Personal Information Privacy in Turkmenistan
The Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection, known as the Law on Information for short, is a data protection and personal privacy law that was passed in March of 2017. Prior to the passing of the Law on Information, legal protections in Turkmenistan relating to personal data and privacy were limited to technical provisions contained within various other statutory documents. The Law on Information sets forth the requirements and obligations for data controllers and processors, as well as the punishment that can result from failing to follow the law and its various provisions.
How are data controllers and processors defined under the Law on Information?
The Law on Information does not provide a definition for the term “data controller” and instead uses the term “operator of a database”. The law defines an operator of a database as “a state body, other legal entity, or physical person performing collection, processing, and protection of personal data, and also determining the purposes and content of these actions”. Likewise, the Law on Information does not make use of the term “data processor”. However, unlike many other data privacy laws that provide an alternative term for individuals who are in charge of processing data, the Law on Information does not provide a term that applies to the concept of a “data processor”.
As such, the processing of personal data is also applicable to operators of databases, as well as any other individuals or third parties with whom said operators may share personal data. Moreover, the law does not provide a definition for personal data, and instead uses the concept of information on personal life, or personal information. Personal information is defined under the law as “any data relating to the physical person determined or based on such data, fixed on electronic, paper, or other material medium”. For the purposes of this overview, such a physical person will be referred to as a “data subject”.
In terms of the scope and application of the Law on Information, the personal scope of the law is applicable to all relations that result from data processing activities, such as the collection and processing of personal data. By contrast, the Law on Information does not explicitly state any territorial applicability of the law, while the material scope of the law covers “personal data, special categories of personal data, biometric data, dissemination of personal information through the media, cross-border transfer of personal information, anonymisation of personal information, etc”. However, there are exceptions to the material application of the law, such as instances in which personal data is related to state secrets.
What are the requirements of database operators under the Law on Information?
Under the Law on Information, database operators have a variety of duties and obligations when it comes to ensuring that the personal information of data subjects is protected at all times. These duties and obligations are conveyed through the following principles:
- Observing the constitutional rights and freedoms of all people and citizens.
- Ensuring that purposes and methods for which personal information is collected and processed are based on legality.
- Ensuring that the purposes for the collection and processing of personal information are in accordance with the purposes for which said personal information was collected, as well as the powers of database operators as it relates to the collection of personal information.
- Ensuring the safety of individuals, society, and the state as it relates to the collection and processing of personal information.
- Ensuring that the purposes for collection and processing of personal information are in accordance with the volume and nature of said personal information.
- Ensuring that all personal information that is collected and processed is reliable and sufficient for the purposes for which it was collected or processed, and observing “the inadmissibility of the collection and processing of personal information that is excessive in relation to the purposes determined when collecting personal information”.
- Ensuring that all personal information that is collected and processed remains confidential, and that access to said personal information is limited.
What are the rights of data subjects under the Law on Information?
Under the Law on Information, data subjects within Turkmenistan are entitled to the following rights as they relate to the collection and processing of their personal information:
- The right to be informed – Data subjects have the right to be informed as to whether a database operator or other third party has access to their personal information, as well as the contact details of said database operator or third parties, among other details.
- The right to access – Data subjects have the right to access personal information that pertains to them.
- The right to rectification – Data subjects have the right to request that a database operator rectify personal information related to them.
- The right to erasure – Data subjects have the right to request that a database operator or third party erase personal information related to them.
- The right to object or opt-out – Data subjects have the right to withdraw their consent to the collection and processing of their personal information.
- Other rights – Data subjects have a variety of other rights under the law, some of which include the right to protect their rights and legal interests under the law, the right to be made aware of the terms for the processing of their personal information, and the right to be provided a list of their personal information at their request.
A variety of penalties can be imposed against database operators who fail to comply with the law. “As the Administrative Code sets out, illegal collection, storage, or dissemination of information about private life, constituting a personal or family secret of another person, without his/her consent, shall entail the imposition of a fine of between five to ten sizes of the basic value ($150 to $294) or administrative arrest for up to 15 days”. Additionally, database operators who continue to violate the law are also subject to a fine of between five and ten average monthly wages, or correctional labor for up to one year.
As data privacy has become of the utmost importance due to the prevalence of internet communication and commerce in today’s society, laws that protect personal data are needed now more than ever before. Turkmenistan addressed this need through the passing of the Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection. In doing so, it joined the trend of countries throughout the world, including in Asia, that have passed legislation relating to data protection in recent years, such as Tajikistan’s Law on Personal Data Protection and Uzbekistan’s Law on Personal Data