Kyrgyzstan Law No. 129, New Data Privacy Legislation

Law of the Kyrgyz Republic of 20 July 2017 No. 129, also known as the Law on Personal Data for short, is an amended data privacy bill that was recently passed in Kyrgyzstan in 2017. Much like other personal data protection laws that have been passed in neighboring Central Asian countries in recent years, such as Tajikistan’s Law of 3 August 2018 No. 1537 on Personal Data Protection and Kazakhstan’s Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies, Kyrgyzstan’s Law on Personal Data sets forth the legal grounds upon which personal data may be collected and processed within the country, as well as the sanctions that can be imposed against individuals and organizations who fail to comply with the law.

How are data controllers and processors defined under Krygzstan’s Law on Personal Data?

Under Kyrgyzstan’s Law on Personal Data, a data controller is defined as “a holder (owner) of a personal data array, which includes state authorities, local governments, legal entities, and individuals having the authority to define the purposes, and categories of personal data, and to control collection, storage, processing, and use of personal data in accordance with the Law on Personal Data.” Alternatively, a data processor is defined as “an individual or legal entity, determined by the holder (owner) of personal data, responsible for processing personal data, based on a contract signed with the personal data holder/owner.” Furthermore, the law defines a data subject as “an individual to whom includes the relevant personal data.”

What are the requirements of data controllers and processors under Kyrgyzstan’s Law on Personal Data?

Under Kyrgyzstan’s Law on Personal Data, data controllers and processors who operate within the country must adhere to the following principles when processing personal data:

• Data controllers and processors are responsible for obtaining personal data directly from data subjects, or their attorneys.
• Data controllers and processors must ensure the confidentiality of all personal data they collect or process.
• Data controllers and processors must “ensure the safety and reliability of personal data and the regime of access to personal data.”
• Data controllers and processors must register their personal data arrays with the special register.
• Data controllers and processors must delete or block the personal data of a data subject, is such a request is made.
• Data controllers and processors must “prevent access of unauthorized persons to the equipment used for personal data processing.”
• Data controllers and processors must “ensure the security of data processing systems designed to transfer personal data, irrespective of the data (control of data transmission means).”
• Data controllers and processors must “prevent unauthorised recording of personal data, alteration, or destruction of stored personal data (entry control) and enable backdated determination of when, by whom and which personal data have been altered.”

What are the rights of data subjects under Krygzstan’s Law on Personal Data?

Under Kyrgyzstan’s Law on Personal Data, data subjects within the country have the following data protection rights:

• The right to access their personal data.
• The right to request the amendment of their personal data.
• The right to request the cancellation or deletion of their personal data.
• The right to object to or opt-out of data processing.
• The right “to submit complaints to the court against any violation of his/her rights under personal data regulations.”
• The right to seek compensation for losses and moral damages.

In terms of penalties related to non-compliance with the law, Kyrgyzstan’s Law on Personal Data is enforced through The Criminal Code of the Kyrgyz Republic No. 19 of 2 February 2017. To this end, data controllers and processors who fail to comply with the law are subject to a monetary penalty of KGS 7,500 ($101). However, although the Law on Personal Data Protection has been enacted, no responsible state authority has been established to the applicable penalties set forth in The Criminal Code of the Kyrgyz Republic No. 19 of 2 February 2017. As such, additional punishments related to non-compliance with the law are sure to be developed in the future.

With the passing of Krygzstan’s Law on Personal Data, the country of Kyrgyzstan effectively guaranteed the data privacy rights of their respective citizens. As such, citizens of Krygzstan can rest assured thath thier personal data is safeguarded from harm whenever they provide said data to a data controller or processor. While the penalties of the Law on Personal Data are not as steep or far reaching as those provided by other major international privacy policies, such as the European Union’s General Data Protection Regulation or GDPR, the provisions and rights set forth by the law nevertheless stand as a formidable means by which data subjects with the country can seek justice should their privacy be infringed upon.