Privacy and Personal Data Protection in Tajikistan

Privacy and Personal Data Protection in Tajikistan

Tajikistan’s Law of 3 August 2018 No. 1537 on Personal Data Protection, also known as the Law on Personal Data for Short, is a data protection law that was recently passed in Tajikstan in 2018. While the right protection of personal data is included in the Constitution of the Republic of Tajikistan of 6 November 1994, the Law on Personal Data defines this right in more contemporary terms, while also imposing punishments on individuals and organizations who fail to comply with the law. To this point, the Law on Personal Data sets forth the legal framework that must be followed when collecting, storing, processing, or disclosing personal the personal information of data subjects within Tajikstan.

How are data controllers and processors defined under the law?

In a manner similar to Uzbekistan’s Law on Personal Data Protection, Tajikistan’s Law on Personal Data does not provide a specific definition for the terms “data controller” or “data processor”. Instead, Tajikstan’s Law on Personal Data uses the term “owner or holder of personal data”, defined as “a government agency, individual, or legal entity that processes and protects personal data in accordance with the legislation of the Republic of Tajikistan”. Conversely, the term “operator of a database” in the context of a data processor, defined to mean “government agency, individual, or legal entity that processes and protects personal data in accordance with the legislation of the Republic of Tajikistan or an agreement with the owner of personal data”.

Moreover, the law defines personal data as “Information about the facts, events, and circumstances pertaining to an individual’s life, allowing the identification of that individual”. To this end, the personal scope of the law applies to all owners or holders of personal data, operators of databases, as well as third parties who also receive personal data and as such, have a legal responsibility in relation to said personal data. Alternatively, the territorial scope of the Law on Personal Data is not explicitly stated, while the material scope of the law regulates various activities related to data processing, including the “systematization, storage, modification, addition, extraction, use, distribution, depersonalization, blocking, and destruction of personal data”.

What are the obligations of owners and holders of personal data and operators of databases under the law?

Under Tajikistan’s Law on Personal Data, owners and holders of personal data and operators of databases are responsible for following the following principles as it pertains to the protection of personal data:

  • Observing human and civil rights, as well as freedoms.
  • Legality.
  • Justice.
  • Transparency and openness.
  • The confidentiality of personal data with respect to limited access.
  • Ensuring the equality of rights for data subjects, operators, and owners.
  • Ensuring the security of the state, individual, and society.

In addition to following the data protection principles stated above, data owners and operators are also required to follow various other obligations as it relates to the collection, storage, processing, and dissemination of personal data. These obligations include providing data subjects with data processing notifications, as well as ensuring that the personal data of data subjects within Tajikstan is not transferred to third parties or countries that do not have an adequate level of data protection. Furthermore, data owners and operators are also responsible for retaining personal data for a period of time no longer than is necessary to fulfill the purpose for which it was collected, as well as taking additional measures to ensure the protection of special categories of personal data.

What are the rights of data subjects under Tajikistan’s Law on Personal Data?

Under Tajikstan’s Law on Personal Data, the rights that are guaranteed to data subjects as it relates to privacy and data protection are somewhat limited when compared to many other privacy laws that have been passed in recent years. To illustrate this point further, the law does not explicitly provide data subjects with the right to erasure, the right to object or opt-out, the right to data portability, and the right not to be subject to automated decision making. On the contrary, data subjects are entitled to the right to be informed, the right to access, and the right to rectification. In terms of the right to rectification, this right encapsulates the rights to erasure and to object or opt-out that are provided by many other privacy policies.

Subsequently, the law states that “The data subject has the right to demand the owner, operator, and related third party to clarify, block, or destroy his/her personal data if it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as to accept the measures contained within the legislation of the Republic of Tajikistan to protect their rights. Denial of access to such information, its concealment, illegal collection, use, storage, or distribution may be appealed in court”. As such, although data subjects are not granted the rights to erasure or to object or opt-out explicitly, they do have an avenue of recourse should they desire to pursue such actions under the law.

What are the penalties for non-compliance under the law?

In terms of penalties that can be imposed as a result of non-compliance with the law, Tajikistan’s Law on Personal Data is enforced through Tajikstan’s Criminal Code. As such, legal entities who fail to comply with the law are subject to a monetary fine of TJS 11,600 ($1,008), while citizens who violate the law are also subject to a monetary fine of up to TJS 29,000 ($2,515). What’s more, public officials who violate the law are also subject to a monetary fine of up to TJS 2,320 ($201), as well as a variety of other administrative penalties. Actions that can lead to the fines stated above include failing to ensure the safe storage and processing of personal data, as well as the theft or destruction of personal data.

While Tajikistan’s Law on Personal Data Protection defines data controllers and processors using alternative terms and offers fewer rights to data subjects on a surface level, the provisions of the law nevertheless provide data subjects within Tajikstan with a strong level of data protection. As such, Tajikistan has joined the ranks of countries throughout Asia that have passed comprehensive data privacy legislation in the last decade, such as China’s Personal Information Security Specification and Japan’s Act on the Protection of Personal Information. In this way, data subjects within Tajikstan can have the peace of mind that their personal data is being protected at all times.