The following examples show the kinds of violations of personal data protection law committed by legal entities, and the measures the Agency took in response.
- Displaying patients' medical test results openly on the website of the medical clinic “S.”. When random five-digit numbers were entered, the site displayed the results of patients' diagnostic studies (computed tomography, mammography, digital X-ray, ultrasound, bone densitometry and ECG). The results included the patient's full name, date of treatment, study protocol, date of birth, gender, description of the study, state of health, conclusion and the doctor's full name.
The Agency sent letters to the medical clinic pointing out the violations of citizens' rights in the field of personal data protection and the need to eliminate them. The medical clinic “S.” eliminated these violations.
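The clinic case above is a lookup keyed by a short, guessable number with no check on who is asking. The following added example (not the clinic's code; the records, names and ids are constructed) shows that pattern beside a hardened lookup that requires a session and an ownership check, an unguessable identifier to replace the five-digit number, and a simple monitor that flags a client missing on many distinct ids.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (hypothetical, not real patients).
STUDIES = {
    "48213": {"patient_id": "p-001", "doctor_id": "d-007", "study": "CT chest", "conclusion": "no findings"},
    "48214": {"patient_id": "p-002", "doctor_id": "d-009", "study": "ECG", "conclusion": "sinus rhythm"},
}

@dataclass
class Session:
    user_id: str
    role: str  # "patient" or "doctor"

def lookup_vulnerable(study_id: str) -> Optional[dict]:
    """The clinic pattern: any five-digit number returns the record, with no authentication."""
    return STUDIES.get(study_id)

def _may_view(session: Session, study: dict) -> bool:
    # Only the patient the study belongs to or the doctor who signed it may read it.
    owner = {"patient": study["patient_id"], "doctor": study["doctor_id"]}.get(session.role)
    return owner is not None and owner == session.user_id

def lookup_hardened(session: Optional[Session], study_id: str) -> dict:
    """Authenticated lookup with an ownership check; missing and forbidden look identical."""
    if session is None:
        raise PermissionError("authentication required")
    study = STUDIES.get(study_id)
    if study is None or not _may_view(session, study):
        raise LookupError("not found")  # same answer either way, so ids cannot be probed
    return study

def new_study_token() -> str:
    """Unguessable identifier to use in links instead of a short numeric id."""
    return secrets.token_urlsafe(16)  # 128 bits of randomness

class LookupMonitor:
    """Flags a client whose failed lookups cover many distinct ids, the signature of id guessing."""
    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.misses = defaultdict(set)

    def record(self, client: str, study_id: str, found: bool) -> bool:
        if not found:
            self.misses[client].add(study_id)
        return len(self.misses[client]) >= self.threshold
```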
- Forced transfer of personal data to third parties from the mobile application “E.M.”. A citizen complained that it was impossible to register in the mobile application without ticking a box consenting to the collection, processing and transfer of personal data to third parties, and to the processing and cross-border transfer of personal data.
Letters were sent to the owner of the application pointing out the violations of citizens' rights in the field of personal data protection and requiring their elimination. The company is currently taking appropriate measures to eliminate these violations. If no action is taken, materials on this matter will be sent to law enforcement agencies for a legal assessment of the actions of “E.M.” and the adoption of appropriate measures.
- Issuing a loan through a mobile application to an unidentified person. A fraudster with access to a copy of another person's passport took out a loan in that person's name through the mobile application “S.”. The loan amounts exceed 10 thousand soms. The Ministry of Internal Affairs of the Kyrgyz Republic opened a criminal case on this matter.
The Agency sent letters to the owner of the mobile application requesting detailed information on the user identification mechanisms used in the web application, on the internal procedures that protect citizens' personal data during its collection, processing and storage, on whether the collected personal data is transferred across borders, and on the measures taken to strengthen the security of the personal data of the web application's users.
The organization changed its identification procedures: an additional identification factor is now required when applying for a loan, and a cybersecurity department was created that implements a risk management system and ensures the confidentiality of personal data.
- Requesting someone else's personal data. At the bank “F.”, someone else's personal data was requested through the State Portal of Electronic Services without the data subject's consent, in violation of the requirements of the Agreement concluded between the parties.
The Agency sent the bank “F.” a request for detailed information on the measures taken to remedy the incident and on the organizational and legal measures carried out in the field of information security as it relates to working with personal data.
According to the information provided by the organization, disciplinary measures were applied to the employees involved, and the employment of the head of the department was terminated on the basis of an application he submitted.
To prevent possible risks, the bank “F.” has developed procedures and instructions for working with the system, conducted training for all employees involved, signed non-disclosure agreements with them, and constantly monitors employees to prevent risks from arising.