
Personal Data Protection


Protection of personal data is one of the most important issues in the modern world. Improper processing of personal data by companies may harm a person's financial and moral standing and compromise the proper use of the data in the future. For this reason, the personal data protection inspector periodically inspects companies and assesses their personal information processing standards. The results of the audit can be painful for the organization. In particular, the inspector can request a temporary or permanent termination of data processing, impose appropriate administrative liability – a fine, refer the matter to the court, etc.

The company is obliged to use personal data only to achieve a clearly defined purpose, so as to avoid unwanted disclosure of data to third parties.

The Loialte team is ready to provide you with services related to personal data processing in the following areas:

  • Providing consultations and preparing recommendations related to personal data processing
  • Aligning existing contracts in the company with the requirements of personal data protection law
  • Representation in the Personal Data Protection Service and in court

Under the Law “On Personal Data” (No. ZRU-547), any person or entity processing personal information must have a specific legal basis, most commonly the explicit consent of the data subject. Legally, the collector (owner) and processor (operator) are required to ensure the security, confidentiality, and accuracy of the data from the moment of collection until its disposal. In 2026, the law was significantly updated to distinguish between “general” personal data and “sensitive” categories, such as biometric and genetic information, which require enhanced physical and digital safeguards. Practically, this means businesses must maintain an internal “Personal Data Processing Policy” and appoint a responsible person to oversee data protection. Every individual has the right to know what data is being collected, for what purpose, and can request its deletion or correction at any time. Failure to comply with these fundamental principles can lead to administrative fines and the inclusion of the company in the “Register of Infringers.”

Following the landmark amendments to Article 27-1 effective March 27, 2026, mandatory localization on physical servers within Uzbekistan is now strictly limited to three sensitive categories: biometric data (Face ID, fingerprints), genetic data (DNA profiles), and telecommunications data (usage records of local operators). According to the updated Law “On Personal Data,” all other general categories of personal information—such as names, addresses, and transaction histories—may now be stored and processed on foreign servers or cloud platforms. This reform was specifically designed to allow international services like Apple Pay, Google Pay, and global SaaS platforms to operate legally without relocating their entire infrastructure. Practically, for most e-commerce and consulting firms, this removes the “total localization” burden that existed prior to 2026. However, any biometric or genetic data collected locally must still remain on hardware physically located within the Republic.

Since the March 2026 legal overhaul, the mandatory requirement to register personal data databases with the State Personalization Agency (via pd.gov.uz) now applies only to those databases containing data subject to mandatory localization (biometric, genetic, or telecom data). Under the updated Article 20, companies processing only “general” personal data that can be stored abroad are no longer required to undergo the formal state registration process, though they must still comply with all other protection standards. Legally, for those who must register, the process involves a simple notification detailing the types of data collected and the technical measures taken to protect them. Practically, the agency reviews the application within 15 days and issues a certificate of registration. Even if registration is not required, the company must still be able to prove to regulators that it has implemented sufficient organizational and technical security measures.

For personal data that is not subject to mandatory localization, cross-border transfers are legally permitted in 2026 provided one of three specific conditions is met: the destination country is on the “Adequate Protection” list approved by the Cabinet of Ministers, the operator uses Standard Contractual Clauses (SCCs), or the operator complies with approved international standards (like ISO 27001). This framework is similar to the European GDPR and aims to ensure that Uzbekistan citizens’ data is protected even when it leaves the country. Practically, businesses must review their contracts with foreign service providers to include these mandatory data protection clauses. The State Personalization Agency maintains oversight and can block transfers to countries or companies that do not meet these security benchmarks. This “pragmatic model” allows for global digital integration while maintaining a legal safety net for citizens’ information.

Penalties for personal data violations in Uzbekistan include administrative fines, the suspension of the company’s website, and, in cases of severe or repeated breaches, potential criminal liability. Under the Code of Administrative Responsibility, the failure to ensure the security of personal data can result in fines for officials, while the Criminal Code (Article 141-2) addresses the intentional illegal disclosure of private information. Practically, the most immediate risk for a business is being added to the “Register of Infringers of the Rights of Personal Data Subjects,” which results in the blocking of the company’s information resources (websites and apps) within Uzbekistan territory. In 2026, regulators have intensified their focus on “unauthorized leaks,” and companies are now practically required to report major data breaches to the authorities within a short timeframe. Proactive compliance—including regular security audits and employee training—is the only way to avoid these high-stakes enforcement actions.

 

 
