Mongolia - Data Protection Overview

April 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

On December 17, 2021, the State Great Khural of Mongolia ('Parliament') adopted:

All of them came into force on May 1, 2022, repealing the Law of Mongolia on Personal Secrets ('the Personal Secrets Law'), enacted on April 21, 1995, and the Law of Mongolia on Data Transparency and Right to Data ('the Data Transparency Law'), enacted on June 16, 2011.

Other applicable laws include:

Law on Personal Data Protection

The Law on Personal Data Protection was adopted in order to substantially revise and reform the previous Personal Secrets Law, which did not fully comply with international standards, for example by failing to make the data controller or collector responsible for the protection of personal data. In addition, the Personal Secrets Law had only a limited scope of protection, did not regulate how to handle other data that can identify an individual, and effectively left individuals to protect their own data.

The Law on Personal Data Protection provides for the principles, grounds, and purposes for collecting, processing, and using personal data; the rights and obligations of both the data subject and the data controller; the powers and authority of the relevant authorities (including the National Human Rights Commission of Mongolia ('NHRCM') and the Ministry of Digital Development and Communications ('the Ministry')) in securing personal data; and regulations for the use of audio, video, and audio-video recording systems.

In summary, the terms and definitions adopted in the Law on Personal Data Protection are generally similar to those in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Parliament tried to make this law as progressive as possible by clearly establishing the rights and obligations of the data subject, data controller, and data processor in the collection, processing, and use of personal data, specifying the process for protecting the rights of the data subject in case of breaches or violations, determining the organizations with authority to protect the rights of the data subject, and clarifying the procedures for filing and resolving complaints. However, there remains a lack of regulation on the response measures to be taken when the rights and legal interests of the data subject are violated. For instance, although the Law on Personal Data Protection provides for notification of detected violations in data collection, processing, and use, only the data processor must notify the data controller, and the data controller then notifies the data subject, instead of allowing both of them to report a breach to the relevant authorities as soon as it is detected.

The Ministry was established by the Law on Amendment to the Government Law on November 12, 2021. With respect to personal data protection, it provides methodological assistance in the protection of personal data and has the general authority to approve technological security requirements and procedures for the processing of personal sensitive data, genetic and biometric data, to receive and register notifications submitted by data controllers about information system security breaches and cyber-attacks and to take necessary measures accordingly.

The Cyber Security Law

The Cyber Security Law is another important law related to ensuring the integrity, confidentiality, and accessibility of data in the cyber environment. With the adoption of the law, a system and legal framework for ensuring cybersecurity have been formed; the rights and obligations of citizens, legal entities, and government organizations regarding cybersecurity have become clearer; and activities to ensure cybersecurity, conduct cybersecurity risk assessments, audit and monitor data security, and provide integrated management and arrangement have been brought into force.

The key provisions and developments under the Cyber Security Law are:

  • legal entities providing information technology services in the field of information processing, storage, distribution, and electronic computing, and ensuring their normal functioning through a shared information system in the cyber environment, are defined and have obligations to:
    • approve internal procedures for ensuring cybersecurity;
    • immediately report a cyber-attack to the respective center for combating cyber-attacks and breaches and seek assistance if it cannot be stopped;
    • keep information system operation records for the period specified in the common cybersecurity regulation;
    • obtain professional and methodological assistance from relevant government organizations and cooperate with them in the activities of ensuring cybersecurity;
    • have a unit or an official responsible for ensuring cybersecurity;
    • perform a cybersecurity risk assessment every two years, and whenever the conditions and situations specified in the relevant regulations arise, and take necessary measures;
    • conduct an information security audit every year, and whenever the conditions and situations specified in the relevant regulations arise, and take necessary measures according to the findings, recommendations, and requirements issued;
    • conduct relevant cybersecurity checks for newly introduced IT products and services and for their changes and updates; and
    • notify users affected by cyber-attacks and violations immediately; and
  • other legal entities have obligations to:
    • follow common procedures for ensuring cyber security;
    • report cyber-attacks and breaches to the respective center for combating cyber-attacks and breaches;
    • follow the recommendations and fulfil the requirements set by the authorized organization; and
    • exercise other rights and fulfil other obligations provided by law.

Various key businesses or operations whose malfunction could harm the national security, society, or economy of Mongolia as a result of a loss of cybersecurity are defined as 'organizations with critical information infrastructure', and the types of activities of these organizations are defined under the law (Article 4.1.12 of the Cyber Security Law). A list of these organizations was approved by the Government of Mongolia ('the Government') (only available in Mongolian here).

The Government approved the National Strategy on Cyber Security on December 28, 2022 (only available in Mongolian here). The purpose of the strategy is, among others, to improve the legal framework for cyber security, create a unified management system, improve human resource capabilities, and develop external and internal cooperation to ensure information security, privacy, and access to information in the cyber environment at the national level. Also, the Government approved the Common Regulation on Ensuring Cyber Security, Prevention, Detection, and Response as required under this law on June 7, 2023 (only available in Mongolian here). State-owned legal entities, legal entities providing services in the field of information technology through shared information systems in the cyber environment, as well as organizations with critical information infrastructure are required to have their own internal regulations for ensuring cyber security in accordance with the common regulation adopted by the Government.

Further, as required under the Cyber Security Law, the Regulation on Registration of Information Security Auditors and Auditing was adopted by the Ministry on August 18, 2023 (only available in Mongolian here). As of now, the Regulation on Conducting Cybersecurity Risk Assessments is still being drafted by the Ministry. In accordance with the Cyber Security Law, only entities registered with the Ministry are allowed to conduct information security risk assessments and audits. Generally, the General Intelligence Authority is the main body tasked with conducting risk assessments and audits of organizations connected to state-owned information systems or networks and of organizations with critical information infrastructure, and it may delegate this authority to entities registered with the Ministry.

With the adoption of the Cyber Security Law, the legal framework and requirements have been established for the formation of several bodies in charge of different aspects of cybersecurity, notably the Cyber Security Council, which will provide integrated management and organization of cybersecurity activities and supervise the exchange of information and data. The Cyber Security Council consists of the Prime Minister as chairman, the Minister of Digital Development and Communications as deputy chairman, and the Director of the General Intelligence Agency. The Cyber Security Council has a Secretariat office.

In connection with the adoption of the Cyber Security Law, the terms, elements, and concepts of crimes in Chapter 26 of the Criminal Code were amended in accordance with the UN Budapest Convention on Cybercrime 2001, and liability for violations of the Cyber Security Law was added to the Criminal Code and the Minor Offences Law.

In connection with the implementation of the Cyber Security Law, the Ministry, in cooperation with the International Telecommunication Union, conducted a study on the readiness of the Ministry to establish a Center for Combating Electronic Attacks and Violations. As a result, the National Center against Cyber-Attacks and Violations ('the National Center') was established by Government Resolution No. 318 dated August 30, 2023 (only available in Mongolian here). The National Center works under the General Intelligence Agency of Mongolia and is responsible for coordinating the activities of centers against cyber-attacks and violations nationwide and for providing professional and methodological assistance.

Further, in order to improve the capabilities of cybersecurity personnel, Computer Security Incident Response Team ('CSIRT') training was held online, and an agreement was reached with the Japan International Cooperation Agency to implement a project to train teachers and improve the skills of qualified staff in ensuring information security. Accordingly, the 'Public Center against Cyber-Attacks and Violations' State Budget Enterprise ('the Public CSIRT/CC') was established by Government Resolution No. 319 dated August 30, 2023 (only available in Mongolian here). The Public CSIRT/CC works under the Ministry and is responsible for providing recommendations on the security of the information systems and networks of citizens, legal entities, and private sector organizations with critical information infrastructure; for receiving, investigating, and resolving reports from citizens and legal entities about cyber-attacks and violations; and for receiving reports on information security audits and cybersecurity risk assessments.

Electronic Signatures Law

The Electronic Signatures Law was adopted to supersede, revise, and repeal the previous Law on Electronic Signatures, enacted on December 15, 2011 ('the 2011 Electronic Signatures Law').

The Electronic Signatures Law regulates the use of electronic signatures for information that is transferred in electronic form using an information system, or created, sent, received, stored, or accessible in the electronic environment. An electronic signature is broadly defined as electronic data attached to or combined with electronic information or documents in order to identify the person who signed them or used an electronic seal. Electronic signatures can take any form, including digital signatures. Like the 2011 Electronic Signatures Law, the Electronic Signatures Law focuses mainly on the digital signature and electronic seal, together with certain regulations and requirements for private and public keys, signing means or devices, and time recording applicable to electronic signatures, in order to ensure the authenticity and confidentiality of electronic signatures.

Generally, under the law, any person who has reached the age of 16 years can use a digital signature based on a certificate issued by an authorized and licensed entity. Subject to further extension, the certificate is valid for five years for Mongolian citizens and legal entities, and up to three years for foreign citizens and stateless persons. The digital signature issued to legal entities takes the form of an electronic seal.

It is emphasized that the adoption of the Electronic Signatures Law became an important reform to move away from paper-based use by improving the conditions for the transfer and exchange of information between people, legal entities, and government organizations using electronic signatures, and increasing the number of agreements and deals made in electronic form.

Constitutional provisions

Article 16.13 of the Constitution of Mongolia, enacted on January 13, 1992 (only available in Mongolian here) ('the Constitution') provides that the personal, family, and correspondence privacy of a citizen must be protected by law, and Article 16.17 of the Constitution provides that the safety of an entity and individuals' secrets must be protected by adopting laws.

Public sector data protection laws

The State Secrets Law is the principal regulation on public sector data protection. The State Secrets Law provides that a state secret means data that is considered a state secret under Mongolian law, the disclosure or loss of which is harmful to national security and interests, and which is protected by the state. An official secret is further defined as data that is protected by the state and the disclosure or loss of which is harmful to the interests of government bodies and other legal entities.

The State Secrets Law applies to Mongolian government bodies, officials, and citizens (Article 3.1 of the State Secrets Law). Foreign nationals and stateless persons are obliged to follow the State Secrets Law if state and official secrets are disclosed to them (Article 3.2 of the State Secrets Law). Unless otherwise provided in international conventions, the state secrets of foreign countries are also protected under this law. The State Secrets Law lists the types of data covered, which generally relate to national security, criminal procedure, the military, and intelligence authorities, and state and official secrets are divided into three categories depending on the level of harm to the state and to legal and natural persons in case the relevant data is disclosed.

As of 2024, the State Secrets Law has been amended several times since its adoption, and the most notable amendments are the following:

  • four more types of data fall under the term 'state secret', namely, data on witness confidentiality, data on security arrangements, data relating to armed forces expenditures, and data about the location and protection of currency reserves;
  • the Minor Offences Law shall apply when persons, legal entities, and officials neglect to respond to an authorized notice, order, or official proposal given by an intelligence agency; and
  • the payment of a penalty under the Minor Offences Law shall not absolve the offender from its obligation to remedy the offense and compensate for losses caused by it.

Financial sector

  • The Banking Law of Mongolia, enacted on January 28, 2010 (available in Mongolian here) ('the Banking Law'). The Banking Law provides the general regulatory framework for carrying out banking activities and offering banking-related services in Mongolia. As regards data protection, the Banking Law prohibits shareholders, the chairman, members of the board of directors, the executive director, and officers of a bank from releasing or disclosing to others or using any data which is considered by the bank, its customers, or third parties as confidential, with certain exceptions.
  • The Law of Mongolia on Insurance, enacted on April 30, 2004 (available in Mongolian here) ('the Insurance Law'). The Insurance Law provides that the data, or documents of an insured must not be disclosed except for circumstances permitted under the laws of Mongolia.
  • The Law of Mongolia on Audit, enacted on June 19, 2015 (available in Mongolian here).

Health and Pharma Sector

  • The Law of Mongolia on Health, enacted on May 5, 2011 (available in Mongolian here) ('the Health Law');
  • The Regulation on the Collection, Processing, Use, Storing, and Security of Health Information, approved by Government Resolution No. 100 on March 6, 2024 (only available in Mongolian here) ('the Health Information Regulation'); and
  • The Regulation on Medical Ethics of Hospital Personnel, approved by the Minister of Health Resolution No. A/406 on 4, 2019 (only available in Mongolian here) ('the Regulation on Medical Ethics').

The Health Law states that individuals have the right to have their privacy and confidential data protected from third parties. Under the Health Law, citizens, enterprises, and organizations are prohibited from demanding that healthcare institutions and medical professionals provide information about a client's health, including the diagnosis, conclusions, medical examination, and treatment, without the consent of the client, their family, or an authorized organization. The Health Law was amended on January 12, 2024 to provide specific regulations on health information, including the requirement to be connected to the main state information exchange system when using software to exchange information with persons and legal entities other than health institutions.

Health-related secrets are also protected by the Law on Personal Data Protection. With the approval of the Health Information Regulation, special regulations were created for the collection, processing, and use of health information, as well as ensuring the security of health information. The Health Information Regulation provides for the use of the Unified Health Information Database through the Information Exchange System of the Health Sector. Accordingly, in cases where health information is transmitted through this system, notifications should be delivered to the information subject. Further, the Regulation on Medical Ethics provides fundamental principles concerning the personal secrets of the patients or customers of the hospital.

Telecommunication sector

The Law of Mongolia on Communications, enacted on October 18, 2001 (available in Mongolian here) ('the Communications Law') is the principal legislation regulating the telecommunications sector. The Communications Law sets out the authority of the Communications Regulatory Commission ('CRC') and states that the CRC is, among others, authorized to revoke the license of licensed entities in the telecommunications sector that disclose secrets of communication and correspondence.

In connection with the adoption of the Cyber Security Law, the Communications Law has been amended to classify special use networks to be operated for the needs of the national and local governmental organizations for the defense and security of Mongolia, disaster prevention, crime prevention, social order maintenance, and the needs of the state and local government organizations into the 'special use communication networks' and 'state integrated information networks'. The special use network will be under the protection of the state, and the Regulation on the Establishment and Use of the Special Use Network was approved by the Government on January 31, 2018 (only available in Mongolian here).

1.2. Guidelines

As mentioned above, the Ministry is the main authority to establish the requirements, regulations, and guidelines for data security, evaluation instructions, and storage.

The NHRCM will carry out functions such as raising public awareness and providing directions and recommendations to relevant organizations regarding the collection, processing, use, and protection of personal sensitive data.

1.3. Case law

As precedent is not considered to be a source of law in Mongolia, the courts in the modern Mongolian legal system play no formal role in law creation. Judges are only to apply the law, not create it. Decisions issued by the various courts do not create a precedent, and there is no concept of stare decisis. Whilst judicial decisions of the Supreme Court of Mongolia are binding upon all courts and other persons for the particular purpose of that case, they have no further effect on legislation. Therefore, their decisions do not become law in a general sense.

2. Scope of Application

2.1. Personal scope

The Law on Personal Data Protection applies to individuals, legal entities, and non-legal entities, as well as public authorities, in the collection, processing, use, and security of personal data (Article 3.1 of the Law on Personal Data Protection). The law also applies to the collection, processing, use, and security of personal data with the help of technical tools and software (Article 3.2 of the Law on Personal Data Protection).

2.2. Territorial scope

The Law on Personal Data Protection applies to the Mongolian territory.

2.3. Material scope

Please refer to sections 1.1, 4, and 5 for the data processing and categorization of personal data and the use of personal data.

The Law on Personal Data Protection does not apply to the following relations and cases (Article 3.3 of the Law on Personal Data Protection):

  • a person collecting, processing, using, and ensuring the security of personal data relating to themselves or their family members without violating such persons' right to freedom;
  • a person placing audio, video, and audio-visual recording devices for the purpose of protecting movable and immovable property they own, possess, or use, or protecting the life and health of the person or their family members;
  • a person using their biometric data for the purpose of protecting and storing movable and immovable property they own, possess, or use; and
  • disclosure of information to the public as required by law.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The NHRCM and the Ministry are the main regulatory authorities for ensuring the implementation of the Law on Personal Data Protection.

The NHRCM has the following responsibilities under the Law on Personal Data Protection (Article 24 of the Law on Personal Data Protection):

  • to monitor the implementation of the legislation on the protection of personal data, to organize public awareness and advocacy activities, to submit recommendations and requirements to relevant organizations in this regard, and to comment on relevant regulations;
  • to receive and investigate or resolve complaints and information, or to act on its own initiative, where it considers that human rights and freedoms protected by the Law on Personal Data Protection have been or may be infringed in the course of collecting, processing, using, and protecting information, and to submit recommendations and requirements to the relevant authorities on this issue;
  • to provide legal assistance to relevant organizations in the field of collection, processing, use, and protection of sensitive data;
  • to receive and review the records submitted by the data controller on the violations detected in the collection, processing, and use of information and the measures taken to eliminate its negative consequences, and make recommendations on further issues to be considered;
  • to make recommendations for the purpose of preventing violations of human rights and freedoms in the process of collecting, processing, and using information using electronic processing technology in accordance with Article 23 of the Law on Personal Data Protection; and
  • to include information on personal data protection activities, violations, and the implementation of personal data rights in the report on human rights and freedoms in Mongolia.

3.2. Main powers, duties and responsibilities

The Ministry shall exercise the following powers (Article 25 of the Law on Personal Data Protection):

  • ensure the implementation of the legislation on the protection of personal data, inform the public, cooperate with relevant organizations, and provide professional and methodological assistance;
  • approve technological safety requirements and procedures to be followed in processing sensitive data, biometric and genetic information; and
  • receive and register notifications submitted by the data controller on security breaches of, and cyber-attacks affecting, the information system used for collecting, processing, and using information, and take necessary measures immediately.

Other state authorities

The state authorities shall monitor the collection, processing, and use of personal data by the data controller within the scope of their functions specified in each sectoral law.

Health care

The Ministry of Health is in charge of adopting regulations in respect of the health and operations of health organizations including but not limited to:

  • organizing the performance and enforcement of the decisions of the Government and legislation with respect to health;
  • guiding and monitoring the operation of health organizations of the Capital City and Aimag; and
  • other functions provided by the Health Law.

The Ministry of Health also has the power to grant permission to medical institutions and the Minister of Health grants licenses to medical practitioners. Therefore, in case medical organizations or practitioners are in breach of any laws or regulations, the relevant complaints are submitted to the Ministry of Health. The Ethics Committee implements the Regulation on Medical Ethics under which practitioners are obliged to keep a patient's secrets confidential. Therefore, the Ethics Committee plays an important role in the data protection process by medical practitioners.

The State Specialized Inspection Agency is authorized to monitor organizations in the health sector, including whether they meet sanitary and other standards.

Telecommunications

The CRC has the right to monitor telecommunications companies and implement the majority of the Communications Law. The CRC is obliged to ensure that telecommunications companies keep the confidentiality of the people's communications.

4. Key Definitions

Data controller/data processor: is defined as a person, legal entity, or organization that collects, processes, and uses data in accordance with the law, or with the consent of the data subject (Article 4.1.8 of the Law on Personal Data Protection).

Personal data: is defined as the sensitive data of a person and the names of a person's parents, their own name, date of birth, place of birth, residential address and location, civil registration number, assets, education, memberships, electronic identifiers, and other data that directly or indirectly identifies, or could identify, a person (Article 4.1.11 of the Law on Personal Data Protection).

Sensitive data: is defined as data about a person's origin, race, religion, belief, health, communication, genetic and biometric data, the private key of a digital signature, conviction status, sexual and gender orientation and expression, and sexuality. Among this sensitive data, data about health, genetic and biometric data, communication, private keys of digital signatures, sexual and gender orientation and expression, and sexuality are classified as 'personal secrets' (Article 4.1.12 of the Law on Personal Data Protection).

Health data: is defined as information about a person's physical and mental health and health care and services received (Article 4.1.15 of the Law on Personal Data Protection).

Biometric data: is defined as non-overlapping physical data related to the human body such as fingerprints, iris, face, voice, and physical characteristics that can be identified with the help of equipment, hardware, and software (Article 4.1.1 of the Law on Personal Data Protection).

Pseudonymization: is not defined under the Law on Personal Data Protection.

Data Processing: is described as the operations of classifying, storing, analyzing, changing, deleting, and restoring data, and their aggregates, under the Public Information Transparency Law (only available in Mongolian here) (Article 4.1.4 of the Law on Public Information Transparency).

Data Subject: the 'owner of the information' is defined as the person identified by personal data; for citizens without civil legal capacity or with limited civil legal capacity and, unless otherwise specified in the Civil Code, for citizens with partial civil legal capacity, it means their authorized legal representative (Article 4.1.5 of the Law on Personal Data Protection).

Communication/correspondence data: is defined as data exchanged using letters, parcels, telecommunications, and information technology (Article 4.1.4 of the Law on Personal Data Protection).

Assets/property data: is described as data about assets owned, held, or used by the data subject (i.e., genuine owner of the data) (Article 4.1.10 of the Law on Personal Data Protection).

Genetics data: is defined as unique data about the physical, health, or inherited genetic characteristics of a person determined by the analysis of a biological sample (Article 4.1.2 of the Law on Personal Data Protection).

Inside data: is defined as data that is not publicly available and that may influence the price of a security; analysis made on the basis of publicly available data is not considered inside data, even though it could appreciably influence the price or trading volume of a security (the Securities Market Law of Mongolia 2013 (available in Mongolian here) ('the Securities Market Law')).

5. Legal Bases

5.1. Consent

Personal data may not be collected, processed, or used by any person for purposes other than those specifically stated in the law, unless permitted by the data subject, or unless the data subject is acquiring health services or liaising with certain governmental authorities (Article 9.2 of the Law on Personal Data Protection). Consent from the data subject is necessary in most cases of collecting, processing, and using personal data, including for the purpose of creating historical, scientific, artistic, and literary works, for the preparation of statistics in a way that makes it impossible to identify individuals (Article 6.2.5 of the Law on Personal Data Protection), and for journalism purposes, provided that personal secrets may not be collected, used, or processed for the purposes of journalism (Article 12 of the Law on Personal Data Protection).

A data controller shall present the following conditions to the data subject as a request for obtaining permission (Article 8.2 of the Law on Personal Data Protection):

  • a clear and comprehensive statement of the purpose of collecting, processing, and using the data;
  • the name and contact information of the data controller;
  • a list of the data required to be collected, processed, and used;
  • the period of data processing and use;
  • whether the data will be made public;
  • whether the data will be transferred to others, and if so, the recipients of the transfer and the list of data to be transferred; and
  • a form for withdrawal of consent.

The data subject shall give written consent to the data controller, and this consent must be in paper or electronic form (Article 8.3 of the Law on Personal Data Protection). Consent in electronic form must be provided by means specified in the law or acceptable to the data subject provided that the data subject is identified and verified in the cyber environment (Article 8.4 of the Law on Personal Data Protection).

Non-response by the data subject to a request for consent to data collection, the expiry of the time limit for responding or consenting, or the passing of a reasonable time does not constitute consent to the collection of the data (Article 8.6 of the Law on Personal Data Protection). If a data controller processes or uses the data for a purpose other than the one for which the initial consent was obtained, it must obtain fresh consent from the data subject (Article 8.10 of the Law on Personal Data Protection).

5.2. Contract with the data subject

Under the Law on Personal Data Protection, the contract with the data subject is not necessary as long as the consent to collect, process, and use data is obtained as specified in the same law.

5.3. Legal obligations

Data controllers (legal entities other than state authorities, non-legal entities, and individuals) may collect, process, and use the information:

  • with the consent of the data subject (Article 6.1.1 of the Law on Personal Data Protection);
  • on grounds specified by law (Article 6.1.2 of the Law on Personal Data Protection);
  • to exercise the rights and fulfil the obligations in employment relations by the data controller in cases provided by law (Article 6.1.3 of the Law on Personal Data Protection);
  • to execute contracts and ensure the implementation of executed contracts (Article 6.1.4 of the Law on Personal Data Protection);
  • made public in accordance with the law (Article 7.1.2 of the Law on Personal Data Protection); and
  • to create historical, academic, artistic, and literary works and prepare open data and statistical information by making it impossible to identify a person (Article 7.1.3 of the Law on Personal Data Protection).

5.4. Interests of the data subject

Government authorities, among data controllers, may collect and process information to prevent damage to the life, body, rights, freedom, and property of the owner of that information, and to protect their rights and legal interests (Article 6.2.3 of the Law on Personal Data Protection).

5.5. Public interest

Governmental authorities as data controllers may collect and process information:

  • with the consent of the data subject (Article 6.1.1 of the Law on Personal Data Protection);
  • on grounds specified by law (Article 6.1.2 of the Law on Personal Data Protection);
  • to exercise the rights and fulfill the obligations in employment relations by the data controller in cases provided by law (Article 6.1.3 of the Law on Personal Data Protection);
  • to execute contracts and ensure the implementation of executed contracts (Article 6.1.4 of the Law on Personal Data Protection);
  • to fulfill obligations under the international treaties of Mongolia (Article 6.1.5 of the Law on Personal Data Protection); and
  • to exercise the functions provided by law without affecting the rights and legitimate interests of the data subject (Article 6.1.6 of the Law on Personal Data Protection).

Governmental authorities as data controllers may use information:

  • with the consent of the data subject (Article 6.2.1 of the Law on Personal Data Protection);
  • on grounds specified by law (Article 6.2.2 of the Law on Personal Data Protection);
  • to prevent damage to the life, body, rights, freedom, and property of the data subject, and protect its rights and legitimate interests (Article 6.2.3 of the Law on Personal Data Protection);
  • to prevent damage to the rights and legal interests of others (Article 6.2.4 of the Law on Personal Data Protection); and
  • to create historical, scientific, artistic, and literary works and prepare statistical data, making it impossible to identify a person (Article 6.2.5 of the Law on Personal Data Protection).

5.6. Legitimate interests of the data controller

Save for the statutory obligations, the Law on Personal Data Protection is silent as to the legitimate interest and right of the data controller. The data controller may transfer its rights and obligations to collect and process personal data to a data processor under a contract.

5.7. Legal bases in other instances

Employment

Personal data may be collected and processed in the course of labor relations where the employer exercises its rights and fulfils its obligations. With the consent of the employee, an employer may use their biometric data, other than non-overlapping physical data (fingerprints), to facilitate the identification and verification of the employee in accordance with the internal labor regulations established under the Labor Law. Employers are prohibited from modifying such personal data or transferring it to others (Article 10.2 of the Law on Personal Data Protection).

More generally, a data controller may collect, process, and use data to exercise its rights and fulfil its obligations in employment relations in cases provided by law (Article 6.1.3 of the Law on Personal Data Protection), or to conclude a contract and ensure its implementation (Article 6.1.4 of the Law on Personal Data Protection).

Genetic and biometric data

Genetic and biometric data may only be collected, processed, or used by competent governmental authorities for their specific purposes, including maintaining individual registration and elector registration, identifying and verifying foreign citizens at the border, and fighting and preventing crimes and offenses, and by employers for identifying and verifying employees with their consent (other than non-overlapping physical data, including fingerprints) (Article 10 of the Law on Personal Data Protection). No person or legal entity may collect or use biometric or genetic data without the data subject's consent unless the law specifically allows them to do so (Article 9.2 of the Law on Personal Data Protection).

Other 

Legal entities, individuals, and non-legal entities may collect and process personal data that are disclosed to the public in accordance with the law (Article 7.1.2 of the Law on Personal Data Protection). Legal entities, individuals, and non-legal entities may also collect and process anonymized personal data to create historical, scientific, artistic, and literary works and prepare anonymized statistical information (Article 7.1.3 of the Law on Personal Data Protection).

6. Principles

Under the Law on Personal Data Protection, the following principles shall be followed in the collection, processing, and use of data (Article 5 of the Law on Personal Data Protection):

  • refrain from violating human rights and freedom;
  • respect human rights and legal interests;
  • refrain from discrimination;
  • collect, process, and use data on the basis of the law or with the consent of the data subject;
  • ensure data security; and
  • ensure the accuracy and completeness of the data.

7. Controller and Processor Obligations

Breach of duties, instructions, and tasks on the part of the data processor shall not be grounds for releasing the data controller from its obligations and responsibilities towards the data subject (Article 19.5 of the Law on Personal Data Protection).

In addition, data controllers must:

  • adopt and implement internal regulations for ensuring data security in accordance with the requirements issued by the Ministry (Article 20.1.1 of the Law on Personal Data Protection);
  • develop measures to be taken in the event of data loss and a plan to deliver notice to the data subject and the relevant governmental organization in accordance with law (Article 20.1.2 of the Law on Personal Data Protection);
  • take all measures to ensure the integrity, confidentiality, and accessibility of the data system used for data collection, processing, and use (Article 20.1.3 of the Law on Personal Data Protection);
  • approve and implement regulations and instructions on restricting the use of data, deleting data, and making it impossible to identify the data subject (Article 20.1.4 of the Law on Personal Data Protection);
  • carry out an assessment to ensure the security of data processing operations (Article 20.1.5 of the Law on Personal Data Protection).

For its part, the data processor must notify the data controller as soon as it becomes aware of any violation detected during data collection and processing (Article 22.1 of the Law on Personal Data Protection).

If data is to be collected, processed, and used via electronic processing technology without the participation of the data controller (Article 23.1 of the Law on Personal Data Protection), for the purpose of making decisions that would affect the rights, freedom, and legal interests of the data subject, or in the case of permanent processing of sensitive data, the data processor shall carry out an advance assessment in accordance with the methodology approved by the Ministry and submit it to the NHRCM for its recommendation. The Law on Personal Data Protection has also expanded the powers of the NHRCM on data protection: it receives and investigates information and complaints submitted in this regard and issues requirements and recommendations to the relevant authorities and companies.

7.1. Data processing notification

In order to process, collect, and use the personal data, the data controller should obtain the consent of the data subject (Article 8.2 of the Law on Personal Data Protection). The data controller is also responsible for providing information on the processing and use of data upon the request of the data subject (Article 18.2.8 of the Law on Personal Data Protection).

The data controller should immediately notify the data subject in the following cases:

  • the data subject's sensitive data has been used;
  • the data has been processed, or the processed data has been transferred to a third party, on grounds or for purposes other than those to which the data subject consented; or
  • the conditions specified in the consent form have changed since the data subject's data was collected (Article 21.1 of the Law on Personal Data Protection).

In cases other than those listed above, the data controller may send a notice to the data subject when collecting, processing, and using their personal data (Article 21.2 of the Law on Personal Data Protection).

7.2. Data transfers

The Law on Personal Data Protection does not regulate cross-border data transfers in detail. However, it is prohibited to transfer data to a person, legal entity, or international organization in a foreign country, except as provided by law and the international treaties of Mongolia, or unless the data subject has given consent (Article 14.1 of the Law on Personal Data Protection).

Furthermore, any transfer of personal data from the initial receiver to a third party is prohibited unless the data subject grants consent to transfer their data to a third party (Articles 8.2.6 and 8.11 of the Law on Personal Data Protection). Subject to consent, the data controller may transfer data collecting and processing duties to a data processor on a contractual basis.

7.3. Data processing records

The data controller has an obligation to keep records of its operation and activities for data collection, processing, and use (Article 18.2.12 of the Law on Personal Data Protection).

7.4. Data protection impact assessment

Under the Law on Personal Data Protection, the data controller and data processor shall conduct a risk assessment to ensure the security of data processing operations (Article 20.1.5 of the Law on Personal Data Protection).

The same law also provides that the Ministry shall establish the requirements for data security, evaluation guidance, and storage technology requirements for data collection, processing, and use (Article 20.2 of the Law on Personal Data Protection). However, we are not aware of any approved regulation that provides detailed procedures in this regard.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Under the Law on Personal Data Protection, there remains a lack of regulation on the response measures to be taken when the rights and legal interests of the data subject are violated.

For instance, although the law provides for notification of violations detected in data collection, processing, and use, the obligation runs only from the data processor to the data controller, and from the data controller to the data subject (Articles 22.1 and 22.2 of the Law on Personal Data Protection).

Such notification shall include the following data (Article 22.3 of the Law on Personal Data Protection):

  • the data subject and data records affected by the violation/breach;
  • name and contact information of the data controller;
  • violation/breach and its possible negative consequences; and
  • response measures taken to eliminate the violation/breach and its possible negative consequences.

The data subject is entitled to file a complaint if they believe that their rights and legal interests have been harmed due to the violation/breach (Article 22.4 of the Law on Personal Data Protection).

7.7. Data retention

General

The data controller and the data processor are obligated to store data obtained during the collection, processing, and use process (Article 18.2.13 of the Law on Personal Data Protection). Further, the data controller may delete the data only in the following cases (Article 15 of the Law on Personal Data Protection):

  • at the request of the data subject, if the data has not been collected, processed, or used in accordance with the law;
  • the data controller is obliged to delete the data under Mongolian law, the international treaties of Mongolia, or an effective court decision;
  • the purpose for which the data was collected, as specified in a contract or as mutually agreed, has been achieved (for data other than data collected or processed on the basis of law); or
  • other grounds specified in the laws.

The Electronic Data Processing Regulation (only available in Mongolian here) requires the user and security test conditions (test cases) and the test data run in a data system to be retained where that system collects, processes, and uses data and makes decisions without human intervention. Additionally, the Sensitive, Genetic, and Biometric Data Processing Regulation (only available in Mongolian here) subjects the collection, processing, and use of sensitive, biometric, and genetic data to the principle of storage limitation.

Health care

The Regulation on Medical Ethics sets forth the fundamental principle of 'courtesy', which includes the retention of patients' data by hospital personnel. Further, it provides that hospital personnel must keep the secrets of patients during their lifetime and after they are deceased. It also provides that the governing persons of a hospital must establish conditions under which the data of patients can be kept safe.

Telecommunications

Article 25.2.4 of the Communications Law provides that data must be kept safe by the licensed entity.

7.8. Children's data

Under the Law on Personal Data Protection, the 'owner of personal information' includes their legal representative (Article 4.1.5 of the Law on Personal Data Protection). Consent may also be obtained from a legal representative when collecting personal information (Article 8.5 of the Law on Personal Data Protection).

Therefore, it is understood that children's authorized legal representatives can give consent on behalf of a child. Other than this provision, the law does not provide any detailed regulation.

7.9. Special categories of personal data

Processing of personal data for the purpose of criminal investigations is not regulated by the Law on Personal Data Protection.

The Law on Personal Data Protection contains special provisions for two categories of personal data. First, sensitive personal data, namely the private key of a digital signature, sexual and gender orientation, sexuality, an individual's origin, race, religion, belief, health and correspondence data, and conviction status, may be collected, processed, and used on the following additional grounds (Article 9.2 of the Law on Personal Data Protection):

  • by healthcare staff, to exercise their rights and fulfil the obligations specified in the law for the protection of the health of the person concerned or of others and for the provision of healthcare services (Article 9.2.2 of the Law on Personal Data Protection); and
  • to provide an explanation, statement, or evidence in accordance with the law in response to claims from citizens and legal entities (Article 9.2.3 of the Law on Personal Data Protection).

Secondly, state authorities may use human genetic and biometric data for the purpose of maintaining civil state registration, identifying and verifying a foreign citizen crossing the state border, combating, preventing, and investigating crimes and offenses, and for the forensic analysis conducted during the course of resolving a case or dispute (Article 10.1 of the Law on Personal Data Protection).

An employer may also use biometric data other than non-overlapping physiological data (fingerprints) with the employees' consent in order to facilitate the identification and verification of employees under the internal labor procedures (Article 10.2 of the Law on Personal Data Protection).

7.10. Controller and processor contracts

The data controller may transfer its responsibility and obligation of data collection and processing to the data processor on the basis of the contract (Article 19.1 of the Law on Personal Data Protection). The purpose of data collection and processing, the term of the contract, the list of data, and the conditions for protecting the rights of the data owner shall be included in the contract (Article 19.2 of the Law on Personal Data Protection). Unless otherwise specified in the contract, the data processor shall be prohibited from transferring its obligations, and the responsibilities shall be clearly stated in the contract (Article 19.3 of the Law on Personal Data Protection).

8. Data Subject Rights

8.1. Right to be informed

The Law on Personal Data Protection provides for the right to know whether one's data has been collected, processed, or used (Article 16.1.2 of the Law on Personal Data Protection), to know the third party to which the data has been or is to be transferred (Article 16.1.4 of the Law on Personal Data Protection), and to know the conditions presented by the data controller (Article 16.1.3 of the Law on Personal Data Protection).

In the following cases, the data controller shall immediately notify the data subject of (Article 21.1 of the Law on Personal Data Protection):

  • the data subject's sensitive data has been used;
  • the data has been processed, or the processed data has been transferred to a third party, on grounds or for purposes other than those to which the data subject consented; or
  • the conditions specified in the consent form have changed since the data subject's data was collected.

In cases other than those specified above, data controllers may deliver a notice to the data subject when collecting, processing, and using their data (Article 21.2 of the Law on Personal Data Protection).

8.2. Right to access

The Law on Personal Data Protection provides for the right to obtain a copy of the information applicable to the data subject from the data controller in paper or electronic form (Article 16.1.8 of the Law on Personal Data Protection).

8.3. Right to rectification

The Law on Personal Data Protection provides for the right to notify the data controller about the rectification of erroneous information, make changes, and provide additional information (Article 16.1.5 of the Law on Personal Data Protection).

8.4. Right to erasure

The Law on Personal Data Protection provides for the right to the erasure of their data in accordance with the law (Article 16.1.6 of the Law on Personal Data Protection).

8.5. Right to object/opt-out

The Law on Personal Data Protection provides for the right to make a cancellation request in the process of data collection, processing, and use, and notify the data controller in writing (Article 16.1.10 of the Law on Personal Data Protection).

The Law on Personal Data Protection also provides for the right to voluntarily give or refuse to give consent to data collection and transfer to the data controller (Article 16.1.1 of the Law on Personal Data Protection).

8.6. Right to data portability

The Law on Personal Data Protection provides for the right to transfer the above copy of the data to their chosen data controller (Article 16.1.9 of the Law on Personal Data Protection).

8.7. Right not to be subject to automated decision-making

The data subject's additional consent is required for collection, processing, use, or decision-making in electronic form without human intervention, if consent for such processing was not obtained initially.

8.8. Other rights

The Law on Personal Data Protection also provides for the right to file a complaint or comment on the decision made as a result of data processing, to require additional information to be entered or data to be reprocessed (Article 16.1.11 of the Law on Personal Data Protection).

9. Penalties

Unlawfully acquiring, disclosing, and transferring personal secrets without consent is subject to criminal sanctions under the Criminal Code. Furthermore, under the Minor Offences Law, a breach of the Law on Personal Data Protection by individual and legal entities shall be subject to a fine of MNT 500,000 (approx. $144) or MNT 5 million (approx. $1,450), respectively, if such breach does not constitute a crime for the purpose of the Criminal Code. When the breach is related to personal sensitive data, the fine is MNT 2 million (approx. $589) or MNT 20 million (approx. $5,890).

Other sectoral penalties

Financial Sector

Financial market participants, such as banks, brokers, insurance companies, and auditors, should be licensed by the competent authorities of Mongolia. In case the participants breach the law, including data protection obligations, the regulatory authorities may terminate their license to conduct specific activities.

Under the Criminal Code, bank officers, medical practitioners, or auditors are subject to a fine of from MNT 450,000 (approx. $130) to MNT 5.4 million (approx. $1,590), community service for 240 to 720 hours, imprisonment for one month to five years, or a travel ban for one month to one year if they illegally acquire, or pass on to others, an individual's secret protected by law (Article 13.10.1 of the Criminal Code). If the crime is committed using communication or electronic means, the penalty is a fine of from MNT 5.4 million (approx. $1,590) to MNT 27 million (approx. $7,960), a travel ban for one to five years, or imprisonment for one to five years (Article 13.10.2.1 of the Criminal Code).

Bank officers, medical practitioners, or auditors are subject to a fine of from MNT 5.4 million (approx. $1,590) to MNT 27 million (approx. $7,960), imprisonment for one to five years, or a travel ban for one to five years if they illegally disclose another person's secrets obtained in the course of their official duty (Article 13.11.2 of the Criminal Code).

Concerning inside data, the Securities Market Law, read with the Minor Offences Law, sanctions the following conduct where it is not punishable under the Criminal Code: a holder of inside information who, on the basis of that information, trades in the securities concerned or in financial instruments based on them, or who offers or persuades others to do so, whether or not they knew the information was inside information; and a holder who illegally discloses inside information to others, except where the holder is obliged to disclose it by virtue of their position and duties. In such cases the property obtained is confiscated, any damage incurred must be remedied by the party at fault, and the legal entities concerned are fined MNT 20 million (approx. $5,890) and the individuals MNT 2 million (approx. $589) (Article 11.10.6 of the Minor Offences Law). The same sanctions apply where an issuer of securities fails to disclose inside information to the public in accordance with the procedures established by the Stock Exchange or the authorized body, fails to inform the authorized body or the securities trading organization when disclosing inside information to the public, or breaches the procedure for public disclosure of inside information prescribed by law, provided the act is not punishable under the Criminal Code (Article 11.10.7 of the Minor Offences Law).

Buying or selling stocks using inside data, or transferring such data, is punishable with a fine of from MNT 2.7 million (approx. $795) to MNT 10 million (approx. $2,947), imprisonment for six months to two years, or a travel ban for six months to two years (Article 18.8.1 of the Criminal Code). Depending on the circumstances and severity of the offense, imprisonment may be increased to up to 12 years, and where the crime was committed for the benefit of a legal entity, the fine may be increased to up to MNT 80 million (approx. $23,577) (Articles 18.8.2, 18.8.3, and 18.8.4 of the Criminal Code).

Health care

Article 7.7.1 of the Regulation on Medical Ethics provides that hospital personnel may provide data regarding the hospital's operations, except for organizational or personal confidential data. Hospital personnel must also ensure that patients are not recognizably seen or shown in public media without their permission. Further, Article 8.8 of the Regulation on Medical Ethics strictly prohibits hospital personnel from disclosing, even accidentally, any confidential data of a patient.

Medical practitioners are also subject to the Criminal Code penalties described under Financial Sector above for illegally disclosing another person's secrets obtained in the course of their official duty: a fine of from MNT 5.4 million (approx. $1,590) to MNT 27 million (approx. $7,960), imprisonment for one to five years, or a travel ban for one to five years (Article 13.11.2 of the Criminal Code).

Telecommunications

The CRC may terminate the operational licenses of telecommunications companies that illegally disclose the confidential communications and letters of their clients (Article 15.1.2 of the Communications Law).

9.1 Enforcement decisions

According to the latest information, the NHRCM has established a new Department in charge of Personal Data Protection and is working to ensure the implementation of the Law on Personal Data Protection by receiving complaints and information related to personal data.

Further, in relation to cyber security, the centers for combating cyber-attacks and breaches have been established. The Ministry, in cooperation with the Office of the Cyber Security Council, the representative office of the Japan International Cooperation Agency ('JICA') in Mongolia, and GMO Internet Group organized six training sessions for cyber security specialists as of February 29, 2024.

Since the enactment of a set of laws related to personal data protection, the Ministry has been diligently working to ensure the implementation of the laws by approving the necessary detailed regulations and working to draft some of the remaining undrafted regulations. Moreover, the NHRCM is planning to undertake a nationwide inspection on matters concerning personal data protection in 2024.
