HomeAnalyticsAlertsData Protection Enforcement in Uzbekistan: Recent Regulatory Actions

Data Protection Enforcement in Uzbekistan: Recent Regulatory Actions

Uzbekistan's data protection supervisory authority – the Agentlik (Agency for Personal Data Protection, referred to here as the DPA) – has materially intensified its enforcement posture. International companies collecting or processing personal data of Uzbek residents are now facing active inspections, formal warnings, and financial penalties where compliance gaps are identified. The shift from a guidance-oriented regime to active enforcement took effect in early 2025, and its practical consequences are already being felt across multiple sectors.

Uzbekistan's data protection legislation imposes obligations on any data controller or data processor handling personal data of individuals located in Uzbekistan, regardless of where the processing entity is incorporated. Companies must register with the DPA, maintain valid consent mechanisms for data collection, and restrict cross-border data transfer to countries recognised as providing adequate protection. Businesses that have not completed registration or that rely on outdated consent formats face immediate exposure to enforcement action.

This alert sets out what has changed, which business categories are most exposed, and the concrete steps international companies should take without delay. For a broader picture of how Uzbekistan's data protection rules interact with its emerging technology regulatory regime, see our analysis of AI and technology law in Uzbekistan.

What has changed and when it took effect

Uzbekistan enacted its foundational personal data legislation several years ago, but enforcement remained limited. That changed in 2024 when the DPA received expanded investigative powers and a dedicated sanctions budget. From the first quarter of 2025, the authority began issuing formal compliance orders to registered and unregistered entities alike.

The key developments are as follows. First, the DPA now conducts both scheduled and unannounced inspections of data controllers operating in Uzbekistan. Second, the authority has published updated guidance on consent mechanism requirements, setting higher standards for the language, specificity, and revocability of user consent. Third, data transfer restrictions have been tightened: transfers to jurisdictions outside a published list of recognised countries now require either individual DPA authorisation or the use of approved contractual instruments. Fourth, the DPA is actively cross-referencing its own registry against business registration records to identify unregistered data controllers. a process that has resulted in a wave of first-instance notices issued to foreign-owned entities operating through local subsidiaries.

Penalties under Uzbekistan's administrative legislation scale with the severity and duration of the breach. Repeat violations attract materially higher sanctions. The compliance deadline for companies that received a first-instance notice in Q1 2025 was 30 days from the date of receipt. Companies that have not yet received a notice but that are identifiably non-compliant should treat the present moment as their effective compliance deadline.

Which business categories are affected

Enforcement actions to date have concentrated on four categories of business. E-commerce and digital marketplace operators – including those running platforms accessible to Uzbek consumers from abroad – are the most frequently targeted. Financial services providers processing payment or credit data of Uzbek residents rank second. Telecommunications and mobile application companies whose products are used within Uzbekistan follow closely. Healthcare and HR technology companies handling sensitive personal data form the fourth high-risk category.

The threshold criteria for DPA scrutiny are broad. Any entity that: (i) maintains a database of personal data of more than a defined minimum number of Uzbek residents. (ii) engages in automated profiling of individuals located in Uzbekistan. or (iii) transfers personal data outside Uzbekistan in the course of its operations. falls within the DPA's active enforcement scope. The DPA has indicated that it does not require a physical presence in Uzbekistan to assert jurisdiction over a data controller. This mirrors the extraterritorial logic found in GDPR compliance regimes and should be treated accordingly by international operators.

Companies that process employee data through centralised HR systems located outside Uzbekistan are also exposed. The DPA has clarified that payroll processing, performance management, and workforce analytics systems all constitute personal data processing subject to local rules when the data subjects are Uzbek residents.

To receive a preliminary assessment of your company's exposure under Uzbekistan's data protection enforcement regime, contact us at info@ferrazwhitmore.com.

Immediate actions required

International companies should take the following steps now.

  • Audit data flows. Map all personal data of Uzbek residents that your organisation collects, stores, or transfers. Identify which systems process this data and whether they are located inside or outside Uzbekistan.
  • Verify DPA registration. Confirm whether your entity – or the local subsidiary through which you operate – is registered with the DPA as a data controller. If not, initiate registration immediately. Unregistered controllers are the primary enforcement target at present.
  • Review consent mechanisms. Assess whether your consent formats meet the DPA's updated standards. Consents that are bundled into general terms of service, that lack a clear revocation mechanism, or that fail to specify the categories of data collected are likely to be found deficient.
  • Assess cross-border data transfer arrangements. If your operations involve data transfer to jurisdictions outside Uzbekistan's approved list, obtain DPA authorisation or implement approved contractual safeguards before the next inspection cycle begins.
  • Appoint a local point of contact. The DPA expects data controllers without a registered presence in Uzbekistan to designate a local representative. Failure to do so is itself a ground for a compliance order.

Companies operating in adjacent CIS markets should note that enforcement intensification is a regional trend. Our alert on data protection enforcement in Russia addresses parallel developments that affect cross-border data transfer arrangements spanning both jurisdictions. Full guidance on registering and maintaining compliant operations in Uzbekistan is available through our data protection services for Uzbekistan.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers the full CIS region, including Uzbekistan, and our team has direct experience advising data controllers and data processors on registration, consent mechanism design, cross-border data transfer arrangements, and DPA engagement. As a law firm in Uzbekistan matters, we combine knowledge of the local regulatory regime with the cross-border compliance perspective that international companies require. Practitioners seeking a lawyer in Uzbekistan with experience across both civil law systems and GDPR compliance frameworks will find our team well placed to assist. The firm's Lisbon base provides direct access to EU regulatory expertise, while our CIS practice group supports clients facing enforcement risk in high-growth and emerging markets. To discuss your situation and assess the immediate steps required for your organisation, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.

Published: April 30, 2026

Author: Anna Chen – Senior Associate, Asia-Pacific, Middle East & CIS

Anna Chen is a Senior Associate at Ferraz & Whitmore focusing on cross-border transactions, market entry, and dispute resolution across Asia-Pacific, Middle Eastern, and CIS jurisdictions. She supports international clients in navigating regulatory and commercial challenges in high-growth and emerging markets.