On 26 March 2026, Law No. ZRU-1125 of the Republic of Uzbekistan “On Amendments and Additions to the Law of the Republic of Uzbekistan ‘On Personal Data’” was adopted.

The amendments liberalize the rules governing the storage and processing of personal data and clarify the requirements for their cross-border transfer.

Localization requirements for personal data of certain categories

Under the new rules, only personal data of the following categories is subject to mandatory storage within the territory of Uzbekistan:

  • Biometric data
  • Genetic data
  • Personal data of users of telecommunications services provided by operators operating in Uzbekistan

Companies processing such data (including telecom, fintech, and digital platforms) must ensure the availability of local data storage infrastructure or use locally compliant solutions.

At the same time, databases containing personal data of such categories are subject to mandatory registration in the State Register of Databases of Personal Data. Failure to register may be considered a violation of personal data processing requirements.

New requirements for cross-border transfers of personal data

Personal data that is not subject to mandatory storage in Uzbekistan’s territory may be stored and processed outside the country provided that one of the following conditions is met:

  • The recipient country is included in the list of jurisdictions ensuring an adequate level of personal data protection (such a list is approved by the Cabinet of Ministers of the Republic of Uzbekistan)
  • The data controller applies standard contractual clauses or binding corporate rules that comply with the requirements established by the competent state authority
  • The data controller complies with international standards in the field of personal data management and protection, as approved by the competent state authority

Practical implications

The adopted amendments simplify data localization requirements while introducing a more structured and detailed framework for cross-border data transfers. Possible implications for businesses are as follows:

  • Companies are no longer required to localize all personal data — the requirement now applies only to certain sensitive data (biometric and genetic data, and data of telecom users)
  • It is now possible to store and process personal data outside Uzbekistan provided that the established conditions are met (including the use of contractual mechanisms and corporate rules)
  • Companies should audit the personal data they process to determine whether it is subject to mandatory localization
  • Existing data processing practices should be analyzed, including identifying categories of data, storage locations, and any cross-border data flows.
  • Particular attention should be given to the use of foreign cloud solutions, which may be non-compliant with the new requirements without additional legal support and technical adjustments
  • Companies should implement more formalized data governance procedures, including the registration of databases of personal data and the review of contractual arrangements with counterparties
HOW BEONE CAN HELP

In light of the updated regulations governing the processing and storage of personal data, companies need to properly adapt their processes to the new requirements. We would be pleased to provide assistance in the following areas:

  • Analysis of the applicability of requirements (data localization, registration of databases of personal data, cross-border data transfers)
  • Audit of personal data processing activities, including identification of data categories and cross-border data flows
  • Development and updating of internal documents (policies, regulations, procedures) in the field of personal data protection
  • Design and adaptation of contractual mechanisms (including provisions on cross-border data transfers and protection)
  • Support with the registration of databases of personal data

We will be pleased to provide more detailed advice regarding these changes and discuss any questions you may have.

CONTACTS


© BeOne LLC, 2026
Address: Prospekt Mustakillik 7, Mirzo Ulugbek District, Tashkent, Republic of Uzbekistan
www.beone-uz.com
This website uses cookies to improve your user experience. If you continue on this website, you will be providing your consent to our use of cookies.
Accept