Frequently asked questions

Any organization (public, private) that aggregates information about the personal data of individuals (citizens, employees, customers, subscribers, etc.) is the holder (owner) of personal data arrays.

In accordance with the Law of the Kyrgyz Republic “On Personal Information”, the holder (owner) of personal data arrays is obliged to comply with the requirements of the legislation of the Kyrgyz Republic on the protection of the rights of personal data subjects.

In accordance with the Law of the Kyrgyz Republic "On Personal Information" and the Regulations on the State Agency for the Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic, the Agency has the authority to exercise control by conducting inspections for compliance with the requirements of the legislation of the Kyrgyz Republic on the protection of the rights of subjects of personal data.

The priority group for inspections includes those organizations that already have documented incidents of violations of legislation in the field of personal data protection.

For governmental bodies

In order to regulate the process by which the Agency conducts inspections of holders (owners) of personal data arrays from among state authorities, local state administrations and local governments, including in order to eliminate possible corruption risks and create an atmosphere of transparency, the Agency developed a draft resolution of the Cabinet of Ministers of the Kyrgyz Republic "On the exercise of control over the use of personal data received by state authorities, local state administrations and local governments."

Currently, the draft is being coordinated with the interested state bodies of the Kyrgyz Republic.

For commercial organizations

The procedure for conducting inspections of business entities is regulated by the Law of the Kyrgyz Republic “On the procedure for conducting inspections of business entities”.

In accordance with Article 6 of this Law, the authorized body develops the criteria by which the degree of risk is assessed in the conduct of entrepreneurial activities in the area within its jurisdiction, and these criteria are approved by the Cabinet of Ministers of the Kyrgyz Republic.

In this regard, the Agency has developed a draft resolution of the Cabinet of Ministers of the Kyrgyz Republic “On Amendments to the Resolution of the Government of the Kyrgyz Republic ‘On Approval of Criteria for Assessing the Degree of Risk in Entrepreneurial Activities’ dated February 18, 2012 No. 108”. The draft takes into account the existing standards for identifying security threats in the collection, processing and storage of personal data, in particular the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security, approved by Decree of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760.

Currently, the draft is undergoing public discussion and coordination with interested state bodies.


The registry of personal data arrays and holders (owners) of personal data arrays (hereinafter referred to as the Registry) is a unified system of state accounting of holders (owners) and their personal data arrays, as well as lists of personal data included in certain personal data arrays.

According to Article 30 of the Law "On Personal Information", the Registry must contain:

  • the name and details of the holder (owner) of the personal data array that works with the personal data array (address, form of ownership, subordination, telephone, last name, first name, patronymic of the head, e-mail, fax);
  • name of the array of personal data;
  • purposes and methods of collecting and using personal data;
  • modes and terms of their storage;
  • list of collected personal data;
  • categories or groups of personal data subjects;
  • sources of personal data collection;
  • the procedure for informing subjects about the collection and possible transfer of their personal data;
  • measures to ensure the safety and confidentiality of personal data;
  • person directly responsible for handling personal data;
  • the recipients or categories of recipients to whom the data may be communicated;
  • proposed cross-border transfer of personal data.

Arrays of personal data and their holders (owners) containing state secrets are not subject to inclusion in the Registry.

One can find the step-by-step instructions for filling out the Registry in the User Guide for the Registry of Holders (Owners) of Personal Data Arrays. It is available here.

Also, the "Help" section of the Agency's website has a video instruction on filling out the Registry.


According to Article 17 of the Law of the Kyrgyz Republic "On Personal Information", the holder of an array of personal data is obliged to:

a)    receive personal data directly from the subject of personal data or his/her authorized representatives;

b)    ensure the confidentiality of personal data in cases provided by the legislation of the Kyrgyz Republic and this Law;

c)    determine the processor for the processing of personal data, providing guarantees regarding technical security measures and organizational measures governing the processing of personal data, unless the holder independently assumes the functions and obligations of the processor;

d)    ensure the safety and reliability of personal data, as well as the statutory access regime to them;

e)    provide personal data within a week after receiving a request from the subject;

f)    in case of refusal to provide the subject at his/her request with information about the availability of personal data about him/her, as well as the personal data themselves, issue a written reasoned response containing a reference to the relevant paragraph of Article 15 of this Law, within a period not exceeding one week from the date of the subject's application;

g)    at the request of the authorized state body or the Ombudsman (Akyikatchy) of the Kyrgyz Republic, within a week submit the information necessary for the exercise of their powers.

Persons who have become aware of personal data due to their official position assume obligations and are responsible for ensuring the confidentiality of these personal data. Such obligations remain in force after these persons have finished working with the personal data, for as long as the confidentiality regime is maintained in accordance with Article 6 of the Law "On Personal Information".


1.    Limit access to your data

Do not disclose your name, surname and marital status, and especially do not let strangers take pictures or make copies of your documents.

2.    Do not post a photo of your passport on the Internet and do not send it via e-mail or via instant messengers (Telegram, WhatsApp). You can only present your passport when receiving services from government agencies or banks.

3.    Do not share information about your bank cards

Do not show or tell anyone (especially over the phone) the passwords and codes indicated on the bank card, or the data for entering Internet banking.

4.    Be careful with information on digital media

Do not access Internet banking from other people's computer devices or phones. The browser may save your password automatically, which may result in data loss. Also, do not share flash cards if they have passport photos, forms indicating passport data, or other personal data.

5.    Read and learn more about changing data protection laws and digital technologies that are introduced to simplify the transfer of data and protect it.


If you believe that your personal data rights have been violated, you can take the following actions:

1.    You can directly contact the holder or processor of your personal data through whose fault your rights have been violated.

Upon a written request, a citizen can receive all information about himself or herself from the holder of an array of personal data free of charge, except when the information is provided by the holder on a tangible medium (paper, floppy disk, flash drive, etc.).

Information about the availability of personal data and the personal data themselves must be provided within 7 days after receiving the request of the subject of personal data.

The subject of personal data has the right to get acquainted with documents containing personal information about him.

The right of access may be limited only in cases provided for in Article 15 of the Law of the Kyrgyz Republic “On Personal Information”.

2.    If your actions were not successful, and your rights are still violated, then you can contact the State Agency for the Protection of Personal Data under the Cabinet of Ministers to establish the facts of the violation. If these facts are confirmed, the Agency will take appropriate measures.

3.    You can also challenge the wrongful actions of the holder or processor of your personal data in court.

According to the Law of the Kyrgyz Republic "On Personal Information", citizens have the right to know which of their personal data are collected, processed, and stored by state, municipal or commercial organizations (owners of personal data arrays), and whether these organizations do so legally.

The right to consent or refuse to provide personal data

According to the Law “On Personal Information”, the subject of personal data (a citizen) independently decides whether to provide anyone with any of his/her personal data, and agrees to their processing freely, consciously and in a form that allows confirming the fact of his/her receipt, except as provided in Article 15 of this Law.

In order to exercise their rights and freedoms, citizens provide data, as well as information about their changes to the relevant state authorities, local governments that have the right to work with personal data within their competence.

Before providing his/her personal data, a person must be acquainted with the holder (owner) of the array of personal data, with the list of data collected, the grounds and purposes for their collection and use, with the possible transfer of personal data to a third party, and also be informed about other possible use of personal data.

In case of refusal, a citizen has the right not to indicate the reasons for the refusal to provide his or her data.

Access right

The subject of personal data (a citizen) has the right to know that the holder has personal data relating to him or her and to have access to them. The citizen also has the right to receive from the holder of the array of personal data information regarding the processing of his or her personal data, containing:

a)    confirmation of the fact of processing personal data by the holder of an array of personal data;

b)    legal grounds and purposes of personal data processing;

c)    purposes and methods of processing personal data used by the holder (owner) of the array of personal data;

d)    name and location of the holder (owner) of the array of personal data, information about persons (with the exception of employees of the holder (owner)) who have access to personal data or to whom personal data may be transferred on the basis of an agreement with the holder (owner) of the array of personal data or on the basis of the law;

e)    processed personal data relating to the relevant subject of personal data, the source of their receipt;

f)    terms of processing personal data, including the terms of their storage;

g)    the procedure for the exercise by the subject of personal data of their rights provided for by this Law;

h)    information about the performed or proposed cross-border data transfer;

i)    other information provided by this Law and other regulatory legal acts.

At his/her written request, the subject can obtain all information about himself/herself from the holder of the personal data array free of charge, except when the information is provided by the holder on a tangible medium (paper, floppy disk, flash drive, etc.).

Information about the availability of personal data and the personal data themselves must be provided within 7 days after receiving the request of the subject of personal data.

The subject of personal data has the right to get acquainted with documents containing personal information about him.

The right of access may be limited only in cases provided for in Article 15 of the Law of the Kyrgyz Republic “On Personal Information”.

Right to make a change

If there are grounds, confirmed by relevant documents, the subject of personal data has the right to demand that the holder of these data make changes to his or her personal data. Changes to personal data should be made at the initiative of the subject of personal data whose personal data will change.

Right to block

If the subject of personal data discovers that the data are unreliable or disputes the legality of actions taken in relation to his or her personal data, he/she has the right to demand that the holder (possessor) block this data.

The holder (possessor) is obliged to accept the application of the subject for processing and block his/her personal data from the moment of its receipt for the period of verification of the application.

Right to appeal

If the subject of personal data believes that illegal actions have been committed with respect to his or her personal data, he/she has the right to appeal against these actions in court.

Right to damages and/or compensation for non-pecuniary damage

The subject of personal data has the right to compensation for the damage caused and to compensation for non-pecuniary damage in court.

According to the legislation of the Kyrgyz Republic, personal data includes biographical and identification data of citizens, personal characteristics, information about family and financial status, health status, etc.

Personal data is any information with the help of which a person can be directly or indirectly recognized (identified). For example:

  • full name;
  • personal identification number;
  • biometric data;
  • marital status;
  • online identifier (social media username, IP-address);
  • CCTV camera footage allowing identification of an individual;
  • other identifying features.

Examples of special-category (“sensitive”) personal data are:

  • biometric data of citizens;
  • medical records of patients;
  • bank details.

The processing and transmission of such information requires additional security controls.

Examples of non-personal data:

  • registration number of the organization;
  • identification number of a legal entity;
  • organization's email address;
  • the name of the city without specific reference to the address and name of a person;
  • the name of a person without simultaneous links to the surname and patronymic name, and if the combination is common, then without additional identifying features.