A European technology company launches a mobile application targeting users in Central Asia. Within weeks, it is processing the personal data of hundreds of thousands of individuals located in Uzbekistan. No local entity has been established. No registration has been filed. The data is stored on servers in Frankfurt. Each of these facts creates a distinct compliance exposure under Uzbek data protection legislation – and the penalties for non-compliance can include suspension of data processing operations entirely.
Data protection compliance in Uzbekistan requires foreign and domestic businesses to register personal data databases with the competent state supervisory authority, implement a consent mechanism for data collection, and store certain categories of personal data on servers physically located within Uzbekistan. The registration process typically takes four to eight weeks. Failure to comply exposes operators to administrative sanctions and the risk of processing being blocked.
This guide explains the step-by-step compliance process, the documentary requirements, the most common errors made by international businesses, and a decision checklist to help you determine which obligations apply to your specific situation.
The regulatory environment for personal data in Uzbekistan
Uzbekistan's data protection system is anchored in dedicated personal data legislation adopted in the early 2010s and substantially strengthened in the years since. The body of law establishes the rights of data subjects, the duties of operators, and the powers of the supervisory authority.
The Agentlik (Agency for Personal Data Protection) acts as the principal DPA – the data protection authority responsible for registration, monitoring, and enforcement. It maintains a public register of personal data databases. Any operator that collects or uses personal data of individuals in Uzbekistan must register each database with this authority before processing begins.
The legislation draws a clear distinction between a data controller – the entity that determines the purposes and means of processing – and a data processor, which processes data on behalf of the controller. Both categories carry obligations, but the controller bears primary legal responsibility. This distinction mirrors the architecture familiar to practitioners with GDPR compliance experience, though the specific obligations differ in important respects.
Three features of the Uzbek system deserve particular attention from international businesses. First, the data localisation requirement mandates that personal data of Uzbek citizens be stored and processed on servers physically located within Uzbekistan. This is not a soft recommendation. It is a hard obligation with enforcement consequences. Second, the consent mechanism requirements are prescriptive: consent must be informed, specific, and documented. Implied or bundled consent is not accepted. Third, cross-border data transfer to foreign jurisdictions is subject to restrictions. A transfer is only permitted where the receiving jurisdiction provides an adequate level of protection, or where the data subject has given explicit consent to the transfer.
Businesses operating across the CIS region will find useful comparative context in our analysis of data protection compliance in Russia, where similar localisation and registration requirements apply under a parallel legislative regime.
Step-by-step compliance process and timelines
Achieving compliance involves five sequential stages. Each stage has its own documentary requirements and realistic timeframe. Missing a stage or completing stages out of sequence is one of the most common causes of rejected applications.
Stage 1 – Data mapping and inventory (weeks 1–2). Before any registration can be filed, the business must identify every category of personal data it collects, the purpose of processing each category, the retention period, and the storage location. This inventory forms the factual foundation of the registration application. Many foreign businesses underestimate the time required for this stage. A multinational with multiple product lines may be collecting dozens of distinct data categories across different systems.
Stage 2 – Policy and documentation preparation (weeks 2–4). The business must prepare a privacy policy in the Uzbek language. It must also prepare internal processing rules, a consent form that meets the prescriptive requirements of data protection legislation, and a data transfer agreement if any processor is involved. All documents must reflect the actual processing activities identified in the data mapping stage. Generic GDPR-compliant policies drafted for European operations are not sufficient. They must be adapted to the specific requirements of Uzbek legislation.
Stage 3 – Technical infrastructure review (weeks 2–5, running in parallel). The localisation requirement must be satisfied before or simultaneously with registration. If the business stores data on foreign servers, it must either migrate that data to Uzbek-based infrastructure or engage a local hosting provider. Cloud solutions are available through providers with Uzbekistan-based data centres. The technical review should confirm that security measures – including encryption, access controls, and audit logging – meet the standards required under data protection legislation.
Stage 4 – Registration with the DPA (weeks 4–8 from submission). The registration application is submitted to the Agency for Personal Data Protection. The application package must include a description of each database, the categories of data subjects, the legal basis for processing, the retention schedule, and details of the technical and organisational measures in place. The authority reviews the application and may request supplementary information. Once approved, the database is entered in the public register and the operator receives a registration certificate.
Stage 5 – Ongoing obligations (continuous). Registration is not a one-time event. The operator must notify the authority of any material change to its processing activities within a defined period. It must respond to data subject access requests within the timeframe prescribed by legislation. It must conduct periodic reviews of its data security measures. Staff with access to personal data must receive documented training.
The total minimum timeline from the start of data mapping to receipt of the registration certificate is approximately ten to fourteen weeks for a business that engages experienced local counsel and has no existing infrastructure in Uzbekistan. Businesses that attempt to self-manage the process without local legal support consistently take longer and face a higher rate of application rejections.
For businesses operating at the intersection of data protection and emerging technology, the obligations under Uzbekistan's developing AI and technology regulatory regime may interact directly with personal data processing requirements, particularly where automated decision-making or profiling is involved.
Documentary checklist and common errors by foreign businesses
The following documents are required to complete the registration process. Each must be prepared in Uzbek, or accompanied by a certified translation into Uzbek.
- Privacy policy published on the operator's website or application
- Internal personal data processing rules and procedures
- Consent forms for each data collection point
- Data transfer agreements with any processors
- Technical security documentation confirming localisation and protection measures
Several errors recur with high frequency among international clients approaching this process for the first time.
Error 1 – Treating GDPR compliance as a substitute. A business that has invested heavily in GDPR compliance may assume that its existing documentation satisfies Uzbek requirements. This assumption is incorrect in material respects. The consent mechanism standards differ. The localisation requirement has no direct equivalent in EU law. The registration obligation itself – filing each database with the authority – has no counterpart in the GDPR regime. Existing GDPR documentation is a useful starting point but requires substantive adaptation.
Error 2 – Registering only one database when multiple exist. Each distinct personal data database must be registered separately. A business with a customer database, an employee database, and a marketing analytics database must file three separate registrations. Operators who register only their primary customer-facing database and overlook internal HR or marketing systems create a compliance gap that surfaces during audits.
Error 3 – Delaying localisation until after registration. Some businesses attempt to file the registration application before the technical infrastructure is in place, intending to migrate data subsequently. The authority expects localisation to be in place at the time of registration. Applications that disclose foreign storage locations without a concrete migration timeline are routinely queried or refused.
Error 4 – Using informal or implied consent. Pre-ticked boxes, consent buried in terms of service, and verbal consent are not valid under Uzbek data protection legislation. Consent must be a distinct, affirmative act. The consent form must identify the specific purposes of processing and be retained as documentary evidence. Failure at this point creates exposure across every data subject whose data has been collected without valid consent.
Error 5 – Failing to account for cross-border data transfer restrictions. Businesses that transfer data to group companies or service providers outside Uzbekistan must assess whether the destination jurisdiction provides adequate protection. Where it does not, an explicit data subject consent or a specific contractual mechanism is required. Many foreign businesses discover this requirement only when a cross-border data transfer becomes visible to the authority during an audit or following a data subject complaint.
Decision framework: which obligations apply to your business
The scope of obligations under Uzbek data protection legislation depends on several factors. The following decision framework helps identify which requirements apply to a given business scenario.
Scenario A – Foreign company with no local entity, serving Uzbek users online. This is the scenario most likely to be overlooked. The legislation applies to any operator that processes personal data of individuals located in Uzbekistan, regardless of the operator's place of incorporation or the location of its servers. A foreign e-commerce platform, SaaS provider, or media business collecting registration data, payment data, or behavioural analytics from Uzbek users is a data controller subject to the full registration and localisation regime. The absence of a local legal entity does not create an exemption.
Scenario B – Foreign company with a local representative office or subsidiary. Where a local entity exists, that entity typically acts as the data controller for processing activities conducted in Uzbekistan. The local entity must complete the registration process and hold the registration certificates. Group-level data transfer agreements are needed to govern any flows of data from the local entity to the parent or other group companies abroad.
Scenario C – B2B operator processing data solely on behalf of another controller. A business acting purely as a data processor – for example, a payroll services provider or a cloud hosting company – processes data under the instruction of the controller. The processor's obligations are defined by its contract with the controller. The controller remains responsible for registration. The processor must implement appropriate technical and organisational security measures and must not process data outside the scope of the controller's instructions.
Scenario D – Business collecting only anonymised or aggregated data. Data that has been genuinely anonymised – so that individuals cannot be identified or re-identified from the data – falls outside the scope of personal data legislation. However, the bar for true anonymisation is high. Pseudonymised data, data sets that can be linked to identifiable individuals through combination with other data, and data that retains unique identifiers do not qualify. Businesses should obtain a legal opinion before relying on an anonymisation argument to avoid registration obligations.
The self-assessment checklist below helps determine whether full compliance obligations are triggered:
- Does your business collect names, contact details, identity numbers, or behavioural data from individuals located in Uzbekistan?
- Does your business store, analyse, or transfer any such data – even temporarily?
- Does your business use third-party processors who access this data?
- Does your business transfer data outside Uzbekistan to group companies or service providers?
- Does your business make automated decisions about individuals based on their data?
If the answer to any of these questions is yes, registration and the full compliance programme are required. A single affirmative answer is sufficient to trigger the obligations. Businesses that answer yes to three or more questions should prioritise a comprehensive compliance review before operating further.
Full details of our advisory services for operators in this jurisdiction are available on our data protection services page for Uzbekistan, which covers registration support, documentation preparation, and ongoing compliance management.
Frequently asked questions
Q: How long does it take to complete data protection registration in Uzbekistan?
A: The registration of a personal data database with the competent supervisory authority in Uzbekistan typically takes between four and eight weeks from the date of submission, provided the application package is complete. Practical delays arise when translated documents require notarisation or when the authority requests supplementary information. Businesses should build at least two additional weeks into their project timeline as a buffer.
Q: Does Uzbekistan's data protection law apply to foreign companies processing data about Uzbek residents?
A: A common misconception is that Uzbek data protection legislation applies only to locally registered entities. In practice, the law extends to any operator that processes personal data of individuals located in Uzbekistan, regardless of where the operator is incorporated. Engaging a lawyer in Uzbekistan with cross-border experience is advisable for foreign companies collecting data from Uzbek users through websites or mobile applications, as they are subject to the same registration and localisation obligations as domestic businesses.
Q: What are the main cost categories for achieving data protection compliance in Uzbekistan?
A: Compliance costs fall into three broad categories: legal advisory fees for preparing the documentation and registration package; internal or outsourced technical work to implement data localisation and security measures; and ongoing costs for staff training and policy maintenance. Government registration fees are modest. The largest expenditure for most foreign businesses is typically the technical infrastructure required to satisfy data localisation requirements, followed by legal advisory costs. A law firm in Uzbekistan or with CIS expertise can help scope these costs accurately at the outset.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our team combines Portuguese civil law expertise with English common law tradition to deliver cross-border legal solutions in data protection compliance, including registration, documentation, and ongoing advisory work in Uzbekistan and across CIS markets. We work with international entrepreneurs, institutional investors, and in-house legal teams who need results-oriented counsel across multiple legal systems. Our data protection practice covers 15 practice areas and spans high-growth and emerging markets across Asia-Pacific, the Middle East, and CIS, supported by practitioners with direct experience before regional supervisory authorities. The firm's Lisbon base provides direct access to EU regulatory expertise, while our CIS practice supports clients navigating the distinct localisation and consent mechanism requirements of jurisdictions such as Uzbekistan. To discuss your data protection obligations in Uzbekistan, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.