Browse by jurisdiction
Kazakhstan's LPDP requires written consent before collecting personal data with detailed specifications. Data must be stored within Kazakhstan (data localization). A massive 2025 breach affecting 16 million individuals prompted proposals for criminal liability for mass leaks. Breach notification is required within one business day.
Uzbekistan's 2019 law requires explicit consent for data collection, third-party provision, and cross-border transfers. Presidential Decree PP-153 (April 2025) marks a shift toward practical enforcement with compulsory breach notifications in the financial sector. A new AI regulation bill is under parliamentary review.
Kyrgyzstan's 2008 law provides a basic data protection framework. The May 2025 amendment introducing administrative liability for violations represents a significant step, as previously the law lacked effective penalty mechanisms. Enforcement is still minimal but growing.
Tajikistan's 2018 data protection law provides a framework for personal data processing with consent requirements. Enforcement is in its infancy with very low penalties and minimal practical enforcement activity. The President determines the authorized enforcement body.
Turkmenistan has the weakest data protection framework among Central Asian states. No dedicated data protection authority exists, penalties are very low (120-150 EUR for administrative violations), and practical enforcement is essentially non-existent. No Central Asian state has acceded to Council of Europe Convention 108+.