The Law of the Republic of Uzbekistan “On Personal Data” of July 2, 2019 No. ZRU-547 (entered into force on October 1, 2019) specifies that “personal data” should be understood as information recorded on electronic, paper and (or) other material media that relates to a particular individual or makes it possible to identify him. The purpose of the above-mentioned legal act is to regulate the protection of personal data. This law provides for a number of legal obligations for persons whose activities are related to personal data.
One of the fundamental principles of legitimate data collection is respect for the constitutional rights and freedoms of the individual. In this regard, more stringent requirements apply to biometric, genetic data, as well as for special personal data (i.e. data on racial or social origin, political, religious or ideological beliefs, membership in political parties and trade unions, as well as data related to physical or mental (mental) health, information about private life and criminal record).
Article 3 of the Law “On Personal Data” defines the scope of application of this act. Thus, this Law applies to relations arising from the processing and protection of personal data, regardless of the means of processing used, including information technologies. The same norm of the act identifies a number of relations that are not covered by this act, namely:
* processing of personal data by an individual for personal, household purposes and not related to his professional or commercial activities;
* formation, storage and use of documents of the National Archival Fund and other archival documents containing personal data;
* processing of personal data related to information constituting state secrets;
* processing of personal data obtained in the course of operational search, intelligence and counterintelligence activities, the fight against crime, law enforcement, as well as in the framework of countering the legalization of proceeds from criminal activities.
It should be noted that this remark of the Law does not mean that in the above cases, personal data is not protected. In these cases, other legal acts regulate these relations.
In the Law “On Personal Data”, the Authorized state body in the field of personal data is the State Center for Personalization under the Cabinet of Ministers of the Republic of Uzbekistan, which has the following powers:
* implements the state policy in the field of personal data;
* participates in the development and implementation of state and other programs in the field of personal data;
* approves the Standard Procedure for Processing personal Data;
* approves the Standard Procedure for Organizing the activities of a structural unit or an authorized person of the owner and / or operator that ensures the processing of personal data and their protection;
* maintains the State Register of Personal Data Databases;
* issues a certificate of registration of the personal data base in the State Register of Personal Data Bases;
* exercises, within the limits of its powers, state control over compliance with the requirements of the legislation on personal data;
* submits proposals to the Cabinet of Ministers of the Republic of Uzbekistan on improving the legal framework in the field of personal data;
* sends to the state bodies authorized in the field of state security, in relation to the scope of their activities, the established information;
* determines the required level of personal data security;
* analyzes the volume and content of the processed personal data, the type of activity, the reality of threats to the security of personal data;
* makes mandatory requirements for legal entities and individuals to eliminate violations of the law on personal data;
* cooperates with the competent authorities of foreign states and international organizations in the field of personal data.
The adopted law defines the procedure for processing personal data and the relationship between the participants in this process – the subject (the person to whom the data relates), the owner of the database (a state body, an individual and (or) a legal entity that has the right to own, use and dispose of the database of personal data) and the operator (the person who performs the processing).
The main principles of the adopted Law regarding the processing and use of personal data are:
Respect for the constitutional rights and freedoms of man and citizen. The Constitution of the Republic of Uzbekistan proclaims respect for human rights. The Constitution distinguishes a number of groups of rights and freedoms of a citizen – personal rights and freedoms, political rights, economic and social rights. When collecting and analyzing personal data of citizens, the operator and the owner must respect all the constitutional rights and freedoms of the subject.
The legality of the purposes and methods of processing personal data. Personal data is processed in the following cases:
* consent of the subject to the processing of this data;
• the need to process this data in order to fulfill the contract to which the subject is a party, or to take measures at the request of the subject prior to the conclusion of such a contract;
• the need to process this data in order to fulfill the obligations of the owner and (or) the operator, as defined by law;
* the need to process this data to protect the legitimate interests of the subject or other person;
* the need to process this data in order to exercise the rights and legitimate interests of the owner and / or operator or a third party, or to achieve socially significant goals, provided that the rights and legitimate interests of the subjects of personal data are not violated;
* processing of this data for statistical or other research purposes, subject to mandatory depersonalization of personal data;
• if this data is obtained from publicly available sources.
The methods of obtaining personal data are also important. Obtaining personal data by illegal means is responsible.
Accuracy and reliability of personal data. Changes and additions to personal data are made by the owner and (or) the operator (a) on the basis of the subject’s request within three days from the date of such request and (b) immediately, if the data is not true.
Confidentiality and security of personal data. Persons who have obtained access to personal data are obliged not to disclose or distribute personal data without the consent of the subject.
Equality of rights of subjects, owners and operators. This principle gives the right to the subject not to provide personal data if they do not relate to the purpose of its data transmission.
Security of the individual, society and the state. The operator and the owner of the personal data must take all measures to protect the received data.
Obtaining consent from the subject to the processing of his personal data is an important condition for obtaining and processing personal data. The subject gives consent to the processing of personal data in any form that allows you to confirm the fact of its receipt.
Publicly available personal data is personal data that is freely accessible with the consent of the subject or that is not subject to confidentiality requirements.
In order to provide information to the population, public sources of personal data can be created (including biographical reference books, telephone, address books, and publicly available electronic information resources).
Publicly available sources of personal data, with the written consent of the subject, may include the last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data provided by the subject.
Information about the subject may be excluded from publicly available sources of personal data upon his request, submitted in the form in which consent was given, or in writing, including in the form of an electronic document, as well as by decision of an authorized state body or court.
The subject of personal data has the right to:
* be aware of the presence of the owner and / or operator, as well as a third party, of their personal data and their composition;
* receive information on the processing of personal data from the owner and / or operator upon request;
* receive information about the conditions for granting access to your personal data from the owner and / or operator;
* apply to the authorized state body or court for the protection of the rights and legitimate interests in relation to your personal data;
* give consent to the processing of your personal data and withdraw such consent, except in cases provided for by this Law;
* give consent to the owner and / or operator, as well as to a third party, to distribute their personal data in publicly available sources of personal data;
* require the owner and / or operator to temporarily suspend the processing of their personal data, if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the purposes of processing.
The personal data of a subject recognized as incapacitated or limited in legal capacity is disposed of by its legal representative, recognized as such in accordance with the procedure established by law.