Last modified 27 January 2025

Data Protection in Tajikistan

Breach notification in Tajikistan

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Tajikistan

Personal Data Protection Law, No.1537 of 3 August 2018
Protection Data Law, No.631 of 15 May 2002
Informatization Law, No. 40 of 6 August 2001 – Legislation has passed (April 04, 2019, No 1595) that amends and supplements the Informatization Law but the amendments are only of a terminological nature.
Information Law, No.609 of 10 May, 2002
Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for Their State Registration, No.404 of 1 October 2004
The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008
The decree of the Communication Service under the Government of the Republic of Tajikistan “On the Procedure of implementation by the owner, operator and third party of measures for personal data protection” dated 02.07.2021, #2.21-11

Related resources

Definitions

Definitions in Tajikistan

Personal Data Protection Law (hereinafter 'PDPL') identifies personal data as any information about the facts, events and circumstances of the life of a data subject, which allow to identify him / her.

Under the foregoing law the data subject is considered a physical person, to whom relevant personal data refers.

PDPL does not define the term of sensitive data. However it provides the definition of biometric personal data which includes biometrical and physiological data which identifies the data subject. Biometric personal data may be collected upon receipt of the subject’s consent.

Authority

National data protection authority in Tajikistan

The Main Department is Communication Service under the Government of the Republic of Tajikistan (hereafter 'Regulator').

Address:

57 Rudaki avenue
Dushanbe, Tajikistan
734001

Tel: +992 37 223 11 53
[email protected]
Website: khadamotialoqa.tj

Registration

Registration in Tajikistan

Under PDPL pre-notification of the Regulator while collecting, processing or maintaining a database consisting of personal data is not required.

However, Data Protection Law requires to certify all information security facilities (including cryptographic, software, organizational, technical and hardware-based), as well as foreign made facilities designated for the protection of information.

The list of information protection facilities is set forth by the Main Department for the Protection of State Secrets under the Government of the Republic of Tajikistan (Regulator). Certification is carried out on the basis of an agreement concluded between Regulator and data controller.

Data protection officers

Data protection officers in Tajikistan

Tajik law does not require to appoint any Data Protection Officer or any similar positions.

Collection and processing

Collection and processing in Tajikistan

PDPL provides the following definitions of collection and processing of personal data:

Collection of personal data is an action aimed at receiving personal data
Processing of personal data are actions aimed at:
- Recording
- Systemization
- Storage
- Amendment
- Replenishment
- Extraction
- Usage
- Spread
- Impersonation
- Blocking, and
- Destruction of personal data

Collection and processing of personal data is allowed when the following conditions are met:

The data subject’s consent or that of his / her legal representatives
The processed and collected information is in compliance with the lawful aims of the data controller
The processed and collected information is accurate and complete
The data subject has access to the processed and collected data relating to him / her and has the right to require rectification of the relevant information
The data collector has duly certified all the relevant equipments and facilities designated for processing and collection of data with the Regulator

Article 12 of the PDPL entitles the data collector to process personal data without receiving the data subject’s consent, if it is necessary for governmental authorities to carry out their functions or for the purpose of protecting the constitution rights and freedom of the citizens.

Related resources

Transfer

Transfer in Tajikistan

Transfer of personal data is allowed if the rights and freedom of the data subject are not violated. With regard to cross-border transfers of personal data the PDPL does not impose any restrictions on the data controller if the foreign country provides adequate protection of personal data.

Where there is no adequate protection of personal data, a cross border transfer is permitted in the following cases:

The data subject’s consent is obtained
The transfer is provided pursuant to an international treaty recognized by Tajikistan, or
The transfer is necessary for the purpose of protecting citizens rights and freedom, health and morality and public order of the state

Related resources

Security

Security in Tajikistan

The data controller is obliged to take appropriate measures against unauthorized processing, accidental loss, or modification of personal data.

Related resources

Breach notification

Breach notification in Tajikistan

Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.

Related resources

Enforcement

Enforcement in Tajikistan

Enforcement of Data Protection Law ('DPL') is primary done by the Main Department for the Protection of State Secrets under the government of Tajikistan.

In addition, Tajikistan courts, the Prosecutor’s Office, the Ministry of Internal Affairs and other law enforcement bodies have the authority to ensure compliance and enforce the provisions of DPL within their competence.

Violations of DPL may result in civil, administrative and criminal sanctions, including:

Administrative fines up to approximately USD1,700
Imprisonment of up to 10 years, and
The right to claim compensation of damages, including emotional distress under civil proceedings

Electronic marketing

Electronic marketing in Tajikistan

The Law of Tajikistan 'On Electronic Commerce' was recently adopted. This provides comprehensive legal regulation on digital commerce, establishing clear rules for electronic trading participants, including requirements for information support, procedures for transaction execution, data security, and liability of the parties.

Online privacy

Online privacy in Tajikistan

Currently, there is no law or regulation in Tajikistan that specifically regulates online privacy.

Related resources

Key contacts

Data protection lawyers in Tajikistan

Alisher Hoshimov

Partner

Centil Law Firm

Dushanbe

Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.

Quick links

Data Protection in Tajikistan

Breach notification in Tajikistan

Continue reading