Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Uzbekistan: Q&A on data localisation in Uzbekistan

On 15 January 2021, Law of 2 July 2019 No. ЗРУ-547 on Personal Data ('the Law') was amended to introduce data localisation requirements which will come into force on 16 April 2021. Ulugbek Abdullaev and Asol Iskhaeva, Counsel and Paralegal respectively at Dentons, answers some key questions on the new requirements.

avdeev007 / Signature collection / istockphoto.com

1. What is the key personal data localisation law in Uzbekistan?

The Law, as amended by Law of 14 January 2021 No. ЗРУ-666 on Amendments and Additions to Some Legislative Acts.

2. When do you have to localise the data?

The localisation requirement applies to the data that:

  • relates to an identified or identifiable individual and is fixed in a tangible medium;
  • relates to Uzbekistan citizens; and
  • is processed with the use of information technologies, including the internet and any global information network stored on any data storage device (electronic, paper, or any other device)1.

'Processing' is broadly defined to cover any one or a combination of actions for collection, systematisation, storage, modification, supplementation, use, provision, dissemination, transfer, depersonalisation, and destruction of personal data2.

An Uzbek citizen is defined as a person:

  • who permanently resides in the Republic of Uzbekistan since 28 July 1992, who is not a citizen of a foreign state, and has expressed a desire to become a citizen of the Republic of Uzbekistan;
  • who lives in the territory of Uzbekistan but has moved outside of Uzbekistan to study continuously, or has undergone military service, and returned to Uzbekistan within one year after graduation or military service and has been constantly registered in the Republic of Uzbekistan, provided that he/she does not have citizenship of a foreign state;
  • who holds the citizenship of the Republic of Uzbekistan on the day the Law of 13 March 2020 No. LRU-610 on Citizenship of the Republic of Uzbekistan ('the Law on Citizenship') came into force (i.e. 14 September 2020); and
  • who has acquired citizenship of the Republic of Uzbekistan in accordance with the Law on Citizenship.

3. What companies are subject to the data localisation laws in Uzbekistan?

It applies to any individual or a legal entity processing the personal data of Uzbekistan citizens. The Law defines three main categories of persons:

  • subject of personal data: an individual to whom personal data relates ('the Subject');
  • operator of a personal-data base: an individual, legal entity, or body processing personal data ('the Operator'); and
  • owner of a personal-data base: an individual, legal entity, or body having the right to own, use, and dispose personal data ('the Owner').

4. Can you transfer the data subject's data across borders under the data localisation laws?

Yes, as there is no restriction to transferring data abroad under Article 15 of the Law, once it is localised.

5. What requirements must be met when transferring the data?

The personal data can be transferred to countries with adequate level of protection for such transferred data. However, at the moment, there is clarity on what countries have 'adequate' level of protection.

In the absence of the list of countries with 'adequate' protection, the transfer would be allowed mainly based on the data subject's consent for such transfer under Article 15 of the Law.

6. Do you need to take into account the regulators' guidance on compliance with the data localisation laws?

There is no such guidance yet.

7. What liability can you be exposed to for non-compliance with the data localisation laws?

The liability can generally be in the form of:

  • public liability in the form of an administrative or criminal liability; and
  • civil (tort) liability which is usually damages to compensate for harm caused as a result of unlawful action or omission.

Administrative liability takes the form of a financial penalty in the amount of from five to 10 basic calculation units3 ('BCU') (approx. €100 to 200).

If repeated, the infringement would qualify as a criminal offence with the application of the fine up to 50 BCU (approx. €980), or the data protection officer ('DPO') could be disqualified/deprived of a certain right for up to three years, or be subject to corrective labour for up to two years.

In the following case, the criminal offence would be subject to the fine increased to 50-100 BCU (approx. €980 to €1,960), the DPO could be subject to corrective labour for two to three years or to restriction of liberty from one to three years or to imprisonment for up to three years if the offence is committed:

  • by a group of persons with prior conspiration;
  • repeatedly or by a dangerous repeat offender;
  • out of mercenary or other base motives;
  • with the use of an official position; and/or
  • with grave consequences4.

8. What are the enforcement risks in practice?

The requirement on personal data localisation will come into force on 16 April 2021, therefore there are no cases on enforcement at the moment.

It is assumed that one of the most likely enforcement measures could be the restriction of access to information resources where personal data is processed and has not been localised.

9. Are there any additional requirements or best practices related to data localisation laws not covered above that you should be aware of?

As businesses have globalised, the ways of processing data have also changed and become complex. Companies would need to analyse the way that they collect and process data, and introduce certain changes to the way they handle personal data. Hence, the data localisation nuances should be taken into account when building a compliance approach for Uzbekistan.

We also expect more guidance from the regulators in Uzbekistan, as well as enforcement approach and principles that data protection authorities may take this year. Hence, businesses will need to take into account the practice side of the issues in the future.

Ulugbek Abdullaev Counsel
[email protected]
Asol Iskhaeva Paralegal
[email protected]
Dentons, Tashkent


1. Articles 4 and 271 of the Law.
2. Article 4 of the Law.
3. Articles 15 and 46 of the Administrative Responsibility Code of Uzbekistan of 22 September 1994 No. 2015-XII (as amended).
4. Article 141 of the Criminal Code the Republic of Uzbekistan of 22 September 1994.