1) What laws in Mongolia regulate the protection of employee personal data, and how do they compare to international standards?
In Mongolia, the protection of employee personal data is primarily regulated by the following laws and regulations:
1. Law on Personal Data Protection (2021): The Law regulates the relations concerning the collection, processing, use, and security of personal data by a person, legal entity, or non-legal entity. In addition to this, relations concerning data collection, processing, use, and security with the assistance of hardware and software shall be applied to this Law.
2. Labor Law: contains specific provisions related to the non-disclosure of an employee's personal confidential information obtained during the employment relations, the requirements, and procedure for receipt, processing, maintenance, and use of the employee's data.
Comparison to International Standards:
The Law of Mongolia on Personal Data Protection aligns with international standards established primarily by the European Union's General Data Protection Regulation (GDPR), enacted and OECD Guidelines and Principles.
2) What types of employee personal data are typically protected under labor laws?
The Labor Law does not specify the types of employee personal data that are protected. In contrast, the Law on Personal Data Protection defines personal data and sensitive information that should be protected as follows:
1. Personal data means sensitive personal data and other information, including last name, first name, date of birth, place of birth, address of residence, location, citizen's registration number, property, education, membership, electronic identifiers, and other information that can directly or indirectly identify or potentially identify a person.
2. The sensitive information means information in regards with a person's race, ethnic origin, religion, beliefs, health, letter, genetic and biometric data, digital signature private key, criminal records, sexual and gender orientation, expression, and sexual relations.
3) How to ensure compliance with personal data protection legislation when transferring employee personal data to third parties (e.g., contractors, partners)?
The following requirements should be adhered to when transferring employee personal data to third parties (e.g., contractors, partners):
Per the Law on Personal Data Protection:
- 8.2.6 The data controller (or employer) must disclose whether the data will be transferred to third parties, identify the recipients, provide a list of the information to be transferred, and obtain consent from the data subject (or employee);
- 8.3 The data subject shall give written consent to the data controller, which shall be in paper or electronic form;
- 10.2 and 10.3 An employer may use biometric data other than non-overlapping physiological data (fingerprints) with the employees' consent in order to facilitate the identification and verification of employees under the internal labor procedures. However, the employer is prohibited from processing, changing, or transferring this data used to other persons;
- 14.1. Data transfer to foreign individuals, legal entities, or international organizations is prohibited, except as provided in laws, and international treaties to which Mongolia is a party, or with the consent of the data subject.
4) In what form is consent obtained for the processing of employees' personal data?
As specified by Articles 8.1 and 8.3 of the Law on Personal Data Protection, the data controller shall obtain written consent from the data subject for data processing, collection, and use, except as provided by law. The written consent shall be in paper or electronic form.
5) What personal data of employees may not be requested and processed by the employer?
Following Article 44.3 of the Labor Law, a receipt, processing, and maintenance of the data pertaining to an employee's personal secret or his/her membership to a political party, public organization, or trade union is prohibited unless otherwise stated in law.
6) What are the consequences of violating employee data protection laws?
Any breach of the Law on Personal Data Protection will result in penalties being imposed in accordance with the Law on Violations. If the breach results in criminal liability, it will be addressed under the Criminal Code.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.