In the Kyrgyz Republic, the level of digitalization of the state and municipal sector, as well as commercial structures, is increasing every year. New digital tools are emerging, the list of digital services is expanding, and paper databases are being actively converted to digital format. Since 2018, state information systems have been dynamically exchanging data through the Tunduk interdepartmental electronic interaction system.

However certain risks come along with digitalization. Every day many businesses are collecting and processing personal data of citizens - in stores, gas stations, clinics, cafes and, of course, in the Internet - on websites and in mobile applications. This increases the risks for the security of citizens. Violations of security measures while working with such data may lead to the increase of risks of fraud and other criminal acts.

International experience shows that simultaneously with the spread of information interaction between public bodies, the state must undertake measures to protect personal data by identifying the state body authorized in this area, as well as establishing responsibility for violation of legislation in the field of personal data.

To solve strategic problems in the field of improving legislation and the entire system of personal data protection, as well as to control over the collection, storage and processing of personal data, the Cabinet of Ministers of the Kyrgyz Republic created the Agency for the Protection of Personal Data.

On the basis of what normative legal acts the Agency was created?

In 2008, the Law of the Kyrgyz Republic “On Personal Information” was adopted to regulate the work with personal data at the legislative level. The law was adopted on the basis of generally accepted international principles and norms in accordance with the Constitution and laws of the Kyrgyz Republic. The purpose of this law was to ensure the protection of human and civil rights and freedoms related to the collection, processing and use of personal data.

Thus, according to Article 291 of the Law, the state body authorized in the field of personal data protection is entrusted with ensuring control over the compliance of the processing of personal data with the requirements of this Law, protecting the rights of personal data subjects.

Further, in accordance with Article 19 of the Law, if the subject of personal data reveals the inaccuracy of personal data or the illegality of actions with them, then he or she can file an application, including the one to the authorized body.

However, despite the existence of the Law, until December 2021 there was no state body that could become a mechanism for protecting personal data. There were also neither mechanisms to oversee the compliance of the collection, processing, storage and protection of personal data, nor procedures for appealing against illegal actions of data holders and nor sanctions for violation of established requirements.

Creation of the Agency in 2021

The State Agency for the Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic (hereinafter referred to as the Agency) was established in accordance with the Decree of the President of the Kyrgyz Republic “On the Cabinet of Ministers of the Kyrgyz Republic” dated September 14, 2021.

The Regulation on the Agency was adopted by the Resolution of the Cabinet of Ministers of the Kyrgyz Republic “On the State Agency for the Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic” dated December 22, 2021 No. 325.

On January 10, 2022, the Agency was registered with the justice authorities.

Structure of the Agency

The agency consists of two departments:

• department of legislative examination of personal data;
• department for ensuring the protection and control of personal data processing.

Expert Council

To improve the personal data protection system, the Agency established an Expert Council, which includes independent experts and representatives of civil society in the field of cybersecurity and digital law.

The Agency approved the Regulation “On the Expert Council of the State Agency for the Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic” by the order dated April 22, 2022 No. 4-A.

The purpose of the Expert Council is to make recommendations on existing legislation and make proposals for the development of new regulatory legal acts and acts of the Agency.