Mongolia: New Law On Protection Of Personal Data In Mongolia

New regulations in the Law on Protection of Personal Data

Definitions:

• "Biometric information" means non-overlapping physical data related to the human body such as fingerprints, iris, face, voice and physical characteristics that can be identified with the help of equipment, hardware, and software;
• "Genetic information" means unique information indicating a person's physical condition, health and hereditary characteristics which result from an analysis of a biological sample;
• "Correspondence information" means letters, parcels, emails, and information exchanged via communication and information technology;
• "Property information" means information on the property owned, possessed and used by the data subject;
• "Sensitive information" means a person's race, ethnic origin, religion, beliefs, health, correspondence, genetic and biometric information, digital signature private key, information on whether serving or served any sentence, sexual and gender orientation, expression, information about sexual intercourse;
• "Health information" means information related to the physical or mental health, as well as information on whether received health care services.
• "Data subject" means a person identified by the abovementioned information;
• "Data controller" means a person, legal entity or non-legal entity that collects, processes and uses information in accordance with the law or with the consent of the data subject of the information.
• "Online identifier" means login name to access any information system, email address, social media account, wired and wireless technology addresses, and information on other types of equipment and information system.

Collection, processing and use of information by Government agency

The government agency shall collect and process information on the following grounds:

• with the consent of data subject;
• on the grounds specified by law;
• in cases provided by law, to exercise the rights and fulfil the obligations in the employment relations;
• to conclude contracts and ensure the implementation of concluded contracts;
• to fulfill obligations under Mongolian international agreements;
• to implement its legal obligations without affecting the rights and legitimate interests of data subject.

The government agency shall use the information on the following grounds:

• with the consents of data subject;
• on the grounds specified by law;
• to prevent harm to the life, body, rights, freedoms, and property of the data subject, and to protect his/her rights and legitimate interests;
• to prevent damage to the rights and legitimate interest of others;
• to create historical, scientific, artistic, literary works, open data and statistics making it impossible to identify a person.

Collection, processing and use of information by individuals, legal entities and nonlegal entities

Individuals, legal entities and non-legal entities other than government agency shall collect, process and use information on the following grounds:

• with the consent of data subject;
• on the grounds specified by law;
• in cases provided by law, to exercise his/her rights and fulfil his/her duties in the employment relations;
• to conclude contracts and ensure the implementation of concluded contracts;
• the information is disclosed to the public in accordance with the law;
• to create historical, scientific, artistic, literary works, open data and statistics making it impossible to identify a person.

Persons /individuals, legal entities, non-legal entities/ other than certain state organizations are prohibited to collect and use biometric and genetic information. While, employers are allowed to use their employers' biometric information /excluding fingerprints/ for the purpose of identification and verification of the employees in accordance with their internal labor policy.

Employers are prohibited to collect and use the following information of employees:

• Information related to personal secrets;
• Membership in political party, public organization, and trade unions.

Consent from data subject

In order to obtain a consent, the following conditions must be informed to data subject:

• purpose of data collection, processing and use;
• name of data collector, if it is a legal entity then the registered name and contact information;
• list of information to collect, process and use;
• duration of process and use of information;
• information on whether the information is made public;
• information on whether the information will be passed to others, and if so, the list of information to be transferred.
• form of revocation of consent.

Collection, processing and use of information after the death of data subject

• Unless otherwise provided by law, if the data subject is deceased or is considered to be deceased, the relevant information shall be collected, processed and used with the written consent of the his/her family member, legal representative or will.
• However, if 70 years passed since the death of data subject, then the consent is not required to collect, process or use of sensitive information.

Transfer of information to foreign individuals, legal entities and international organizations

• The law prohibits the transfer of information to foreign individuals, legal entities or international organizations, except as provided in international treaties which Mongolia is a party, or with the consent of data subject.

Erasure of information

Data collector shall erase the information on the following grounds:

• by the request of data subject, if the information has not been collected, processed or used in accordance with the grounds and procedures provided by law;
• data collector is obliged to erase the information by law, international treaties which is Mongolia is a party, or by a valid court decision;
• information other than collected and processed in accordance with the law has achieved the purpose for which it was originally collected, or has been specified in the contract or has been mutually agreed upon;
• other grounds as provided by law.

Collection, processing of information on a contractual basis

Data collector may transfer the responsibility for data collection and processing to the data processor on a contractual basis.

Data security assessment

Data will be collected, processed and used through electronic technology without the involvement of the person in charge, and will be evaluated on the following grounds:

• making decisions that affect the rights, freedoms and legitimate interests of the data subject;
• continuous processing of sensitive information.

Authorized organization that protects information

The National Human Rights Commission has the following authority to protect information:

• to receive, investigate, and resolve complaints and information on infringement or potential infringement of human rights and freedoms related to the personal data protection, or take such actions on its own initiative, to provide directions and recommendations to relevant organizations;
• to provide directions and recommendations to relevant organizations regarding collection, processing, use and protection of sensitive information;
• receive and review reports submitted by the respondent on violations identified in the collection, processing and use of information and measures taken to eliminate its negative consequences, and make recommendations on further issues to be considered.

Liability for the violation of the law

• In case of infringement of this law, an individual shall pay a fine in the amount around 170 USD to 680 USD, a legal entity shall pay a fine in the amount around 1,700 USD to 6,792 USD under the Law of Mongolia on Infringement.
• While, under the Criminal code of Mongolia, convicts are subject to a fine in the amount around 458 USD to 9,169 USD, or restriction of right to travel or imprisonment for a period of 6 months to 5 years.