republic of Tajikistan “On the Procedure of implementation by the owner, operator and third party of measures for personal data protection” dated 02.07.2021, #2.21-11
Personal Data Protection Law (hereinafter 'PDPL') identifies personal data as any information about the facts, events and circumstances of the life of a data subject, which allow to identify him / her.
Under the foregoing law the data subject is considered a physical person, to whom relevant personal data refers.
PDPL does not define the term of sensitive data. However it provides the definition of biometric personal data which includes biometrical and physiological data which identifies the data subject. Biometric personal data may be collected upon receipt of the subject’s consent.
The Main Department is Communication Service under the Government of the Republic of Tajikistan (hereafter 'Regulator').
Address:
57 Rudaki avenue
Dushanbe, Tajikistan
734001
Tel: +992 37 223 11 53
[email protected]
Website: khadamotialoqa.tj
Under PDPL pre-notification of the Regulator while collecting, processing or maintaining a database consisting of personal data is not required.
However, Data Protection Law requires to certify all information security facilities (including cryptographic, software, organizational, technical and hardware-based), as well as foreign made facilities designated for the protection of information.
The list of information protection facilities is set forth by the Main Department for the Protection of State Secrets under the Government of the Republic of Tajikistan (Regulator). Certification is carried out on the basis of an agreement concluded between Regulator and data controller.
Tajik law does not require to appoint any Data Protection Officer or any similar positions.
PDPL provides the following definitions of collection and processing of personal data:
- Collection of personal data is an action aimed at receiving personal data
- Processing of personal data are actions aimed at:
- Recording
- Systemization
- Storage
- Amendment
- Replenishment
- Extraction
- Usage
- Spread
- Impersonation
- Blocking, and
- Destruction of personal data
Collection and processing of personal data is allowed when the following conditions are met:
- The data subject’s consent or that of his / her legal representatives
- The processed and collected information is in compliance with the lawful aims of the data controller
- The processed and collected information is accurate and complete
- The data subject has access to the processed and collected data relating to him / her and has the right to require rectification of the relevant information
- The data collector has duly certified all the relevant equipments and facilities designated for processing and collection of data with the Regulator
Article 11 of the PDPL entitles the data collector to process personal data without receiving the data subject’s consent, if it is necessary for governmental authorities to carry out their functions or for the purpose of protecting the constitution rights and freedom of the citizens.
Transfer of personal data is allowed if the rights and freedom of the data subject are not violated. With regard to cross-border transfers of personal data the PDPL does not impose any restrictions on the data controller if the foreign country provides adequate protection of personal data.
Where there is no adequate protection of personal data, a cross border transfer is permitted in the following cases:
- The data subject’s consent is obtained
- The transfer is provided pursuant to an international treaty recognized by Tajikistan, or
- The transfer is necessary for the purpose of protecting citizens rights and freedom, health and morality and public order of the state
The data controller is obliged to take appropriate measures against unauthorized processing, accidental loss, or modification of personal data.
Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.
Enforcement of Data Protection Law ('DPL') is primary done by the Main Department for the Protection of State Secrets under the government of Tajikistan.
In addition, Tajikistan courts, the Prosecutor’s Office, the Ministry of Internal Affairs and other law enforcement bodies have the authority to ensure compliance and enforce the provisions of DPL within their competence.
Violations of DPL may result in civil, administrative and criminal sanctions, including:
- Administrative fines up to approximately USD1,700
- Imprisonment of up to 10 years, and
- The right to claim compensation of damages, including emotional distress under civil proceedings
Currently, there is no law or regulation in Tajikistan that specifically regulates electronic marketing.
Currently, there is no law or regulation in Tajikistan that specifically regulates online privacy.