Researchers: Nurbek Arzymbaev, Talant Sultanov, Ayperi Bozoeva, Zhazgul Zuridinova
The main task of the study was to find out how the “market”, that is, the commercial [1] sector in the Kyrgyz Republic, ensures the implementation of legislation on the collection and processing of personal data directly provided by users [2], in the absence of a body that monitors the implementation of legislation.
Based on the results of our research, we can assert that the vast majority of the companies we studied illegally collect personal data, do not inform users about the list of collected personal data, the purposes of their collection and processing, their rights, storage periods and their protection.
Of the more than 500 company websites we have viewed, about 180 directly collect personal data (hereinafter PD) from users. The vast majority collect user contact information for feedback and sending information about the company’s promotions and products.
Of the 180 companies collecting PD, only 44 obtain consent. However, according to our research, the vast majority of online forms for obtaining consent for the processing of personal data do not comply with the legislation on personal data of the Kyrgyz Republic. According to the current legislation, there are no rules for giving electronic consent for the collection and processing of PD, except for the use of an electronic signature. Although the law provides a simplified form, the “simple electronic signature”, only a few of the web resources we viewed use it to obtain consent for the collection and processing of personal data.
Of the 180 websites that requested PD, over 40% were located outside the country. At the same time, only six companies displayed clauses on cross-border data transfer in the consent form.
Of the 519 websites, only 17 (or 3%) have published a Personal Data Processing Policy [3]. Accordingly, the remaining websites do not inform users about the purposes of collecting PD, the conditions for their processing, storage and destruction, users' rights and other important aspects related to PD. It should also be noted that only one company out of 519 developed and published a Data Processing Policy in the Kyrgyz language.
It is difficult to draw unambiguous conclusions about the volume and excessiveness of the data collected, because the companies have not published the purposes of collection. But we have recorded cases of collection of special categories of PD [4] and of collection of PD that does not correspond to the text of the consent received.
In general, a portrait of a company in the commercial sector can be drawn: the company collects personal data directly from users only for marketing mailings, feedback or discounts; does not receive legitimate consent from users to collect and process PD; and does not notify users about the measures taken to protect PD or about the rights of users.
According to the results of the study, it can be concluded that the absence of an authorized body negatively affects the relationship of the PD subject with the private sector. Subjects of personal data cannot exercise their legal rights, and the commercial sector does not actually comply with the country's legislation and other acts on the protection of personal data. In addition, having studied the legislation of the country, checked the implementation of the rights of PD subjects and analyzed leaks of PD in the course of the study, we believe that there are significant gaps in the country’s legislation. The main ones include the following: the rights to withdraw consent are not clearly spelled out; giving electronic consent is difficult (only an electronic signature); and there are no rules on notification of a leak, on the ability to unsubscribe from marketing mailings or on the protection of children’s personal data, etc.
[1] The issue of data collection and processing by the public sector requires a separate study.
[2] It should be noted that in the study we separate the concepts of “directly provided personal data” and “indirectly provided personal data”. The study covered only directly provided personal data. In subsequent studies, we will consider indirectly provided personal data and the attitude of users towards them.
[3] The document, which is often also called the privacy policy, defines the policy of the holder / processor with respect to the processing of personal data (hereinafter the Policy).
[4] In the Personal Information Law, special categories are defined as racial or ethnic origin, national origin, political opinion, religious or philosophical beliefs, as well as data related to health and sexual inclinations.
Source: Research on Personal Data in the Commercial Sector of the Kyrgyz Republic