Mongolia introduces Personal Data Protection Law effective from 1 May 2022

Mongolia • No. 02/2022 • March 2022

On 17 December 2021, the Parliament of Mongolia passed the Law on Personal Data Protection (the “PDPL”) effective from 1 May 2022. The PDPL, once effective, will establish broader and more stringent regulatory regimes surrounding personal data in Mongolia, compared to its preceding law the Law on Personal Secrecy (1995).

The PDPL is intended to regulate together with the Cybersecurity law (2021), Public Information Transparency Law (2021), and Electronic Signature Law (2021) (each effective from 1 May 2022) and create a comprehensive framework governing cybersecurity and data privacy protection in Mongolia. We highlight the key aspects of the PDPL and its impact on businesses.


The PDPL applies to all individuals, legal entities and organizations without legal status (representative offices and permanent establishments) collecting, processing, using and protecting personal data in Mongolia.

Scope of personal information and definitions

  1. What is personal data?
  2. What is sensitive data?
  3. Who is data subject?
  4. Who is data controller?

Data use, Data collecting, Data processing

Key requirements

  1. Legal basis for collecting, processing and using personal data
  2. Requirement for notification and consent
  3. Transfer of personal data outside of Mongolia
  4. Use of data processors
  5. Data security assessment
  6. Requirement to destroy personal data

Data subject’s rights

Data controller’s obligations

Notification and reporting requirements


Further actions to be taken

Contact us

Sergi Kobakhidze

Tax and Legal Services Partner, PwC Mongolia

Tsendmaa Choijamts

Director, Tax and Legal services, PwC Mongolia

Tel: +976 70009089

Follow us