Personal Data Protection in Tajikistan: An Overview

Overview

The Law of the Republic of Tajikistan on Personal Data Protection (the Law on DP) has been in force since 2018 but has yet to be tested in practice, as there is no case law on this legislation. The Law on DP differentiates between the collection and processing of personal data:

  • Collection: An action directed at obtaining personal data.
  • Processing: Includes recording, systematizing, storing, changing, supplementing, extracting, using, distributing, anonymizing, blocking, and destroying personal data.

Controllers and Processors

Controllers (referred to as data holders) and processors can be either private or public entities. The legal grounds for collecting and processing personal data are as follows:

  • Private Controllers and Processors: Must obtain the data subject's consent.
  • Public Controllers and Processors: Can also collect and process data with the data subject's consent. However, if these are State organs exercising State power, they can do so without consent in two cases:
    1. When processing personal data in the course of exercising State functions.
    2. When protecting the constitutional rights and freedoms of other individuals.

Other legal grounds such as binding corporate rules or standard data protection clauses are not foreseen by the Law on DP.

Principles of Data Collection and Processing

  • Collection and processing must align strictly with the purposes for which personal data was collected.
  • Personal data can be retained until the purposes of collection and processing are fulfilled.
  • Data subjects must be notified about the collection and processing of their personal data, have access to it, and have the right to rectify mistakes.

Biometric Data

Biometric personal data (data on physiological and biological peculiarities of individuals) can be collected and processed only upon receiving written consent, except when State organs process biometric data for purposes such as crime detection and investigation.

Access to Personal Data

There are two legal regimes for accessing personal data:

  1. Publicly Accessible Personal Data: Can be included in publicly accessible databases through the data subject's consent or without consent by State organs. Once consent is given for public use, it cannot be revoked.
  2. Personal Data of Limited Access: The competent State organ defines the minimum publicly accessible data, which includes the name, additional name of the subject, email address (without the data subject's name), place of work, and job position.

Transborder Flow of Personal Data

Transborder flow of personal data is allowed upon the data subject’s consent or when the foreign State’s data protection regime provides adequate protection of data subjects. The Law on DP does not specify what constitutes ‘adequate protection’ or the procedure for evaluating such regimes.

Data Handling Requirements

  • Personal data must be separated from other information, particularly by recording it on media.
  • Specific storage locations and a list of persons authorized to collect, process, or access personal data must be determined.
  • Databases must exclude combinations of fields that exceed the purposes of their collection.

Safety Measures

Controllers and processors, as well as third parties, must:

  • Establish measures to ensure the safety of personal data and prevent unauthorized access.
  • Determine the list of persons responsible for implementing these measures.

Database Contents

Databases containing personal data must include:

  • Purpose of data collection and processing.
  • Name and address of the controller and processor.
  • Surname, first name, and address of the data subject.
  • Source of obtaining personal data.
  • Time of processing personal data.
  • List of actions to be performed with personal data.
  • A field for data subjects to check their consent for data collection and processing.

Controllers and processors must take measures to destroy personal data once the purpose of its collection and processing is achieved. Data subjects must have the opportunity to familiarize themselves with their personal data without violating the rights and interests of other data subjects.

Reporting Requirements

If data subjects request a report on their personal information retained by the controllers and processors, the latter must provide such a report within three working days.