The Constitution of the Kyrgyz Republic prohibits collection, storage, use and dissemination of confidential information, private life information is not allowed without consent confidential/private life information subject.
More detailed regulation of personal data may be found in the Law of the Kyrgyz Republic on Personal Data No.58 dated 14 April 2008 ('The Law on Personal Data'), which entered into force on 18 April 2008. The most recent amendments were made to the Law on Personal Data on 29 November 2021. These amendments states that rules of processing of personal data for purposes of protection of the rights of participants in criminal proceedings is determined by the Cabinet of Ministers of the Kyrgyz Republic.
The Law on Personal Data is directed at legal regulation of work with personal data based on the standard international norms and principles according to the Constitution of the Kyrgyz Republic and laws of the Kyrgyz Republic is necessary first of all for assuring human personal rights and freedoms relating to the personal data gathering, processing and use.
The Law on Personal Data regulates relations arising at work with personal data, irrespective of the applied information processing means, except the work realization with the personal data, with its further transfer to the third persons.
Additional requirements to collection, use and transfer of personal data can be found in the following normative-legal acts:
- Procedure for Obtaining Consent of Personal Data Subject on Collection and Processing of its Personal Data, the Procedure and Form of Notification of Personal Data Subject on Transfer of their Personal Data to a Third Party approved by the Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 # 759;
- Requirements for Ensuring the Security and Protection of Personal Data During their Processing in Personal Data Information Systems, the Implementation of Which Ensures the Established Levels of Protection of Personal Data approved by Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 # 760.
The most recent amendments were made to the Law on Personal Data on 12 July 2022. These amendments include that part 5 and 6 of article 6 are stated as follows:
- at the request of the subject of personal data, the mode of public access to information (bibliographic directories, telephone and address books, private announcements, etc.) can be established. Exceptions are cases when information must be public in cases of administration of justice and execution of a judicial act, as well as in cases provided for by the laws of the Kyrgyz Republic in the field of electronic governance, national security, countering terrorism and corruption, operational-search activities and other cases determined by laws of the Kyrgyz Republic.
- from the moment of state registration of the death of the subject of personal data, the person is assigned the status of "deceased". The personal data of the deceased subject are subject to archiving and storage.
The Law on Personal Data provides that information recorded on a material carrier relating to a particular person, which identifies a specific person or which could be used to identify a specific person, directly or indirectly, by reference to one or more factors related to biological, economic, cultural, civil or social identity shall qualify as 'personal data'.
Personal data include:
- Biographical and identification data
- Personal characteristics
- Information on marital status
- Financial status
- Health data
There is no clear definition of Sensitive Personal Data. Under the provisions of the Law on Personal Data, all personal data is confidential. It should be noted that the Holder (Owner) of personal data (ie the data controller) and the data processor are obliged to ensure protection of personal data to prevent:
- Unauthorized access
- As well as its accidental or unauthorized destruction
- Alteration or loss
- Provide guarantees in respect of technical security measures and organizational measures regulating processing of personal data
However, confidentiality of personal data does not apply in cases of anonymisation or on request of the individual to which the personal data relates.
The President of the Kyrgyz Republic by Decree No. 391 dated as of 14 September 2021 announced creation of the State Agency for Protection of Personal Data. However, currently neither regulations and by-laws of the new Agency have been adopted, nor authorized officer have been appointed.
The Law on Personal Data obliges Holders (Owners) of Personal Data Arrays to register with the competent state authority, however, to the best of our knowledge, none of Holders (Owners) of Personal Data Array has been registered to date, in particular, due to the fact that such regulator does not exist.
According to the Law on Personal Data within the registration procedure the following must be provided:
- Name and details of Holders (Owners) of Personal Data Arrays (ie data controller)
- Purposes and procedures of collection and processing of personal data
- Retention and terms of storage
- List of collected personal data
- Categories or groups of personal data bearers
- A source of collecting of personal data
- Procedure of notification of data subjects on collecting and possible transfer of personal data
- List of measures regarding the regime of confidentiality and safety of personal data
- Authorized person responsible for working with personal data
- Receiving party or category of receiving parties of personal data
- Proposed transfer of personal data outside of the Kyrgyz Republic
With regards to the registration obligation the procedure for registering holders (owners) of personal data arrays was approved.
Registration in the Register consists of three stages. During the first two stages, the holder fills in electronic forms to obtain a registration number in the Registry. During the third stage, the holder goes through the procedure for agreeing and registering lists of personal data for their collection, processing and storage as part of the implementation of their functions and purposes.
Registration of holders in the Register is carried out after authorization in the Register through the Unified Identification System through a cloud-based electronic signature of a legal entity. After filing the application, the holder receives a unique registration number in the Registry. Based on the results of registration in the Register, the holder receives the right to collect, process and store personal data in accordance with the legislation of the Kyrgyz Republic in the field of personal data.
 The procedure for registering holders (owners) of personal data arrays, personal data arrays and lists of personal data in the Register of holders (owners) of personal data arrays, as well as its maintenance and publication approved by Decree of the Cabinet of Ministers of the Kyrgyz Republic dated November 18, 2022 No. 638
Under the Law on Personal Data, Holders (Owners) of personal data (ie the data controller) must indicate in its registration the name and contact details of the person that is responsible for the work with personal data. However, the Law on Personal Data does not contain any direct obligations to appoint a Data Protection Officer.
One of the basic principles of dealing with personal data is that personal data must be collected for accurately pre-defined, stated and legal purposes and must not be further processed in any manner incompatible with those purposes.
Processing of personal data is permitted in the following cases:
- The data subject has given its consent
- If it is necessary for public authorities, local authorities within their competence established by laws of the Kyrgyz Republic
- If it is necessary to achieve the legitimate interests of Holders (Owners)
- When implementation of these interests does not preclude the exercise of rights and freedoms of data subjects with regard to the processing of personal data
- When it is necessary to protect the interests of the data subject
- If personal data are processed solely for the purposes of journalism or for the purpose of artistic or literary works
The Law on Personal Data allows transfer of personal data both within the country and abroad.
Transfer of personal data within the Kyrgyz Republic
- Data subject must be informed (in any form within a week)
- Personal data may be transferred without consent of the data subject in
the following cases:
- Extreme necessity in order to protect the interests of the data subject
- Upon request of state authorities, local authorities, if the requested list of personal data fall under the competence of the requesting authority
- Under any other case established by laws of the Kyrgyz Republic
Transfer of personal data outside the Kyrgyz Republic
- The cross-border transfer is carried out on the basis of an international treaty between the countries, under which the receiving party must provide adequate protection of the personal data
- Consent of the data subject has been obtained, or
- Personal data may be transferred to the countries that do not provide the adequate level of protection on certain conditions:
- With consent of the data subject
- If the transfer is necessary to protect the data subject's interests, or
- If personal data are contained in the Public Personal Data database
When transferring personal data to the global information network (internet, etc) the Holder of the personal data (ie the data controller) transferring such data, shall provide the necessary means of protection with regard to the confidentiality of the information being transferred.
When processing personal data the Holder (Owner) of personal data (data controller) and processor shall:
- Prevent access of unauthorized persons to the equipment used for personal data processing (access control)
- Prevent unauthorized reading, copying, modification or removal of data media (control of data media use)
- Prevent unauthorized recording of personal data and alteration or destruction of stored personal data (entry control) and enable backdated determination of when, by whom and which personal data have been altered
- Ensure security of data processing systems, designed to transfer personal data irrespective of the data involved (control of data transmission means)
- Ensure that each user of a data processing system has only has access to the personal data which it is authorized to process (controlled access)
- Enable backdated determination of when, by whom and which personal data have been entered into the data processing system (input control)
- Prevent unauthorized reading, copying, alteration and destruction of personal data during the transmission and transportation of personal data (transport control)
- Ensure the confidentiality of the information in the course of personal data processing
If the Holder (Owner) of personal data (data controller) transfers the personal data without consent of the data subject to a third party they must inform the data subject within a week.
Although the Law on Personal Data has been adopted, there is no enforcement practice of its provisions in place. However, since responsible agency has been appointed (State Agency for Protection of Personal Data), enforcement practice may change after the agency is fully operational.
Sending of electronic communications for advertising is generally subject to prior express consent of the recipient.
The Law on Electrical and Postal Communication establishes that all databases of telecommunication operators must be confidential and that telecom operators are obliged to keep communication data confidential.