Key considerations for the technical requirements in processing sensitive data, including genetic and biometric data

No. 02/25, February 2025

In Brief

With the enactment of the Personal Data Protection Law ("PDPL") in 2021, Mongolia introduced several advanced and novel legal concepts in the realm of data protection. Notably, the PDPL categorizes personal data based on its nature into various types, including sensitive, confidential, biometric, and genetic information. It also imposes restrictions on the use of such data and requires data controllers to comply with more stringent legal requirements when collecting, using, or processing this type of sensitive data.

In conjunction with the PDPL, the Regulation on Processing Sensitive Data was adopted. This Regulation specifies the principles to be adhered to when processing sensitive, biometric, and genetic data. It details the technological security measures and server requirements necessary for the processing of sensitive data. This Legal Insight highlights these aspects and provides key considerations associated with the Regulation.

CLASSIFICATION OF PERSONAL DATA: WHAT ARE SENSITIVE, BIOMETRIC, AND GENETIC DATA?

Biometric Data: This term refers to information that can identify an individual through the use of equipment, technology, and software. It encompasses unique physical characteristics such as fingerprints, iris patterns, facial features, voice, and distinctive body movements.

Genetic Data: This refers to unique information about an individual's body, health, and inherited traits, which is determined through the analysis of biological samples. (Biometric and genetic data are considered types of sensitive data.)

Sensitive Data: This encompasses details about an individual's ethnicity, religion, beliefs, health, correspondence, genetic and biometric data, digital signature keys, criminal record, sexual orientation, gender identity, and sexual behavior.

Personal Data: This includes any data that can directly or indirectly identify an individual. Examples include a person's full name, date of birth, place of birth, address, assets, education, memberships, and digital identifiers.

PRINCIPLES FOR PROCESSING SENSITIVE DATA:

The Regulation outlines the principles for processing sensitive data, some of which align with the European Union's General Data Protection Regulation 2016 (GDPR). These principles include:

  • Transparency - Clearly and transparently informing the data subject about which data is used, for what purpose, and how it will be used
  • Purpose Limitation - Using the personal data only for its intended purpose and not for any other purposes
  • Storage Limitations - Deleting personal data that is no longer necessary
  • Accountability - Complying with legal and regulatory requirements
  • Based on Risk Assessment - Regularly conducting risk assessments and implementing necessary measures based on the findings of assessments
  • Integrated Information System - Maintaining a secure, integrated system for processing sensitive data

TECHNOLOGICAL REQUIREMENTS FOR PROCESSING SENSITIVE DATA:

Technology for processing sensitive data encompasses all types of software, servers, and other technological solutions used in the collection and processing of such data. In this context, the Regulation outlines the following main obligations for entities processing sensitive data using any technological solutions. These obligations include:

  • Establish and implement internal regulations on ensuring information security
  • Appoint an information security officer or unit
  • Ensure that all programs, networks, and devices used for processing sensitive data are authorized by the appropriate authorities
  • Use only officially licensed software and conduct information security risk assessments every two years or as needed
  • Perform information security audits annually or whenever a security breach occurs
  • As the data controller, maintain and monitor a historical record of any modifications, deletions, or restorations of data to ensure its integrity and confidentiality

REQUIREMENTS FOR SERVERS PROCESSING SENSITIVE PERSONAL INFORMATION:

When processing sensitive personal data using any server, the Regulation imposes the following common requirements on such servers. These include:

  • The server must be located within the territory of Mongolia
  • The server must be accessible only from Mongolia
  • The server must be placed in a dedicated technical room
  • The server's capacity must be able to be increased if needed
  • The server must be connected to the network time server of the Communications Regulatory Commission
  • The server must be able to exchange information through the state information exchange system "KHUR"
  • The server must be protected by an "SSL" certificate for information exchange systems
  • The information system must be backed up regularly

Can servers processing sensitive data of Mongolian citizens be located outside Mongolia?

As previously mentioned, the Regulation outlines several specific requirements regarding the location of data processing servers within Mongolia. Consequently, there is a common concern among the public and businesses about whether it is permissible to process sensitive data using servers located abroad and whether transferring such data to foreign countries poses any issues. Therefore, if you are seeking consultation on this matter or any other issues related to data protection, please do not hesitate to contact us for expert advice from our specialized legal professionals in the field of data protection.
