Data protection & privacy laws in Uzbekistan (2026)

Law No. ZRU-547 'On Personal Data', adopted 2 July 2019, effective 1 October 2019, establishes definitions, legal bases for processing, data-subject rights (access, rectification, erasure, objection, portability), and obligations for database owners and operators.

An amendment signed 26 March 2026 dismantled the blanket data-localization regime introduced in 2021 (ZRU-666). Most personal data may now be stored abroad if the destination country provides adequate protection, standard contractual clauses are used, or internationally recognised standards approved by the state are followed.

Even after the March 2026 reform, biometric and genetic data and personal data of citizens using domestic telecommunications operators must continue to be stored and processed on servers physically located within Uzbekistan.

The Personalization Agency under the Ministry of Justice (reorganised from the State Personalization Centre effective January 2023) oversees policy and compliance. Uzkomnazorat (State Inspectorate for Informatization and Telecommunications) exercises state control, issues binding orders, and maintains the Register of Infringers of the Rights of Personal Data Subjects.

Presidential Decree No. PP-153 (30 April 2025) marked a shift toward stricter enforcement, introducing mandatory breach-notification obligations and expanded administrative and criminal liability for data incidents, particularly in the financial sector.

Cabinet of Ministers Resolution No. 570 (October 2022) approved a regulation on determining protection levels for data during processing. Two Ministry of Justice orders (November 2023, reg. nos. 3477 and 3478) set standard procedures for operating data-protection units and for processing personal data, fleshing out the statutory obligations.