New standards for personal data processing approved in Uzbekistan

The Order of the Ministry of Justice under registration number 3478, dated November 15, 2023, approving a standardized procedure for the processing of personal data, has been adopted in Uzbekistan.

This procedure outlines:

• The process of handling personal data.
• Principles, objectives, and conditions of processing.
• Rights and obligations of the data owner and the database operator.

When processing personal data, whether by the owner, operator, or a third party, the following steps must be observed:

• Processing carried out for specific and predefined purposes.
• Prevention of merging databases that differ in processing objectives.
• Ensuring accuracy, reliability, and integrity of personal data.
• Storage of personal data for no longer than the necessary duration to achieve the processing purpose, unless legislation or a contract with the data subject specifies a different storage period.
• Destruction or anonymization of personal data after achieving processing goals or when no longer needed, unless legislation dictates an alternative procedure.

Consent from the data subject for the processing of their personal data must be obtained in written form or in the form of an electronic document. Acceptance (approval) of an offer (public contract) with specific processing purposes is considered the data subject's consent.

The data subject or their legal representative has the right to revoke their consent to the processing of personal data at any time. The consent document must include: the operator's name, TIN (for individuals – full name, TIN), the data subject's full name, processing objectives, a list of information subject to processing, duration of consent, permission for data transfer to third parties and their cross-border transfer, consent for data dissemination in publicly accessible sources, and other relevant information.

When processing personal data for research or scientific purposes, the owner, operator, or a third party must anonymize this data. In this case, the data subject's consent is not required, and anonymization ensures the impossibility of data recovery.

Personal data must be destroyed within 3 days after achieving the processing goals, withdrawal of consent, expiration of the consent period, or the entry into legal force of a judicial decision.

In the event of a government agency's request for the provision of personal data, the data subject must send a notification about it (except for state secrets and information subject to limited access).

Personal data can only be transferred to economic associations, state organizations and institutions, as well as non-governmental organizations with the consent of the data subject.