RESOLUTION 

Dated November 18 , 2022 No. 638


On approval of the Procedure for registration of holders (owners) of personal data arrays, personal data arrays and lists of personal data in the Registry of holders (owners) of personal data arrays, as well as its maintenance and publication


In accordance with Articles 18, 30 of the Law of the Kyrgyz Republic “On Personal Information”, Articles 13, 17 of the constitutional Law of the Kyrgyz Republic "On the Cabinet of Ministers of the Kyrgyz Republic" The Cabinet of Ministers of the Kyrgyz Republic resolves:

  1. Approve the Procedure for registration of holders (owners) of personal data arrays, personal data arrays and lists of personal data in the Registry of holders (owners) of personal data arrays, as well as its maintenance and publication in accordance with the Appendix.
  2. Before the adoption of this resolution, organizations that have begun collecting, Processing and storing personal data must undergo registration in the Registry of Holders (Owners) of Personal Data Arrays within six months from the date this resolution enters into force.
  3. The control over the execution of this resolution shall be entrusted to the department for control over the execution of decisions of the President and the Cabinet of Ministers of the Administration of the President of the Kyrgyz Republic.This Resolution comes into force upon expiry of seven days from the date of its official publication.
  4. This Resolution comes into force upon expiry of seven days from the date of its official publication.



Chairman

Cabinet of Ministers

Kyrgyz Republic                                                                                                  A.U. Japarov



Application


The procedure for registering holders (owners) of personal data arrays, personal data arrays and lists of personal data in the Registry of holders (owners) of personal data arrays, as well as its maintenance and publication

1. General Provisions

1. This Procedure defines the procedure for registering holders (owners) of personal data arrays and lists of personal data in the Registry of holders (owners) of personal data arrays, as well as maintaining and publishing.

2. The goals and objectives of this Procedure are:

- protection of the rights and freedoms of the individual when using information of a personal character and the protection of this information;

- accounting of holders (owners) of arrays of personal data;

- accounting of arrays of personal data;

- creation of conditions for transparency in the processes of collection, processing and storage of personal data;

- establishing control over arrays of personal data;

- establishing the procedure for working with personal information;

- ensuring that personal data is collected for precisely and predetermined, declared and legitimate purposes and not used in conflict with those purposes.

3. Holder (owner) of an array of personal

data (hereinafter referred to as the holder), prior to the collection and processing of personal data, analyzes the tasks carried out by him for the use of personal data and is registered with the authorized body for personal data.

4. The goals must be unambiguous, legitimate and consistent with the tasks carried out by the holder.

5. The registry of holders (owners) of personal data arrays (hereinafter referred to as the Registry) is a unified system of state accounting of holders and arrays of personal data, as well as lists of personal data included in certain arrays of personal data.

6. The Registry is public.

7. Access to the Registry is carried out across the Internet, which is why additional publication is not required.

8. The following shall be included in theRegistry:

- the name of the array of personal data;

– the name and details of the holder who works with the array of personal data (address, form of ownership, subordination, telephone, last name, first name, patronymic of the head, e-mail, fax);

– purposes and methods of collecting and using personal data;

– modes and terms of their storage;

– list of collected personal data;

– categories or groups of personal data subjects;

– sources of personal data collection;

– the procedure for informing subjects about the collection and possible transfer of their personal data;

– measures to ensure the safety and confidentiality of personal data;

– a person directly responsible for handling personal data;

– recipients or categories of recipients to whom the data may be transmitted;

– alleged cross-border transfer of personal data.

 Arrays of personal data containing information classified as state secrets on the basis of the Law of the Kyrgyz Republic "On the protection of state secrets of the Kyrgyz Republic" are not subject to inclusion in the Registry.

 9. The Registry is maintained by the authorized state body for personal data in electronic form in the state and official languages.

10. Registration in the Registry is carried out by the holders independently in accordance with this Procedure.

11. Registration of holders in the Registry is carried out from the moment of submission of an application filled in electronic form for consideration by the authorized state body for personal data.

12. When entering incomplete or inaccurate information, the holder must eliminate the inaccuracies identified by the authorized state body on personal data.

13. Correspondence on the maintenance of the Registry between the authorized state body for personal data and holders is conducted using electronic document management, e-mail and on paper.

14. Registration in the Registry is carried out free of charge via the Internet through the official website of the authorized state body for personal data (in the "Registry" section).

2. The procedure for registration in the Registry of holders (owners) of personal data arrays

15. Registration in the Registry consists of three stages. During the first two stages, the holder fills out electronic forms to obtain a registration number in the Registry. During the third stage, the holder undergoes the procedure of approval and registration of lists of personal data for their collection, processing and storage in the framework of the implementation of their functions and goals.

16. Registration of holders in the Registry is carried out after authorization in the Registry by means of a Unified identification system through a cloud-based electronic signature of a legal entity.

17. Registration of holders and arrays of personal data in the Registry is carried out in the following form:

1) registration of the holder and the array of personal data, as well as changes to the Registry, are carried out on the official website of the authorized state body for personal data;

2) to registry on the official website of the authorized state body for personal data in the navigation panel, go to the "Registry" section;

3) the identification and authorization process for registration and making changes to the Registry is carried out through a Unified Identification System according to the rules defined by the Regulation on the Unified Identification System of the Kyrgyz Republic, approved by the Resolution of the Government of the Kyrgyz Republic "On Certain Issues of electronic Management in the Kyrgyz Republic" dated December 31, 2019 No. 748;

4) after passing the identification procedure, the holder proceeds to fill out registration forms and make changes to the Registry;

5) information about the holder is entered in the registration forms in accordance with Article 30 of the Law of the Kyrgyz Republic 

"On personal information";

6) fields marked with asterisks are mandatoryд

7) the name of the holder is filled in Cyrillic without abbreviations;

8) when listing information in the application fields, when there are more than one names, the data is entered in the field separated by a comma or semicolon. 

18. Completion of all stages of registration in the Registry is a prerequisite for registration as a holder.


19. The fields related to the first part of the registration form, that is, to the registration data of a legal entity, are filled in automatically through the system of interdepartmental electronic interaction from the information system of the authorized state body for registration of legal entities.

At the same time, the holder should indicate the current contact details of the person directly responsible for working with personal data, as well as the address of his actual location.

20. The fields of the second stage of the registration form are filled in with up-to-date information by the holder, marks are made in the proposed options or the proposed options are selected from pop-up windows, including: 

– name of the personal data array;

– modes and terms of their storage;

– the procedure for informing subjects about the collection and possible transfer of their personal data;

– measures to ensure the safety and confidentiality of personal data;

– contact details of the person directly responsible for working with personal data;

– recipients or categories of recipients to whom data can be transmitted;

– presence or absence of cross-border transfer of personal data;

– the term or condition for the termination of the processing of personal data.

21. Registration of lists of personal data is the third and final stage of registration in the Registry, during which information is filled in on the lists of personal data collected, including: 

– list of personal data collected;

– categories or groups of personal data subjects;

– sources of personal data collection;

– purposes and methods of collecting and using personal data.

22. At the third stage, the registered holder enters data on the collected lists of personal data (indicating the goals and objectives) into the Registry.

23. The entered data on the lists of personal data are sent to the authorized state body for personal data for approval and registration through the Registry, after which the holder receives an automatic notification of acceptance of the application for consideration.

24. After submitting the application, the holder receives a unique registration number in the Registry. The procedure for approving the application by the authorized state body for personal data should not exceed 10 (ten) working days from the date of receipt of the electronic application from the holders.

Based on the results of registration in the Registry, the holder receives the right to collect, process and store personal data in accordance with the legislation of the Kyrgyz Republic in the field of personal information.

3. Control over the implementation of this Procedure and final provisions

25. The authorized state body for personal data makes reasonable comments on the completed application both in full and in parts, in cases where there are inconsistencies with the Law of the Kyrgyz Republic "On Personal Information" from the justification, including when there are inaccuracies in matters relating to the registration of personal data arrays, the completeness of the information entered, and also in the case when the personal data collected does not correspond to precisely and pre-defined and stated goals.

26. Upon receipt of reasonable comments by the authorized state body on personal data on filling out the registration form, the holder shall make appropriate changes within 10 (ten) working days after receiving the comments.

27. Comments of the authorized state body on personal data on submitted applications for registration are given in the form of comments in the Registry. Additionally, letters can be sent using electronic document management, e-mail and on paper.

28. Subsequent updates of the lists, necessary and sufficient for the implementation of its activities, are agreed by the holder with the authorized state body for personal data by editing an electronic application for registration in the Registry.

29. The Holder must ensure the accuracy and relevance of the data entered into the Registry, as well as ensure the storage and processing of personal data in strict accordance with precisely and pre-determined, declared and legitimate purposes of their collection.

30. The registration of lists of personal data is carried out after the final confirmation by the authorized state body for personal data of compliance with the pre-defined, declared and legitimate purposes of their collection.

31. Collection, storage and processing of personal data without registration in the Registry is prohibited and entails liability in accordance with the legislation of the Kyrgyz Republic on offenses.

32. If the holder repeatedly (more than 5 times) fails to remove objections from the authorized state body on personal data in the process of approving lists of personal data during registration, registration is suspended, and repeated applications without eliminating the identified errors, inaccuracies and inconsistencies are not accepted for registration.

Objections to the decisions of the authorized state body on personal data on the suspension of registration in the Registry are sent to the authorized state body on personal data and are considered by it in accordance with the procedure provided for by the Law of the Kyrgyz Republic "On the basics of Administrative Activities and administrative Procedures".

33. If the holder's entry in the Registry is inactive due to the lack of coordination of the lists of personal data and the application for registration, the holder has no opportunity to collect and process personal data, since such registration is considered incomplete.

34. Termination/suspension of registration as a holder is carried out by the authorized state body for personal data at the request of the holder in the presence of supporting documents, including court decisions that have entered into force, requests and demands of state bodies in the event of termination/suspension of personal data processing, indicating the reasons, as well as due to a change in the type of activity of the holder and registration of termination holder's activities.

35. Termination/suspension of registration as a holder transfers an entry in the Registry to the form of archival storage, while leaving it available for viewing with simultaneous indication of the reasons for termination of registration.

36. Holders who collected, processed and stored personal data prior to the introduction of this regulation shall be registered in the manner prescribed for the initial registration of the holder. At the same time, prior to registration, the holder does not stop collecting, processing and storing personal data.