Law on Personal Data Protection Kyrgyzstan

    Overview

    Kyrgyzstan’s Law on Personal Data Protection (No. 58 of April 14, 2008) regulates the collection, processing, storage, and transfer of personal data. The law aims to safeguard individuals' privacy rights, establish data processing principles, and define obligations for businesses handling personal information.

    Regulation Summary

    Timeline
    • April 14, 2008: Law enacted.
    • April 18, 2008: Entered into force. 
    • July 20, 2017: Amendments introduced.
    • November 29, 2021: Additional revisions made.
    • July 12, 2022: Latest amendments take effect.
    What Businesses Are Affected
    • All organizations processing personal data in Kyrgyzstan, including public and private entities.
    • Foreign businesses processing data of Kyrgyz residents, if they operate within Kyrgyzstan or use local infrastructure.
    • Entities handling sensitive data such as biometric, health, or financial information.
    Exemptions
    • Personal or household use of personal data.
    • Government authorities processing data for national security, taxation, or law enforcement purposes.
    • Journalistic, literary, academic, or artistic work complying with ethical guidelines.
    Responsibilities for Businesses
    • Lawful Processing: Businesses must process personal data with consent or a legitimate legal basis.
    • Purpose Limitation: Data must only be used for specified and lawful purposes.
    • Data Security: Companies must implement security measures to prevent unauthorized access or breaches.
    • Accountability: Businesses must document their data processing activities and appoint a responsible officer where applicable.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Websites must obtain user consent for the use of non-essential cookies.
    • Privacy Notice: A transparent and accessible privacy policy must be provided.
    • User Rights Portal: Websites should facilitate requests for data access, correction, or deletion.
    • Secure Data Transmission: Encryption and secure handling of collected personal data are required.
    Additional Requirements
    • Cross-Border Data Transfers: Permitted only if the recipient country provides adequate protection, safeguards are in place, or explicit consent is obtained in accordance with international agreements.
    • Data Protection Officer (DPO): Required for organizations engaged in large-scale or sensitive data processing.
    • Impact Assessments: Mandatory for high-risk data processing, including profiling and automated decision-making.
    Data Subject Rights
    • Access: Individuals can request copies of their personal data.
    • Rectification: Right to correct incorrect or incomplete data.
    • Erasure: Right to request deletion of personal data in certain circumstances.
    • Portability: Right to obtain and transfer personal data.
    • Objection: Right to refuse data processing for direct marketing or other specified purposes.
    • Restriction: Right to limit processing under specific conditions.
    Enforcement
    • Regulatory Body: The State Agency for Protection of Personal Data oversees compliance.
    • Fines: Violations can result in fines ranging from 10,000 to 1,000,000 Kyrgyzstani Soms (~$110 to $11,000 USD)depending on the severity, with additional daily fines for continued non-compliance until corrective actions are taken.
    • Sanctions: In serious cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596