Is my organization subject to the Agency's inspection?

Any organization (public, private) that aggregates information about the personal data of individuals (citizens, employees, customers, subscribers, etc.) is the holder (owner) of personal data arrays.

In accordance with the Law of the Kyrgyz Republic “On Personal Information”, the holder (owner) of personal data arrays is obliged to comply with the requirements of the legislation of the Kyrgyz Republic on the protection of the rights of personal data subjects.

In accordance with the Law of the Kyrgyz Republic "On Personal Information" and the Regulations on the State Agency for the Protection of Personal Data under the Cabinet of Ministers of the Kyrgyz Republic, the Agency has the authority to exercise control by conducting inspections for compliance with the requirements of the legislation of the Kyrgyz Republic on the protection of the rights of subjects of personal data.

The priority group for inspections includes those organizations that already have documented incidents of violations of legislation in the field of personal data protection.

For governmental bodies

In order to regulate the process of conducting inspections by the Agency with holders (owners) of personal data arrays from among state authorities, local state administrations and local governments, including in order to eliminate possible corruption risks and create an atmosphere of transparency, the Agency developed a draft resolution of the Cabinet of Ministers of the Kyrgyz Republic "On the exercise of control over the use of personal data received by state authorities, local state administrations and local governments."

Currently, the project is under the procedure of coordination with the interested state bodies of the Kyrgyz Republic.

For commercial organizations

The procedure for conducting inspections of business entities is regulated by the Law of the Kyrgyz Republic “On the procedure for conducting inspections of business entities”.

In accordance with Article 6 of this Law, the authorized body develops criteria by which the degree of risk is assessed in the implementation of entrepreneurial activities in the area referred to its jurisdiction, and are approved by the Cabinet of Ministers of the Kyrgyz Republic.

In this regard, the Agency has developed a draft resolution of the Cabinet of Ministers of the Kyrgyz Republic “On Amendments to the Resolution of the Government of the Kyrgyz Republic “On Approval of Criteria for Assessing the Degree of Risk in Entrepreneurial Activities” dated February 18, 2012 No. 108”, which takes into account the existing standards for identifying threats security in the collection, processing and storage of personal data, in particular the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security, approved by Decree of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760 .

Currently, the project is under the procedure of public discussion and coordination with interested state bodies.