Law on Personal Data Protection Mongolia

    Overview

    The Law on Personal Data Protection, enacted on December 17, 2021, and effective from May 1, 2022, governs the collection, processing, use, and security of personal data in Mongolia. It aims to enhance data privacy, security, and individual rights while defining businesses’ obligations in handling personal data.

     

    Regulation Summary

    Timeline
    • December 17, 2021 – Law adopted.
    • May 1, 2022 – Law came into effect.
    What Businesses Are Affected
    • Any business operating in Mongolia that collects or processes personal data.
    • International companies targeting Mongolian residents.
    • Public institutions and NGOs handling personal data.
    • Entities using hardware and software for data collection and processing.
    Exemptions
    • Personal Use: Data processed for private, non-commercial purposes.
    • Security Recordings: Use of video and audio recordings for personal or property protection.
    • Other Laws: Activities covered by intelligence or public security laws.
    Responsibilities for Businesses
    • Obtain clear and explicit consent before collecting personal data.
    • Limit data collection to what is strictly necessary.
    • Implement security measures to protect stored and processed data.
    • Maintain transparency regarding data usage and processing.
    • Ensure accountability by keeping processing records.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Obtain explicit consent for non-essential cookies.
    • Privacy Policy: Publish a clear, detailed privacy notice covering:
      • Types of data collected
      • Processing purposes
      • Data retention policies
      • Third-party sharing
      • User rights
    • User Rights Portal: Provide an accessible way for users to manage their data.
    • Secure Data Transmission: Use encryption for submitted data (e.g., contact or payment forms).
    Additional Requirements
    • Cross-Border Data Transfers: Restricted unless specific safeguards are in place.
    • Sensitive Data Protection: Stricter rules apply to biometric, health, and genetic data.
    • Compliance Records: Businesses must document their data processing activities.
    Data Subject Rights
    • Access: Request a copy of their personal data.
    • Rectification: Correct inaccurate or incomplete data.
    • Erasure: Request deletion under certain conditions.
    • Portability: Obtain their data in a machine-readable format.
    • Objection: Opt out of processing for marketing or other purposes.
    • Restriction: Limit processing under specific circumstances.
    Enforcement
    • Regulatory Authorities:
      • The National Human Rights Commission of Mongolia oversees compliance.
      • The Ministry of Digital Development and Communication enforces digital security.
    • Penalties: Fines range from MNT 500,000 (≈ USD 145) to MNT 20,000,000 (≈ USD 5,832), depending on the severity of the violation. Infractions include misuse of data beyond lawful purposes, automated processing without oversight, and illegal data collection, processing, or transfer.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596