Uzbekistan Personal Data Law: A Compliance Checklist for IT Companies
Law

Uzbekistan Personal Data Law: A Compliance Checklist for IT Companies

If your product collects data from users in Uzbekistan, you're already subject to its personal data law. Here's what that means in practice for your IT team — from privacy policies to data localization. A concrete checklist, no fluff.

Bakhrom Isomadinov
Bakhrom Isomadinov
Founder & CEO of Pactum · IT, AI and startup law
July 17, 20266 min read
Поделиться:

Uzbekistan Personal Data Law: A Compliance Checklist for IT Companies

If your service handles user registrations, collects analytics, or stores payment information — you're processing personal data. In Uzbekistan, this space is governed by a dedicated personal data law, and ignorance of its requirements is no defense. The good news: building compliance is entirely achievable without an in-house legal team, once you understand the logic behind the law.

Key takeaways:

  • The law applies to all operators processing data of Uzbekistan residents — regardless of where your company is incorporated.
  • Storing personal data of Uzbek residents generally requires localization on servers within the country (with certain exceptions).
  • Processing data without user consent is a violation — even if the data appears "publicly available."
  • Regulatory fines and enforcement orders are real; your exposure grows as your product scales.

---

Who Is a "Data Operator" — and Why That's Probably You

Uzbekistan's personal data law introduces the concept of a data operator — any individual or organization that independently or jointly determines the purposes and means of processing personal data. If you're running a mobile app, a SaaS platform, or an e-commerce store with Uzbek users, you are an operator.

Where your company is registered doesn't matter. The extraterritorial principle works similarly to the GDPR: if you're intentionally targeting users in Uzbekistan, the law applies to you.

A practical note: if you use third-party services — analytics tools, CRMs, email platforms — you're transferring data to third parties. The law requires that such transfers be formalized, either through user consent or through a contract with clearly defined data protection obligations.

---

What Counts as Personal Data

Personal data is any information that directly or indirectly identifies a natural person. In an IT context, this includes:

  • Full name, date of birth;
  • Phone number, email address, physical address;
  • IP address, cookie identifiers;
  • Geolocation data;
  • Device data combined with other attributes;
  • Behavioral patterns, where they allow user identification.

A separate category covers special (sensitive) data: biometrics, health information, political views, religious beliefs. Processing these comes with stricter requirements — typically explicit written consent is required. If your product touches healthcare, HR tech, or fintech, this is your highest-risk zone.

---

Data Storage Approaches: A Comparison

OptionProsConsBest For
Local server / data center in UzbekistanFull compliance with localization requirementsHigher infrastructure costs, less flexibilityProducts with a large local user base
Hybrid model (core data in UZ, analytics abroad)Balances cost and complianceRequires clear data classificationMost SaaS startups
Fully foreign cloudCheaper, familiar stackRisk of violating localization rulesOnly if Uzbek residents' data isn't stored persistently
Anonymization before cross-border transferRemoves certain restrictionsComplex to implement correctly; requires expertiseAnalytics and ML use cases

> Important: The specific localization requirements and the list of permitted exceptions should be verified as of the date of application — the regulator periodically updates its guidance.

---

Consent for personal data processing must be:

  • Freely given — you cannot block core functionality if a user declines optional analytics;
  • Informed — users must know exactly what you collect, why, and for how long;
  • Specific — a single blanket consent doesn't cover different processing purposes;
  • Revocable — users must have a simple, accessible way to withdraw consent at any time.

When we were building Pactum, one of the first things we did was audit every data collection form. My advice: use separate checkboxes for marketing communications and for basic registration from day one — it's both legally correct and more straightforward for your users.

---

Checklist: What to Do This Week

  • [ ] Build a data map: what data you collect, where you store it, and who you share it with.
  • [ ] Review your privacy policy: it should be available in Uzbek and/or Russian, be specific, and be current.
  • [ ] Verify that your consent mechanism meets requirements — separately for each processing purpose.
  • [ ] Review contracts with vendors who receive user data (analytics, CRM, support tools).
  • [ ] Confirm where Uzbek residents' data is physically stored and whether it meets localization requirements.
  • [ ] Designate an internal data responsibility owner — even if it's not a dedicated role.
  • [ ] Establish a process for responding to user requests: access, correction, and deletion of data.

---

FAQ

Do we need to register with the regulator as a personal data operator?

The law provides for a notification procedure for certain categories of operators. Specific requirements and thresholds depend on the types of data and volumes processed — verify the current procedure with a specialist or directly on the regulator's website.

We're an early-stage startup — do we need a Data Protection Officer (DPO)?

A formal DPO role is not explicitly mandated for all organizations under Uzbek law, but having a designated responsible person de facto reduces risk. At an early stage, this can be a co-founder or CTO with clearly defined responsibilities.

What constitutes a violation, and what are the consequences?

Violations include processing without consent, non-compliance with localization requirements, and failure to provide users with access to their data. Sanctions range from regulatory orders to administrative liability; specific fine amounts are periodically revised — check current figures as of the applicable date.

Does the law apply to B2B products?

Yes, if your processing involves data of natural persons — such as a client's employees or contact persons. Operating in B2B does not exempt you from the law's requirements.

Can we store data in AWS or Google Cloud?

It depends on the type of data and whether the provider has infrastructure in Uzbekistan or otherwise satisfies conditions set out in the law. There is no blanket prohibition, but there's no automatic permission either — a review of your specific architecture is necessary.

---

*This article is for general informational purposes only and does not constitute individual legal advice. Please consult a qualified specialist to assess your specific situation.*

---

If this checklist raised further questions or you need help with documentation — book a consultation. At Pactum, we help IT companies build personal data compliance from the ground up: from auditing your current setup to drafting privacy policies and vendor data processing agreements.

Liked the article?
Поделиться:
Bakhrom Isomadinov
Bakhrom Isomadinov
Founder & CEO of Pactum · IT, AI and startup law

Founder of the Pactum legal platform. Writes about the legal side of IT, AI and startups in Uzbekistan — from data protection and IT Park to venture deals.

Основатель и CEO Pactum · pactum.uz

Need professional advice?

Our lawyers are ready to help with any question

View services
We'll call you back in 15 minutes
Leave your phone number — a lawyer will answer your question from this article for free