Azerbaijan Personal Data Law: practical compliance guide
The 1998 law on personal data, modernized in 2010 and 2022, has real teeth — fines, registration duties, and localization obligations every operator must know.
Azerbaijan's Law on Personal Data (No. 998-IIQ) and accompanying Cabinet of Ministers Decision No. 49 establish a registration regime for personal data information systems. Any operator — public or private — that automates the processing of citizens' personal data must register the system with the Ministry of Digital Development and Transport before processing begins. The registry is publicly searchable and includes the purpose, categories of data, and retention period.
The law distinguishes ordinary personal data from special categories (race, religion, health, biometrics, criminal records). Special categories require explicit, documented consent and stronger safeguards. The 2022 amendments tightened consent requirements: consent must be specific, informed, and revocable. Pre-ticked boxes and bundled consents are no longer acceptable. Children under 14 cannot give valid consent themselves; a parent or guardian must.
Cross-border transfer is restricted. Data may flow only to countries that provide adequate protection, as determined by the regulator, or under specific lawful exceptions such as explicit consent or contract performance. Operators must keep transfer logs. Several sector regulations — for the financial sector under the Central Bank, for telecoms under AzInTelecom — add localization rules requiring at least the primary copy of customer data to remain on servers physically in Azerbaijan.
Penalties under the Code of Administrative Offences range from 1,500 AZN for missing registration up to 6,000 AZN for unlawful disclosure, with criminal liability under Article 156-1 of the Criminal Code for grievous breaches. Practical compliance steps: appoint a responsible person, register every processing system, document consent flows, run a yearly internal audit, and align retention to the documented purpose. Treat data minimization as the default — collect only what the registered purpose justifies.