Mongolia: Law on Personal Data Protection enters into effect

On May 1, 2022, the Law of Mongolia on Protection of Personal Data (the Law on Personal Data Protection) entered into effect. In particular, the Law on Personal Data Protection repealed the Law of Mongolia on Personal Secrets (the Personal Secrets Law), and the Law of Mongolia on Data Transparency and Right to Data (the Data Transparency Law) ceased to be effective.

In addition, the following laws also entered into effect on May 1, 2022:

  • the Law of Mongolia on Cyber Security (the Cyber Security Law);
  • the Law of Mongolia on Electronic Signature (the Electronic Signature Law); and
  • the Law of Mongolia on Public Information Transparency (the Public Information Transparency Law).

Content

In particular, the Law on Personal Data Protection applies to individuals, legal entities, and non-legal entities, as well as authorities, in the collection, processing, use, and security of personal data. Likewise, the Law on Personal Data Protection provides definitions for terms including 'data controller,' 'processing,' 'personal data,' 'sensitive data,' 'biometric data,' and 'genetic data.'

The legal bases for processing personal data under the Law on Personal Data Protection include, among other things, the consent of the data subject, contracting with the data subject, individual and public interest, and the legitimate interests of the data controller.

In addition, the Law on Personal Data Protection outlines data subject rights, including the rights to be informed, to access, to rectification, to erasure, to object to or opt out of data processing, to data portability, and to file a complaint as a result of data processing. More specifically, data controllers' obligations under the Law on Personal Data Protection include keeping data processing records, conducting risk assessments for data security, notifying authorities in the event of a data breach, and concluding data controller and data processor contracts for the processing of personal data.

Regulatory authority

Notably, the National Human Rights Commission of Mongolia (NHRCM) is responsible for ensuring the implementation of the Law on Personal Data Protection, including investigating data processing activities where necessary. 

You can read the Law on Personal Data Protection here, the Law on Cyber Security here, the Law on Electronic Signature here, and the Public Information Transparency Law here, all only available in Mongolian.