Privacy Law in Kyrgyzstan

Kyrgyzstan's primary legislation governing personal data protection is the Law of the Kyrgyz Republic No. 58 "On Personal Information", enacted on April 14, 2008, and amended in 2017 and 2021. This law establishes a legal framework for the collection, processing, and protection of personal data, aiming to safeguard human and civil rights and freedoms.

📘 Key Provisions of the Law

1. Scope and Applicability

Coverage: Applies to all entities handling personal data, including state authorities, local governments, and legal entities, regardless of the processing method

Exemptions: Does not apply to personal data processing related to personal, family, or business affairs unless such processing violates the rights of data subjects

2. Definitions

Personal Information: Recorded information about an identified or identifiable individual, encompassing biographical, identification, financial, health, and other personal details

Personal Data Array: A structured collection of personal data, regardless of the medium (e.g., electronic databases, archives)

Data Subject: The individual to whom the personal data pertains

Data Holder (Owner): Entities authorized to determine the purposes and means of processing personal data

Data Processor: Entities processing personal data on behalf of the data holder

3. Principles of Personal Data Processing

Legality: Data must be processed lawfully and transparently

Purpose Limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes

Data Minimization: Only data necessary for the intended purpose should be collected

Accuracy: Data should be accurate and kept up to date

Storage Limitation: Data should not be kept longer than necessary for the purposes for which it was collected

Integrity and Confidentiality: Data should be processed in a manner that ensures its security

4. Conditions for Lawful Processing

Personal data processing is permitted under the following conditions:

Consent: The data subject has given explicit consent

Legal Obligation: Processing is necessary for compliance with a legal obligation

Legitimate Interests: Processing is necessary for the legitimate interests pursued by the data holder, provided these interests do not override the rights and freedoms of the data subject

Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

5. Rights of Data Subjects

Access: The right to obtain confirmation of whether personal data concerning them is being processed and, if so, access to that data

Rectification: The right to request correction of inaccurate or incomplete data

Erasure: The right to request deletion of data when it is no longer necessary for the purposes for which it was collected

Blocking: The right to request blocking of data if its accuracy is contested

Objection: The right to object to processing based on legitimate interests or public tasks

6. Cross-Border Data Transfers

Transfers of personal data to other countries are permitted if:

Adequate Protection: The receiving country ensures an adequate level of data protection

Consent: The data subject has consented to the transfer

Contractual Necessity: The transfer is necessary for the performance of a contract

Public Interest: The transfer is necessary for important public interest reasons

7. Data Security Measures

Data holders and processors are required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction.

8. Enforcement and Penalties

Violations of the law may result in administrative or legal actions, including fines or other penalties as determined by the legislation of the Kyrgyz Republic.

🛡️ Implementation and Oversight

The Authorized State Body is responsible for overseeing compliance with the personal data protection law, including:

Monitoring and ensuring that personal data processing activities adhere to legal requirements

Cooperating with international bodies on data protection matters

Maintaining a register of data holders and their personal data arrays

For more detailed information and guidance, you can refer to the official text of the law available on the Data Protection Authority's website.

 
