January 5, 2024

Model Procedures in the sphere of processing personal data in Uzbekistan.

The Model Procedures of personal data processing and organization of activity of authorized persons (structural subdivisions) ensuring personal data protection were approved recently in the Republic of Uzbekistan. Our new memorandum brings out the content of these new legislative acts in the field of personal data protection. 

Table of contents: 

  1. Introduction
  2. Legislation
  3. Conditions of Personal Data Processing
  4. Processing personal data
  5. Dissemination of personal data
  6. Cross-border transfer of personal data
  7. De-identification and destruction of personal data
  8. Organization of activity of the unit or authorized person of the owner or operator of the base on personal data protection

 

  1. Introduction

In 2019, with the adoption of the Law of the Republic of Uzbekistan “On Personal Data” (hereinafter – the Law), public authorities take actions to comprehensively protect personal information. Thus, in November 2023, the Minister of Justice of the Republic of Uzbekistan, by Order No. 19-mx and Order No. 20-mx, approved the Model Procedures on personal data processing in organizations.

The notion of “Model Procedure” was first mentioned in Arts. 8 and 31 of the Law. However, until November 2023, the articles did not have detailed information disclosing the content of the Model procedure.

 

  1. Legislation

1) Law of the Republic of Uzbekistan “On personal data” dated 02.07.2019, No. LRU-547;

2) Order of the Minister of Justice of the Republic of Uzbekistan “On approval of the Model procedure of personal data processing”, registered on 15.11.2023, reg. no. 3478 (hereinafter  Model Procedure No. 1);

3) Order of the Minister of Justice of the Republic of Uzbekistan “On approval of the Model procedure of organization of activity of the structural unit or authorized person of the owner and (or) operator of the personal database, ensuring the processing and protection of personal data”, registered on 15.11.2023, reg. no. 3477 (hereinafter referred to as Model Procedure No. 2).

 

  1. Conditions of personal data processing

Persons involved in the processing of personal data are:

1) the subject of personal data – the natural person whose personal data is processed;

2) the owner and (or) operator of the personal database;

3) third parties admitted to the processing of personal data with the subject’s consent.

In turn, personal data are subdivided into publicly available and non-public data. Unlike non-public data, the first category of data is freely accessible, does not require the consent of the subject, and is not protected by legislative acts.

The law and Model Procedure No. 1 distinguish cases when the processing of personal data by the owner or operator of the personal database is carried out lawfully. These include:

  • processing of personal data after obtaining the subject’s consent;
  • processing of personal data for the fulfillment of a contract with the subject or their use in the legitimate interests of the subject;
  • processing of personal data by the operator of the personal database to fulfill its obligations defined in the legislation;
  • processing of personal data for statistical and other research purposes after their anonymization;
  • processing of publicly available personal data.

 

  1. Processing personal data

In order to start the processing of personal data, the data subject must give consent in writing or electronically. In order to qualify the consent, Model Procedure No. 1 establishes a list of necessary information.

In case the personal data was entered into the database with an error or it is necessary to make changes to it, the operator shall correct or supplement the personal data within three days upon the written request of the subject.

In addition, operators are prohibited from using personal data for purposes not specified in advance in the conditions of data processing.

The data subject has the right to withdraw his or her consent without giving a reason and to request the destruction of his or her data.

  1. Dissemination of personal data

Personal data may be transmitted to third parties or disseminated by the operator if the subject has given his/her consent to its transmission.

Public authorities and other organizations may request personal data from the operator. In such a case, it is legitimate for the operator to notify the subject before their transfer.

  1. Cross-border transfer of personal data

Cross-border transfer of personal data is the dispatch of personal data beyond the borders of the Republic of Uzbekistan, where adequate protection of personal data is provided.

It is possible if:

  • there is consent of the subject for the transfer;
  • there is a need to transfer the data due to the protection of the constitutional order of the Republic of Uzbekistan, public order, rights and freedoms of citizens, health and morals of the population;
  • the transfer of personal data is provided for by an international treaty.
  1. De-identification and destruction of personal data

When conducting research and collecting statistical data, the operator or a third party shall anonymize the personal data.

The anonymization procedure irrevocably destroys the personal data and does not require the consent of the subject.

In addition, the operator is obliged to destroy the subject’s personal data within three days, in case of:

  • withdrawal of the subject’s consent to the processing of personal data;
  • achievement of the purpose of personal data processing;
  • expiration of the term of data processing, if previously stated by the operator;
  • entry into force of a court decision on data destruction.

The first mentioned case and its term of execution (para. 23 of the Model Procedure No. 1) is in contradiction with para. 10 of Model Procedure No. 1 establishes a different term of personal data destruction equal to one working day following the day of receipt of the application.

  1. Organization of activity of the unit or authorized person of the owner or operator of the base on personal data protection

The activities of the special unit or authorized person shall be carried out under the provisions of the Law, the requirements of standard procedures, and internal regulations approved by the owner or operator. On their basis, the subdivision or authorized person shall have the right not to comply with unlawful requirements of the owner or operator. 

The main tasks of the unit or authorized person of the owner (operator) of the personal database are:

  • ensuring the protection, security, and confidentiality of personal data;
  • preventing unauthorized access to personal data processing;
  • conducting seminars and pieces of training for employees working with personal data;
  • identifying threats, eliminating their causes, and developing proposals to improve the deficiencies in the personal database.  

Moreover, in case of liquidation of a subdivision, transfer of subdivision employees or termination of their labor contract, the owner or operator undertakes to close access to personal data not later than the last working day of employees.

Para. 7 of Model Procedure No. 2 stipulates the right of the subdivision or authorized person to apply to the Agency of Personalization under the Ministry of Justice of the Republic of Uzbekistan in order to receive recommendations on solving problems related to personal data.