DLA Piper Intelligence

Data Protection
Laws of the World

Law

Kyrgyzstan

The Law of the Kyrgyz Republic on Personal Data No.58 dated 14 April 2008 ('The Law on Personal Data')

Last modified 21 Jan 2019
Definitions

The Law on Personal Data provides that information recorded on a material carrier relating to a particular person, which identifies a specific person or which could be used to identify a specific person, directly or indirectly, by reference to one or more factors related to biological, economic, cultural, civil or social identity shall qualify as 'personal data'. 

Personal data include:

  • Biographical and identification data
  • Personal characteristics
  • Information on marital status
  • Financial status
  • Health data

There is no clear definition of Sensitive Personal Data. Under the provisions of the Law on Personal Data, all personal data is confidential. The Holder (Owner) of personal data (ie the data controller) and the data processor are obliged to ensure protection of personal data to prevent:

  • Unauthorized access
  • Blocking
  • Transmission
  • Accidental or unauthorized destruction, alteration or loss

They are also obliged to provide guarantees in respect of technical security measures and organizational measures regulating processing of personal data.

However, confidentiality of personal data does not apply in cases of anonymisation or at the request of the individual to whom the personal data relates.

Authority

No state authority has yet been appointed as the regulator in the field of data protection.

Registration

The Law on Personal Data obliges Holders (Owners) of Personal Data Arrays to register with the competent state authority. However, to the best of our knowledge, no Holder (Owner) of a Personal Data Array has been registered to date, in particular because no such regulator exists.

According to the Law on Personal Data, the following must be provided within the registration procedure:

  • Name and details of Holders (Owners) of Personal Data Arrays (ie data controller)
  • Purposes and procedures of collection and processing of personal data
  • Retention and terms of storage
  • List of collected personal data
  • Categories or groups of personal data bearers
  • Source of collection of personal data
  • Procedure for notifying data subjects of the collection and possible transfer of personal data
  • List of measures regarding the regime of confidentiality and safety of personal data
  • Authorized person responsible for working with personal data
  • Receiving party or category of receiving parties of personal data
  • Proposed transfer of personal data outside of the Kyrgyz Republic

Data Protection Officers

Under the Law on Personal Data, Holders (Owners) of personal data (ie data controllers) must indicate in their registration the name and contact details of the person responsible for the work with personal data. However, the Law on Personal Data does not contain any direct obligation to appoint a Data Protection Officer.

Collection & Processing

One of the basic principles of dealing with personal data is that personal data must be collected for accurately pre-defined, stated and legal purposes and must not be further processed in any manner incompatible with those purposes.

Processing of personal data is permitted in the following cases:

  • The data subject has given its consent
  • If it is necessary for public authorities or local authorities acting within their competence established by laws of the Kyrgyz Republic
  • If it is necessary to achieve the legitimate interests of Holders (Owners), when implementation of these interests does not preclude the exercise of rights and freedoms of data subjects with regard to the processing of personal data
  • When it is necessary to protect the interests of the data subject
  • If personal data are processed solely for the purposes of journalism or for the purpose of artistic or literary works

Transfer

The Law on Personal Data allows transfer of personal data both within the country and abroad.

Transfer of personal data within the Kyrgyz Republic

  • Data subject must be informed (in any form within a week)
  • Personal data may be transferred without consent of the data subject in the following cases:
    • Extreme necessity in order to protect the interests of the data subject
    • Upon request of state authorities or local authorities, if the requested list of personal data falls within the competence of the requesting authority
    • Under any other case established by laws of the Kyrgyz Republic

Transfer of personal data outside the Kyrgyz Republic

  • The cross-border transfer is carried out on the basis of an international treaty between the countries, under which the receiving party must provide adequate protection of the personal data
  • Consent of the data subject has been obtained, or
  • Personal data may be transferred to countries that do not provide an adequate level of protection, on certain conditions:
    • With consent of the data subject
    • If the transfer is necessary to protect the data subject's interests, or
    • If personal data are contained in the Public Personal Data database

When transferring personal data to the global information network (internet, etc), the Holder of the personal data (ie the data controller) transferring such data shall provide the necessary means of protection with regard to the confidentiality of the information being transferred.

Security

When processing personal data, the Holder (Owner) of personal data (data controller) and the processor shall:

  • Prevent access of unauthorized persons to the equipment used for personal data processing (access control)
  • Prevent unauthorized reading, copying, modification or removal of data media (control of data media use)
  • Prevent unauthorized recording of personal data and alteration or destruction of stored personal data (entry control) and enable backdated determination of when, by whom and which personal data have been altered
  • Ensure security of data processing systems, designed to transfer personal data irrespective of the data involved (control of data transmission means)
  • Ensure that each user of a data processing system has access only to the personal data which it is authorized to process (controlled access)
  • Enable backdated determination of when, by whom and which personal data have been entered into the data processing system (input control)
  • Prevent unauthorized reading, copying, alteration and destruction of personal data during the transmission and transportation of personal data (transport control)
  • Ensure the confidentiality of the information in the course of personal data processing

Breach Notification

If the Holder (Owner) of personal data (data controller) transfers the personal data to a third party without consent of the data subject, it must inform the data subject within a week.

Enforcement

Although the Law on Personal Data has been adopted, there is so far no enforcement practice for its provisions, since no responsible state authority has yet been appointed.

Electronic Marketing

Sending of electronic communications for advertising is generally subject to prior express consent of the recipient.

Online Privacy

The Law on Electrical and Postal Communication establishes that all databases of telecommunication operators must be confidential and that telecom operators are obliged to keep communication data confidential.

Contacts
Begaliev Kerim
Partner
Centil Law Firm
T +996 312 919780