In the 26 years since the Personal Secrets Law was enacted in 1995, legal revise and reform for personal data protection was required due to changes in social interactions and digital transition. Therefore, on December 17, 2021, the Parliament adopted a new Law on the Personal data protection (PDPL), which began to be implemented on May 1, 2022.
This law applies to all individuals, legal entities and organizations without legal status collecting, processing, using and protecting personal data in Mongolia. Under the previous Personal Secrets Law, only the data subject was responsible for the security of his/her information but now the PDPL provides that the data controller and collector are obliged to ensure information security and protect personal data as well.
Personal data protection is categorized as personal information and sensitive information and it is defined as below.
- Personal data means sensitive data, first and last name, date and place of birth, residence address, location, ID number, assets, education, membership, online identifier, and other information that directly or indirectly identifies a person or makes it identifiable;
- Sensitive data encompasses a person’s race, ethics origin, religion, beliefs, health, correspondence, genetic and biometric information, digital signature private key, information on whether an individual is serving or served any sentence, sexual orientation, gender identity, expression, and information about sexual intercourse.
When governmental authorities or legal entities collecting, processing, and using personal data, the data owner’s consent must be obtained in writing or electronically. Unless otherwise allowed by law or a convention to which Mongolia is a party, it is forbidden to transfer personal data outside of Mongolia without the consent of the data subject. Transferring personal data from one group company to another in oversees would be considered a personal data transfer because the legislation does not allow an exception to this rule of permission.
The data processors and controllers are required to undertake data security assessment. When data is collected, processed, and used electronically, it is especially important to conduct a data security assessment in the following situations:
- when making decisions that have an impact on the rights, freedoms, and legitimate interests of the data subject;
- when processing sensitive data on a regular basis.
the National Human Rights Commission (NHRC) is responsible to review and recommend for assessment whether data shall be collected, processed and used using electronic data processing technology.
Moreover, data controller shall keep a record of the response taken to eliminate the violation and its negative consequences. The record shall be submitted to the NHRC in January of each year or as requested.