Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 570 on Approval of Certain Normative Legal Documents in the Field of Processing of Personal Data entered, on 7 January 2023, into force following its adoption on 5 October 2022. In particular, the Resolution ensures the implementation of Article 7 of the Law of the Republic of Uzbekistan of 2 July 2019 No. ЗРУ-547 on Personal Data and approved the Regulation on determining the levels of protection of personal data during their processing ('Regulation No. 1') and the Regulation on the requirements for physical objects containing biometric and genetic data and technologies for storing such data outside personal databases ('Regulation No. 2'). 

More specifically, Resolution No. 1 determines the levels of protection of personal data with which the owner or operator must comply while processing personal data, noting that when processing personal data, the owner and/or operator shall implement organisational and technical measures for the protection of personal data based on threats to their security. Specifically, Regulation No. 1 establishes three types of threats to the security of personal data:

• type I threats are threats related to the presence of undeclared opportunities in the system software of the database of personal data;
• type II threats are threats related to the presence of undeclared opportunities in the application software of the database of personal data; and
• type III threats are threats related to the presence of undeclared opportunities in the system software and application software of the database of personal data.

Based on the three types of threats, Regulation No. 1 provides four levels of protection, and that one of the four levels of protection must be established when processing personal data.

Moreover, Regulation No. 2 sets out the requirements for material carriers containing biometric and genetic data. Notably, Regulation No. 2 details that any physical objects used for the purpose of processing biometric and genetic data must be labeled 'confidential' or 'for use within the scope of the service'. In addition, Regulation No. 2 requires that when biometric and genetic data are stored electronically, these data should be encrypted and protected cryptographically or in any other manner. Furthermore, Regulation No. 2 requires the owner and/or operator to take appropriate security measures to prevent the theft, erasure, destruction, unauthorised acquisition, alteration, and uncontrolled abandonment of material carriers on which biometric and genetic data are recorded.

You can read the Resolution, only available in Uzbek, here.