New regulations in the Law on Protection of Personal Data
|
Definitions:
|
- "Biometric information"
means non-overlapping physical data related to the human body such
as fingerprints, iris, face, voice and physical characteristics
that can be identified with the help of equipment, hardware, and
software;
- "Genetic information" means
unique information indicating a person's physical condition,
health and hereditary characteristics which result from an analysis
of a biological sample;
- "Correspondence
information" means letters, parcels, emails, and
information exchanged via communication and information
technology;
- "Property information"
means information on the property owned, possessed and used by the
data subject;
- "Sensitive information"
means a person's race, ethnic origin, religion, beliefs,
health, correspondence, genetic and biometric information, digital
signature private key, information on whether the person is serving
or has served any sentence, sexual and gender orientation,
expression, and information about sexual intercourse;
- "Health information" means
information related to physical or mental health, as well as
information on whether the person has received health care services;
- "Data subject" means a
person identified by the abovementioned information;
- "Data controller" means a
person, legal entity or non-legal entity that collects, processes
and uses information in accordance with the law or with the consent
of the data subject of the information.
- "Online identifier" means
a login name used to access any information system, an email
address, a social media account, wired and wireless technology
addresses, and information on other types of equipment and
information systems.
|
Collection, processing and use of information by a government
agency
|
The government agency shall collect and process information
on the following grounds:
- with the consent of the data subject;
- on the grounds specified by law;
- in cases provided by law, to exercise the rights and
fulfil the obligations in employment relations;
- to conclude contracts and ensure the implementation of
concluded contracts;
- to fulfil obligations under Mongolia's international
agreements;
- to implement its legal obligations without affecting the rights
and legitimate interests of the data subject.
The government agency shall use the information on the
following grounds:
- with the consent of the data subject;
- on the grounds specified by law;
- to prevent harm to the life, body, rights, freedoms, and
property of the data subject, and to protect his/her rights and
legitimate interests;
- to prevent damage to the rights and legitimate interests of
others;
- to create historical, scientific, artistic, literary works,
open data and statistics making it impossible to identify a
person.
|
Collection, processing and use of information by individuals,
legal entities and non-legal entities
|
Individuals, legal entities and non-legal entities other
than government agencies shall collect, process and use information
on the following grounds:
- with the consent of the data subject;
- on the grounds specified by law;
- in cases provided by law, to exercise his/her rights and fulfil
his/her duties in employment relations;
- to conclude contracts and ensure the implementation of
concluded contracts;
- the information is disclosed to the public in accordance with
the law;
- to create historical, scientific, artistic, literary works,
open data and statistics making it impossible to identify a
person.
Persons (individuals, legal entities, non-legal
entities) other than certain state organizations are prohibited from
collecting and using biometric and genetic information. However,
employers are allowed to use their employees' biometric information
(excluding fingerprints) for the purpose of identification and
verification of the employees in accordance with their internal
labor policy.
Employers are prohibited from collecting and using the following
information of employees:
- Information related to personal secrets;
- Membership in political party, public organization, and trade
unions.
|
Consent from the data subject
|
In order to obtain consent, the data subject must be informed
of the following:
- the purpose of data collection, processing and use;
- the name of the data collector and, if it is a legal entity, its
registered name and contact information;
- the list of information to be collected, processed and used;
- the duration of processing and use of the information;
- information on whether the information is made public;
- information on whether the information will be passed
to others, and if so, the list of information to be
transferred;
- the form of revocation of consent.
|
Collection, processing and use of information after the death
of the data subject
|
- Unless otherwise provided by law, if the data subject is
deceased or is considered to be deceased, the relevant information
shall be collected, processed and used with the written consent of
his/her family member, legal representative or will.
- However, if 70 years have passed since the death of the data
subject, consent is not required to collect, process or use
sensitive information.
|
Transfer of information to foreign individuals, legal entities
and international organizations
|
- The law prohibits the transfer of information to foreign
individuals, legal entities or international organizations, except
as provided in international treaties to which Mongolia is a party,
or with the consent of the data subject.
|
Erasure of information
|
The data collector shall erase the information on the following
grounds:
- at the request of the data subject, if the information has not
been collected, processed or used in accordance with the grounds and
procedures provided by law;
- the data collector is obliged to erase the information by law,
international treaties to which Mongolia is a party, or by a valid
court decision;
- information other than that collected and processed in accordance
with the law has achieved the purpose for which it was originally
collected, or has been specified in the contract or has been
mutually agreed upon;
- other grounds as provided by law.
|
Collection, processing of information on a contractual
basis
|
The data collector may transfer the responsibility for data
collection and processing to the data processor on a contractual
basis.
|
Data security assessment
|
Data will be collected, processed and used through
electronic technology without the involvement of the person in
charge, and will be evaluated on the following grounds:
- making decisions that affect the rights, freedoms and
legitimate interests of the data subject;
- continuous processing of sensitive information.
|
Authorized organization that protects information
|
The National Human Rights Commission has the following
authority to protect information:
- to receive, investigate, and resolve complaints and information
on infringement or potential infringement of human rights and
freedoms related to personal data protection, or take such
actions on its own initiative, and to provide directions and
recommendations to relevant organizations;
- to provide directions and recommendations to relevant
organizations regarding collection, processing, use and protection
of sensitive information;
- to receive and review reports submitted by the respondent on
violations identified in the collection, processing and use of
information and measures taken to eliminate their negative
consequences, and to make recommendations on further issues to be
considered.
|
Liability for the violation of the law
|
- In case of infringement of this law, an individual shall pay a
fine of around 170 USD to 680 USD, and a legal entity shall
pay a fine of around 1,700 USD to 6,792 USD, under the
Law of Mongolia on Infringement.
- Under the Criminal Code of Mongolia, convicts are
subject to a fine of around 458 USD to 9,169 USD, or
restriction of the right to travel or imprisonment for a period of 6
months to 5 years.
|