The General Data Protection Regulation, or GDPR for short, which came into force in May 2018, is the European Union's strictest data protection law. The most important feature of this regulation is that it applies not only to European companies but to any company processing EU citizens' data, even if the company is located in Tashkent or Tokyo. The fine for violation can reach 4 percent of annual global turnover or 20 million euros, making GDPR compliance a serious matter for business.
Core principles of GDPR
GDPR establishes seven core principles for processing personal data. First is lawfulness, fairness, and transparency: the user must understand how and why their data is used. Second is purpose limitation: data is collected only for a specifically defined purpose. Third is data minimization: only the information actually needed for that purpose is collected. The remaining principles are accuracy, storage limitation, integrity and confidentiality, and accountability. Together these principles form a system that protects user rights.
User rights
GDPR grants users very strong rights, and companies are obliged to implement them. The right of access allows the user to find out what data about them the company stores. The right to rectification allows the user to have incorrect data corrected. The best-known right is the right to be forgotten, under which the user can demand the complete deletion of their data. There are also rights to data portability, to object to processing, and to protection from automated decision-making. All of these rights must be fulfilled within one month, free of charge.
DPO and DPIA
In many cases, GDPR requires the company to appoint a Data Protection Officer, or DPO. The DPO must be independent and report directly to senior management. For high-risk processing cases, a Data Protection Impact Assessment, or DPIA, is mandatory. The DPIA process evaluates the purposes of processing, its necessity and proportionality, identifies risks to users, and develops measures to mitigate them. The DPIA document is provided to the regulator during audits.
Sayt.uz practice
Sayt.uz has achieved full GDPR compliance for serving European clients. Users can export and delete their data through their personal account area, and this process takes an average of 18 hours. Hosting plans starting at 95,000 soums include a GDPR-compliant cookie banner and a privacy policy template. For corporate clients, the DPO consulting service starts at 2,400,000 soums and includes preparation of DPIA documents. In 2024, the system successfully processed 89 data deletion requests and 234 export requests.