Data & Privacy Β· Azerbaijan
Data protection & privacy law in Azerbaijan (2026)
Azerbaijan shaded by its data & privacy status
Data protection in Azerbaijan: comprehensive law, under Law of the Republic of Azerbaijan on Personal Data No. 998-IIIQ (adopted 11 May 2010, as amended), supervised by the Ministry of Digital Development and Transport; supplemented by the Law on Information, Informatisation and Protection of Information, the Civil Code and the Code of Administrative Offences..
Azerbaijan has a comprehensive, generally-applicable personal data protection regime centered on the 2010 Law on Personal Data (No. 998-IIIQ), which sets out processing principles, data-subject rights, registration of data systems and cross-border transfer rules. The Ministry of Digital Development and Transport acts as the supervisory authority, maintaining a state register of personal data information systems and enforcing the law. The framework predates and is not fully aligned with the EU GDPR, though amendments have moved it incrementally toward international (Council of Europe Convention 108) standards.
Key points
The Law on Personal Data No. 998-IIIQ of 11 May 2010 is a generally-applicable statute governing the collection and processing of personal data across sectors, and remains the primary in-force framework.
The Ministry of Digital Development and Transport is the supervisory authority; it maintains the state register of personal data information systems, conducts inspections, issues binding instructions and initiates administrative proceedings. There is no separate, fully independent data protection authority of the EU model.
The law does not use 'controller' and 'processor'; it instead refers to the 'owner' and 'operator' of personal data, reflecting that it predates and is not fully harmonised with the GDPR.
Creating personal data information resources and systems requires state registration with (and, for certain systems, special permission/licence from) the Ministry; information systems of personal data are subject to mandatory state registration.
Transfrontier transfers are permitted where the destination country ensures an adequate level of protection, the data subject gives explicit consent, or the transfer is necessary to perform a contract; transfers threatening national security or public order are prohibited.
A Centralized Information and Digital Analytics System (MΔ°RAS), controlled by the State Security Service, is slated to be fully operational by May 2026; rights groups warn it lacks judicial authorisation or independent oversight, raising privacy-protection concerns alongside the formal data-protection regime.
Timeline - major decisions & events
The Electronic Security Service under the Ministry of Digital Development and Transport prepared a wholly new personal data protection law intended to replace the 2010 statute, incorporating GDPR-aligned principles to address data flows from IoT devices, smart city infrastructure, biometrics, and mobile platforms. The Head of the Electronic Security Service announced at CIDC-2025 that the draft was under government review with adoption expected in the near term.
Report.az βAzerbaijan's parliament enacted targeted amendments to the core 2010 personal data statute, updating provisions on data collection, processing obligations, and cross-border transfer rules. The amendment is part of an incremental modernisation effort preceding the planned full legislative overhaul.
Report.az βAmendments to the Law on Information, Informatization and Protection of Information (adopted 27 May 2022, effective 6 July 2022) introduced legally binding definitions for cyber attack, cyber incident, and critical information infrastructure, and added Chapter V-I imposing mandatory security requirements on operators of critical systems. Corresponding Administrative Offences Code amendments established penalties for non-compliance.
Scientific and Practical Cyber Security Journal (SCSA) βPresident Ilham Aliyev signed a decree establishing state measures to secure critical information infrastructure and assigning oversight responsibilities to the Electronic Security Service (CERT.AZ). The decree provided the policy mandate that drove the 2022 legislative amendments.
Electronic Security Service (CERT.AZ) β Official Statute βAzerbaijan adopted its first comprehensive personal data protection law, establishing legal definitions for data owner and data operator (analogous to GDPR controller/processor), principles of lawfulness, purpose limitation, data minimisation, and accuracy, and granting citizens rights of access, correction, and deletion. The Ministry of Communications and Information Technologies (later Ministry of Digital Development and Transport) was designated as the supervisory authority.
ILO NATLEX βAzerbaijan adopted a dedicated statute governing the collection, storage, and use of biometric data, one of the earliest sector-specific data protection instruments in the country. The law established rules for biometric identifiers used in identity documents and established processing restrictions for sensitive biometric records.
DataGuidance β Azerbaijan Data Protection Overview βThis statute guaranteed citizens' right to request and receive information held by public authorities and established proactive disclosure obligations. It built the complementary transparency framework alongside the evolving data protection regime, and set limits on withholding personal or third-party data from public records.
UNODC Legal Resources β Azerbaijan βSigned by President Heydar Aliyev, this foundational statute regulated information resources, information systems, and protection of information. It was the first post-Soviet data governance law in Azerbaijan, creating the baseline framework for information security obligations and cross-sector data-processing rules that later underpinned the 2010 personal data law.
WIPO Lex β Republic of Azerbaijan βAdopted by popular referendum, Azerbaijan's Constitution established in Article 32 the inviolability of private life and the right to privacy of personal correspondence and communications, and in Article 50 freedom to seek and receive information. These constitutional guarantees form the supreme legal basis upon which all subsequent data protection and privacy legislation is grounded.
E-Government Portal of Azerbaijan βAzerbaijan - other topics
Data & Privacy in other countries
Last verified 5/25/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β