Research on Personal Data in the Commercial Sector of the Kyrgyz Republic

Researchers: Nurbek Arzymbaev, Talant Sultanov, Aiperi Bozoeva, Zhazgul Zuridinova

The main objective of the study was to find out how the “market”, that is, the commercial[1] sector in the Kyrgyz Republic, enforces the legislation on the collection and processing of personal data directly provided by users[2], in the absence of an enforcement authority.

According to the results of our research, we can state that the vast majority of companies we studied collect personal data illegitimately, do not inform users about the list of collected personal data, the purposes of their collection and processing, their rights, storage periods and their protection.

Of the more than 500 company websites we reviewed, about 180 directly collect personal data (hereinafter referred to as PD) from users. The vast majority collect users’ contact details to provide feedback and send information about company promotions and products.

Out of 180 companies collecting personal data, only 44 companies obtain consent. However, according to our research, the absolute majority of online consent forms for personal data processing do not comply with the personal data legislation of the Kyrgyz Republic. According to the current legislation, there are no norms for giving electronic consent to the collection and processing of personal data, except for the use of electronic signature. Although the law provides a more simplified form, the “simple electronic signature”, only a few of the web resources reviewed use it to obtain consent to the collection and processing of personal data.

Of the 180 websites that requested PD, over 40% were located outside the country. However, only six companies displayed cross-border data transfer clauses in the consent form.

Of the 519 websites, only 17 (or 3%) had published a Personal Data Processing Policy on their websites[3]. Accordingly, they do not familiarise users with the purposes of collecting PD, conditions of processing, storage, destruction, rights and other important aspects related to PD. It should also be noted that only one company out of 519 has developed and published its Data Processing Policy in Kyrgyz.

It is rather difficult to make unambiguous conclusions about the volume and excessiveness of collected data due to the lack of collection purposes published by the companies. However, we have recorded cases of collecting special categories of personal data[4] and collection of personal data that do not correspond to the text of the consents obtained.

In general, we can draw a portrait of companies in the commercial sector – the company collects personal data directly from users only for marketing mailings, feedback or discounts; does not obtain legitimate consent from users for the collection and processing of personal data; does not notify users about the measures taken to protect personal data, about the rights of users.

According to the results of the study, it can be concluded that the absence of an authorised body negatively affects the relationship of the subject of PD with the private sector. PD subjects cannot realise their legal rights, and the commercial sector does not actually comply with the legislation and other acts on personal data protection in the country. Having studied the legislation of the country, checked the enforcement of the rights of PD subjects and analysed the leakage of PD during the research, we also believe that there are significant gaps in the legislation of the country. The main ones include the following: the rights to revoke consent are not clearly defined, there are difficulties in giving electronic consent (only electronic signature), and there are no norms on notification of leakage, the possibility of unsubscribing from marketing mailings, protection of children’s personal data, etc.

[1]The issue of data collection and processing by the public sector requires a separate study.

[2]It should be noted that in the study we separate the concepts of “directly provided personal data” and “indirectly provided personal data”. The study covered only directly provided personal data. In subsequent studies, we will examine indirectly provided personal data and users’ attitudes towards it.

[3]A document, often also referred to as a privacy policy, defines the policy of the holder/processor regarding the processing of personal data (hereafter referred to as the Policy).

[4]In the Personal Information Act, special categories are defined as racial or ethnic origin, nationality, political opinions, religious or philosophical beliefs, as well as data concerning health conditions and sexual inclinations.

Source: Survey on personal data in the commercial sector of the Kyrgyz Republic