May 2024

1. Governing Texts

Prior to 2018, the rights of data subjects had been protected by a range of existing laws that indirectly apply, due to the lack of comprehensive legislation on data protection. However, in 2018, Law of August 3, 2018, No. 1537 on Personal Data Protection (only available in Tajik here) (the Law on Personal Data) was adopted, which established grounds for the regulation of relations between owners, operators, and data subjects. The Law on Personal Data also clearly sets out rules for obtaining consent, notifying the data subject in case of the transfer of their data, as well as conditions for cross-border transfers.

1.1. Key acts, regulations, directives, bills

The fundamental provision of Tajik legislation which provides for the right to protection of personal data is contained in Article 23 of the Constitution of the Republic of Tajikistan of November 6, 1994, which states that the collection, storage, use, and dissemination of personal data of an individual without their consent is prohibited.

In addition to the Law on Personal Data, provisions regulating data protection are provided by:

• Law of June 22, 2023, No.1968 on Permits system (only available in Tajik here) (Law on Permits System);
• Law of May 10, 2002, No. 55 on Information (only available in Tajik here) (the Law on Information);
• Criminal Code of the Republic of Tajikistan of May 21, 1998 No. 574 (only available in Tajik here) (the Criminal Code), which provides for criminal liability for various offenses related to information stored on computer systems;
• Code on Administrative Offences of the Republic of Tajikistan of December 31, 2008, No. 455 (only available in Tajik here) (the Code on Administrative Offences), which provides for administrative liabilities for failure to take measures ensuring the safety of storage and processing of information in establishments and entities irrespective of ownership; and
• the Order on Measures to Protect Personal Data by the Owner, Operators, and Third parties of July 2, 2021, No. 2.21-11 (please note this publication is not available in electronic form).

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law on Personal Data applies to owners or holders of personal data, operators of databases, as well as third parties under a legal relationship relevant to the personal data. They can be state bodies, individuals, and legal entities involved in the processing and protecting of personal data in accordance with the laws of the Republic of Tajikistan or, in the case of operators, through an agreement with the owner.

Furthermore, the collection and processing of personal data of those declared by court as missing or dead are to be carried out in accordance with the legislation of the Republic of Tajikistan (Article 8 of the Law on Personal Data).

2.2. Territorial scope

The Law on Personal Data does not contain an explicit provision as to whom and to what extent it applies. However, in light of general provisions of legal acts adopted by the Parliament of the Republic of Tajikistan, it applies within the territory of Tajikistan where enforcement can be provided.

2.3. Material scope

The Law on Personal Data regulates the collection, processing, and protection of personal data (Article 3 of the Law on Personal Data). Processing includes actions related to the recording, systematization, storage, modification, addition, extraction, use, distribution, depersonalization, blocking, and destruction of personal data (Article 1 of the Law on Personal Data).

Under Article 3 of the Law on Personal Data, the following actions are not covered:

• the processing and protection of personal data solely for personal and family needs, unless the rights of other individuals and/or legal entities have been violated;
• the formation, storage, registration, and use of documents containing personal data of the National Archival Fund of the Republic of Tajikistan and other archival documents in accordance with the legislation of the Republic of Tajikistan; and
• the processing of personal data that are classified, in accordance with the legislation of the Republic of Tajikistan, as state secrets.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Data protection is regulated by the Communication Service under the Government of the Republic of Tajikistan (the Government).

3.2. Main powers, duties and responsibilities

The Government has the following powers (Chapter 2 of the Law on Personal Data):

• granting of certificates of conformity for the protection of personal data and information security;

• realization of state policy on the protection of personal data;

• elaboration of regulations on the protection of personal data and presenting them to the President of the Republic of Tajikistan (the President) for confirmation;

• confirmation of the list of personal data that is necessary or sufficient for the fulfilment of the activities of the holder, operator, and any related third party;

• confirmation of an order for the realization of measures on the protection of personnel data by the holder, operator, and any related third party;

• consideration of physical persons' and legal entities' approaches to the protection of personal data; and

• determination of a list of responsible persons for compliance with the legislation of the Republic of Tajikistan on the protection of personal data and its enforcement.

Article 7 of the Law on Personal Data authorizes state bodies with the following powers:

• realization of state policy on the protection of personal data;

• elaboration of regulations on the protection of personal data and presenting to the President for confirmation;

• confirmation of the list of personal data that is necessary or enough for the implementation of activities of a data holder, operator, and any related third party;

• confirmation of an order for the realization of measures on the protection of personal data by a data holder, operator, and any related third party;

• consideration of any physical persons' and legal entities' approaches to the protection of personal data; and

• determination of a list of responsible persons to ensure compliance with the legislation of the Republic of Tajikistan on the protection of personal data and taking measures for prosecution.

4. Key Definitions

Data controller: Referred to as the owner or holder of personal data, a government agency, individual, or legal entity that processes and protects personal data in accordance with the legislation of the Republic of Tajikistan.

Data processor: Referred to as the operator of a database, a government agency, individual, or legal entity that processes and protects personal data in accordance with the legislation of the Republic of Tajikistan or an agreement with the owner of personal data.

Personal data: Information about the facts, events, and circumstances pertaining to an individual's life, allowing the identification of that individual.

Sensitive data: This is not defined in the Law on Personal Data. However, it does refer to the confidentiality of personal data with limited access, to which rules that determine the availability, transfer, and storage conditions of personal data apply.

Health data: This is not defined in the Law on Personal Data.

Biometric data: Personal data that determine the physiological and biological characteristics of the data subject.

Pseudonymization: Referred to as the depersonalization of personal data, and actions, as a result of which, personal data becomes impossible to determine the identity of personal data to a specific subject of personal data without the use of additional information.

Personal data processing: Actions aimed at the recording, systematization, storage, modification, addition, extraction, use, distribution, depersonalization, blocking, and destruction of personal data.

Third party: A person who is not a data subject, owner, or operator, but is associated with them by circumstances or by legal relations based on personal data.

Tangible materials: Material objects on which personal data are recorded in the form of symbols, type, and sound.

Data subject: An individual to whom the relevant personal data belongs.

5. Legal Bases

5.1. Consent

Article 11 of the Law on Personal Data states that access to personal data is established when the consent of the data subject or their legal representative is given to the owner, operator, or related third party. However, data subjects can revoke their consent according to Article 11 of the Law on Personal Data.

There are no formal requirements as to the form of consent. Nevertheless, as a general rule, consent should be documented in writing and bear the signature of the owner of personal data.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Pursuant to Article 12 of the Law on Personal Data, the collection and processing of personal data without the consent of the data subject is permitted in the following cases:

• performance of duties by state bodies stipulated in the law of the Republic of Tajikistan; and

• protection of the constitutional rights and freedoms of citizens.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Pursuant to Article 24 of the Law on Information, owners, operators, and any related third parties are permitted to collect and process personal data in accordance with the procedure established by the Law on Information and other regulatory legal acts of the Republic of Tajikistan.

Accordingly, the collection and processing of personal data and the protection thereof should comply with the following principles (Article 4 of the Law on Personal Data):

• observance of human and civil rights and freedoms;

• legality;

• justice;

• openness and transparency;

• confidentiality of personal data with limited access;

• equality of the rights of data subjects, owners, and operators; and

• ensuring the security of the individual, society, and the state.

Furthermore, the protection of personal data is also guaranteed by the state under Article 5 of the Law on Personal Data. In this regard, measures should be taken for the prevention of unintentional and unauthorized diversion, copying, theft, loss, modification, forgery, disclosure, and/or destruction of personal data.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no requirements to notify any authority or data subject of a data breach under any data protection legislation in Tajikistan.

However, Article 27 of the Law on Information provides that all organizations collecting information on citizens must carry out state registration of the relevant databases, according to the rules that have been established by the Government. Moreover, the Law on Permits System requires holders or owners of information systems to attain a license for the provision of systems that transfer encrypted personal data, as this comprises an activity involving the technical protection of confidential information.

7.2. Data transfers

Transfers of personal data within the territory of states which provide an adequate level of protection of data subject's personal data is carried out in accordance with Article 18 of the Law on Personal Data. The transfer of data within the territory of states not providing for the protection of personal data may be carried out in the event of:

• the consent of the data subject or their legal representative to transfer their personal data;

• cases provided for by international treaties recognized by the Republic of Tajikistan;

• cases provided for by the legislation of the Republic of Tajikistan for the protection of constitutional order, public order, rights and freedoms of person and citizen, health and morality of the population, and defense and security of the state; and

• for the protection of constitutional rights and freedoms of persons and citizens, in the event of the impossibility of obtaining consent from a data subject or their legal representative.

In addition, Article 21 of the Law on Personal Data obliges owners and operators of the information who are transferring the personal data to a third party to notify the data subject no later than three working days after the transfer with the following information:

• the name and address of the individual or legal entity receiving the data;

• the purpose of processing personal data; and

• the source of personal data.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Not applicable.

7.7. Data retention

The retention period for personal data is determined by the date of achieving the goals of processing unless otherwise provided by the legislation of the Republic of Tajikistan (Article 14 of the Law on Personal Data). Personal data should be destroyed once the retention period has expired (Article 20 of the Law on Personal Data).

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

The Law on Personal Data provides for the notion of biometric personal data. According to Article 17 of the Law on Personal Data, biometric personal data used by the operator to identify the subject of personal data can be processed only with the written consent of the data subject.

Article 17(2) of the Law on Personal Data provides exceptions to the consent requirement, including the implementation in criminal prosecution and justice, the execution of judicial acts, as well as in cases where provided for by the legislation of the Republic of Tajikistan on defense, security, operational-search activities, countering of terrorism, extremism, corruption, and the legalization or laundering of proceeds from crime, as well as for the financing of terrorism and the financing of the proliferation of weapons of mass destruction, execution of criminal punishment, acquisition, and termination of citizenship of the Republic of Tajikistan.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

According to Article 22 of the Law on Personal Data, data subjects' rights are as follows:

• confirmation of the fact that their data is being collected and processed;

• the legal grounds and objectives for the collection and processing of information;

• the purpose and methods of the collection and processing of information;

• the name and location of the owner, operator, and any related third party, including information about persons who have access to personal data and to whom personal data may be disclosed;

• the period of time of the collection and processing of personal data, including the period of storage of such data; and

• information about the realized or anticipated transboundary transfer of personal data.

8.2. Right to access

The right to access personal data by the data subject may be limited in accordance with the legislation of the Republic of Tajikistan.

8.3. Right to rectification

The data subject has the right to demand the owner, operator, and related third party to clarify, block, or destroy their personal data if it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as to accept the measures contained within the legislation of the Republic of Tajikistan to protect their rights. Denial of access to such information, its concealment, illegal collection, use, storage, or distribution may be appealed in court.

8.4. Right to erasure

Please see the section on the right to rectification above.

8.5. Right to object/opt-out

Please see the section on the right to rectification above.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Please note that according to the Law on State Budget for 2024 of November 15, 2023 No. 1157 (only available in Tajik here), one calculation index is equal to TJS 72 (approx. $6).

Legal entities

Failure to take measures to ensure the safe storage and processing of information in establishments and entities irrespective of ownership, including the theft, destruction, or other consequences, in the absence of evidence of a crime, may entail a fine for officials from 7 to 10 calculation indixes, and for legal entities from 100 to 200 calculation indexes (Article 521 of the Code on Administrative Offences).

Citizens

Illegal access to information stored in a computer system or network, or on media storage, accompanied by the violation of the protection of the system, or negligence resulting in the alteration, erasure, or blockage of data and the disabling of computer equipment, or causing extensive damage to it may entail a fine from 200 to 400 calculation indexes.

According to the Criminal Code, unauthorized copying or other misappropriation of information stored in the computer system, network, or on media storage, as well as the interception of information transmitted through computer connection, may entail a fine of from 200 to 500 calculation indexes.

Officials

The violation of the rules on the technical protection of information, including the use of technical means of protection received from abroad without an appropriate certificate from an authorized body, and the supply and use of technical means of information protection that do not comply with prescribed standards, may entail a fine from 12 to 15 calculation indexes (Article 507 of the Code on Administrative Offences). Other penalties stipulated for citizens also apply to officials.

9.1 Enforcement decisions

Decisions issued by the Government are not available publicly.