On July 2, 2019, the Republic of Uzbekistan adopted the first special law that regulates the protection of personal data. The Law on Personal Data No. LRU-547 (The Law), which comes into force on October 1, 2019, provides for a range of legal obligations for persons whose activities involve personal data – that is virtually all legal entities.
What is personal data?
Personal data is any information related to a specific person or that makes it possible to identify him/her and that is recorded on electronic, paper and/or other tangible media.
In addition, more stringent requirements apply to biometric or genetic data, as well as to special personal data (i.e. data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, concerning physical or mental health and privacy, criminal record).
Data Protection Authority
The State Personalization Center under the Cabinet of Ministers of the Republic of Uzbekistan is appointed as the authorized state body in the field of personal data and has the following powers:
issues a certificate of registration of the personal data base in the State Register of personal data bases;
exercises state control over the compliance with the requirements of data protection laws;
makes mandatory instructions for eliminating violations of data protection laws;
determines the required level of personal data security;
analyzes the volume and content of processed personal data, the type of activity and the possibility of threats to the security of personal data.
Requirements for processing of personal data
The new law sets the legal framework for processing personal data and for the relations between participants in this process: the data subject (the person to whom the data relates), the database owner and the operator (the person performing the processing).
The law provides for the following requirements for processing personal data:
Lawfulness of purposes and methods. Personal data processing can only be carried out with the consent of the data subject. Personal data can be used by employees of the database owner and / or operator, as well as a third party, only in accordance with their professional, official or employment duties. Personal data should be destroyed if the data subject withdraws his/her consent to process the personal data or upon expiration of the term for processing data as allowed by the consent of the data subject.
Data minimization. The database including personal data is formed by collecting personal data to the extent necessary and sufficient to achieve the set objectives. The scope and nature of the processed data should match the purposes and methods of their processing. The duration for processing personal data should not exceed the term allowed by the data subject's consent.
Purpose limitation. The objectives of the processing of personal data must comply with the objectives that are stated at the time of their collection, as well as with the rights and obligations of the database owner and/or operator. In case the purposes of processing changes, it is necessary to obtain the consent of the data subject to process the data in accordance with the changed purpose.
Storage limitation. Personal data must not be kept in a form that permits the identification of data subjects for longer than is necessary for the purposes for which the data is processed. Upon reaching the purpose of processing, personal data should be destroyed by the database owner and/or operator, as well as by a third party.
Accuracy and fairness. Personal data must be accurate and reliable, and, if necessary should be modified and supplemented. The data should be modified and supplemented by the database owner and/or operator (a) no later than three days if requested by the data subject and (b) without undue delay if the data is not true.
Confidentiality and security. Persons who have access to personal data are obliged not to disclose or distribute personal data without the consent of the subject. The personal data can be used provided that the necessary level of security is provided. The obligation to protect personal data arises from the moment of collecting personal data and remains until the moment of their destruction or depersonalization.
We expect that a standard procedure for the processing of personal data and the order of organization activities for the processing of personal data and their protection will be approved in the near future.
Making decisions based on automated processing
A decision based solely on the automated processing of the data subject’s personal data can only be accomplished by the data subject’s explicit consent.
The database owner and/or the operator must explain to the data subject the procedure of making decisions based on automated processing and the possible legal consequences of such a decision.
Form of the data subject’s consent
The consent can be expressed in any form that allows verifying the fact of its receipt.
Rights of data subject
The data subject has the right to receive information concerning the processing of his personal data, including:
confirmation from the database owner as to whether or not the database owner processes personal data;
grounds and purpose of processing personal data;
implemented methods for processing personal data;
information regarding individuals who have access to personal data or who may disclose personal data on the basis of an agreement concluded with the database owner and/or operator, or on the basis of the Law;
the composition of the processed personal data related to the relevant data subject and the source of their receipt;
the processing time of personal data, including the storage period;
information on the performed or intended cross-border transfer of personal data.
The data subject also has the right to require from the database owner and/or operator to suspend the processing of their personal data in case the data is incomplete, outdated, inaccurate, illegally obtained or not necessary for processing purposes.
Registration of databases containing personal data
The requirement to register personal databases in the relevant registrar of the authorized body is introduced. There are several exceptions to this requirement; in particular, registration is not necessary if the database contains data that is processed in accordance with labor legislation or without the use of automation facilities.
In addition, the database owner and/or operator must determine the structural unit or responsible official for the work related to the processing and protection of personal data and ensure its operation in accordance with the model procedure for processing personal data (not approved at the date of publication).
Cross-border data transfers
The personal data can be transferred over the border provided that the foreign states to which the data is transferred provide adequate protection of the data subjects’ rights.
There are exceptions when the cross-border transfer is possible without adequate protection, for example, if the data subject agrees to such cross-border transfer.
Along with the adoption of the Law on Personal Data, the Administrative Liability Code and the Criminal Code have been amended by the Law No. LRU-548 dated 8, 2019. Liability measures also come into force on October 1, 2019.
The sanctions are imposed for illegal collection, systematization, storage, modification, addition, use, provision, dissemination, transfer, depersonalization and destruction of personal data as follows:
Administrative liability in the form of a fine from three to five minimum wages to individuals and from five to 10 wages (about US$125-250) to corporate officers (Article 46-2 of the Administrative Liability Code). Cases of this category are under the jurisdiction of administrative courts.
Criminal liability arises if the same actions were committed after an administrative penalty, in the form of a fine up to 50 minimum wages (about US$1,250) or deprivation of a certain right of up to three years or correctional work of up to two years (Article 141-2 of the Criminal Code).
Criminal liability of a stricter nature is applied if a crime is committed by prior conspiracy by a group of individuals, repeatedly or by a dangerous recidivist, for mercenary or other vile motives, using his official position, or entails grave consequences, with sanctions in the form of a fine from 50 to 100 minimum wages (about US$1,250-2,500) or correctional work from two to three years, or custodial restraint from one year to three years or imprisonment up to three years.
Exemption from liability
A person accused of a criminal offense may be discharged by admitting his guilt, by reconciling himself with the victim and compensation of the caused harm (Article 66-1 of the Criminal Code). However, this rule does not apply to individuals who have unexpired convictions for committing grave or exceptionally aggravated criminal offences.