March 2024

1. Governing Texts 

The Law of the Kyrgyz Republic of 14 April 2008 No. 58 on Personal Information as amended (only available in Kyrgyz here and Russian here) ('the Law on Personal Data') was adopted to govern personal data matters, on the basis of generally accepted international principles and standards in accordance with the Constitution of the Kyrgyz Republic (only available in Kyrgyz here and Russian here) ('the Constitution') and other laws of the Kyrgyz Republic. The Law on Personal Data ensures the protection of rights and freedoms related to the collection, processing, and use of personal data. 

1.1. Key acts, regulations, directives, bills

• the Law on Personal Data
• the Constitution
• the Procedure for obtaining the consent of the subject of personal data to the collection and processing of their personal data, the procedure and form for notifying subjects of personal data about the transfer of their personal data to a third party (approved by Decree of the Government of the Kyrgyz Republic of 21 November 2017 No. 759) (only available in Kyrgyz here and Russian here)
• requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the execution of which ensures the established levels of personal data security (to the Decree of the Government of the Kyrgyz Republic of 21 November 2017 No. 760) (only available in Kyrgyz here and Russian here);
• the Procedure of registration of holder (owner) of a personal data array, arrays of personal data, and lists  of personal data in Register of holders (owners) of a personal data array (approved by Decree of the Cabinet of Ministers of the Kyrgyz Republic of 18 November 2022 No.638) (only available in Kyrgyz here and Russian here)

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application 

2.1. Personal scope

The Law on Personal Data applies to relations that arise during work with personal information and covers all types of processing except the processing of personal information in connection with personal and family use.

2.2. Territorial scope

Not applicable.

2.3. Material scope

Please see the section on personal scope above.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The President of the Kyrgyz Republic by Decree of 14 September 2021 No. 391 (only available in Kyrgyz here and Russian here) announced the creation of the State Agency for Protection of Personal Data. The State Agency for Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic was registered on January 10, 2022, and as of now, the Agency is a Regulator for data protection.

3.2. Main powers, duties and responsibilities

The Cabinet of Ministers of the Kyrgyz Republic approved a Regulation on the State Agency for Protection of Personal Data on December 22, 2021, by Decree No. 325. 

According to the Regulation, the Agency is the state authority responsible for the development and realization of single state policy in the field of personal data with the functions of protection of the rights of personal data, registration of personal data holders (owners) of personal data arrays and maintaining of Register of holders (owners) of personal data arrays.

4. Key Definitions

Data controller: The Law on Personal Data defines 'data controller' as a 'holder (owner) of a personal data array', which includes state authorities, local governments, legal entities, and individuals having the authority to define the purposes, and categories of personal data, and to control collection, storage, processing, and use of personal data in accordance with the Law on Personal Data.

Data processor: Is an individual or legal entity, determined by the holder (owner) of personal data, responsible for processing personal data, based on a contract signed with the personal data holder/owner.

Personal data: The Law on Personal Data provides that information recorded on a material carrier about a particular person, identifiable by a specific person or which may be identified with a specific person, allowing the identification of that person, directly or indirectly, by reference to one or more factors related to biological, economic, cultural, civil, or social identity shall qualify as personal data. Personal data includes biographical and identification data, personal characteristics, information on marital status, financial status, health, etc.

Sensitive data: There is no clear definition of sensitive personal data. However, as follows from the provisions of the Law on Personal Data it is confidential. It shall be noted that the holder (owner) of a personal data array and the data processor, are obliged to ensure the protection of personal data to prevent unauthorized access, blocking, transmission, as well as its accidental or unauthorized destruction, alteration, or loss, and provide guarantees in respect of technical security measures as well as organizational measures regulating the processing of personal data.

Data subject: An individual to whom the relevant personal data relate.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymization: Not applicable.

Personal data array: Is any structured set of personal data of an indefinite number of subjects, regardless of the type of information carrier and means used for processing (archives, electronic databases, etc.).

Public personal data arrays: Means an array of personal data, access to which is not restricted by law and intended for general use (directories, telephone books, address books, etc.).

The Law on Personal Data also contains other definitions such as the recipient of personal data, collection, processing of personal data, actualization, blocking, destruction (erasure), among other things.

5. Legal Bases

5.1. Consent

The data subject of personal data independently decides whether to provide anyone with any of their personal data, and gives consent to their processing freely, consciously, and in a form that allows the confirmation of its receipt, except for the cases provided for in Article 15 of the Law on Personal Data. Personal data can be provided by the subject directly or through a proxy. 

The consent of the data subject must be expressed in a written form on paper or in the form of an electronic document signed in accordance with the legislation of the Kyrgyz Republic with an electronic signature.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

According to Article 21 of the Law on Personal Data:

• the owner of a personal data array and its processor is obliged to take the necessary legal, organizational and technical measures, and/or ensure their adoption to protect personal data from unauthorized or accidental access to them, modification, blocking, copying, providing, distributing personal data, and also from other illegal actions in relation to personal data;
• when processing personal data, the owner of a personal data array and its processor must:
  • prevent the access of unauthorized persons to the equipment used for the processing of personal data (access control);
  • prevent unauthorized reading, copying, changing, or removal of data carriers (control over the use of data carriers);
  • prevent unauthorized recording of personal data and the modification or destruction of recorded personal data (control over the recording) and ensure that it is possible to establish retroactively when, by whom, and what personal data was changed;
  • ensure the security of data processing systems intended for the transfer of personal data, regardless of the means of data transmission (control over the means of data transmission);
  • ensure that each user of the data processing system has access only to those personal data to the processing of which they have access (access control);
  • ensure that it is possible to establish retroactively when, by whom, and what personal data was entered into the data processing system (input control);
  • prevent unauthorized reading, copying, modification, and destruction of personal data during the transfer and transportation of personal data (transport control);
  • ensure the confidentiality of the information received during the processing of personal data; and
  • ensure compliance with the requirements established by the Government of the Kyrgyz Republic ('the Government') for the protection of personal data when processing them in personal data information systems, the implementation of which ensures the established levels of personal data security:
    • keep records of machine-based personal data carriers; and
    • ensure the recovery of personal data modified or destroyed as a result of unauthorized access to them.

7. Controller and Processor Obligations

The holder (owner) of the personal data array must:

• obtain the personal data directly from the owner or owner's attorney;
• ensure the confidentiality of personal data;
• engage with data processors who can provide guarantees on technical security of the data processing, while the holder of personal data may also be a data controller at the same time and in this case, the holder of personal data must guarantee technical security;
• ensure the safety and reliability of personal data and the regime of access to personal data;
• provide personal data within one week if such data is requested by the owner of the personal data bearer;
• register the personal data array with the special register; and
• block or delete personal data if such a request is received from the data subject.

When processing personal data, the data processor must:

• prevent access of unauthorized persons to the equipment used for personal data processing (access control);
• prevent unauthorized reading, copying, modification, or removal of data media (control of data media use);
• prevent unauthorized recording of personal data, alteration, or destruction of stored personal data (entry control), and enable backdated determination of when by whom, and which personal data have been altered;
• ensure the security of data processing systems designed to transfer personal data, irrespective of the data (control of data transmission means);
• ensure that each user of the data processing system has access only to the personal data it is authorized to process (controlled access);
• enable backdated determination of when, by whom, and which personal data has been entered into the data processing system (input control);
• prevent unauthorized reading, copying, alteration, and destruction of personal data during transmission and transportation (transport control); and
• ensure confidentiality of the information in the course of personal data processing.

7.1. Data processing notification

Registration

The Law on Personal Data obliges data controllers to register with the competent state authority, i.e.  State Agency for Protection of Personal Data. .

According to the Law on Personal Data within the registration procedure, the following must be provided:

• name of personal data array;
• name and requisites of holders (owners) of personal data arrays;
• purposes and procedures of collection and processing of personal data;
• regimes and terms of storage;
• list of collecting personal data;
• categories or groups of personal data bearers;
• a source of collecting personal data;
• the procedure of notification of personal data bearers on collecting and possible transfer of personal data;
• list of measures regarding the regime of confidentiality and safety of personal data;
• the authorized person responsible for the work with personal data;
• receiving party or category of receiving parties of personal data; and
• the proposed transfer of personal data outside of the Kyrgyz Republic.

Notification

The data controller, having transferred the personal data without the consent of the personal data bearer to the third party, must inform the personal data subject within one week.

Registration of data controller is available online on the website of the Regulator.

7.2. Data transfers

The Law on Personal Data allows transferring data both within the Kyrgyz Republic and abroad.

In addition, the personal data subject must be informed (in any form within one week) of the transfer.

Personal data may be transferred without the consent of the personal data subject in the following cases:

• extreme necessity in order to protect the interests of the personal data subject;
• upon request of state authorities or local authorities, if the requested list of personal data falls under the competence of the requesting authority; and
• other cases established by the laws of the Kyrgyz Republic.

Transfer of personal data outside of the Kyrgyz Republic

Cross-border data transfers are carried out on the basis of an international treaty between countries, under which the receiving party shall provide adequate protection for personal data.

Furthermore, personal data may be transferred to countries that do not provide an adequate level of protection, provided the following conditions are fulfilled:

• with the consent of the personal data bearer;
• if the transfer is necessary to protect the interests of the personal data bearer; and
• if personal data is contained in the public personal data array.

When transferring personal data to the global information network (internet, etc.) the holder of the personal data array transferring such data, must provide the necessary means of protection whilst maintaining the confidentiality of the information being transferred (Article 24 of the Law on Personal Data).

7.3. Data processing records

According to Article 17 of the Law on Personal Data, where the owner independently assumes the responsibility the owner of a personal data array must:

• receive personal data directly from the subject of personal data or its authorized representatives;
• ensure the confidentiality of personal data in the following cases stipulated by the legislation of the Kyrgyz Republic and determine the processor for the processing of personal data;
• submit guarantees in respect of technical safety measures and the organizational measures; and
• where the owner assumes the processing of personal data, sets up organizational and technical measures for such processing, and assumes the functions and responsibilities of a handler.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

The Law on Personal Data does not contain any direct obligations to appoint a data protection officer ('DPO').

However, according to the Law on Personal Data, holders (owners) of personal data arrays must indicate in a register the name and contact details of the person responsible for working with personal data.

7.6. Data breach notification

Not applicable.

7.7. Data retention

Article 27 of the Law on Personal Data indicates the main information about data retention:

• personal data should not be stored for longer than is necessary to fulfill the purposes of its collection;
• the retention period may be extended only in the interests of the personal data subject or if this is provided for by the legislation of the Kyrgyz Republic. Upon expiration of the storage period and achievement of the purposes of collection, personal data is subject to destruction within two weeks. Upon expiration of the storage period and achievement of the purposes of collection, personal data is subject to destruction within two weeks, depending on the significance of the personal data of certain subjects for historical, sociological, medical, and other purposes. The destruction of personal data is confirmed by the Law on Personal Data. For scientific purposes, instead of destroying personal data, it is permitted to anonymize such data by the owner of a personal data array in accordance with the procedure established by the Government;
• if a decision is made in accordance with the established procedure on the need to preserve personal data after the expiration of the storage period, to achieve the established goals of their collection, the holder (owner) of the personal data array is obliged to ensure the appropriate mode of storing personal data and notify the data subject about this. Certain personal data (personal files, metric books, etc.), after passing the practical need for them, may remain in permanent storage, acquiring the status of an archival document, or the status provided for by the legislation of the Kyrgyz Republic.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

The collection, accumulation, storage, and use of personal data that reveals racial or ethnic origin, nationality, political opinions, religious or philosophical beliefs, as well as those relating to the state of health and sexual inclinations, solely for the purpose of identifying these factors, is not allowed unless:

• the subject of personal data has given their consent to the communication and processing of such data; or
• the processing is necessary to protect the health and safety of the data subject, another person, or a relevant group of persons and it is not possible to obtain the consent of the personal data subject.

7.10. Controller and processor contracts

Data controllers and data processors' relationships must be managed by a civil service contract. General civil liability would apply to these relations.

8. Data Subject Rights

Data subjects have the following rights:

• access to personal data;
• the ability to request the amendment of personal data;
• deletion or cancellation of deletion of personal data;
• to submit complaints to the court against any violation of their rights under personal data regulations; and
• compensation of losses and moral damages.

The holder (owner) of a personal data array has the right to refuse the request of a data subject to block or delete their personal data in the following cases:

• if such a request to block or delete personal data is related to state secrets;
• if the personal data was received from an official detective search; or
• if the personal data subject has been arraigned on a criminal charge.

8.1. Right to be informed

Article 10 of the Law on Personal Data states the data subject of personal data has the right to know about the availability of personal data related to them and to have access to such data. The right of access may be restricted only in the cases provided for in Article 15 of the Law on Personal Data.

8.2. Right to access

Please refer to the section on the right to be informed above.

8.3. Right to rectification

Article 11 of the Law on Personal Data sets out that if there is cause to be justified for requesting changes to personal data, the data subject of personal data has the right to require the owner of the data to make changes to the data subject's personal data. Changes to personal data are made in accordance with the procedure established by Article 28 of the Law on Personal Data.

8.4. Right to erasure

Article 12 of the Law on Personal Data sets out that if the data subject of personal data reveals the inaccuracy of data held or disputes that the owner of the data is not entitled to take actions in relation to such data, then the data subject has the right to demand that the owner to block or delete this data. The blocking, deletion, and lifting of the blocking of personal data is carried out in accordance with Article 19 of this Law.

8.5. Right to object/opt-out

Article 13 of the Law on Personal Data sets out that if the data subject of personal data believes that illegal actions have been committed in relation to their personal data, they have the right to appeal against these actions in court.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Article 14 of the Law on Personal Data establishes the right to compensation for damages and/or compensation for non-pecuniary damage in court.

9. Penalties

Legislation in the Kyrgyz Republic provides liability for the violation of data protection regulations.

As mentioned above, the personal data subject has the right to indemnity and moral compensation.

The Criminal Code of the Kyrgyz Republic of 28 October 2021 No. 127 (only available in Russian here and Kyrgyz here) states that violation of the private life of an individual, in particular, illegal collection of data relating to private life for the purpose of dissemination without the consent of the data bearer entails public or works, and imposes a fine in the amount from KGS 20,000 (approx. $230) to KGS 50,000 (approx. $570).

The Code of Violations No. 128 of 28 October 2021 (available in Russian here) provides administrative liability for the violation of personal data protection as well as the illegal usage, unauthorized access, and transfer to a third party may result in a fine in the amount of KGS 20,000 (approx. $230)

The Kyrgyz Republic's legislation on personal data protection is still developing and requires significant improvements. The definition of personal data currently provided in the Law on Personal Data is rather broad and therefore may lead to various interpretations and disputes over what data can qualify as personal data and is open to interpretation by state authorities.

The scope of the Law on Personal Data is not quite clear, as it applies only to relations arising from working with information of a personal nature irrespective of the means used for the processing of this information, except for the cases of working with personal data for the purposes excluding their transfer to third parties.

9.1 Enforcement decisions

As specified previously, although the Law on Personal Data has been adopted, there has been no enforcement on its provision so far. However, since the Agency has been recently created, we expect enforcement decisions in the future.