DLA Piper Intelligence

Data Protection
Laws of the World

Law

Uzbekistan
Uzbekistan

Currently, Uzbekistan does not have a stand-alone data protection law.

Provisions regulating data protection issues are reflected in a number of legal acts, the most significant of which are the Constitution of the Republic of Uzbekistan entered into force on December 8, 1992, Law No. 439-II 'On Principles and Guarantees of Freedom of Information' dated December 12, 2002 (the 'Freedom of Information Law') and Law No. 560-II 'On Informatization' dated December 11, 2003.

Data protection provisions are partly captured by the Civil Code, the Labour Code, the Code on Administrative Liability, and the Criminal Code of the country, that establish liability for collection and dissemination of information about private life of individuals, disclosure of medical or commercial secrets, secrecy of correspondence, banking operations and savings, and etc.

There are also sector-specific laws applicable depending on the type of industry. Data protection regulation exists mainly in financial, telecommunication, health and insurance sectors and consists of the following legal acts:

  • Law No. 530-II 'On Bank Secrecy' dated August 30, 2003, under which a bank is prohibited to disclose bank secrecy, and should guarantee its protection
  • Law No. 822-I 'On Telecommunications' dated August 20, 1999, under which all operators and service providers are obliged to ensure the secrecy of communications
  • Law No. 265-I 'On Protection of Citizens’ Health' dated August 29, 1996, under which the medical secrecy is protected
  • Law No. 358-II 'On Insurance Activities' dated April 5, 2002, under which insurance companies should guarantee the confidentiality of information which became available in course of provision of insurance services

On May 18, 2018, a draft law 'On Personal Data' (the 'Draft Law') was presented for general public discussion with the scheduled date for its adoption to be January 1, 2019. Based on the publicly available sources, on December 25, 2018 the Draft Law was reviewed by the Legislative Chamber of Oliy Majlis (Uzbekistan’s Parliament). Yet, as of today the law has not been adopted.

Information presented herein is prepared based on the Draft Law, as currently available in public sources. All or some provisions of the Draft Law may be changed and redrafted prior to its adoption.

Last modified 28 Jan 2019
Law
Uzbekistan

Currently, Uzbekistan does not have a stand-alone data protection law.

Provisions regulating data protection issues are reflected in a number of legal acts, the most significant of which are the Constitution of the Republic of Uzbekistan entered into force on December 8, 1992, Law No. 439-II 'On Principles and Guarantees of Freedom of Information' dated December 12, 2002 (the 'Freedom of Information Law') and Law No. 560-II 'On Informatization' dated December 11, 2003.

Data protection provisions are partly captured by the Civil Code, the Labour Code, the Code on Administrative Liability, and the Criminal Code of the country, that establish liability for collection and dissemination of information about private life of individuals, disclosure of medical or commercial secrets, secrecy of correspondence, banking operations and savings, and etc.

There are also sector-specific laws applicable depending on the type of industry. Data protection regulation exists mainly in financial, telecommunication, health and insurance sectors and consists of the following legal acts:

  • Law No. 530-II 'On Bank Secrecy' dated August 30, 2003, under which a bank is prohibited to disclose bank secrecy, and should guarantee its protection
  • Law No. 822-I 'On Telecommunications' dated August 20, 1999, under which all operators and service providers are obliged to ensure the secrecy of communications
  • Law No. 265-I 'On Protection of Citizens’ Health' dated August 29, 1996, under which the medical secrecy is protected
  • Law No. 358-II 'On Insurance Activities' dated April 5, 2002, under which insurance companies should guarantee the confidentiality of information which became available in course of provision of insurance services

On May 18, 2018, a draft law 'On Personal Data' (the 'Draft Law') was presented for general public discussion with the scheduled date for its adoption to be January 1, 2019. Based on the publicly available sources, on December 25, 2018 the Draft Law was reviewed by the Legislative Chamber of Oliy Majlis (Uzbekistan’s Parliament). Yet, as of today the law has not been adopted.

Information presented herein is prepared based on the Draft Law, as currently available in public sources. All or some provisions of the Draft Law may be changed and redrafted prior to its adoption.

Last modified 28 Jan 2019
Definitions

Existing laws

The existing laws do not provide a precise definition of the term 'personal data', yet classify personal data of individuals as confidential. As a matter of general practice, personal data is viewed as any information about facts, events and circumstances of an individual’s life, allowing to identify the individual.

Laws related to formation and use of state information resources further provide a list of information that can be attributed to personal data, as follows:

  • Biographic data
  • Identification data
  • Personal characteristic
  • Information about family status
  • Social status
  • Education background
  • Skills
  • Profession
  • Occupation
  • Financial standing
  • Health condition, etc

The Draft Law

Unlike the existing laws, the Draft Law introduces a precise definition of the term 'personal data'. As such, personal data is defined as the data related to or identifying an individual (towards whom processing of personal data is performed), which is recorded on an electronic, paper or other material.

The Draft Law further sets out an exhaustive list of information that can be qualified as personal data, as follows:

  • Biographic data
  • Biometric data
  • Identification data
  • Personal characteristic
  • Information about family status
  • Social status
  • Occupation
  • Financial standing
  • Education background
  • Profession
  • Health condition
  • Criminal record

Existing laws

The existing laws do not define the term 'sensitive personal data'.

The Draft Law

The Draft Law defines 'sensitive personal data' as data about:

  • Racial or ethnical origin
  • Political, religious or ideological convictions
  • Membership in political parties and trade unions
  • Physical or mental health
  • Information regarding private life and criminal record
Last modified 28 Jan 2019
Authority

Existing laws

Currently, there is no national data protection authority in Uzbekistan. However, there are sector-specific regulators that may regulate data protection issues in the relevant sectors. For example:

  • The Ministry for Development of Information Technologies and Communications of the Republic of Uzbekistan – in the telecommunication sphere
  • The Central Bank of the Republic of Uzbekistan – in the financial sphere
  • The Ministry of Health of the Republic of Uzbekistan – in the health sphere, etc

The Draft Law

The Draft Law designates the Cabinet of Ministers of the Republic of Uzbekistan (the 'Cabinet of Ministers') and Authorized State Body as the main regulatory authorities in respect of the protection of personal data. It should be noted that the Authorized State Body is to be determined by the Cabinet of Ministers.

Last modified 28 Jan 2019
Registration

Existing laws

The existing laws do not require the registration of databases that contain personal data, except for state information systems providing public services in online mode. State information systems, which, among other things, process personal data, are subject to registration with the Ministry for Development of Information Technologies and Communications of the Republic of Uzbekistan.

The Draft Law

The Draft Law requires a personal data database to be registered with the special State Registry of Personal Data Databases. The registration should represent a simple notification with a respective authority. The registration would not be required in cases, as follows:

  • If related to employment
  • When an agreement was entered into with the data subject
  • When the data is publicly available
  • When the data constitutes names and surnames of the individuals, etc
Last modified 28 Jan 2019
Data Protection Officers

Existing laws

Under the existing laws, there is no requirement for organizations to appoint a data protection officer.

The Draft Law

According to the Draft Law, government bodies, local self-government bodies, organizations, legal persons should designate a structural unit or a responsible person that has to organize work with respect to personal data protection in the course of its processing.

Last modified 28 Jan 2019
Collection & Processing

Existing laws

Article 13 of the Freedom of Information Law establishes that collecting, storing and disseminating information on the private life of an individual is allowed only on the basis of consent of such individual, except as required by law. In practice, the term 'information on private life' is equated with the term 'personal data'.

Thus, in order for a data processor to collect, store and process any personal information on individuals, it must obtain a prior consent from a data subject (ie, the individual).

Existing legislation does not provide for specific requirements as regards the form of the consent. As a matter of practice, the consent is obtained in written form.

The Draft Law

Under the Draft Law, processing of personal data includes actions with respect to:

  • Collection
  • Systematization
  • Accumulation
  • Storage
  • Clarification (update, alteration)
  • Use
  • Dissemination (including transfer)
  • Depersonalization
  • Blocking and deletion

Processing of personal data requires prior consent from an individual or his / her legal representatives. The consent should be made in writing or in the form of an electronic document. The amount of the personal data that can be included in the personal data database is to be determined in the consent.

Processing of personal data should pursue a certain purpose. This purpose should be fixed in the foundation documents or any other internal documents of a data controller and / or processor. Whenever the purpose of these operations changes, a new consent from individuals to conduct operations over the personal data related to them in line with such new purpose must be obtained.

A data processor may assign the processing of personal data to third parties only with the consent of individuals whose data is processed. Where assigned, a data processor is liable before the individuals for the actions of a person to whom the assignment is made.

The Draft Law determines that amendment and / or deletion of personal data requires the data processor to notify such individuals about this within three working days after these activities are executed.

The Draft Law requires a data processor to notify an individual on inclusion of his / her personal data into its personal data database, within ten working days from such inclusion. Such notification must be accompanied with information on the rights of the data subject, envisaged by the Draft Law, the purpose of operations over the personal data and third parties to which the personal data is transferred (if any). This requirement does not apply in cases where the personal data is collected from public sources. Transfer of personal data to third parties would require notification of the data subject, only if the initial consent of the data subject did not envisage such notification.

Lastly, collecting and processing of personal data for historical, statistical, sociological, or scientific research purposes requires the data processor to depersonalize such data, making it anonymous.

Last modified 28 Jan 2019
Transfer

Existing laws

Current laws do not prohibit the transfer of personal data outside of Uzbekistan. However, the procedure of such transfer is not defined by laws. The only requirement set by existing data protection regulations, is obtainment of consents of individuals whose personal data is transferred abroad.

The Draft Law

The Draft Law defines the cross-border transfer of personal data as the transfer of personal data to the territory of a foreign state authority, legal entity or individual of a foreign state. It allows the cross-border transfer of personal data on the condition that a foreign state can ensure the protection of personal data.

Nevertheless, cross-border transfer of personal data is still possible even in the absence of provision of foreign state protection. For this purpose, there should be:

  • The consent of a data owner on such cross-border transfer in place, or
  • A sufficient cause, such as protection of the constitutional order, public order, rights and freedoms of citizens, health and morality of the population, or
  • A ground envisaged in the international treaties of the Republic of Uzbekistan

The Draft Law also determines that cross-border transfer of personal data may be prohibited or restricted in order to protect the constitutional order of the Republic of Uzbekistan, morality, health, rights and legitimate interests of citizens, and to secure the defence of the country and national security.

Last modified 28 Jan 2019
Security

Existing laws

The Freedom of Information Law contains a broad provision applicable with respect to security of different data. It states that any information, unlawful treatment of which can cause damage to its owner, user and other person, is subject to protection.

Further, it sets the purposes of such protection, which include:

  • Prevention of threats to the security of individuals, society and the state in the sphere of information
  • Preserving confidentiality of information, preventing its leak, theft, loss
  • Preventing distortion and forgery of information

Security and protection of information are also envisaged in the laws related to formation and use of state information resources. Regulation 'On the Procedure for Documentation of Information, Tracking and Registration of State Information Resources' approved by the Resolution No.1558 of the Cabinet of Ministers of the Republic of Uzbekistan dated February 10, 2006 provides that protection of information resources, containing confidential information, should be provided through a set of organizational and technical measures aimed at solving the following main tasks:

  • Prevention of leak, theft, loss, distortion, blocking, forgery of information resources and other unauthorized access to personal data
  • Blocking of the channels of leakage of information
  • Prevention of special software and technical impacts aimed at the destruction and distortion of information
  • Identification of special devices for the removal or destruction of information embedded in technical facilities and allocated premises

The Draft Law

The Draft Law states that personal data is subject to the protection guaranteed by the state. It also imposes obligation on a data controller, processor and third party to take necessary legal, organizational and technical measures to ensure the protection of personal data. However, the Draft Law does not envisage the precise types and content of such measures, thus allowing a controller and a processor to determine them independently provided they are in line with data protection laws. In any case, processing and storage of information should be carried out exclusively by means that meet the requirements of information security.

Last modified 28 Jan 2019
Breach Notification

Both the existing laws and the Draft Law do not provide for the obligation to notify about a data breach.

Last modified 28 Jan 2019
Enforcement

Existing laws

Enforcement of existing laws related to personal data is ensured by a number of provisions contained in the Civil Code, the Criminal Code and the Code on Administrative Liability.

The Civil Code sets forth natural persons’ non-property rights (such as right to privacy, person’s life and health, honor and dignity etc) and provides for the remedies to protect them, which includes, inter alia, claiming damages, seeking injunctive relief and others.

According to Article 46 of the Code on Administrative Liability, disclosure of medical or commercial secrets, secrecy of correspondence and other communications, notarial actions, banking operations and savings, as well as other information that may cause moral or material damage to a citizen, his rights, freedoms and legitimate interests entails administrative liability in the form of a fine to be imposed on citizens (in the amount of up to 2 minimum monthly wages (approx US$49)), and on the companies’ executive officers (in the amount of up to 5 minimum monthly wages (approx US$121)).

Also, collection and dissemination of information about the private life of individuals, constituting their private or family secret, without their consent is punishable by large fines amounting up to 40 minimum monthly wages (approx US$970). Repeated commission of the offense may lead to larger fines or imprisonment.

In the meantime, Article 141-1 of the Criminal Code prohibits violation of personal privacy by illegal collection and dissemination of personal information and family secrets. The liability for the above violation committed after imposition of an administrative penalty may be in the form of a fine (in the amount of up to 100 minimum monthly wages (approx. US$2426)), mandatory public works (up to 300  hours), or correctional labor (up to 2 years).

Pursuant to Article 179-3 of the Code on Administrative Liability, wrongful demanding, obtaining or disclosure of information constituting commercial, banking and other secrecy protected by law, in connection with combating money laundering and financing of terrorism, entails the imposition of a fine (in the amount of up to 15 minimum monthly wages (approx. US$363)).

The Draft Law

Under the Draft Law, a data subject is entitled to protect his / her personal data from:

  • Illegal processing or accidental loss
  • Destruction
  • Damage
  • Failure to provide
  • Protection from the provision of information which is false or defamatory

In this regard, a data subject has a right to apply to a competent state bodies with such issues, resort to legal remedies, including claiming moral and material damages.

Under the Draft Law, the Authorized State Body is authorized to monitor compliance of others with the law and to examine complaints and applications of natural and legal persons regarding personal data processing issues. It also empowers the Authorized State Body to impose administrative and other liability on those violating the requirements of the Draft Law.

Last modified 28 Jan 2019
Electronic Marketing

Existing laws

The Law No. ZRU-385 of the Republic of Uzbekistan 'On E-Commerce' (new version) dated May 22, 2015 contains a provision on the use of personal data in e-commerce and electronic marketing. It requires obtaining prior consent of a data subject for distribution of the offer and advertising, including through mass distribution of electronic messages.

The Draft Law

The Draft Law does not specifically regulate the use of personal data in electronic marketing. It is not in any way excluded from the scope of the Draft Law application. Therefore, the Draft Law is deemed to apply to the use of personal data in electronic marketing.

Last modified 28 Jan 2019
Online Privacy

Both the existing laws and the Draft Law do not provide for regulation of online privacy. However, if personal data is involved and privacy issues are concerned, there are no obstacles for their application with respect to online privacy.

Last modified 28 Jan 2019
Contacts
Dilshad Khabibullaev
Dilshad Khabibullaev
Partner
Centil Law Firm
T +998711204778
Valeriya Ok
Valeriya Ok
Senior Associate
Centil Law Firm
T +998711204778
Sabina Saparova
Sabina Saparova
Associate
Centil Law Firm
T +998711204778
Last modified 28 Jan 2019