In an era where data is often called “the new oil,” the security of citizens’ personal information has become a top priority for governments worldwide. Following this global trend, Uzbekistan has introduced significant amendments to its Law “On Personal Data” through Law No. O’RQ-1125, signed on March 26, 2026. This new legislation marks a major shift in how personal information is handled, stored, and protected within the country.
The core of the new amendment is the requirement for data localization. This means that specific categories of sensitive information must now be stored and processed using technical equipment (servers) physically located within the territory of Uzbekistan.
The following data types are now strictly subject to local storage:
- Biometric Data: Facial recognition patterns, fingerprints, and other unique physical identifiers.
- Genetic Data: Information related to an individual’s hereditary characteristics or health profile.
- Telecom User Data: Personal details of individuals using services from telecommunications operators active within Uzbekistan.
Exceptions: When Can Data Be Processed Abroad?
While the law prioritizes local storage, it provides a legal framework for cross-border data transfers for information not listed in the mandatory local storage category. These transfers are permitted if one of the following conditions is met:
- Recognized Jurisdictions: The foreign state must be officially recognized as providing an adequate level of protection for personal data, equivalent to Uzbekistan’s standards.
- Standard Contractual Clauses (SCCs): The data operator adopts and complies with standard contractual clauses or binding corporate rules approved by the authorized state body.
- International Standards: The operator adheres to recognized international standards for personal data management and storage, as verified by the competent authorities.
Why This Matters for Businesses and Citizens
For citizens, these changes provide a higher guarantee of digital sovereignty and privacy. By keeping sensitive biometric and genetic data within national borders, the risk of unauthorized access by foreign entities is significantly reduced.
For businesses—especially international IT companies, banks, and service providers—this law necessitates a review of their technical infrastructure. Companies must ensure that their databases and cloud solutions comply with these new residency requirements to avoid legal penalties.
Conclusion
The law entered into force on the day of its official publication. This legislative move aligns Uzbekistan with modern international privacy frameworks, such as the GDPR, while tailoring the requirements to national security and digital infrastructure goals.