
The Road to Data Privacy: Understanding Mongolia’s Personal Data Protection Act
On December 17, 2021, the State Great Khural of Mongolia ('Parliament') adopted the Law of Mongolia on Protection of Personal Data (available in Mongolian) ('the Law on Personal Data Protection').
The Law on Personal Data Protection was adopted to substantially revise and reform the previous Personal Secrets Law, which did not fully comply with international standards such as obliging the data controller or collector to be responsible for the protection of personal data. The Law on Personal Data Protection provides for the principles, grounds, and purposes for collecting, processing, and using personal data, and for the rights and obligations of both the data subject and the data controller.
Scope and Applicability
Territorial scope
The Law on Personal Data Protection applies to the Mongolian territory.
Material scope
The Law applies to the processing, categorization, and use of personal data.
Legal bases
1. Consent
2. Contract with the data subject
3. Legal obligation
4. Interests of the data subject
5. Public interest
6. Legitimate interests of the data controller
Principles
Under the Law on Personal Data Protection, the following principles shall be observed in the collection, processing, and use of data:
refrain from violating human rights and freedom;
respect human rights and legal interests;
refrain from discrimination;
collect, process, and use data based on the law or with the consent of the data subject;
ensure data security, and ensure the accuracy and completeness of the data.
Controller and Processor Obligations
Data transfers
The Law on Personal Data Protection offers limited regulation on cross-border data transfers. It prohibits transferring data to individuals, legal entities, or international organizations in foreign countries unless permitted by law, international treaties, or with the data subject's consent (Article 14.1). Additionally, transferring personal data to a third party is not allowed without the data subject's consent (Articles 8.2.6 and 8.11). With consent, data controllers may also contractually assign data collection and processing tasks to data processors.
Data processing records
The data controller must keep records of its operation and activities for data collection, processing, and use.
Data protection impact assessment
Under the Law on Personal Data Protection, the data controller and data processor shall conduct a risk assessment to ensure the security of data processing operations.
Data Protection Officer appointment
Not applicable.
Data breach notification
The Law on Personal Data Protection lacks clear regulations on how to respond when a data subject's rights are violated. While the law requires notifications of violations, only the data processor must inform the data controller, who then notifies the data subject.
Data Retention
The data controller and the processor are obligated to store data obtained during the collection, processing, and use process.
The data controller may delete data only in specific situations: at the data subject's request if the data was not collected, processed, or used legally; if required by Mongolian law, international treaties, or a court decision; when the purpose for collecting the data has been fulfilled; or for other reasons specified in the law.
Children's data
Under the Law on Personal Data Protection, the "owner of personal information" includes their legal representative. Consent for collecting personal information can also be obtained from a legal representative.
Special categories of personal data
The Law on Personal Data Protection includes special provisions for two categories of sensitive personal data:
Personal data related to an individual's private key of a digital signature, sexual and gender orientation, sexuality, race, religion, belief, health and correspondence data, and conviction status.
Human genetic and biometric data.
Controller and processor contracts
The data controller may transfer its responsibility and obligation of data collection and processing to the data processor based on the contract.
Data Subject Rights
Right to be informed
Right to access
Right to rectification
Right to erasure
Right to object/opt out
Right to data portability
Right not to be subject to automated decision-making
Right to file a complaint
Penalties
Illegally acquiring, disclosing, or transferring personal data without consent is punishable under the Criminal Code. Additionally, the Minor Offences Law imposes fines of MNT 500,000 (about $144) for individuals and MNT 5 million (about $1,450) for legal entities for violations of the Law on Personal Data Protection that aren't classified as crimes. If the breach involves sensitive personal data, the fines increase to MNT 2 million (about $589) for individuals and MNT 20 million (about $5,890) for legal entities.