LAW OF THE KYRGYZ REPUBLIC


No. 58 of April 14, 2008. Bishkek

On personal data


(As amended by Law No. 129 of July 20, 2017, and No. 142 of November 29, 2021)


This Law is aimed at legal regulation of work with personal data on the basis of generally accepted international principles and norms in accordance with the Constitution and laws of the Kyrgyz Republic in order to ensure the protection of human and civil rights and freedoms related to the collection, processing and use of personal data.

Chapter 1

General provisions


Article 1. Objectives of this Law


The purposes of this Law are:

- activation of purposeful state policy in the field of work with personal data;

- protection of personal rights and freedoms when using personal data and protection of this information;

- definition of working conditions with personal data;

- determination of the procedure for the formation of arrays of personal information by state authorities, local authorities, as well as legal entities;

- determination of the rights and obligations of subjects of personal data, holders (owners) and recipients of arrays of such information;

- establishment of forms of state regulation and the procedure for working with personal data, as well as conditions for ensuring its safety.


Article 2. Scope of this Law


1. This Law applies to relations arising from the handling of personal data, regardless of the means of processing this information, including the use of information technology.

2. This Law does not apply to the storage, processing and use of personal data in connection with personal, family or business affairs of an individual, unless the rights of personal data subjects are violated.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 3. Terms and definitions


For the purposes of this Law, the following basic terms and definitions are applied:


Personal information (personal data) - is recorded information on a tangible medium about a specific person, identified with a specific person or which can be identified with a specific person, allowing to identify this person directly or indirectly by reference to one or more factors specific to his biological, economic, cultural, civil or social identity.

Personal data includes biographical and identification data, personal characteristics, information about marital status, financial status, health status, and so on.

The list of personal data is a list of categories of data about one subject.

An array of personal data - is a structured collection of personal data of an indefinite number of subjects, regardless of the type of information carrier and the means of their processing used (archives, card files, electronic databases, etc.).

Public arrays of personal data - arrays of personal data, access to which is not restricted by law, and intended for general use (reference books, phone books, address books, etc.).

The personal data confidentiality regime - is the legally established rules that define restrictions on access, transfer, provision and storage conditions of personal data.

The subject of personal data (subject) is an individual to whom the relevant personal data relates.

Holder (owner) of an array of personal data - public authorities, local authorities and legal entities that are authorized to determine the purposes, categories of personal data and control the collection, storage, processing and use of personal data in accordance with this Law.

The authorized state body for personal data (hereinafter referred to as the authorized state body) - is a state body authorized by the Government of the Kyrgyz Republic to exercise functions and powers to ensure compliance of personal data processing with the requirements of this Law, protection of the rights of personal data subjects (subjects), registration of holders (owners) of personal data arrays, maintaining a Register of holders of personal data arrays, other tasks, functions and powers provided for by this Law.

The processor of personal data - is an individual or legal entity, determined by the holder (owner) of personal data, who processes personal data on the basis of a contract concluded with him.

The recipient of personal data - is a public authority or local authorities, legal entities and individuals, as well as a subject of a personal data (subject) to whom personal data is transferred and provided in accordance with this Law.

Personal data collection - is a procedure for obtaining personal data by the holder (owner) of an array of personal data from the subjects of this data or from other sources in accordance with the legislation of the Kyrgyz Republic.

Personal data processing - any operation or set of operations performed independently of the methods by the holder (owner) of personal data or on his behalf, by automatic means or without them, for the purpose of collecting, recording, storing, updating, grouping, blocking, erasing and destroying personal data.

Consent of the personal data subject - expressed in the form prescribed by this Law, free, specific, unconditional and conscious expression of the will of the person, according to which the subject notifies his/her consent to the procedures related to the processing of his/her personal data.

Transfer of personal data - provision of personal data by the holder (owner) to third parties in accordance with this Law and international treaties.

Cross-border transfer of personal data - is the transfer by the holder (owner) of personal data to holders under the jurisdiction of other states.

Updating personal data - is the prompt introduction of changes to personal data in accordance with the procedures established by the current legislation of the Kyrgyz Republic.

Blocking of personal data - is the temporary termination of the transfer, clarification, use and destruction of personal data.

Destruction (erasure or destruction) of personal data - actions of the holder (owner) of personal data to bring this data into a state that does not allow restoring their content.

Depersonalization of personal data - is the removal of that part of personal data that allows you to identify them with a specific person.

The personal data information system - is a set of personal data contained in databases and information technologies and technical means that ensure their processing.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 4. Basic Principles of Personal Data Processing


1. Personal data must be received and processed in accordance with the procedure provided for by this Law.

2. Personal data must be collected for precisely and predetermined, declared and legitimate purposes, it should not be used in contradiction with these purposes and not further processed in any way incompatible with these purposes.

3. The initial data must be accurate and updated if it is necessary.

4. Personal data should be stored no longer than the purposes for which they were accumulated require and are subject to destruction upon achievement of the goals or passing the need for them.

5. For personal data stored on longer time frames for historical or other purposes, the necessary guarantees should be established to ensure their protection.

6. It is not allowed to combine arrays of personal data collected by holders (owners) for different purposes, for automated information processing.

7. Personal data must be stored and protected by the holders (owners) of arrays of personal data from illegal access, amendments, changes and destruction.

8. The basic principles of working with personal data are not exhaustive and may be supplemented in accordance with the legislation of the Kyrgyz Republic.


Chapter 2


Conditions for the Legitimacy of Working with Personal Data


Article 5. Legal basis for the processing of personal data

Work with personal data may be carried out by the holder (owner) of the array of personal data only in cases:

- if the personal data subject has given his/her consent to its execution;

- if it is necessary for the fulfillment by the public authorities, local authorities of their competence, established by the legislation of the Kyrgyz Republic;

- if it is needed to achieve the legitimate interests of the holders (owners);

- when the realization of these interests does not interfere with the exercise of the rights and freedoms of personal data subjects in relation to the processing of personal data;

- when it is necessary to protect the interests of the subject of personal data;

- if the processing of personal data is carried out exclusively for the purposes of journalism or for the purposes of artistic or literary creativity, provided that such actions will be agreed with the subject of personal data in compliance with the right to privacy and freedom of speech.


Article 6. Legal regime of personal data


1. Personal data held by the holder (owner) is classified as confidential information, except in cases defined by this Law.

2. The holder (owner) of personal data and the processor are obliged to ensure the protection of personal data in order to avoid unauthorized access, blocking, transfer, as well as their accidental or unauthorized destruction, modification or loss.

3. The regime of confidentiality of personal data is removed in cases of:

- depersonalization of personal data;

- at the request of the subject of personal data.

4. Legal regime of personal data obtained as a result of law enforcement agencies is established in accordance with the legislation of the Kyrgyz Republic.

4/1. The procedure for working with personal data within the framework of the application of legislation in the field of protection of the rights of participants in criminal proceedings is determined by the Cabinet of Ministers of the Kyrgyz Republic.

5. At the request of the subject, a regime of publicly available information can be established for his personal data (bibliographic reference books, telephone books, address books, private announcements, etc.). Exceptions are cases when the information must be public in accordance with the requirements of the legislation of the Kyrgyz Republic.

6. From the moment of death of the subject of personal data the legal regime of personal data shall be replaced by the regime of archival storage or other legal regime provided for by the legislation of the Kyrgyz Republic.

7. The protection of personal data of a deceased person may be carried out by other persons, including heirs, in accordance with the procedure provided for by the legislation of the Kyrgyz Republic.


(As amended by the Law of the Kyrgyz Republic dated November 29, 2021 N 142)


Article 7. Publicly accessible arrays of personal data


1. In order to provide the public with information, publicly accessible sets of personal data (directories, phone books, address books, etc.) may be created.

2. The following personal data may be included in publicly available personal data arrays with the written consent of the subject: last name, first name, middle name, year and place of birth, address of residence, contact phone number, information about the profession, other information provided by the subject and/or obtained from open sources, other publicly available personal data arrays, if these sources are formed with the consent of the subject of personal data.

3. If personal data is received by the holder (owner) of a publicly available array of personal data from open sources or other publicly available arrays of personal data, the holder (owner) of the publicly available array, at the request of the subject, informs within a week about the content of his personal data and about the sources of receipt and purpose of use.

4. The personal data of a particular subject is immediately excluded by the holder (owner) of personal data from the publicly available array of personal data, and in the case of a printed publication when the next edition is published - on the basis of an order of this subject or a decision of a law enforcement agency.

5. The confidentiality regime for publicly available arrays of personal data is not established.


Article 8. Special categories of personal data


1. The collection, accumulation, storage and use of personal data revealing racial or ethnic origin, nationality, political opinions, religious or philosophical beliefs, or concerning health status and sexual inclinations, solely for the purpose of revealing these factors, are not permitted.

2. Part 1 of this Article does not apply in the following cases:

a) if the subject of personal data has given his consent to the communication and processing of such data;

b) if the processing is necessary to protect the health and safety of the data subject, another person or a relevant group of persons and it is impossible to obtain the consent of the personal data subject.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Chapter 3


Rights of the subject of personal data


Article 9. Consent of the subject of personal data to the provision and processing of his personal data


1. The subject of personal data independently decides whether to provide any of his personal data to anyone, and gives consent to their processing freely, consciously and in a form that allows confirming the fact of its receipt, except for the cases provided for by Article 15 of this Law. Personal data is provided by the subject personally or through a proxy. The consent of the subject must be expressed in writing on paper or in the form of an electronic document signed in accordance with the legislation of the Kyrgyz Republic with an electronic signature.

2. In order to exercise their rights and freedoms, the subject provides data, as well as information about their changes, to the relevant public authorities, local authorities that have the right to work with personal data within their competence.

3. Before providing their personal data, the subject must be acquainted by the holder (owner) of the personal data array with the list of collected data, the grounds and purposes of their collection and use with the possible transfer of personal data to a third party, as well as informed about other possible use of personal data.

4. The subject of personal data, when refusing to provide his data has the right not to indicate the reasons for his refusal.

5. The obligation to provide proof of obtaining the consent of the personal data subject to the collection and processing of his personal data or proof of the existence of the grounds specified in subparagraph "b" of Part 2 of Article 8, paragraphs 1 and 2 of Part 1 of Article 15 of this Law is assigned to the holder (owner) of the personal data array.

6. The procedure for obtaining the consent of the personal data subject to the collection and processing of his personal data, including in the form of an electronic document, including the purpose of providing state and municipal services, is established by the Government of the Kyrgyz Republic.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 10. Subject's access to their personal data


1. The subject of personal data has the right to know about the presence of the holder (owner) of personal data related to him and to have access to them. The right of access may be restricted only in the cases provided for in article 15 of this Law.

1/1. In particular, the subject of personal data has the right to receive from the holder (owner) of an array of personal data information concerning the processing of his/her personal data, containing:

a) confirmation of the fact of processing of personal data by the holder (owner) of the personal data array;

b) legal grounds and purposes of personal data processing;

c) the purposes and methods of processing personal data used by the holder (owner) of the personal data array;

d) the name and location of the holder (owner) of the personal data array, information about persons (with the exception of employees of the holder (owner)) who have access to personal data or to whom personal data may be transferred on the basis of an agreement with the holder (owner) of the personal data array or on the basis of the law;

e) processed personal data related to the relevant personal data subject, the source of their receipt;

f) terms of processing of personal data, including the terms of their storage;

g) the procedure for the exercise by the subject of personal data of their rights provided for by this Law;

h) information on the transborder data transfer carried out or proposed;


i) other information provided for by this Law and (or) other regulatory legal acts.

(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)

2. Informing citizens about the availability of personal data from holders (owners) of data arrays is carried out on the basis of a publicly available Register of holders (owners) of personal data arrays published in the mass media in accordance with Article 30 of this Law.

3. The provision of personal data to their subject on the initiative of the subject is made on the basis of a written request of the subject and a document certifying his/her identity, free of charge. The fee is charged only if such information is provided on tangible media (paper, floppy disk, etc.) in an amount not exceeding their cost. Information about the availability of personal data and the personal data itself is provided to the data subject within a period not exceeding 7 days from the date of submission of the application.

4. Information about the availability and content of the subject's personal data must be provided to him/her by the holder (owner) of the array of personal data in a publicly accessible form, accurately and clearly expressed, and must not contain personal data related to other subjects.

5. The subject of personal data has the right to get acquainted with documents containing personal information about him/her.


Article 11. Amendments of personal data by the data subject


If there are grounds, confirmed by relevant documents, the subject of personal data has the right to demand from the holder (owner) of this data to amend his personal data. Changes to personal data are made in accordance with the procedure established by Article 28 of this Law.


Article 12. Blocking and removal of blocking of personal data


If the subject of personal data reveals their unreliability or disputes the legality of actions in relation to his personal data, he has the right to demand from the holder (owner) to block this data. Blocking and removal of blocking of personal data is carried out in accordance with Article 19 of this Law.


Article 13. Appeal against illegal actions in relation to personal data


If the subject of personal data believes that illegal actions have been committed in relation to his personal data, he has the right to appeal these actions in court.


Article 14. Compensation for losses and (or) compensation for moral damage


The subject of personal data has the right to compensation for the damage caused and to compensation for moral damage in court.


Article 15. Restriction of the rights of the subject


1. Restriction of the subject's rights to provide and receive their personal data is possible in relation to:

1) the right of a subject to provide his personal data to holders (owners) of personal data arrays - for personal data subjects admitted to information constituting a state secret - in accordance with the Law of the Kyrgyz Republic "On the Protection of State Secrets of the Kyrgyz Republic";

2) the subject's right of access to their personal data, making changes to their personal data, blocking their personal data:

a) for personal data obtained as a result of operational investigative activities, except in cases when this activity is carried out in violation of the legislation of the Kyrgyz Republic;

b) for the personal data of subjects detained on suspicion of committing a crime or who have been charged in a criminal case, or to whom a preventive measure has been applied before the indictment in the bodies carrying out these actions.

2. Restriction of the subject's access rights to their personal data, not provided for in part 1 of this Article is not allowed.

Chapter 4


Rights and obligations of the holder (owner) and processor to work with arrays of personal data


Article 16. Holders (owners) of personal data arrays


1. The public authorities, local authorities, dealing with arrays of personal data in accordance with this Law and other legal acts of the Kyrgyz Republic have the right to act as the holder (owner) of personal data.

2. Legal entities have the right to work with personal data after registration with the authorized state body as the holder (owner) of the array of personal data in accordance with Article 30 of this Law.

3. (No longer valid in accordance with the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 17. Obligations of the holder (owner) of personal data array


1. The holder (owner) of personal data array shall:

a) receive personal data directly from the subject of personal data, his/her proxies;

b) ensure the confidentiality of personal data in cases provided by the legislation of the Kyrgyz Republic and this Law;

c) determine the processor for the processing of personal data, providing guarantees with respect to technical security measures and organizational measures, regulating the processing of personal data, except in cases where the holder (owner) independently assigns the functions and responsibilities of the processor;

d) ensure the safety and reliability of personal data, as well as the regulatory regime of access to it;

e) provide personal data within one week after receipt of the request from the subject;

g) in case of refusal to provide to the data subject, upon his/her request, information on availability of personal data concerning him/her, as well as the personal data itself, to issue a written reasoned reply, containing reference to the relevant paragraph of Article 15 of this Law, within a period not exceeding one week from the date of request of the data subject;

h) provide upon request of the authorized state body or the Ombudsman (Akyikatchy) of the Kyrgyz Republic, within one week, the information necessary to perform their powers.

2. Persons to whom personal data has become known by virtue of their official position undertake obligations and responsibilities to ensure the confidentiality of those personal data. Such obligations shall remain in force even after termination of work of these persons with personal data during the period of confidentiality regime preservation according to Article 6 of this Law.


Article 18. Obligations of personal data holder (owner) to make the lists of personal data


1. The holders (owners) dealing with personal data shall, within their competence, elaborate and be guided by the lists of personal data according to the specificity of their activity.

2. The mentioned lists shall be coordinated with the authorized state body, registered with this body and published in the Registry of holders (owners) of personal data arrays, published annually by this authorized state body. These lists shall establish the scope of information used by public authorities, local authorities to exercise their powers.

3. The procedure for registering lists of personal data shall be determined by the Government of the Kyrgyz Republic.

4. Holders (owners) of personal data arrays, dealing with personal data by decision of the Government of the Kyrgyz Republic, shall develop lists of personal data in accordance with the specifics of their activities and shall coordinate them with the authorized state body.

5. The lists of personal data must be consistent with the purposes for which the data is collected. Expansion of the established lists for purposes of a different nature shall not be permitted.


(As amended by Law No. 129 of July 20, 2017)


Article 19. Obligations of the holder (owner) of the personal data array to block, remove blocking and destroy personal data


1. If the subject of personal data reveals the unreliability of personal data or the illegality of the actions with them of the holder (owner) of the array of personal data, the subject may submit an application to the holder (owner) of the array of these data or to the authorized body. The holder (owner) is obliged to accept the subject's application for production and block his personal data from the moment of its receipt for the period of verification of the application.


2. If personal data is confirmed to be inaccurate, the holder (owner) of the data array shall, on the basis of documents submitted by the subject, correct it and remove the blocking.

3. In case of establishing the illegality of the collection of personal data, the holder (owner) is obliged to destroy the relevant data immediately from the moment of such establishment and to notify the subject of personal data about it.

4. In case of mutual recognition of the legality of actions with personal data or their reliability, the holder (owner) of the personal data array is obliged to immediately remove their blocking.

5. In case of disagreement of the holder (owner) of the personal data array with the application of the personal data subject, conflict situations are considered in an administrative or judicial manner.


Article 20. Duties of personal data processor


1. The Processor shall process personal data on the basis of an agreement concluded with the personal data holder (owner).

2. The processor shall collect, record, store, update, block, destroy personal data, regardless of the method and means of processing, on behalf of the personal data holder (owner).


Article 21. Organizational and technical measures to protect personal data


1. The holder (owner) of an array of personal data and the processor shall take the necessary legal, organizational and technical measures and (or) ensure their adoption to protect personal data from unauthorized or accidental access, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data.

2. When processing personal data, the holder (owner) of the personal data array and the processor are obliged to:

- to exclude access of unauthorized persons to the equipment used for processing personal data (access control);

- prevent unauthorized reading, copying, modification or removal of data carriers (control over the use of data carriers);

- to prevent unauthorized recording of personal data and the modification or destruction of recorded personal data (control over writing) and to ensure the possibility of establishing retroactively when, by whom and what personal data was changed;

- to ensure the security of data processing systems intended for the transfer of personal data regardless of the means of data transmission (control over the means of data transmission);

- ensure that each user of the data processing system has access only to those personal data to which he has access (access control);

- to provide the possibility of establishing retroactively when, by whom and what personal data was entered into the data processing system (input control);

- to prevent unauthorized reading, copying, modification and destruction of personal data during the transfer and transportation of personal data (transport control);

- to ensure the confidentiality of information obtained during the processing of personal data;

- to ensure compliance with the requirements established by the Government of the Kyrgyz Republic for the protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security;

- keep records of machine-readable personal data carriers;

- to ensure the recovery of personal data modified or destroyed due to unauthorized access to them.

3. The Government of the Kyrgyz Republic establishes the levels of protection of personal data during their processing in information systems, requirements for security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of protection of personal data.


(As amended by the Law of the Kyrgyz Republic of July 20, 2017 No. 129)


Article 22. Responsibilities of state authorities and local self-government bodies in the mutual exchange of personal data


1. State authorities and local authorities in their activities may use personal data held by other holders (owners) of personal data, if there are legal grounds for this to work with personal data and only within the limits of their powers and competence established by the legislation of the Kyrgyz Republic, have the right to create personal data information systems corresponding to requirements established by this Law.

2. The formation of consolidated information systems and arrays of personal data received by state authorities or local authorities from various state holders (owners) of personal data is not allowed.


3. Control over the use of personal data received by state authorities, local state administrations and local authorities from other state holders (owners) of personal data is carried out by the authorized state body, higher authorities, law enforcement agencies, as well as the Ombudsman (Akyikatchy) of the Kyrgyz Republic in accordance with this Law.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 23. Organization of state reference services with personal data


(No longer valid in accordance with the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 24. Transfer of personal data


1. The holder (owner) of an array of personal data has the right to transfer this data to another holder (owner) without the consent of the subject of personal data in the following cases:

- of extreme necessity in order to protect the interests of the personal data subject;

- on request of state authorities, local self-government bodies, if the requested list of personal data corresponds to the powers of the requesting body;

- on the basis of the legislation of the Kyrgyz Republic.

2. The holder (owner) of the personal data array is obliged to inform the subject of personal data about the transfer of his personal data to a third party in any form within a week.

The procedure and form of notification of the subject of personal data about the fact of transfer of his personal data to a third party is established by the Government of the Kyrgyz Republic.

3. When transferring personal data, the recipient of personal data shall be obliged to observe the confidentiality regime of such data.

4. Personal data collected at the expense of the state budget are transferred to state authorities and organizations of the budgetary sphere, as well as personal data to the subject itself - free of charge.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 25. Cross-border transfer of personal data


1. In the case of cross-border transfer of personal data, the holder (owner) of an array of personal data under the jurisdiction of the Kyrgyz Republic transmitting the data proceeds from the existence of an international agreement between the parties, according to which the receiving party ensures an adequate level of protection of the rights and freedoms of personal data subjects and protection of personal data established in the Kyrgyz Republic.

2. The Kyrgyz Republic provides legal measures for the protection of personal data located on its territory or transmitted through its territory, excluding their distortion and unauthorized use.

3. The transfer of personal data to countries that do not provide an adequate level of protection of the rights and freedoms of personal data subjects may take place under the condition:

- the consent of the subject of personal data to this transfer;

- if the transfer is necessary to protect the interests of the personal data subject;

- if personal data is contained in a publicly accessible array of personal data.

4. When transferring personal data via the global information network (Internet, etc.) the holder (owner) of the personal data array, which transfers such data, shall ensure the transfer by the necessary means of protection, while respecting the confidentiality of information.


(As amended by the Law of the Kyrgyz Republic of July 20, 2017 No. 129)


Article 26. Depersonalization of personal data


In order to conduct statistical, sociological, historical, medical and other scientific and practical research, the holder (owner) of an array of personal data performs depersonalization of the data used, giving them the form of anonymous information. In this case, the confidentiality regime established for personal data is removed.

Depersonalization shall exclude the possibility of identification of the subject of personal data.


Article 27. Storage of personal data


1. Personal data should not be stored for longer than is necessary to fulfill the purposes of their collection. The storage period may be extended only in the interests of the subject of personal data or if this is provided for by the legislation of the Kyrgyz Republic. After the expiration of the storage period and the achievement of the purposes of collecting personal data, they are subject to destruction within two weeks. The destruction is confirmed by the act.

Depending on the significance of the personal data of certain subjects for historical, sociological, medical and other scientific purposes, instead of destroying personal data, depersonalization of such data by the holder (owner) of the array is allowed in accordance with the procedure established by the Government of the Kyrgyz Republic.

2. If a decision is made in accordance with the established procedure on the need to preserve personal data after the expiration of the storage period, to achieve the established purposes of their collection, the holder (owner) of the personal data array is obliged to ensure the appropriate storage regime of personal data and notify the data subject about it.


3. Certain personal data (personal files, metric books, etc.), after passing the practical need for them, may remain in permanent storage, acquiring the status of an archival document, or another status provided for by the legislation of the Kyrgyz Republic.


Article 28. Updating of personal data


1. The holder (owner) of an array of personal data shall make changes to the personal data in his possession, subject to documentary confirmation of the accuracy of the new data:

- in cases provided for by the legislation of the Kyrgyz Republic;

- (the paragraph is not valid in accordance with the Law of the Kyrgyz Republic of July 20, 2017 No. 129)

- on the initiative of the personal data subject, whose personal data is subject to change in accordance with Article 11 of this Law.

2. Changes to personal data at the request of the subject of this data are made no later than one week from the date of submission of the application. Changes are made at the initiative of the holder (owner) in accordance with the internal rules.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Chapter 5


State regulation of work with personal data


Article 29. Forms of state regulation of work with personal data


The State regulates the work with personal data in the following forms:

- the Government of the Kyrgyz Republic determines the authorized state body of the Kyrgyz Republic;

- keeps records and registration of arrays of personal data and their holders (owners);

- concludes international agreements on the cross-border transfer of personal data, except in cases that contradict the legislation of the Kyrgyz Republic on the protection of state secrets.


Article 29/1. Authorized state body


1. The authorized state body is charged with ensuring control over the compliance of personal data processing with the requirements of this Law, protection of the rights of personal data subjects.

2. The authorized state body cooperates with the bodies authorized in the field of personal data protection in foreign countries, in particular, the international exchange of information on the protection of the rights of personal data subjects.

3. Decisions of the authorized state body for the protection of the rights of personal data subjects may be appealed in accordance with the procedure provided for by the Law of the Kyrgyz Republic "On the Basics of Administrative Activities and Administrative Procedures".

4. The regulation on the authorized state body is approved by the Government of the Kyrgyz Republic.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 30. Registration of arrays and holders (owners) of personal data


1. Arrays of personal data and holders (owners) of these arrays are subject to mandatory registration with the authorized state body. When registering, the following are recorded:

- name of the personal data array;

- the name and details of the holder (owner) of the personal data array that works with the personal data array (address, form of ownership, subordination, telephone, surname, first name, patronymic of the head, e-mail, fax);

- the purposes and methods of collecting and using personal data;

- regimes and terms of their storage;

- the list of personal data to be collected;

- categories or groups of subjects of personal data;

- sources of personal data collection;

- the procedure for informing subjects about the collection and possible transfer of their personal data;

- measures to ensure security and confidentiality of personal data;

- the person directly responsible for handling personal data;

- recipients or categories of recipients to whom the data may be transferred;

- expected cross-border transfer of personal data.

2. Arrays of personal data containing information classified as a state secret on the basis of the Law of the Kyrgyz Republic "On the Protection of State Secrets of the Kyrgyz Republic" are not registered.

3. The authorized state body shall keep records of arrays of personal data and holders (owners) who work with personal data.

4. The specified body annually publishes in the mass media a Register of holders of personal data for general information.


(As amended by the Law of the Kyrgyz Republic dated July 20, 2017 No. 129)


Article 31. Responsibility for violation of this Law


Violation of this Law entails liability in accordance with the legislation of the Kyrgyz Republic.


Chapter 6


Final provisions


Article 32. On the entry into force of this Law


This Law comes into force from the date of its official publication.


Published in the newspaper "Erkin too" dated April 18, 2008 N 28



President of the Kyrgyz Republic K.Bakiyev


Adopted by the Jogorku Kenesh of the Kyrgyz Republic on February 21, 2008