Skip to content
World Watch/Azerbaijan/Data & Privacy

Data & Privacy Β· Azerbaijan

Data protection & privacy law in Azerbaijan (2026)

Comprehensive lawLaw of the Republic of Azerbaijan on Personal Data No. 998-IIIQ (adopted 11 May 2010, as amended), supervised by the Ministry of Digital Development and Transport; supplemented by the Law on Information, Informatisation and Protection of Information, the Civil Code and the Code of Administrative Offences.Country index 78 Β· B+

Azerbaijan shaded by its data & privacy status

Data protection in Azerbaijan: comprehensive law, under Law of the Republic of Azerbaijan on Personal Data No. 998-IIIQ (adopted 11 May 2010, as amended), supervised by the Ministry of Digital Development and Transport; supplemented by the Law on Information, Informatisation and Protection of Information, the Civil Code and the Code of Administrative Offences..

Azerbaijan has a comprehensive, generally-applicable personal data protection regime centered on the 2010 Law on Personal Data (No. 998-IIIQ), which sets out processing principles, data-subject rights, registration of data systems and cross-border transfer rules. The Ministry of Digital Development and Transport acts as the supervisory authority, maintaining a state register of personal data information systems and enforcing the law. The framework predates and is not fully aligned with the EU GDPR, though amendments have moved it incrementally toward international (Council of Europe Convention 108) standards.

Key points

Comprehensive law in force

The Law on Personal Data No. 998-IIIQ of 11 May 2010 is a generally-applicable statute governing the collection and processing of personal data across sectors, and remains the primary in-force framework.

Supervisory authority

The Ministry of Digital Development and Transport is the supervisory authority; it maintains the state register of personal data information systems, conducts inspections, issues binding instructions and initiates administrative proceedings. There is no separate, fully independent data protection authority of the EU model.

Terminology differs from GDPR

The law does not use 'controller' and 'processor'; it instead refers to the 'owner' and 'operator' of personal data, reflecting that it predates and is not fully harmonised with the GDPR.

Registration of personal data information systems

Creating personal data information resources and systems requires state registration with (and, for certain systems, special permission/licence from) the Ministry; information systems of personal data are subject to mandatory state registration.

Cross-border transfer rules

Transfrontier transfers are permitted where the destination country ensures an adequate level of protection, the data subject gives explicit consent, or the transfer is necessary to perform a contract; transfers threatening national security or public order are prohibited.

State surveillance development (MΔ°RAS)

A Centralized Information and Digital Analytics System (MΔ°RAS), controlled by the State Security Service, is slated to be fully operational by May 2026; rights groups warn it lacks judicial authorisation or independent oversight, raising privacy-protection concerns alongside the formal data-protection regime.

Timeline - major decisions & events

Jan 1, 2025law
New Comprehensive Personal Data Protection Law Drafted, GDPR-Aligned Overhaul Pending

The Electronic Security Service under the Ministry of Digital Development and Transport prepared a wholly new personal data protection law intended to replace the 2010 statute, incorporating GDPR-aligned principles to address data flows from IoT devices, smart city infrastructure, biometrics, and mobile platforms. The Head of the Electronic Security Service announced at CIDC-2025 that the draft was under government review with adoption expected in the near term.

Report.az β†—
Jun 28, 2024law
Law on Personal Data (No. 998-IIIQ) Amended

Azerbaijan's parliament enacted targeted amendments to the core 2010 personal data statute, updating provisions on data collection, processing obligations, and cross-border transfer rules. The amendment is part of an incremental modernisation effort preceding the planned full legislative overhaul.

Report.az β†—
Jul 6, 2022law
Critical Information Infrastructure Security Chapter Enters into Force

Amendments to the Law on Information, Informatization and Protection of Information (adopted 27 May 2022, effective 6 July 2022) introduced legally binding definitions for cyber attack, cyber incident, and critical information infrastructure, and added Chapter V-I imposing mandatory security requirements on operators of critical systems. Corresponding Administrative Offences Code amendments established penalties for non-compliance.

Scientific and Practical Cyber Security Journal (SCSA) β†—
Apr 1, 2021decisionofficial
Presidential Decree on Critical Information Infrastructure Security Signed

President Ilham Aliyev signed a decree establishing state measures to secure critical information infrastructure and assigning oversight responsibilities to the Electronic Security Service (CERT.AZ). The decree provided the policy mandate that drove the 2022 legislative amendments.

Electronic Security Service (CERT.AZ) β€” Official Statute β†—
May 11, 2010lawofficial
Law on Personal Data (No. 998-IIIQ) Enacted, Primary Data Protection Statute

Azerbaijan adopted its first comprehensive personal data protection law, establishing legal definitions for data owner and data operator (analogous to GDPR controller/processor), principles of lawfulness, purpose limitation, data minimisation, and accuracy, and granting citizens rights of access, correction, and deletion. The Ministry of Communications and Information Technologies (later Ministry of Digital Development and Transport) was designated as the supervisory authority.

ILO NATLEX β†—
Jun 13, 2008law
Law on Biometric Information Enacted

Azerbaijan adopted a dedicated statute governing the collection, storage, and use of biometric data, one of the earliest sector-specific data protection instruments in the country. The law established rules for biometric identifiers used in identity documents and established processing restrictions for sensitive biometric records.

DataGuidance β€” Azerbaijan Data Protection Overview β†—
Sep 30, 2005lawofficial
Law on the Right to Obtain Information Enacted

This statute guaranteed citizens' right to request and receive information held by public authorities and established proactive disclosure obligations. It built the complementary transparency framework alongside the evolving data protection regime, and set limits on withholding personal or third-party data from public records.

UNODC Legal Resources β€” Azerbaijan β†—
Apr 3, 1998lawofficial
Law on Information, Informatization and Protection of Information Enacted

Signed by President Heydar Aliyev, this foundational statute regulated information resources, information systems, and protection of information. It was the first post-Soviet data governance law in Azerbaijan, creating the baseline framework for information security obligations and cross-sector data-processing rules that later underpinned the 2010 personal data law.

WIPO Lex β€” Republic of Azerbaijan β†—
Nov 12, 1995lawofficial
Constitution of Azerbaijan Adopted, Foundational Privacy Rights Enshrined

Adopted by popular referendum, Azerbaijan's Constitution established in Article 32 the inviolability of private life and the right to privacy of personal correspondence and communications, and in Article 50 freedom to seek and receive information. These constitutional guarantees form the supreme legal basis upon which all subsequent data protection and privacy legislation is grounded.

E-Government Portal of Azerbaijan β†—

Azerbaijan - other topics

Data & Privacy in other countries

Last verified 5/25/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β†’