Territorial and material scope of the Law

More specifically, the Law applies:

• to the collection, processing, use, and security of personal data with the help of hardware and software;
• in connection with personal secrets, except for those specifically regulated by the Law on Intelligence Activity; and
• in connection with the installation of video recorders in public streets, roads, squares, public places, or for the purpose of ensuring traffic safety in order to prevent crimes and infringements, except for cases specified in the Law on Prevention of Crimes and Infringements ('Law on Infringement').

The Law does not apply to:

• the collection, processing, use, and security of personal data belonging to an individual or their family members without violating their right to inviolability and freedom;
• the placement of audio, video, and audio-video recording devices in order to protect an individual's movable and immovable properties that are in their ownership, possession, and use, and the life and health of themselves and their family members;
• the use of an individual's biometric data in order to protect their movable and immovable properties that are in their ownership, possession, and use, as well as to store their data; and
• the disclosure of personal data to the public in accordance with the law.

New definitions provided by the Law

Personal data means sensitive data, first and last name, date and place of birth, residence address, location, ID number, assets, education, membership, online identifier, and other information that directly or indirectly identifies a person or makes it identifiable.

Biometric data is defined as non-overlapping physical data related to the human body, such as fingerprints, iris, face, voice, and physical characteristics that can be identified with the help of equipment, hardware, and software.

Genetic data refers to unique information indicating an individiual's physical condition, health, and hereditary characteristics which result from an analysis of a biological sample.

Correspondence data includes letters, parcels, e-mails, and information exchanged via communication and IT.

Property data covers information on the property owned, possessed, and used by the data subject.

Sensitive data encompasses a person's race, ethic origin, religion, beliefs, health, correspondence, genetic and biometric information, digital signature private key, information on whether an individual is serving or served any sentence, sexual orientation, gender identity, expression, and information about sexual intercourse.

Data concerning health refers to information related to physical or mental health, as well as information on whether an individual has received healthcare services.

A data subject is defined as a natural person identified by the above-mentioned information.

A data controller is a person, legal, or non-legal entity that collects, processes, and uses information in accordance with the Law or with the consent of the data subject.

A data processor is, however, not defined by the Law. But processing of data is defined as classification, storage, analysis, modification, deletion/erasure, and restoration of information, and any combination of such actions according to the Law on Public Information Transparency and Right to Information.

In this regard, data collecting means obtaining, constituting, and recording of personal data.

The use of data includes using, transferring, and getting acquainted with the information in forms other than collecting and processing.

An online identifier is a login name to access any information system, e-mail address, social media account, wired and wireless technology addresses, and information on other types of equipment and information systems.

Personal secrets include data concerning health and correspondence, genetic and biometric data, digital signature private key, sexual orientation, gender identity, expression, and information on an individual's sexual life.

Legal bases of processing

Individuals, legal entities, and non-legal entities other than government agencies can collect, process, and use personal data on the following grounds:

• with the consent of the data subject;
• on the grounds provided by the law;
• in cases provided by the law, to exercise the rights and fulfil obligations of the data controller in the course of employment relations;
• to conclude contracts and ensure their implementation;
• when information is disclosed to the public in accordance with the law; and
• to create historical, scientific, artistic, literary works, open data, and statistics, making it impossible to identify a person.

Individuals, legal, and non-legal entities, other than certain state organisations, are prohibited to collect and use biometric and genetic information. Conversely, employers are allowed to use their employees' biometric information, excluding fingerprints, for the purpose of identification and verification of the employees, in accordance with their internal labour policy,

Employers are, however, prohibited to collect and use the following information of employees relating to:

• personal secrets; and
• membership in a political party, public organisation, and trade unions.

Cross-border data transfers

According to Article 14(1) of the Law, 'It is prohibited to transfer personal data to a person, legal entity, and international organisation, except as provided by law and international treaties to which Mongolia is a party, or with the consent of the data subject'.

Provisions relating to a data protection supervisory authority

There are different authorised organisations in charge of protection of personal data.

The National Human Rights Commission of Mongolia ('the Commission') has the following powers to protect personal data:

• monitoring the implementation of the legislation on protection of personal data, organising public awareness and advocacy activities, submitting requirements and recommendations to relevant organisations, and commenting on relevant regulations;
• receiving, reviewing, and resolving complaints and information, or investigating and resolving these on its own initiative if it is considered that human rights and freedoms protected by the Law have been infringed or bear the potential to be infringed in the course of the collection, processing, use, and protection of personal data, as well as providing orders and recommendations to relevant organisations;
• providing orders and recommendations to relevant organisations in the field of collection, processing, use, and protection of sensitive data;
• receiving and reviewing reports submitted by a data controller on response measures taken to eliminate violations identified in the collection, processing, and use of information and its negative consequences, and making recommendations on further issues to be considered;
• providing recommendations in order to prevent violations of human rights and freedom in the course of the collection, processing, and use of personal data using technology that processes online without any human interference; and
• including information on data protection activities, violations, and implementation of data subject rights in reports on the state of human rights and freedoms in Mongolia.

The state central administrative body in charge of e-development and communication can exercise powers to protect personal data in the electronic environment, such as:

• ensuring the implementation of legislation on the protection of personal data, raising awareness to the public, cooperating with relevant organisations, and providing professional and methodological assistance;
• adopting technological safety requirements and procedures for the processing of sensitive, genetic, and biometric data; and
• receiving and registering notifications, submitted by the data controller, regarding the failure of security of the information system used for the collection, processing, and use of personal data, and cyber attacks, as well as immediately taking appropriate action.

Other significant provisions within the Law

Personal secrets

It is prohibited to collect, process, and use personal secrets without the consent of the data subject for the purpose of journalism, or the protection of the public interest.

Erasure/deletion of personal data

The data controller should erase/delete personal data on the following grounds:

• upon the data subject's request, if the personal data has not been collected, processed, or used in accordance with the grounds and procedures under the law;
• upon obligation to erase/delete the personal data under the law, international treaties to which Mongolia is a party, or a legally valid court decision;
• upon fulfillment of the initial purpose for collection the personal data other than the ones collected and processed in accordance with the law, or upon contractual clause or mutual agreement on erasure/deletion of it; or
• others provided by the law.

Processing of data under an agreement

The data controller may transfer its functions to collect and process personal data to a data processor upon an agreement. The agreement should include the purposes of collection and processing of personal data, duration, list of data, and conditions to protect the rights of data subjects.

Ensuring the safety of personal data

The data controller and data processor (under an agreement with the data controller) should implement the following actions to ensure the personal data safety, including:

• adopting and complying with internal policy on ensuring the personal data safety;
• adopting a programme on actions to be taken against personal data leakage, and the provision of notice to data subjects and the relevant state authority;
• having taken all necessary actions to ensure integrity, confidentiality, and accessibility of information system to be used for the collection, processing, and use of personal data;
• adopting and complying with a procedure and guidance on the restriction of the use and erasure/deletion of personal data, and making the data subject unidentifiable; and
• making assessments to ensure the safety of the processing of personal data.

Notification obligation of violations regarding personal data

The data processor (under an agreement with the data controller) is obliged to notify the data controller of any violations identified in the course of the collection and processing of personal data. If such violations affect the rights and legitimate interests of the data subject, the data controller should notify the data subject. The data controller should record response measures taken against such violations and their negative consequences, and submit the record to the Commission annually in January, or upon the Commission's request.

Concerns regarding the placement of video recorders

Video recorders should be prohibited to be placed in the following locations:

• locations where the right to inviolability and freedom can be infringed, such as bathrooms, dressing rooms, VIP rooms of public serving places, karaoke rooms, hotel rooms, and patient rooms for healthcare; and
• the entrances and exits of households living in public apartments.

It is prohibited to disseminate video footage of public entrances and exits of public apartments and common areas on public media. Further, video footage and its copy should not be presented or given to the data subject if it includes other individuals' data.

Liability for violations of the Law

In case of infringement of the Law, an individual must pay a fine of around $170 to 680, a legal entity a fine of around $1,700 to 6,792 under the Law on Infringement.

Additionally, under the Criminal Code of Mongolia, convicts are subject to a fine of around $458 to 9,169, a restriction of the right to travel, or imprisonment for a period of six months to five years.

Buyanjargal Tungalag Associate
[email protected]
Grata International, Ulaanbaatar, Mongolia