Organizations and institutions that collect, store and process personal data are required to register in the Register of Holders (Owners) of Personal Data Arrays. From November 23, 2025, administrative liability will be introduced for working with personal data without registration, providing for fines of up to 120 thousand soms.
Mandatory registration is established by the Law of the Kyrgyz Republic “On Personal Information” and is intended to ensure transparency of data processing and the protection of citizens’ rights.
“The key objectives of the registry are: protecting the rights of personal data subjects, recording holders and arrays of information, ensuring transparency of data processing and preventing their illegal use,” notes the State Agency for Personal Data Protection.
What is personal data in Kyrgyzstan, who is required to register in the Register of Holders and what fines are provided for individuals, officials and legal entities in case of violation of the law – Economist.kg answers these and other questions.
What is personal data?
According to the legislation, regulatory legal acts and official information of the state agency, personal data is understood as any information by which a specific person can be directly or indirectly identified.
Thus, personal data includes biographical and identification information about a citizen, personal characteristics, information about family, social and financial status, health status, etc. Simply put, personal data is any information about an individual that relates to that person or allows that person to be identified.
For example, personal data includes:
- last name, first name, patronymic;
- personal identification number (PIN) or TIN;
- passport and biometric data;
- marital status;
- health information or medical records;
- educational and employment information;
- online identifiers (user login, IP address);
- photo or video materials that allow one to identify the person;
- other information that can be used to identify the individual.
A special category of personal data is the so-called “sensitive” data: for example, biometric characteristics, health status, personal life information, bank details. The processing and transfer of such data requires enhanced security and confidentiality measures.
At the same time, not all information is personal. Information that does not allow a specific person to be identified by itself is not considered personal data. For example, the following is not considered personal data:
- organization registration number;
- TIN of a legal entity;
- general company email address;
- name of the city (without reference to a specific address or person);
- a common name without a family name or other identifiers.
Who must register in the Register?
Almost any organization operating in Kyrgyzstan, in one way or another, collects or stores information about individuals – be it citizens, employees, clients or other entities. Thus, to one degree or another, all of them are holders of arrays of personal data and are subject to the requirements of the law.
The law defines holders of personal data as government bodies and local government bodies, as well as commercial and non-commercial organizations, enterprises, and institutions that work with arrays of personal data.
If an organization has any information about individuals (for example, a customer database, an archive of questionnaires or personal files of employees, contracts with citizens), then this set of information is considered an array of personal data. It does not matter in what form the data is stored – on paper or electronically, in the form of an archive, card index, database or information system.
For example, a standard HR department of an enterprise contains personal files of employees (questionnaires, copies of documents, contact information, etc.), i.e., it actually maintains an array of personal data. The same applies to client databases, subscriber lists, patient data, etc. Thus, any organization that has information about individuals acts as a holder of an array of personal data.
According to Article 30 of the Law of the Kyrgyz Republic “On Personal Information”, all arrays of personal data and their holders are subject to mandatory registration with the authorized state body. In fact, any company working with personal data of citizens must be registered in a special state registry.
Registration in the Register of Holders
The register of holders (owners) of personal data arrays is a unified system of state registration of all holders and their personal data arrays, as well as lists of personal data included in these arrays. This state database was created to implement the requirements of Article 30 of the law and is maintained by the relevant State Agency. The register is publicly available and functions in electronic format – data is submitted and published online.
The Register records detailed information about each holder and its personal data arrays, including:
- name of the personal data array;
- name of the holder and its details (address, legal form, departmental affiliation, telephone, last name and first name of the manager, e-mail, fax);
- purposes and methods of collecting and using personal data;
- conditions (modes) and periods of data storage;
- list of personal data collected;
- categories (groups) of personal data subjects whose information is contained in the array;
- sources of obtaining personal data;
- the procedure for informing subjects about the fact of collection and the possible transfer of their data;
- measures to ensure the safety and confidentiality of personal data;
- official responsible for working with personal data;
- the recipients or categories of recipients to whom the data is transferred;
- information on the proposed cross-border transfer of personal data (if planned).
At the same time, personal data and their arrays are not included in the Register if they contain information constituting a state secret.
Registration is carried out entirely online on the official website of the state agency – in the “Register” section of the portal dpa.gov.kg.
To register, the responsible employee of the organization must log in through the Unified Identification System (UIS) using the cloud electronic signature (EDS) of the legal entity. The registration procedure is regulated in detail by the Cabinet of Ministers resolution.
The State Agency has developed detailed instructions for filling out the register. A video instruction on how to work with the system is also available. If you have any difficulties, you can get advice by calling the agency’s hotline: +996 997 950 850, +996 998 950 350 or +996 709 950 750.
