Draft Law On Protection Of Personal Data

The Law of Mongolia on Personal Privacy which approved in 1995 has a general regulation that individuals protect their privacy and determine their confidentiality themselves, therefore it needed an urgent renewal in order to meet requirements of rapidly evolving technology. Under Article 4.1.2 of the "Governance Policy" of the "Action Plan of the Government of Mongolia for 2020-2021" approved by the Appendix of the Resolution No 24 of the Parliament of Mongolia in 2020 stated that forming the legal environment which respects human rights, supports e-government and regulates the technological security and appropriate relations and under Article 4.1.6 of such Government policy stated that strengthens information security systems and enhances the capacity which ensured the integrity, confidentiality and accessibility of information of the government, citizen and legal entity, which protects the national interest. Within the framework of this action plan, the draft law on the Protection of personal data is in the process of being approved and we are providing an overview of highlighted regulations included in this draft law to you.

The draft law has a total of 8 chapters and 29 articles and its purpose is to regulate the relations in regards with collection, process, and use of personal data and ensure its security. Within the framework of specific regulations:

1. This law defines the new terms such as personal data, personal sensitive data, collection of personal data, process of personal data, use of personal data, owner of the data, data provider, genetic data, biometric data, health data and electronic identifier.
   
   
2. The data provider shall collect a data with the written consent of the owner of the data and shall introduce the following pre-conditions and obtain permission from the data owner:
   
   • Justification and purpose of data collection;
   • Name of the data provider, if a legal entity, given name and contact information;
   • List of data to be processed;
   • Data processing and storage time;
   • Whether to disclose data;
   • Whether to transfer data to others;
   • Terms of permission revocation.
   Government agencies, individuals or legal entities may be authorized persons who collect, process and use information, however, there are clear regulations for collecting and processing information. For instance, the legal entity shall collect, process and use information in the following cases:
   
   • If required by law;
   • To conclude a contract with an individual, to exercise his/her rights and fulfill his/her obligations in accordance with the concluded contract;
   • Disclosed by the data owner or in accordance with the law;
   • To prepare the statistic data and conduct research that makes impossible to identify individuals;
   • With the consent of the data owner
   Moreover, the criteria were set for collecting, processing and using the personal sensitive data, biometric data, historical and scientific research, statistical information, and for media purposes.
   
   
3. The rights and obligations of the data owner are regulated separately in Chapter 3, for example, the data owner has a right to know whether his/her collected, processed, or used the relevant information, being deleted his/her information, to protect his/her rights and freedoms if rights and freedoms of the data owner are violated and being indemnified the damage and non-material damage caused by others illegally, etc.
   
   
4. The new regulations have been introduced on data providers and data processors, which are not regulated by the current law and their responsibilities have been regulated in detail. Moreover, the data provider may transfer its obligation to collect, process the data to the data processor on the basis of the contract. If the data processor has breached its duty, direction, and assignment given by the data provider, the data provider shall not be released from his/her duties and responsibilities obliged to the data owner. The data provider does not transfer its obligation to collect, process the data to the data processor on the basis of the contract, the data provider shall be responsible for collecting, processing and using the data.
   
   
5. Within the framework of data protection activities, the data providers and data processors shall undertake structural and technical measures in order to ensure the data security. In addition, the data provider shall notify any of the following cases to the data owner :
   
   • Used personal sensitive data;
   • Data transferred a third party by justification and purposes other than processing the data per consent of the data owner.
   The data processor shall immediately notify the data owner as soon as he/she knew any violation in the collection, processing or use of the data or if the data may cause damage to rights and legitimate interests of the data owner.
   
   
6. One of the emphasized regulations of this law is use of audio, video and audio-visual recording system or device for collecting, processing and using the data. This regulation is classified places where audio, video, and audio-visual recordings can be set and places were prohibited to set it within the framework of this law. For example; toilets, dressing rooms, special-purpose service rooms of public service place, karaoke rooms, hotel rooms, and inpatient rooms for health care are prohibited to set the audio, video, and audio-visual recordings system or device.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.