Data protection & privacy laws in Azerbaijan (2026)

The Law on Personal Data No. 998-IIIQ of 11 May 2010 is a generally-applicable statute governing the collection and processing of personal data across sectors, and remains the primary in-force framework.

The Ministry of Digital Development and Transport is the supervisory authority; it maintains the state register of personal data information systems, conducts inspections, issues binding instructions and initiates administrative proceedings. There is no separate, fully independent data protection authority of the EU model.

The law does not use 'controller' and 'processor'; it instead refers to the 'owner' and 'operator' of personal data, reflecting that it predates and is not fully harmonised with the GDPR.

Creating personal data information resources and systems requires state registration with (and, for certain systems, special permission/licence from) the Ministry; information systems of personal data are subject to mandatory state registration.

Transfrontier transfers are permitted where the destination country ensures an adequate level of protection, the data subject gives explicit consent, or the transfer is necessary to perform a contract; transfers threatening national security or public order are prohibited.

A Centralized Information and Digital Analytics System (MİRAS), controlled by the State Security Service, is slated to be fully operational by May 2026; rights groups warn it lacks judicial authorisation or independent oversight, raising privacy-protection concerns alongside the formal data-protection regime.