Overview: personal data


On July 2, 2019, the Republic of Uzbekistan adopted the Law on Personal Data No.547 (The Law), which provides for several legal obligations for individuals whose activities involve personal data – that is actually all legal entities.

Personal data is…?

Personal data is any information related to a specific person or that makes to his/her identification possible and that is recorded on electronic, paper and/or other material object.

Furthermore, stricter requirements apply to biometric or genetic data, as well as to special personal data (i.e. data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, concerning physical or mental health and privacy, criminal record).

Field of application

The Law clearly defines the scope of its action and covers relations arising from the processing and protection of personal data, regardless of the processing tools used, including information technology.

At the same time, this Law does not apply to relations arising from:

  • processing of personal data for personal, household purposes and not related to his professional or commercial activities;
  • using archival documents containing personal data;
  • processing of personal data that classified as information constituting state secrets;
  • processing of personal data obtained in the course of operational-search, intelligence and counterintelligence activities, the fight against crime, the protection of law and order, as well as in the framework of combating the legalization of proceeds from criminal activity.

Data Protection Authority

The State Personalization Center under the Cabinet of Ministers of the Republic of Uzbekistan is appointed as the authorized state body in the field of personal data and has the following powers:

  • issues a certificate of registration of the personal data base in the State Register of personal data bases;
  • exercises state control over the compliance with the requirements of data protection laws;
  • makes compulsory instructions for eliminating violations of data protection laws;
  • determines the required level of personal data security;
  • analyzes the volume and content of processed personal data, the type of activity and the possibility of threats to the security of personal data. 

Requirements for processing of personal data

The Law sets the legal framework for processing personal data and for the relations between participants in this process: the data subject (the person to whom the data relates), the database owner (state body, individual and (or) legal entity that has the right to own, use and dispose of the personal data base) and the operator (the person performing the processing).

The Law provides for the following requirements for processing personal data:

  • Lawfulness of purposes and methods. Personal data processing can only be carried out with the consent of the data subject. Personal data can be used by employees of the database owner and / or operator, as well as a third party, only in accordance with their professional, official or employment duties. Personal data should be destroyed if the data subject withdraws his/her consent to process the personal data or upon expiration of the term for processing data as allowed by the consent of the data subject.
  • Data minimization. The database including personal data is formed by collecting personal data to the extent necessary and sufficient to achieve the set objectives. The scope and nature of the processed data should match the purposes and methods of their processing. The duration for processing personal data should not exceed the term allowed by the data subject’s consent.
  • Purpose limitation. The objectives of the processing of personal data must comply with the objectives that are stated at the time of their collection, as well as with the rights and obligations of the database owner and/or operator. In case the purposes of processing changes, it is necessary to obtain the consent of the data subject to process the data in accordance with the changed purpose.
  • Storage limitation. Personal data must not be kept in a form that permits the identification of data subjects for longer than is necessary for the purposes for which the data is processed. Upon reaching the purpose of processing, personal data should be destroyed by the database owner and/or operator, as well as by a third party.
  • Accuracy and fairness. Personal data must be accurate and reliable, and, if necessary should be modified and supplemented. The data should be modified and supplemented by the database owner and/or operator (a) no later than three days if requested by the data subject and (b) without undue delay if the data is not true.
  • Confidentiality and security. Persons who have access to personal data are obliged not to disclose or distribute personal data without the consent of the subject. The personal data can be used provided that the necessary level of security is provided. The obligation to protect personal data arises from the moment of collecting personal data and remains until the moment of their destruction or depersonalization.

Making decisions based on automated processing

A decision based solely on the automated processing of the data subject’s personal data can only be accomplished by the data subject’s explicit consent.

The database owner and/or the operator must explain to the data subject the procedure of making decisions based on automated processing and the possible legal consequences of such a decision.

Form of the data subject’s consent

The consent can be expressed in any form that allows verifying the fact of its receipt.

Rights of data subject

The data subject has the right to receive information concerning the processing of his personal data, including:

  • confirmation from the database owner as to whether or not the database owner processes personal data;
  • grounds and purpose of processing personal data;
  • implemented methods for processing personal data;
  • information regarding individuals who have access to personal data or who may disclose personal data on the basis of an agreement concluded with the database owner and/or operator, or on the basis of the Law;
  • the composition of the processed personal data related to the relevant data subject and the source of their receipt;
  • the processing time of personal data, including the storage period;
  • information on the performed or intended cross-border transfer of personal data.

The data subject also has the right to require from the database owner and/or operator to suspend the processing of their personal data if the data is incomplete, outdated, inaccurate, illegally obtained or not necessary for processing purposes.

Registration of databases containing personal data

The requirement to register personal databases in the relevant registry of the authorized body is introduced. There are several exceptions to this requirement; in particular, registration is not necessary if the database contains data that is processed in accordance with labor legislation or without the use of automation facilities.

In addition, the database owner and/or operator must determine the structural unit or responsible official for the work related to the processing and protection of personal data and ensure its operation in accordance with the model procedure for processing personal data (not approved at the date of publication).

Cross-border data transfers

The personal data can be transferred over the border provided that the foreign states to which the data is transferred provide adequate protection of the data subjects’ rights.

There are exceptions when the cross-border transfer is possible without adequate protection, for example, if the data subject agrees to such cross-border transfer.


Along with the adoption of the Law on Personal Data, the Administrative Liability Code and the Criminal Code have been amended. Liability measures also come into force on October 1, 2019.

The sanctions are imposed for illegal collection, systematization, storage, modification, addition, use, provision, dissemination, transfer, depersonalization and destruction of personal data as follows:

  1. Administrative liability in the form of a fine from three to five minimum wages to individuals and from five to 10 wages to corporate officers according to the Article 46-2 of the Administrative Liability Code. Cases of this category are under the jurisdiction of administrative courts.
  2. Criminal liability arises if the same actions were committed after an administrative penalty, in the form of a fine up to 50 minimum wages or deprivation of a certain right of up to three years or correctional work of up to two years according to the Article 141-2 of the Criminal Code.
  3. Criminal liability of a stricter nature is applied if a crime is committed by prior conspiracy by a group of individuals, repeatedly or by a dangerous recidivist, for mercenary or other vile motives, using his official position, or entails grave consequences, with sanctions in the form of a fine from 50 to 100 minimum wages or correctional work from two to three years, or custodial restraint from one year to three years or imprisonment up to three years.
  4. Subjects of personal data also have the right to demand compensation for property and moral damage caused to them as a result of violation of their rights and legitimate interests.

Exemption from liability

A person accused of a criminal offense may be discharged by admitting his guilt, by reconciling himself with the victim and compensation of the caused harm (Article 66-1 of the Criminal Code). However, this rule does not apply to individuals who have unexpired convictions for committing grave or exceptionally aggravated criminal offences.




Compliance: history of appearance in Uzbekistan


Compliance in banks

Nowadays Uzbekistan supports a program by the President of the Republic of Uzbekistan and the Government of the Republic of Uzbekistan of developing and implementation of compliance control system in state bodies, as well as in various business sectors. A certain number of legal acts aimed at implementing the compliance system in various areas have been developed. For example, for the first time, compliance control was mentioned in the joint Resolution of the Board of the Central Bank of the Republic of Uzbekistan Of the Department for combating economic crimes under the Prosecutor General’s office of the Republic of Uzbekistan “On approval of internal control rules for countering the legalization of proceeds from criminal activities, the financing of terrorism and the financing of the proliferation of weapons of mass destruction in commercial banks” No. 2886 dated 23.05.2017, which states that commercial banks should develop internal rules, which should reflect assurance compliance control, audit and (or) functions on counteraction of legalization of incomes received from criminal activity, financing of terrorism and (or) the financing of proliferation of weapons of mass destruction, obtaining in the necessary cases for the purposes of counteraction of legalization of incomes received from criminal activity, financing of terrorism and (or) the financing of proliferation of weapons of mass destruction, information from branches and subsidiaries about their clients, accounts and transactions. Implementation of compliance control in banks is aimed to protect interests of investors, banks and their clients by monitoring compliance of bank employees with the provisions of current legislation, requirements of supervisory authorities, as well as documents defining the Bank’s internal policies and procedures.                                                                                                                          

According to the act, commercial banks should take appropriate measures to study, analyze, identify, evaluate, monitor, manage, document and reduce the level of risk. In their activities they are required to systematically conduct researches, analysis and identification of possible risks of legalization of proceeds from criminal activities, financing of terrorism and financing the proliferation of weapons of mass destruction, and document the results of the study.          

For example, the commercial bank Hamkorbank has a Code of corporate ethics, which declares that the Bank does not accept any types of bribery and corruption. Neither employees nor third parties cooperating with the bank can give remuneration to officials in order to obtain or accelerate actions on their part. The commercial bank Uzpromstroybank has set up an anti-corruption hotline, where you can report illegal actions of employees, as well as warn about various causes and conditions that may contribute to the manifestation of corruption.                                                                            

The position of compliance lawyer

After the above-mentioned legal act position of a compliance lawyer officially appears in Uzbekistan. Thus, according to the Resolution of the Cabinet of Ministers of the Republic of Uzbekistan “On further improvement of the classifier of the main positions of employees and professions of workers” No. 795 dated 04.10.2017, the document was supplemented with the position of a compliance lawyer.

Compliance in the construction sector

Uzbekistan is taking measures to introduce modern market mechanisms to support business entities, provide greater freedom to private sector, strengthen guarantees of their rights and legitimate interests, attract foreign investment and modern technologies. Construction sector can be called one of priority sectors economy of Uzbekistan. The modern construction industry is one of the most prominent national sectors of the economy of the Republic of Uzbekistan showing stable annual growth. President Sh. Mirziyoyev in his strategy of development of the economy on 2017-2021 stated that special attention is given to the construction industry as a priority of the economy to accelerate development of the construction of buildings and structures, new objects of industry and private businesses, railways, roads, residential buildings.  In view of this, in accordance with the Decree of the President of the Republic of Uzbekistan “On measures to radically improve the quality of construction and installation works and improve the control system in construction” under No. 4586 dated 05.02.2020  in order to further improve the quality of construction and installation works, strengthen the role of inspections for control in the construction sector  a compliance service must be created, that will report directly to the head of the construction control inspectorate under the Ministry of construction of the Republic of Uzbekistan.

Compliance in the oil and gas industry

The development of the oil and gas industry of Uzbekistan is inextricably linked with the implementation of tasks to ensure the effective functioning of the fuel and energy complex of the Republic. On 04.04.2020  the decree of the President of the Republic of Uzbekistan “On priority measures to improve the financial stability of the oil and gas industry” came into force, which stated that in order to fully meet the needs of the economy and population of the Republic in energy resources, financial recovery of oil and gas enterprises, as well as creating favorable conditions for the development of a healthy competitive environment in the industry based on generally accepted international standards and best foreign practices, must be ensured implementation of the anti-corruption system “compliance control” at all enterprises of the oil and gas industry.         

To date, JSC “UZBEKNEFTEGAZ” has developed local regulatory documents in order to prevent corruption offenses, as well as a helpline for reporting signs of corruption. Also, the compliance control system seems to be implemented in JSC “UZKIMYOSANOAT”. However, there is no information about the development and implementation of the compliance control system in other organizations related to the oil and gas industry.                                      

Compliance in the Ministry of Justice

Next legal act, which refers to compliance is the decree of the President of the Republic of Uzbekistan “On measures on further improvement of activity of bodies and establishments of justice in the implementation of state legal policy”, which provides that the Ministry of Justice of the Republic of Uzbekistan has to implement anti-corruption compliance and create a position of “officer integrity” for coordination of anti-corruption policy of the Ministry of Justice of the Republic of Uzbekistan.                                                                                              

It is also worth noting that the Ministry of Justice of the Republic of Uzbekistan was the first among the state administration bodies of Uzbekistan to receive the certificate of the international standard of anti-corruption management ISO 37001:2016 “Anti-Corruption management system”. The international standard ISO 37001: 2016 provides for the implementation of acceptable and comparable measures to prevent, detect and take measures against corruption, as well as to minimize corruption risks.                                                     

Compliance and Anti-Corruption Agency

Thus, another legal act that referred to compliance is the Decree of the President of the Republic of Uzbekistan “On additional measures to improve the Anti-Corruption system of the Republic of Uzbekistan”, which declared formation of the Anti-Corruption Agency. One of the main tasks of the Agency is to organize the implementation and effective functioning of the internal Anti-Corruption compliance control system and other international anti-corruption tools in state and economic management bodies, state-owned enterprises, including banks with a state share in the authorized capital, and to conduct anti-corruption monitoring based on modern methods and technologies, as well as to compile a rating of their activities in this area. Based on this Decree, the Anti-Corruption Agency of the Republic of Uzbekistan is the responsible body for implementing the compliance control system in the above-listed organizations.

Compliance and business development Agency                                                                            

According to the decree of the President of the Republic of Uzbekistan “On additional measures to improve the system of public involvement in entrepreneurship and entrepreneurship development” under No. PP-4862 dated 13.10.2020, the Agency for business development, together with the State Inspectorate for supervision of the quality of education and the Ministry of justice was instructed to submit to the Cabinet of Ministers within a month the procedure for forming an electronic register of non-state educational organizations participating in programs for training the population in professions and entrepreneurship, as well as compensation for their expenses spent on training of public. At the same time, it should include: ensuring transparency and fairness in the provision of compensation, creating a system of compliance control to combat corruption, aimed at preventing various forms of abuse in this process.

Implementation of compliance in state-owned enterprises

The next regulatory act is the Decree of the President of the Republic of Uzbekistan “On measures for accelerated reform of enterprises with state participation and privatization of state assets” No. up-6096 dated 27.10.2020, which provides for the formation of a Department for the transformation of large enterprises with state participation in the structure of the Central office of the Ministry of Finance, one of the main tasks of which is to introduce a modern corporate governance system that provides for auditing procurement and management systems, as well as the formation of the compliance system and anti-corruption services in enterprises with state participation.                                                                                                                                     

The main goal of privatization in Uzbekistan is to attract private sector investment in the modernization, technical and technological re-equipment of privatized enterprises, the production of import-substituting and export-oriented products and creation of new job opportunities. Thereby ensuring the growth of the importance and share of the private sector in the country’s economy and accelerating structural changes in the economy.                                  

Compliance in the Cadastral Agency under the State tax Committee

Also, the system of compliance control is provided in the Cadastral Agency under the State tax Committee, as well as in organizations that are part of the Cadastral Agency system, as stated in the Decree of the President of the Republic of Uzbekistan “On organizational measures to reduce the shadow economy and improve the efficiency of tax authorities” No. up-6098 dated 30.10.2020. This implementation is noticeable on the official website of the Cadastral Agency under the State tax Committee, where a section “Fight against corruption” was added, which provides an opportunity to contact anonymously about the presence of corruption. However, according to article 29 of the Law of the Republic of Uzbekistan “On appeals of individuals and legal entities”, appeals submitted anonymously are not subject to consideration.

Conclusions and recommendations.

It is worth to emphasize that it is noticeable how the Government of Uzbekistan is taking measures to implement the compliance system in various areas, including in the activities of state bodies last three years. However, policy development alone is not enough without proper implementation in processes. In addition to hiring employees with special knowledge in the field of compliance, for the positions of compliance lawyers, i.e. “integrity officers”, it is important to conduct regular compliance courses for other employees, develop incentive systems, build an internal system of checks and balances and in order to succeed it is necessary to establish the work of the personnel service, financial control system, etc. It is important to bring existing local regulations into line. Most importantly it is necessary to review and adopt a number of changes and additions to the existing legislation of the Republic of Uzbekistan.

Our clients: ARboost

Our law firm Black Swan Consulting has been closely working for several months with the Russian company ARboost, known in the IT and telecommunications sector.

Within the framework of the agreement, BSC provides legal support in every possible way, as well as advises on various legal issues that the company faces in Uzbekistan. We also represent ARboost’s interests in government agencies.

ARboost was founded in 2010. The main goal of company is to provide ways for mobile operators to conduct interactive campaigns with subscribers.

ARboost offices are located throughout the CIS countries, what provides great convenience for its customers.

The company cooperates with such mobile operators as Beeline, MegaFon, Utel, Tele2.

“In cooperation with BSC, we most value efficiency, customer focus and quality of performed work,” says ARboost in-house counsel Sergey Gudkov.

BSC signed memorandum with NGO “Mercy and Kindness”

“The greatness of a nation and its moral progress can be judged by the way it treats animals,” – Mahatma Gandhi said.

Recently, our law firm “Black Swan Consulting” LLC signed a Memorandum with the NGO “Mehr va Oqibat” (translated from uzbek as Mercy and Kindness), which works in the field of upholding the rights and justice for animals.

Within the framework of this Memorandum, BSC is ready to assist and participate in projects initiated by NGOs. Despite the fact that the specifics of our firm is consulting in the field of corporate and commercial law, intellectual property and compliance, we have shown full readiness to support this NGO in every possible way and advise them in individual cases, as well as work together with them to tighten responsibility for animal cruelty. To date, the maximum fine for animal abuse is about $65. The criminal code of the Republic of Uzbekistan does not provide responsibiity for this act.

As part of this cooperation, we have already helped this NGO to bring to justice the person who shot the cat. As a result, the person was brought to justice and the court imposed ( a fine of $46.

Managing partner of the company – Amir Akhmedov is one of the oldest NGO volunteers, and was there at the time when the society was just emerging.

We hope that our cooperation and our work will be effective and will bring benefits to society