Uzbekistan Personal Data Law: A Compliance Checklist for IT Companies
If your product collects data from users in Uzbekistan, you're already subject to its personal data law. Here's what that means in practice for your IT team — from privacy policies to data localization. A concrete checklist, no fluff.
Uzbekistan Personal Data Law: A Compliance Checklist for IT Companies
If your service handles user registrations, collects analytics, or stores payment information — you're processing personal data. In Uzbekistan, this space is governed by a dedicated personal data law, and ignorance of its requirements is no defense. The good news: building compliance is entirely achievable without an in-house legal team, once you understand the logic behind the law.
Key takeaways:
- The law applies to all operators processing data of Uzbekistan residents — regardless of where your company is incorporated.
- Storing personal data of Uzbek residents generally requires localization on servers within the country (with certain exceptions).
- Processing data without user consent is a violation — even if the data appears "publicly available."
- Regulatory fines and enforcement orders are real; your exposure grows as your product scales.
---
Who Is a "Data Operator" — and Why That's Probably You
Uzbekistan's personal data law introduces the concept of a data operator — any individual or organization that independently or jointly determines the purposes and means of processing personal data. If you're running a mobile app, a SaaS platform, or an e-commerce store with Uzbek users, you are an operator.
Where your company is registered doesn't matter. The extraterritorial principle works similarly to the GDPR: if you're intentionally targeting users in Uzbekistan, the law applies to you.
A practical note: if you use third-party services — analytics tools, CRMs, email platforms — you're transferring data to third parties. The law requires that such transfers be formalized, either through user consent or through a contract with clearly defined data protection obligations.
---
What Counts as Personal Data
Personal data is any information that directly or indirectly identifies a natural person. In an IT context, this includes:
- Full name, date of birth;
- Phone number, email address, physical address;
- IP address, cookie identifiers;
- Geolocation data;
- Device data combined with other attributes;
- Behavioral patterns, where they allow user identification.
A separate category covers special (sensitive) data: biometrics, health information, political views, religious beliefs. Processing these comes with stricter requirements — typically explicit written consent is required. If your product touches healthcare, HR tech, or fintech, this is your highest-risk zone.
---
Data Storage Approaches: A Comparison
| Option | Pros | Cons | Best For |
|---|---|---|---|
| Local server / data center in Uzbekistan | Full compliance with localization requirements | Higher infrastructure costs, less flexibility | Products with a large local user base |
| Hybrid model (core data in UZ, analytics abroad) | Balances cost and compliance | Requires clear data classification | Most SaaS startups |
| Fully foreign cloud | Cheaper, familiar stack | Risk of violating localization rules | Only if Uzbek residents' data isn't stored persistently |
| Anonymization before cross-border transfer | Removes certain restrictions | Complex to implement correctly; requires expertise | Analytics and ML use cases |
> Important: The specific localization requirements and the list of permitted exceptions should be verified as of the date of application — the regulator periodically updates its guidance.
---
User Consent: How to Get It Right
Consent for personal data processing must be:
- Freely given — you cannot block core functionality if a user declines optional analytics;
- Informed — users must know exactly what you collect, why, and for how long;
- Specific — a single blanket consent doesn't cover different processing purposes;
- Revocable — users must have a simple, accessible way to withdraw consent at any time.
When we were building Pactum, one of the first things we did was audit every data collection form. My advice: use separate checkboxes for marketing communications and for basic registration from day one — it's both legally correct and more straightforward for your users.
---
Checklist: What to Do This Week
- [ ] Build a data map: what data you collect, where you store it, and who you share it with.
- [ ] Review your privacy policy: it should be available in Uzbek and/or Russian, be specific, and be current.
- [ ] Verify that your consent mechanism meets requirements — separately for each processing purpose.
- [ ] Review contracts with vendors who receive user data (analytics, CRM, support tools).
- [ ] Confirm where Uzbek residents' data is physically stored and whether it meets localization requirements.
- [ ] Designate an internal data responsibility owner — even if it's not a dedicated role.
- [ ] Establish a process for responding to user requests: access, correction, and deletion of data.
---
FAQ
Do we need to register with the regulator as a personal data operator?
The law provides for a notification procedure for certain categories of operators. Specific requirements and thresholds depend on the types of data and volumes processed — verify the current procedure with a specialist or directly on the regulator's website.
We're an early-stage startup — do we need a Data Protection Officer (DPO)?
A formal DPO role is not explicitly mandated for all organizations under Uzbek law, but having a designated responsible person de facto reduces risk. At an early stage, this can be a co-founder or CTO with clearly defined responsibilities.
What constitutes a violation, and what are the consequences?
Violations include processing without consent, non-compliance with localization requirements, and failure to provide users with access to their data. Sanctions range from regulatory orders to administrative liability; specific fine amounts are periodically revised — check current figures as of the applicable date.
Does the law apply to B2B products?
Yes, if your processing involves data of natural persons — such as a client's employees or contact persons. Operating in B2B does not exempt you from the law's requirements.
Can we store data in AWS or Google Cloud?
It depends on the type of data and whether the provider has infrastructure in Uzbekistan or otherwise satisfies conditions set out in the law. There is no blanket prohibition, but there's no automatic permission either — a review of your specific architecture is necessary.
---
*This article is for general informational purposes only and does not constitute individual legal advice. Please consult a qualified specialist to assess your specific situation.*
---
If this checklist raised further questions or you need help with documentation — book a consultation. At Pactum, we help IT companies build personal data compliance from the ground up: from auditing your current setup to drafting privacy policies and vendor data processing agreements.

Founder of the Pactum legal platform. Writes about the legal side of IT, AI and startups in Uzbekistan — from data protection and IT Park to venture deals.
Read also
Opening a Branch or Representative Office of a Foreign Company in Uzbekistan: A Complete Guide
A foreign company can operate in Uzbekistan through a branch or representative office without establishing a separate legal entity. This guide covers the step-by-step accreditation process, required documents, key risks, and practical advice from the Pactum legal team.
Can You Have a Notary Come to Your Home or Hospital in Uzbekistan?
Yes — a notary can travel to your home, hospital, or any other convenient location. This is a fully legal service available in Uzbekistan. Learn when a mobile notary visit is possible, what documents to prepare, and how to arrange an appointment in the Yunusabad district of Tashkent.
Legal Retainer Services for Business: What's Included and When It Beats an In-House Lawyer
A legal retainer is a fixed monthly fee that gives your business comprehensive legal coverage — from contract drafting to dispute resolution. We break down what a typical retainer package actually includes, how the cost compares to hiring in-house counsel, and when outsourcing pays for itself within the first month.