Data & Privacy · Mongolia

Data protection & privacy laws in Mongolia (2026)

Comprehensive lawLaw of Mongolia on Personal Data Protection (adopted 17 December 2021, in force 1 May 2022); oversight shared between the National Human Rights Commission and the Ministry of Digital Development, Innovation and CommunicationsCountry index 69 · B

Mongolia shaded by its data & privacy status

Mongolia enacted a comprehensive personal data protection law in December 2021, effective May 2022, broadly aligned with GDPR principles and covering collection, processing, use, and security of personal data for all individuals and legal entities operating in Mongolia. The law grants data subjects rights to consent, access, rectification, erasure, objection, and portability. Enforcement remains an acknowledged weakness: there is no independent data protection authority, sanctions are lenient, and a UN Special Rapporteur who visited in April 2025 urged stronger oversight mechanisms and greater public awareness.

Key points

Primary Legislation

The Law of Mongolia on Personal Data Protection was adopted by Parliament on 17 December 2021 and entered into full force on 1 May 2022, making Mongolia the last Central Asian country to enact a standalone data-privacy law. It covers all individuals, legal entities, and organisations without legal status that collect, process, or use personal data in Mongolia.

source 1 ↗source 2 ↗

Supervisory Authorities

Oversight is split between the National Human Rights Commission (one designated member acts as an 'Information Protection Commissioner' and handles complaints) and the Ministry of Digital Development, Innovation and Communications. There is no standalone independent data protection authority; critics and the UN Special Rapporteur have identified this as a structural gap.

source 1 ↗source 2 ↗

Data Subject Rights

The law grants data subjects rights to provide or withdraw written consent, access their data, request rectification or deletion, object to processing, and demand data portability. Sensitive categories (genetic/biometric data, sexual orientation, race, digital-signature private keys) receive enhanced protection.

source 1 ↗source 2 ↗

Cross-Border Data Transfers

Transfers of personal data abroad are prohibited except where: (a) permitted by Mongolian law or an international treaty to which Mongolia is a party, or (b) the data subject has given consent and adequate protection is ensured in the receiving country.

source 1 ↗source 2 ↗

Enforcement & Sanctions

Data controllers face administrative fines for breaches; serious unlawful processing that harms individuals can trigger criminal liability under the Criminal Code of Mongolia. The UN Special Rapporteur's April 2025 visit and February 2026 Human Rights Council report found enforcement 'lacking in strength' due to excessively lenient sanctions and low public awareness.

source 1 ↗source 2 ↗

UN Review & Reform Outlook

The UN Special Rapporteur on the Right to Privacy visited Mongolia 8–14 April 2025 and praised the law as 'a much-needed comprehensive update' but urged amendments to create an independent DPA with binding powers, clearer oversight provisions, and accessible remedies. The full country report was submitted to the Human Rights Council in February 2026.

source 1 ↗source 2 ↗

Mongolia - other topics

Crypto & Digital Assets Artificial Intelligence Digital Payments & Fintech Digital Nomad & Residency Internet & Online Safety Cybersecurity Starting a Business

Read in:Spanish French German Portuguese Hindi

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →