ORQ-547 02.07.2019

The document is currently being amended

LAW OF THE REPUBLIC OF UZBEKISTAN
ON PERSONAL DATA
Adopted by the Legislative Chamber on April 16, 2019
Approved by the Senate on June 21, 2019
Chapter 1. General rules
Article 1 The purpose of this Act
The purpose of this Law is to regulate the relationship in the field of personal data.
Article 2 Personal information legislation
The legislation on personal data consists of this Law and other legislative acts.
If an international treaty of the Republic of Uzbekistan establishes rules other than those provided for in the legislation of the Republic of Uzbekistan on personal data, the rules of the international treaty shall apply.
Article 3 Scope of this Law
This Law applies to relations arising in the processing and protection of personal data, regardless of the means of processing used, including information technology.
This Law does not apply to relations arising in:
the processing of personal data by an individual for personal, household purposes not related to his or her professional or commercial activities;
the formation, storage and use of documents of the National Archive Fund and other archival documents that include personal data;
the processing of personal data included in the list of information constituting state secrets;
the processing of personal data obtained in the course of operational search, intelligence and counterintelligence activities, the fight against crime, law enforcement, and the fight against the laundering of proceeds from criminal activity.
Article 4 Basic concepts
The following basic concepts are applied in this Law:
personal data - information recorded on electronic, paper and (or) other material media that relates to a particular individual or allows him or her to be identified;
subject of personal data (subject) - a natural person to whom personal data belong ;
personal database - a database in the form of an information system containing personal information;
processing of personal data - the performance of an action or a set of actions for the collection, systematization, storage, modification, supplementation, use, provision, dissemination, transfer, depersonalization and destruction of personal data;
operator of the personal database (operator) - a state body, individual and (or) legal entity that processes personal data;
owner of the personal database (owner) - a state body, individual and (or) legal entity that has the right to possess, use and dispose of the personal database;
third party - any person who is not a subject, owner and (or) operator but is connected with them through circumstances or relationships related to the processing of personal data.
Article 5 Basic principles of this Law
The main principles of this Law are:
observance of the constitutional rights and freedoms of man and citizen;
the legitimacy of the purposes and methods of processing personal data;
accuracy and reliability of personal information;
confidentiality and protection of personal information;
equality of rights of subjects, owners and operators;
security of the individual, society and the state.
Chapter 2. Government regulation of the field of personal data
Article 6 Bodies regulating the field of personal data by the state
State regulation of the field of personal data is carried out by the Cabinet of Ministers of the Republic of Uzbekistan and the competent state body in the field of personal data.
Article 7 Powers of the Cabinet of Ministers of the Republic of Uzbekistan in the field of personal data
The Cabinet of Ministers of the Republic of Uzbekistan:
ensures the implementation of a unified state policy in the field of personal data;
approves state programs in the field of personal data;
Determines the procedure for maintaining the state register of personal databases;
LexUZ review
See: Regulations on the State Register of Personal Databases, approved by the Resolution of the Cabinet of Ministers No. 71 of February 8, 2020 .

approves the procedure for registration of personal databases in the State Register of Personal Databases;
coordinates the activities of state and economic management bodies, local public authorities in the field of personal data.
Based on the submission of the authorized state body in the field of personal data, the Cabinet of Ministers of the Republic of Uzbekistan establishes:
the levels of protection of personal data, depending on the threats to the security of that data;
the requirements for protecting personal data during processing, compliance with which ensures the established levels of protection;
the requirements for the material carriers of biometric and genetic data and for the technologies used to store such data outside personal databases.
Article 8 Competent state body in the field of personal data
The State Center for Personalization under the Cabinet of Ministers of the Republic of Uzbekistan is the authorized state body in the field of personal data (hereinafter referred to in the text as the competent state body).
Competent state body:
implements the state policy in the field of personal data;
participates in the development and implementation of state programs and other programs in the field of personal data;
Approves the standard procedure for processing personal data;
approves the standard procedure for organizing the activities of the structural unit or authorized person of the owner and (or) operator that ensures the processing and protection of personal data;
Maintains the state register of personal databases;
issues a certificate of registration of a personal database in the State Register of Personal Databases;
carries out state control over compliance with the requirements of the legislation on personal data within its competence;
Makes proposals to the Cabinet of Ministers of the Republic of Uzbekistan on improving the regulatory framework in the field of personal data;
sends to the competent state bodies in the field of state security the established information applicable to the sphere of their activity;
determines the required level of protection of personal data;
analyzes the volume and content of the personal data being processed, the type of activity, and the reality of threats to the security of personal data;
issues instructions, binding on legal entities and individuals, to eliminate violations of the legislation on personal data;
cooperates with the competent authorities of foreign countries and international organizations in the field of personal data.
Chapter 3 Processing of personal data
Article 9 Participants in the processing of personal data
The subject and the operator are the participants in the processing of personal data. The legal representative of the subject, the owner and third parties may also act as participants in the processing of personal data.
Article 10 Collection, systematization and storage of personal data
A personal database is formed by collecting personal data that is necessary and sufficient for the performance of the tasks carried out by the owner and (or) operator, as well as a third party.
The procedure and principles of collection and systematization of personal data are determined independently by the owner and (or) operator.
Personal data is stored in a form that allows the subject to be identified to the extent required by the previously stated purposes of collecting the personal data.
The retention period of personal data is determined by the date of achievement of the purpose of their collection and processing.
Article 11 Change and fill in personal information
Personal data is modified and supplemented by the owner and (or) operator on the basis of the subject's application, without delay and within three days from the date of submission of this application.
Changes and additions to inaccurate personal data shall be made immediately from the moment the discrepancy is identified.
Article 12 Use of Personal Information
Actions with personal data aimed at achieving the objectives of the activities of the owner, operator and third party are the use of personal data.
Personal data is used by the owner, operator and third party only for the previously stated purposes of its collection, provided that the data is adequately protected.
Employees of the owner and (or) operator, as well as of a third party, who are involved in the processing of personal data must use such data only in accordance with their professional, service or employment obligations.
Employees of the owner and (or) operator, as well as of third parties, who are involved in the processing of personal data must not disclose personal data that has been entrusted to them or has become known to them in the performance of their professional, service or work duties.
Article 13 Providing personal information
Actions aimed at disclosing personal information to a particular person are the transfer of personal information.
The transfer of personal data to public administration bodies is free of charge.
If the subject refuses to provide information about the person, he has the right not to indicate the reasons for his refusal.
Article 14 Dissemination of personal information
Actions aimed at disclosing personal data to an indefinite number of persons, including publishing personal data in the media, posting it on the World Wide Web, or otherwise giving access to personal data, are the dissemination of personal data.
Where dissemination goes beyond the previously stated purposes of the collection of personal data, this data is disseminated with the consent of the subject.
Article 15 Cross-border transmission of personal data
The transfer of personal data by the owner and (or) operator outside the territory of the Republic of Uzbekistan is the cross-border transfer of personal data.
Cross-border transfer of personal data is carried out to the territory of foreign states that ensure adequate protection of the rights of personal data subjects.
Cross-border transfer of personal data to the territory of foreign states that do not ensure adequate protection of personal data may be carried out in the following cases:
when the subject consents to the cross-border transfer of his or her personal data;
when it is necessary to protect the constitutional order of the Republic of Uzbekistan, to maintain public order, and to protect the rights and freedoms of citizens and the health and morality of the population;
in cases stipulated by international treaties of the Republic of Uzbekistan.
Cross-border transfer of personal data may be limited in order to protect the foundations of the constitutional order of the Republic of Uzbekistan and the morality, health, rights and legitimate interests of citizens of the Republic of Uzbekistan, and to ensure the defense of the country and national security.
Article 16 Depersonalization of personal data
Actions that, once carried out, make it impossible to determine whether personal data belongs to a particular subject are the depersonalization of personal data.
When processing personal data for historical, statistical, sociological or scientific research, the owner and operator, as well as third parties, must depersonalize this data.
Article 17 Deletion of personal data
Actions that, as a result of their implementation, make it impossible to recover personal data are the destruction of personal data.
Personal data must be destroyed by the owner and (or) operator, as well as a third party in the following cases:
when the purpose of processing personal data is achieved;
when the consent of the subject for the processing of personal data is revoked;
upon expiration of the term for processing of personal data established with the consent of the subject;
when the court's decision enters into force.
Chapter 4 Procedure for processing personal data
Article 18 Terms of processing personal data
The processing of personal data shall be carried out in accordance with the basic principles of this Law.
Processing of personal data is carried out in the following cases:
when the subject agrees to the processing of this information;
when it is necessary to process this data for the performance of a contract to which the subject is a party, or to take measures at the request of the subject before such a contract is concluded;
when it is necessary to process this information in order to fulfill the obligations of the owner and (or) operator established by the legislation;
when it is necessary to process this information to protect the legitimate interests of the subject or another person;
when it is necessary to process this data to exercise the rights and legitimate interests of the owner and (or) operator or a third party, or to achieve socially significant goals, provided that the rights and legitimate interests of the subjects of personal data are not violated;
when personal data is processed for statistical or other research purposes, subject to its mandatory depersonalization;
if this information is obtained from sources available to all.
Where it is necessary to process personal data in order to protect the rights and legitimate interests of the subject, the data may be processed without the subject's consent until consent can be obtained.
Article 19 Requirements for the processing of personal data
The purposes of processing personal data shall be determined by regulatory legal acts, regulations, constituent documents or other documents governing the activities of the owner and (or) operator, and shall comply with this Law.
The purposes of processing personal data must correspond to the purposes previously stated at the time of its collection, as well as to the rights and obligations of the owner and (or) operator.
In the event of a change in the purpose of processing personal data, the owner and (or) operator must obtain the subject's consent to the processing of his or her data in accordance with the changed purpose.
Personal information must be accurate and reliable and, if necessary, amended and supplemented.
The amount of personal data that can be entered into the personal database is determined by the subject in accordance with this Law.
The size and nature of the information to be processed must be appropriate to the purposes and methods of processing it.
Personal information is processed in a way that allows the identification of the subject or in an impersonal manner.
The period of processing of personal data should not exceed the period of validity of the subject's consent to the processing of personal data.
Article 20 Procedure for registration of personal databases
Personal databases must be registered in the state register of personal databases.
Registration of a personal database is carried out on a notification basis by application. The application for registration of a personal database in the State Register of Personal Databases shall be submitted to the competent state body.
Personal databases containing the following personal data are not subject to registration:
data relating to the participants (members) of a public association or religious organization and processed by that public association or religious organization respectively, provided that the data is not disseminated or disclosed to third parties;
data made accessible to all by the subject;
data consisting only of the last names, first names and patronymics of the subjects;
data required for a one-time admission of the subject to the territory where the owner and (or) operator is located, or for other similar purposes;
data included in personal data information systems that have the status of state automated information systems;
data processed without the use of automation tools;
data processed in accordance with labor legislation.
The owner and (or) operator shall notify the competent state body of any change in the information required for registration of the personal database no later than ten calendar days from the date of such change.
Article 21 The procedure for consenting to the processing of personal data and the withdrawal of consent
The subject gives consent to the processing of personal data in any form that allows to confirm the fact of its receipt.
The consent of the subject in writing, including in the form of an electronic document, is required for the processing of personal data.
In case of incapacity or limited legal capacity of the subject, his legal representative gives consent to the processing of the subject's personal data in writing, including in the form of an electronic document.
Consent to the processing of the personal data of minors is given in writing, including in the form of an electronic document, by their parents (guardians, trustees) and, in their absence, by the guardianship and trusteeship authorities.
In the event of the death of the subject, consent to the processing of his personal data is given by his heirs in writing, including in the form of an electronic document, if the subject did not give such consent during his lifetime.
Personal data of a subject declared dead or declared missing by the court is processed with the consent of his heirs given in writing, including in the form of an electronic document.
The subject's consent to the processing of personal data may be withdrawn in the form in which it was given or in writing, including in the form of an electronic document.
Article 22 Procedure for providing information related to the processing of personal data
The subject has the right to receive the following information concerning the processing of his personal data:
confirmation of the fact that personal data has been processed;
bases and purposes of processing of the personal data;
methods used in the processing of personal data;
the name of the owner and (or) operator and their location (postal address), and information about persons who have access to the personal data or to whom personal data may be disclosed under a contract with the owner and (or) operator or by law;
the content of the personal data being processed that relates to the subject concerned and the source from which it was obtained, unless otherwise provided by this Law;
terms of processing of personal data, including terms of their storage;
the procedure for exercising the rights provided for in Article 30 of this Law by the subject;
information on the transboundary transmission of personal data.
In cases where the provision of personal data to the subject violates the rights and legitimate interests of other persons, the subject's right to receive information relating to the processing of his personal data may be restricted.
The procedure for providing third parties with information related to the processing of the subject's personal data is determined in accordance with the terms of the subject's consent to the processing of personal data.
The owner and (or) operator is released from the obligation to provide the subject with information related to the processing of his personal data in the following cases:
if the subject has been previously notified of the processing of his or her personal data;
if the personal data has been made available to all by the subject or obtained from a source available to all;
if the provision of such information leads to a violation of the rights and legitimate interests of individuals and legal entities.
Notification of refusal to provide information related to the processing of personal data is sent in writing to the requesting subject within ten days.
The subject may appeal the decision to refuse to provide information related to the processing of personal data to the competent state body or to the court.
Article 23 Notify of actions taken during the processing of personal data
When a subject's personal data is entered into a personal database, the subject must be notified in writing of the purposes of processing the personal data and of his rights set out in Article 30 of this Law.
In case of transfer of personal data to a third party, the owner and (or) operator shall notify the subject in writing within three days.
Notification of the subject in writing is not allowed in the following cases:
when state bodies exercise their powers;
when personal data is provided for historical, statistical, sociological or scientific purposes;
when personal information is collected from sources available to all.
Article 24 Automated processing of personal data
The subject has the right not to be subject to a decision that has legal consequences and affects his or her rights and legitimate interests where the decision is made solely on the basis of automated processing of his or her personal data, except as provided in the second part of this article.
A decision may be made solely on the basis of automated processing of the subject's personal data in the following cases:
in the presence of written consent of the subject, including in the form of an electronic document;
if the decision is made to execute the contract between the owner and the subject or to fulfill the terms of the previously concluded contract;
in cases stipulated by the legislation.
The owner and (or) operator shall explain to the subject the procedure for making a decision based solely on the automated processing of his personal data and the probable legal consequences of such a decision, provide an opportunity to object to such a decision, and explain the procedure for protecting the subject's rights and legitimate interests.
The owner and (or) operator must notify the subject in writing, within ten days, of the consideration of the objection specified in part three of this article and of the results of that consideration.
Article 25 Processing of personal data

Data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data on physical or mental health, private life and convictions, are special personal data.
Processing of special personal data is prohibited, except as provided in the third part of this article.
Processing of special personal data is allowed in the following cases:
in order to ensure the protection of state security from external and internal threats by the competent state body;
if the subject has given written consent for the processing of his personal data, including in the form of an electronic document;
if special information about the person has been published by the subject in sources available to all;
in order to protect the rights and legitimate interests of the subject or other persons;
in the course of the activities of the courts and relevant law enforcement agencies in the framework of the initiated criminal case, enforcement proceedings;
when measures to combat money laundering and terrorist financing are carried out;
when state statistical bodies carry out their activities, as well as when other state bodies use personal data for statistical purposes, subject to its depersonalization;
in the provision of medical and social services or for the purposes of medical diagnosis and treatment, provided that the data is processed by a medical professional or another person in a health care facility who is responsible for ensuring the protection of personal data;
when exercising rights and fulfilling obligations in the field of labor relations;
when the protection of the legitimate interests of the subject or a third party is ensured in case of incapacity or limited legal capacity of the subject;
when personal data, including personal data of candidates for elected public office, are made public;
in the course of the activities of a non-governmental non-profit organization, religious organization, political party or trade union, provided that the processing is carried out only by these organizations and associations, concerns the personal data of their members or employees, and that the data is not transferred to a third party without the consent of the subjects;
when the personal data of children deprived of parental care is processed in order to place these children in the families of citizens for upbringing (patronage) and to carry out other measures to ensure guardianship and trusteeship;
when processing personal data in order to ensure state security;
when information on convictions is processed by state bodies, as well as other persons within their competence.
Article 26 Processing of biometric and genetic data
Personal data describing the anatomical and physiological characteristics of a subject are biometric data.
Personal data relating to the hereditary or acquired characteristics of a subject, resulting from the analysis of a biological sample of the subject or of another element that allows equivalent information to be obtained, is genetic data.
Biometric and genetic data used to identify the subject may be processed only with the consent of the subject, except in cases related to the implementation of international treaties of the Republic of Uzbekistan, the administration of justice and enforcement proceedings, as well as in other cases stipulated by the legislation.
Biometric and genetic data in electronic form may be used outside information systems and stored outside such systems only on material carriers that exclude their unauthorized use.
Chapter 5 Protection of personal data
Article 27 Guarantees of protection of personal data
The state guarantees the protection of personal data.
The owner and (or) operator, as well as a third party, take legal, organizational and technical measures to protect personal data that ensure:
the exercise of the subject's right to protection from intrusion into his private life;
the integrity and preservation of personal data;
observance of the confidentiality of personal data;
prevention of unlawful processing of personal data.
Article 27¹ Special conditions for processing personal data of citizens of the Republic of Uzbekistan

When processing personal data of citizens of the Republic of Uzbekistan using information technology, the owner and (or) operator must ensure that the data is collected, systematized and stored on technical means located in the territory of the Republic of Uzbekistan and in personal databases registered in the State Register of Personal Databases in accordance with the established procedure.
(Article 27¹ was introduced in accordance with the Law of the Republic of Uzbekistan No. ZRU-666 of January 14, 2021 - National Database of Legislation, 15.01.2021, No. 03/21/666/0032 - effective from April 16, 2021)

Article 28 Confidentiality of Personal Information
Confidentiality of personal data is a requirement, binding on the owner and (or) operator or another person who has access to personal data, that personal data not be disclosed or disseminated without the consent of the subject or other legal grounds.
The owner and (or) operator and other persons who have access to personal data must not disclose or disseminate the data to third parties without the consent of the subject.
Article 29 Personal information that everyone can use
Personal data that can be freely used with the consent of the subject, or to which confidentiality requirements do not apply, is personal data that everyone can use.
Sources of personal data available to all (including biographical directories, telephone and address books, and electronic information resources that everyone can use) may be created for the purpose of providing information to the public.
With the written consent of the subject, his or her surname, first name, patronymic, year and place of birth, address, subscriber number, profession and other personal data provided by the subject may be included in sources of personal data available to all.
Information about the subject may be removed from sources of personal data available to all at his request, made in the form in which consent was given or in writing, including in the form of an electronic document, as well as by decision of the competent state body or court.
Chapter 6 Rights and obligations of participants in the processing of personal data
Article 30 Rights and obligations of the subject
The subject of personal data has the right:
to know that the owner and (or) operator, as well as a third party, hold his personal data, and to know its content;
to receive, upon request, information on the processing of personal data from the owner and (or) operator;
to receive information from the owner and (or) operator on the terms of providing access to his personal data;
to apply to the competent state body or court for the protection of his rights and legitimate interests in relation to his personal data;
to give consent to the processing of personal data and to withdraw such consent, except in cases provided for by this Law;
to give consent to the owner and (or) operator, as well as a third party, to the dissemination of his personal data in sources of personal data available to all;
to require the owner and (or) operator to suspend the processing of his personal data if the personal data is incomplete, outdated, inaccurate, obtained illegally or not necessary for the purposes of processing.
Disposal of personal data of a subject who has been declared incompetent or has limited legal capacity shall be carried out by his legal representative.
Protecting the foundations of the constitutional order of the Republic of Uzbekistan and the morality, health, rights and legitimate interests of citizens of the Republic of Uzbekistan, and ensuring the defense of the country and national security, is the obligation of the subject.
Article 31 Rights and obligations of the owner and (or) operator
The owner and (or) operator has the right to process personal data.
The owner and (or) operator must:
comply with the legislation on personal data;
provide information related to the processing of personal data at the request of the subject;
approve the content of the personal data necessary and sufficient for the performance of their tasks;
take action when the intended purpose of the processing of personal data has been achieved, as well as in other cases provided for by this Law;
provide evidence that the subject's consent to the processing of personal data has been obtained, in cases provided by law;
modify and (or) supplement the personal data if the reliability of the new information is documented, or delete this data if such changes and (or) additions cannot be made;
suspend the processing of personal data or destroy it where there is information that the conditions for processing personal data have been violated;
provide the subject with the opportunity to submit electronically a request to suspend the processing of his personal data and (or) destroy it;
where personal data has been altered or deleted or its use restricted, notify in writing the other participants in the processing of personal data, as well as those to whom the personal data was transferred;
in case of transfer of personal data to a third party, notify the subject in writing;
register the personal databases that they own and (or) process;
take the necessary legal, organizational and technical measures to protect personal data.
The owner and (or) operator has the right to entrust the processing of personal data to a third party in the following cases:
in the presence of the written consent of the subject, including in the form of an electronic document;
if the decision is made to execute the contract between the owner and the subject or to fulfill the terms of the previously concluded contract;
in cases stipulated by the legislation.
The obligation of the owner and (or) operator, as well as a third party, to protect personal data arises from the moment the data is collected and remains in force until it is destroyed or depersonalized.
The owner and (or) operator designates a structural unit or an official responsible for the processing and protection of personal data and ensures that it works in accordance with the standard procedure for processing personal data.
Chapter 7 Closing rules
Article 32 Dispute resolution
Disputes arising in the field of personal data shall be resolved in the manner prescribed by law.
Article 33 Liability for Violation of Personal Data Legislation
Persons guilty of violating the legislation on personal data shall be liable in accordance with the established procedure.
LexUZ review
See: Article 46² of the Code of Administrative Responsibility of the Republic of Uzbekistan, Article 141² of the Criminal Code.

Article 34 Ensuring the implementation, delivery, explanation of the essence and significance of this Law
The authorized state body, together with other interested ministries, state committees and agencies, shall ensure the implementation of this Law, its delivery to the executors, and the explanation of its essence and significance to the population.
Article 35 Harmonization of legislation with this Law
The Cabinet of Ministers of the Republic of Uzbekistan shall:
bring the decisions of the government into conformity with this Law;
ensure that public administration bodies review and repeal their normative legal acts that contradict this Law.
Article 36 Entry into force of this Law
This Law shall enter into force on October 1, 2019.
President of the Republic of Uzbekistan Sh. MIRZIYOYEV
Tashkent,
July 2, 2019,
No. ORQ-547

(National Database of Legislation, 03.07.2019, 03/19/547/3363; 15.01.2021, 03/21/666/0032)


