The Law of Turkmenistan No.519-V ‘On Information about Private Life and its Protection’ (the ‘Data Protection Law’) is the main and only law governing matters relating to collection and processing of personal data in Turkmenistan.
The Data Protection Law was enacted on 20 March 2017, ie after the adoption of the General Data Protection Regulation (the ‘GDPR’), and entered into force on 1 July 2017. In fact, the Data Protection Law partly reflects the rules and principles enshrined in the GDPR. However, the similarities that can be discovered between the Data Protection Law and the GDPR are few and in most cases the Data Protection Law implements the simplified approach suggested by the GDPR.
Article 1 of the Data Protection Law defines the term ‘personal data’ as ‘any kind of information, which relates to a certain individual, which is recorded on an electronic, paper or other medium’. In terms of accessibility, personal data can be divided into two types: public (such as telephone directory, social media, etc) and restricted. Publicly available personal data includes information, which is either freely accessible upon consent of the individual (owner of personal data) or exempted from confidentiality in accordance with the laws of Turkmenistan.
The Data Protection Law additionally introduces the term ‘biometric data’, which encompasses any information that reflects physical and biological characteristics of an individual (owner of personal data). The term is somewhat similar to the term ‘biometric data’ that is envisaged in the GDPR (Article 4(14)) but does not include any reference to physiological and behavioural characteristics.
Both personal data and biometric data are recognized as confidential under the Data Protection Law and collection and processing of such data must be limited to the purposes the data is collected for.
In Turkmenistan the Data Protection Law does not provide for a definition of sensitive personal data. It is directly prohibited to collect specific categories of personal data which, inter alia, include data on nationality, skin colour, religious and political views, medical conditions, etc. Collection of such categories of personal data is permissible under the following circumstances:
- Receipt of the written consent of the owner of personal information
- Such personal data is publicly available
- Collection of personal data is required for healthcare and health protection of the owner of such personal data
- Collection of personal data is performed by a religious or non-commercial organization, provided that the collected data would not be distributed without the prior written consent of the owner of personal data
- Collection of personal data is required for implementation of justice and / or investigative activity
There is no special national authority in the field of data protection policy.
No registration of a personal data database is required under the Data Protection Law.
No appointment of a data protection officer is required under the Data Protection Law.
The owner of personal data shall give consent to the collection and processing of his or her personal data. Such consent can be delivered in written or electronic form or by virtue of any other secured means in compliance with Turkmen law.
Any such consent shall include the following information:
- Name (surname, name), address, ID document of the owner of personal data
- Name (surname, name) and the address of the data operator
- Purpose of collecting and processing personal data
- List of personal data to be collected and processed by the data operator
- List of actions related to personal data for the purpose of which the consent is given, and a general description of the methods used to collect and process personal data
- Term of the given consent, as well as the procedure for its withdrawal
No consent is required for collection and processing of personal data for the following purposes:
- Investigatory activity
- Statistical analysis
- Life and health protection, protection of constitutional rights
- Implementation of international agreements of Turkmenistan, etc
For the purposes of cross-border transfers of personal data, the relevant consent of the owner of personal data is required. Since the Data Protection Law does not stipulate whether this should be a separate consent, it is recommended to obtain such consent together with a general consent on collection and processing of personal data.
Please note that personal data transferred outside Turkmenistan shall also be stored in the territory of Turkmenistan. Personal data processed for the purpose of statistical and/or scientific analysis shall be de-personalized.
A data operator is not allowed to transfer personal data outside Turkmenistan to a third party by virtue of a contract on collection and/or processing of personal data.
Article 23 of the Data Protection Law stipulates that data operators shall implement a set of legal, organizational and technical measures to ensure personal data protection. Such measures shall:
- Uphold the rights to privacy, personal and family secrets
- Ensure integrity and security of personal data
- Ensure confidentiality of personal data
- Allow the owner of personal data to have guaranteed access to such personal data
- Prevent unauthorised collection and processing of personal data
Data operators are statutorily obliged to take any necessary and lawful measures to protect personal data and ensure:
- Prevention of unauthorized access to personal data
- Timely detection of unauthorized access to personal information
- No adverse effects of such unauthorized access to personal data
It is important to note that the obligation of the data operators, as well as any third party acquiring the personal data, to protect confidentiality of the acquired personal data, arises from the moment such data is collected and shall be effective until the moment such data is destroyed or depersonalized.
The Data Protection Law does not provide for any provisions regarding breach notification requirements. In other words, data operators are not obliged to notify the owners of personal data regarding any identified or potential confidentiality breach. However, the Data Protection Law envisages that data operators are obliged to block any personal data within one working day, if there is a risk that a breach occurred.
General enforcement of the Data Protection Law is performed by the General Prosecutor’s Office. However, any aggrieved party may file a suit directly with a court.
Article 5(8) of the Law of Turkmenistan ‘On Advertising’ prohibits distribution of any information protected by the law (including personal data) for advertising purposes.
The provisions of the Data Protection Law apply to online privacy as well. There are no other specific regulations that govern online privacy in Turkmenistan. Data operators shall refer to the rules and regulations specified in the Data Protection Law.