Uzbekistan amends personal data law with new localization and cross-border transfer rules
Law No. 1125, signed on 26 March 2026, introduces significant amendments to Uzbekistan's Law on Personal Data. The amendments replace the broad data localization obligation for all citizen data with a targeted regime covering three specific categories - biometric, genetic and telecom user data - while establishing three new legal bases for cross-border data storage and processing. The law enters into force from the date of its official publication.
What has changed and why it matters
The 2019 Law on Personal Data imposed a broad requirement for all personal data of Uzbek citizens processed using information technologies to be stored on servers physically located in Uzbekistan. Law No. 1125, adopted by the Legislative Chamber on 20 January 2026 and approved by the Senate on 5 February 2026, fundamentally restructures this regime. The amendments narrow the mandatory local storage obligation to three defined categories while simultaneously creating structured pathways for lawful cross-border data storage and processing.
New data localization requirements
Under the amended Article 27¹, the following personal data must be stored in the territory of Uzbekistan:
- Biometric data of individuals
- Genetic data of individuals
- Data of individuals using the services of telecommunication operators operating in the territory of Uzbekistan
Databases containing these categories must be registered in the State Register of Personal Data Databases. This replaces the previous regime under which all personal data databases were subject to mandatory registration.
Cross-border data storage and processing
Personal data not falling within the three mandatory local storage categories may now be stored and processed outside Uzbekistan, provided one of the following conditions is met:
- Adequacy recognition: the foreign state is recognized as ensuring an equivalent level of personal data protection. The list of such states will be determined by the Cabinet of Ministers
- Contractual or corporate safeguards: the operator adopts and complies with standard contractual terms or mandatory corporate rules that meet requirements approved by the authorized state body
- International standards compliance: the operator complies with international standards on personal data management and storage, from a list approved by the authorized state body
This represents an entirely new structured mechanism for cross-border data transfers, replacing the more limited framework under Article 15 of the original law which relied primarily on "adequate protection" assessments, subject consent or international treaties.
Scope exclusion changes
Two additional amendments adjust the scope of the law:
- The exclusion for individual data processing has been simplified from "personal and domestic purposes not related to professional or commercial activity" to "personal and domestic purposes" only, narrowing the exemption
- The exclusion for state secrets has been broadened to also cover "information related to defense and national security matters"
Key comparison: 2019 law versus 2026 amendments
| Area | 2019 Law | 2026 Amendments |
|---|---|---|
| Local storage obligation | All personal data of Uzbek citizens processed using IT | Only biometric, genetic and telecom user data |
| Database registration | All personal data databases | Only databases containing the three mandatory local storage categories |
| Cross-border storage | No specific mechanism in Article 27¹ | Three defined legal bases: adequacy, contractual safeguards, international standards |
| Adequacy list authority | Not explicitly assigned | Cabinet of Ministers determines the list |
| Individual processing exemption | Personal and domestic purposes not related to professional or commercial activity | Personal and domestic purposes only |
What this means for your business
For international companies operating in Uzbekistan, these amendments represent a significant and broadly positive shift. The replacement of the blanket localization requirement with a targeted three-category regime removes a compliance burden that affected virtually every company processing customer or employee data in the country. Companies in sectors not handling biometric, genetic or telecom data may now have a lawful basis for storing personal data on infrastructure outside Uzbekistan, subject to meeting one of the three cross-border conditions.
However, the practical impact depends heavily on three pieces of secondary legislation that do not yet exist:
- The Cabinet of Ministers' list of countries with equivalent data protection levels
- The authorized state body's approved standard contractual terms and mandatory corporate rules
- The authorized state body's approved list of international standards
Until these are adopted, the cross-border pathways exist in law but cannot be relied upon in practice. Companies should begin reviewing their data architecture and processing arrangements now, while monitoring the development of the implementing regulations closely.
Companies in telecommunications, healthtech, biometrics, fintech and any sector handling genetic or biometric data remain subject to mandatory local storage and must ensure their databases are registered in the State Register.
Get in touch to discuss what these changes mean for your operations.