Fines of up to 120,000 soms have been introduced in Kyrgyzstan for violation of rules for handling personal data.
On April 10, 2025, the Parliament adopted amendments to the Code of Offenses, increasing liability for violation of legislation on the protection of personal data.
The document contains a new chapter (Articles 4132-4135) devoted to personal data.
Administrative liability is introduced for:
1. Violation of the procedure of working with personal data (Article 4132)
Fine for the first violation:
- Individuals — 7,500 soms;
- Officials — 10,000 soms;
- Legal entities — 65,000 soms.
For repeated violation within a year:
- Individuals — 25,000 soms;
- Officials — 30,000 soms;
- Legal entities — 120,000 soms.
For absence of registration in the Register of Personal Data Holders:
- Legal entities — 45,000 soms.
2. Illegal cross-border transfer of personal data (Article 4133)
Initial violation:
- Individuals — 15,000 soms;
- Officials — 17,500 soms;
- Legal entities — 65,000 soms.
Repeated violation:
- Individuals — 30,000 soms;
- Officials — 35,000 soms;
- Legal entities — 100,000 soms.
3. Refusal to provide data to the subject himself (Article 4134)
Fine for unjustified refusal:
- Legal entities — 25,000 soms;
- Repeatedly within a year — 45,000 soms.
4. Failure to comply with the requirements of a government agency regarding personal data (Article 4135)
- Individuals — 10,000 soms;
- Officials — 20,000 soms;
- Legal entities — 30,000 soms.
A special authorized government agency has also been established to consider such violations and issue fines.
The law will come into force in six months. During this time, government and private organizations must bring their internal processes into compliance with the new requirements.
