27 July 2017
The President of Kyrgyzstan signed, on 21 July 2017, the Law on Amending the Law of the Kyrgyz Republic on Personal Information (‘the Law’), which reforms the regulation of the exchange, transfer and storage of personal data in information systems and significantly modernises the legislation with respect to electronic commerce. The Law forms part of the Taza Koom project, a national high-tech programme focusing on the use of information technology to serve citizens, improve public services and create better conditions for businesses.
Chynara Esengeldieva and Kymbat Ibakova, Managing Director and Senior Associate at Lorenz respectively, told DataGuidance, “The Law extends the scope of application of the Law of 14 April 2008 No. 58 on Personal Information, particularly with regard to the use of information technology. In particular, it was developed with a view to a more effective protection for data subjects. As such, the Law is generally in line with the framework of the Taza Koom project, which is currently being implemented by representatives of civil society, government agencies and private businesses.”
Under the Law, the information of data subjects can now be stored in a depersonalised format, subject to certain data security requirements. In particular, data holders and processors are required to implement, or ensure the implementation of, necessary legal, organisational and technical measures to protect data from a number of actions, including illegal or accidental access, change, blocking, copying, or unlawful distribution.
Since laws are being brought into compliance with the Taza Koom project, there are currently plans to prepare and issue guidance on data security
“The Law stipulates the duty of data holders or processors to maintain a record of personal data storage and ensure the restoration of modified or destroyed personal data resulting from illicit access,” Esengeldieva and Ibakova outlined. “Since laws are being brought into compliance with the Taza Koom project, the Government is currently planning to prepare and issue such guidance [on data security], although no statement has been made regarding its content and terms.”
Data holders involved in transferring information to third parties will also now need to account for these external transfers, and register the disclosure or transfer of information with the appropriate state bodies.
Esengeldieva and Ibakova highlighted, “Pursuant to the Law, a personal data holder, if requested, should provide a data subject with information related to the processing of his/her personal data, including a confirmation of the processing by the data holder; the legal grounds and objectives of the processing; the name and location of the data holder; the terms for the processing and storage; and executed or planned data transfers.”
The Law also includes a provision granting an authorised state body certain rights and functions, including the power to review citizens’ complaints and identify and address illegal activities.
Esengeldieva and Ibakova concluded, “Although, the Law foresees the creation of a supervisory authority, the Government has been silent on the appointment or identification of such an authority.”
Kaveh Lahooti | Privacy Analyst