2026-04-16 00:00 Uzbekistan

Data Protection & Privacy in Uzbekistan

Uzbekistan's personal data regime is a binding legal framework, not a soft recommendation. Any company - domestic or foreign - that collects, stores, transfers or otherwise processes personal data of individuals located in Uzbekistan must comply with Law No. ZRU-547 on Personal Data (Закон Республики Узбекистан «О персональных данных»), as amended, and a growing body of subordinate regulations. Non-compliance exposes businesses to administrative fines, mandatory data deletion orders, and operational restrictions that can halt digital services entirely. This article maps the legal architecture, identifies the most consequential obligations for international operators, and explains how to build a defensible compliance posture in Uzbekistan.

Legal framework: the architecture of data protection in Uzbekistan

The cornerstone of Uzbekistan's data protection system is Law No. ZRU-547 on Personal Data, originally enacted and subsequently amended to expand its scope and enforcement teeth. The law defines personal data broadly as any information that directly or indirectly identifies a natural person. This definition captures names, identification numbers, location data, biometric identifiers, and online identifiers - a scope comparable to the European General Data Protection Regulation (GDPR) definition under Article 4.

The law is supplemented by Presidential Decree No. PP-3832 on measures to improve the system of protection of personal data, which established the Agency for Personal Data Protection (Агентство по защите персональных данных, APDP) as the primary supervisory authority. The APDP holds powers to conduct audits, issue binding instructions, impose administrative sanctions, and refer serious violations to prosecutorial authorities. Understanding the APDP's mandate is essential for any compliance programme targeting Uzbekistan.

Article 8 of the Law on Personal Data establishes the principle of purpose limitation: data may only be collected for specific, pre-defined, and lawful purposes. Article 9 introduces the proportionality requirement, prohibiting collection of data exceeding what is necessary for the stated purpose. Article 14 governs the rights of data subjects, including the right to access, correct, and delete their personal data - rights that must be operationalised through internal procedures, not merely acknowledged in a privacy policy.

Cabinet of Ministers Resolution No. 757 on the procedure for processing personal data in information systems sets out technical and organisational requirements for data controllers and processors. It mandates registration of personal data databases with the APDP, specifies minimum security standards, and defines the categories of data that require enhanced protection. Biometric data, health data, and data relating to criminal convictions fall into a special category requiring explicit consent and heightened security measures.

The Law on Electronic Commerce (Закон «Об электронной коммерции») intersects with data protection obligations for e-commerce operators, requiring transparent disclosure of data processing practices at the point of collection. Operators running digital platforms in Uzbekistan must treat this law as a parallel compliance obligation, not an alternative to the Personal Data Law.

Who is subject to Uzbekistan's data protection rules

The territorial scope of Uzbekistan's data protection obligations is broader than many international operators assume. The Law on Personal Data applies to any entity - regardless of its place of incorporation - that processes personal data of individuals residing in Uzbekistan. A company incorporated in Singapore, the Netherlands, or the UAE that operates a website collecting data from Uzbek users, or that employs staff in Uzbekistan, falls within the law's scope.

The law distinguishes between data controllers (операторы персональных данных) and data processors (третьи лица, обрабатывающие персональные данные). A controller determines the purposes and means of processing. A processor acts on the controller's instructions. Both bear legal obligations, but controllers carry primary liability. Foreign companies that engage Uzbek service providers to process data on their behalf remain responsible as controllers for ensuring the processor's compliance.

Three practical scenarios illustrate the scope:

  • A European SaaS company with Uzbek corporate clients stores employee records of those clients. The SaaS company is a processor; the Uzbek corporate client is the controller. Both must have a written data processing agreement in place, and the SaaS company must implement security measures meeting Uzbek standards.
  • A regional e-commerce platform incorporated in Kazakhstan sells goods to Uzbek consumers and collects their delivery addresses and payment data. The platform is a controller subject to Uzbek law and must register its database with the APDP.
  • A multinational with a representative office in Tashkent processes HR data of local employees. The multinational is a controller, must appoint a responsible person for personal data (the functional equivalent of a Data Protection Officer), and must store employee data on servers located in Uzbekistan.

The third scenario highlights the localisation requirement, which is one of the most operationally significant obligations in the Uzbek framework.

To receive a checklist on data controller obligations and database registration requirements in Uzbekistan, send a request to info@vlolawfirm.com.

Data localisation and cross-border transfer rules in Uzbekistan

Data localisation is a hard legal requirement under Article 22 of the Law on Personal Data. Personal data of Uzbek citizens must be stored and processed on servers physically located within Uzbekistan. This obligation applies at the point of initial collection and throughout the data lifecycle. Using a cloud provider whose nearest data centre is in Frankfurt or Singapore does not satisfy the requirement, even if the provider offers contractual assurances about data handling.

The localisation obligation has direct infrastructure consequences. Companies must either establish their own server capacity in Uzbekistan, contract with a licensed Uzbek data centre operator, or use a cloud provider that maintains a certified Uzbek node. The APDP maintains a register of certified information systems, and operating outside this register creates regulatory exposure.

Cross-border transfer of personal data - meaning any transmission of data to a recipient outside Uzbekistan - is permitted only under specific conditions set out in Article 23 of the Law on Personal Data. The conditions are:

  • The data subject has given explicit, informed consent to the cross-border transfer.
  • The transfer is necessary for the performance of a contract to which the data subject is a party.
  • The transfer is required to protect the vital interests of the data subject.
  • The recipient country provides an adequate level of personal data protection, as determined by the APDP.

The adequacy assessment mechanism is still developing. Unlike the European Commission, which publishes formal adequacy decisions, Uzbekistan has not yet published a comprehensive list of adequate jurisdictions. In practice, companies rely on consent or contractual necessity as the most reliable transfer bases. Consent-based transfers require granular documentation: the consent must be specific to the transfer, not bundled with general terms of service.

A non-obvious risk arises in group company structures. Transferring employee or customer data from an Uzbek subsidiary to a parent company's global HR or CRM system constitutes a cross-border transfer subject to Article 23. Many multinational groups overlook this, treating intra-group data flows as purely administrative. The APDP does not recognise intra-group transfers as a standalone legal basis.

The cost of building or contracting localised infrastructure varies significantly by business size. For a mid-size operator, contracting with an established Uzbek data centre typically starts from the low thousands of USD per year. For large-scale operations requiring dedicated capacity, costs rise substantially. Factoring these costs into market entry budgets is essential.

Consent, lawful bases, and special category data

Consent (согласие субъекта персональных данных) is the primary lawful basis for personal data processing under Uzbek law, and its requirements are more prescriptive than many international operators expect. Article 10 of the Law on Personal Data requires that consent be:

  • Freely given, without coercion or conditioning on service access where processing is not necessary for the service.
  • Specific to the stated purpose of processing.
  • Informed, meaning the data subject must understand what data is collected, by whom, for what purpose, and for how long.
  • Documented, either in writing or in a verifiable electronic form.

Pre-ticked boxes, implied consent through continued use of a service, and bundled consent clauses buried in general terms do not satisfy these requirements. A common mistake among international operators entering Uzbekistan is importing consent mechanisms designed for other jurisdictions - including GDPR-compliant mechanisms - without adapting them to Uzbek specifics. While the GDPR and Uzbek law share philosophical roots, the procedural requirements differ in ways that matter during an audit.

The law recognises limited alternative lawful bases beyond consent. Processing is lawful without consent where it is necessary for the performance of a contract with the data subject, required by law, or necessary to protect the vital interests of the data subject. However, these bases are interpreted narrowly. The legitimate interests basis - widely used under GDPR Article 6(1)(f) - has no direct equivalent in Uzbek law, meaning companies cannot rely on it as a fallback.

Special category data requires explicit consent and additional safeguards. Article 15 of the Law on Personal Data identifies the following as special categories: health and medical data, biometric data, data on racial or ethnic origin, political views, religious beliefs, and criminal records. Processing special category data without explicit consent is prohibited except in narrowly defined circumstances, such as medical necessity or legal obligation. For businesses in healthcare, fintech, or HR technology, this creates a high compliance bar that must be addressed in system design, not retrofitted after deployment.

Children's data deserves separate attention. Processing personal data of individuals under 18 requires consent from a parent or legal guardian. Digital platforms with broad user bases must implement age verification mechanisms that are technically reliable, not merely declaratory.

To receive a checklist on consent documentation and lawful basis mapping for Uzbekistan, send a request to info@vlolawfirm.com.

Data breach notification, DPO obligations, and enforcement

Uzbekistan's data breach notification regime is mandatory and time-bound. Under the Law on Personal Data and the APDP's procedural guidelines, a data controller that becomes aware of a personal data breach must notify the APDP within 24 hours of discovery. The notification must include a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

Notification to affected data subjects is also required where the breach is likely to result in high risk to their rights and freedoms. The law does not specify a fixed deadline for subject notification, but the APDP expects it to occur without undue delay. In practice, companies should target subject notification within 72 hours of the APDP notification, mirroring GDPR practice, as this demonstrates good faith during any subsequent investigation.

A common mistake is treating breach notification as a purely technical function delegated to IT teams. The legal consequences of a breach - including potential administrative liability, civil claims from affected individuals, and reputational damage - require legal counsel to be involved from the moment a breach is suspected. Delayed or incomplete notification is treated as an aggravating factor in enforcement proceedings.

The responsible person for personal data (ответственный за организацию обработки персональных данных) is a mandatory appointment for data controllers under Article 18 of the Law on Personal Data. This role is functionally equivalent to a Data Protection Officer (DPO) under GDPR. The responsible person must:

  • Monitor compliance with the Law on Personal Data and internal data protection policies.
  • Conduct internal audits of data processing activities.
  • Serve as the primary point of contact for the APDP.
  • Handle data subject requests within the statutory timeframe of 30 days.

Unlike the GDPR's DPO, the Uzbek responsible person does not need to be independent of the organisation's management. However, the role must be formally designated in writing, and the designation must be communicated to the APDP. Foreign companies operating through a representative office or subsidiary in Uzbekistan must appoint a locally accessible responsible person - a remote appointment from headquarters in another country does not satisfy the requirement in practice.

Enforcement by the APDP has become more active. Administrative sanctions for violations of the Law on Personal Data are set out in the Code of Administrative Responsibility (Кодекс об административной ответственности), Article 46. Sanctions range from warnings for first-time minor violations to fines calculated as multiples of the base calculation unit (базовая расчётная величина, BRV). For legal entities, fines for serious violations - including failure to register a database, unlawful cross-border transfer, or failure to notify a breach - can reach levels that are commercially significant for small and mid-size operators.

Beyond fines, the APDP can issue orders requiring deletion of unlawfully processed data, suspension of data processing activities, and blocking of access to non-compliant information systems. For a digital business, a processing suspension order is operationally equivalent to a shutdown notice. The risk of inaction is therefore not abstract: companies that delay building compliance infrastructure face the prospect of forced operational interruption, which typically costs far more than proactive compliance.

Building a compliance programme: practical steps for international operators

A defensible compliance programme for Uzbekistan requires addressing five structural elements: legal basis mapping, database registration, localisation infrastructure, internal governance, and incident response readiness.

Legal basis mapping means identifying, for each category of personal data processed, the lawful basis under Uzbek law. This exercise typically reveals gaps between existing global privacy notices and Uzbek requirements. The output is a data processing register (реестр обработки персональных данных) that documents purposes, legal bases, retention periods, and transfer mechanisms for each data category.

Database registration with the APDP is a mandatory procedural step for controllers. The registration application must describe the database, the categories of data subjects, the purposes of processing, the security measures in place, and the identity of the responsible person. Registration is not a one-time formality: changes to the database's scope or purpose must be notified to the APDP. Operating an unregistered database is a standalone violation, independent of whether any other breach has occurred.

Localisation infrastructure must be in place before data collection begins, not after. Companies that launch Uzbek-facing services on global infrastructure and plan to migrate later routinely underestimate the technical complexity and timeline of migration. A non-obvious risk is that data collected before localisation is in place is itself unlawfully processed, creating retroactive liability.

Internal governance requires written policies, staff training, and documented procedures for handling data subject requests. The 30-day response deadline for subject access, correction, and deletion requests runs from receipt of the request. Missing this deadline is a common source of complaints to the APDP from data subjects, and complaints trigger formal investigations.

Incident response readiness means having a documented breach response plan that assigns roles, defines escalation paths, and pre-populates the APDP notification template. Companies that draft this plan after a breach occurs consistently miss the 24-hour notification window, compounding their liability.

The business economics of compliance are straightforward. A mid-size operator entering the Uzbek market should budget for legal advisory fees starting from the low thousands of USD for an initial compliance gap assessment, plus infrastructure costs for localisation, plus ongoing costs for the responsible person function. These costs are modest relative to the potential cost of enforcement action, which can include fines, operational suspension, and reputational damage in a market where trust is a competitive differentiator.

To receive a checklist on building a personal data compliance programme for Uzbekistan, send a request to info@vlolawfirm.com.

FAQ

What is the most significant practical risk for a foreign company processing data of Uzbek users without a local compliance structure?

The most immediate risk is operating an unregistered personal data database, which is a standalone violation under Uzbek law regardless of whether any data breach or misuse has occurred. The APDP can identify unregistered databases through its monitoring of information systems and through complaints from data subjects. Once identified, the company faces a combination of fines, a mandatory registration order, and potential suspension of data processing until compliance is achieved. For a digital business, suspension of processing effectively means suspension of service. Building the registration and governance structure before launching Uzbek-facing services eliminates this risk at its root.

How long does it take to achieve compliance, and what does it cost for a mid-size international operator?

A realistic timeline for a mid-size operator to achieve substantive compliance - covering legal basis mapping, database registration, localisation, responsible person appointment, and internal policies - is three to five months from the start of the project. The timeline depends heavily on the complexity of the data architecture and the speed of infrastructure decisions. Legal advisory costs for the compliance build typically start from the low thousands of USD and scale with complexity. Infrastructure costs for localised data storage add to this, as does the ongoing cost of maintaining the responsible person function. Delaying compliance does not reduce these costs; it adds the risk of enforcement costs on top of them.

When should a company use consent as the lawful basis for processing, and when should it rely on contractual necessity instead?

Consent is the appropriate basis when processing is not strictly necessary to deliver the service the data subject has requested, or when the company wants to use data for secondary purposes such as marketing or analytics. Contractual necessity is appropriate when processing is genuinely required to perform a contract with the data subject - for example, processing a delivery address to fulfil an e-commerce order. The distinction matters because consent can be withdrawn at any time, requiring the company to stop processing and potentially delete the data, while contractual necessity is more stable. A common strategic mistake is defaulting to consent for all processing, which creates a fragile legal basis that can be undermined by mass withdrawal. Mapping each processing activity to the most appropriate and stable lawful basis is a core compliance task.

Conclusion

Uzbekistan's data protection framework is a mature and actively enforced legal regime that imposes concrete obligations on any business processing personal data of individuals in the country. The combination of localisation requirements, mandatory database registration, strict consent standards, and a 24-hour breach notification window means that compliance cannot be treated as a post-launch consideration. Companies that build compliance into their market entry planning avoid the operational and financial costs of remediation under regulatory pressure.

Our law firm VLO Law Firm has experience supporting clients in Uzbekistan on data protection and compliance matters. We can assist with compliance gap assessments, database registration with the APDP, responsible person appointment, cross-border transfer structuring, and breach response. To receive a consultation, contact: info@vlolawfirm.com.