DLA Piper Intelligence

Data Protection
Laws of the World

Law

Kazakhstan
Kazakhstan

The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection' (the 'Law').

There are also a number of other laws providing for personal data protection requirements, including:

  • The Law on Informatisation
  • The Law on Communication
  • The Labour Code of Kazakhstan
Last modified 6 Feb 2019
Law
Kazakhstan

The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection' (the 'Law').

There are also a number of other laws providing for personal data protection requirements, including:

  • The Law on Informatisation
  • The Law on Communication
  • The Labour Code of Kazakhstan
Last modified 6 Feb 2019
Definitions

'Personal data' is any information relating to a specific individual (personal data subject) or a personal data subject who can be identified on the basis of such information which is recorded on electronic, paper and / or another tangible medium.

The law divides personal data into:

  • 'Generally accessible personal data', which is personal data that can be accessed freely with the consent of the personal data subject or to which confidentiality requirements do not apply in accordance with Kazakh law, and
  • 'Limited access personal data', which is personal data, access to which is limited by Kazakh law

Kazakh law does not provide an express definition of sensitive personal data. In certain cases, sensitive personal data may qualify as limited access personal data and, as such, it is additionally regulated by sector-specific laws of Kazakhstan (eg, medical secrecy, subscriber data).

Last modified 6 Feb 2019
Authority

State regulation of personal data and its protection is carried out by various state authorities. 

The government of Kazakhstan

  • Develops the main directions of state policy
  • Manages activities of central and local executive bodies
  • Approves the procedure for determining by an owner and / or operator of a database containing personal data of the list of personal data that are necessary and sufficient for performing the owner’s and / or operator’s tasks
  • Approves the procedure for implementation of measures for the protection of personal data by an owner and / or an operator of a database containing personal and a third party having access to such database, etc

State authorities, each within its competence

  • Develop and / or approve regulatory acts
  • Consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues
  • Take measures for bringing persons who have violated personal data legislation of Kazakhstan to liability
  • Exercise other powers provided for by Kazakh law

Prosecution authorities

  • Carry out the highest supervision over observance of law in the field of personal data and its protection
Last modified 6 Feb 2019
Registration

Under Kazakh law, there is no express registration requirement in relation to personal data and its protection.

Last modified 6 Feb 2019
Data Protection Officers

Under Kazakh law, an owner and / or operator of a database containing personal data and a third party having access to such database should, inter alia, when collecting and processing personal data, determine:

  • A list of persons carrying out collection and processing of personal data or having access to it, and
  • A list of persons responsible for compliance with data protection requirements.
Last modified 6 Feb 2019
Collection & Processing

Kazakh law requires those collecting and processing personal data to have the consent of the personal data subject or his / her legal representative. Such consent should be given in writing or in the form of an electronic document with the use of protective measures.

As a general rule, personal data subjects or their representatives may revoke their consent. However, the consent may not be revoked in cases where such revocation contradicts requirements of Kazakh law or there are any unfulfilled obligations.

Kazakh law allows the collection and processing of personal data without the consent of a personal data subject or his / her legal representative in cases explicitly prescribed by Kazakh law. Such cases may include, inter alia:

  • Exercise of activities of law enforcement bodies and courts
  • Implementation of state statistical activities
  • Implementation of international treaties ratified by Kazakhstan
  • Protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his / her legal representative is impossible
  • Carrying out legal professional activities of a journalist, carrying out mass media, scientific, literary or other creative activities, subject to compliance with requirements of Kazakh law

Under Kazakh law, access to personal data is determined by the terms of consent for collection and processing of personal data, unless otherwise provided by Kazakh law. A person should be denied access to personal data if he / she refuses to assume obligations to ensure compliance with the requirements of the Law or may not ensure it.

Persons having access to limited access personal data should ensure its confidentiality. 

Under Kazakh law, accumulation of personal data is carried out by collecting personal data that is necessary and sufficient to fulfill the tasks performed by an owner and / or an operator of a database containing personal data and by a third party having access to such database.

Personal data should be stored in databases located in Kazakhstan.

The period for retention of personal data is determined by the date of fulfillment of the purpose(s) for collection and processing of the personal data, unless otherwise provided by Kazakh law.

Last modified 6 Feb 2019
Transfer

Transfers of personal data are allowed if they do not violate the rights and freedoms of a personal data subject and do not affect the legitimate interests of other individuals and / or legal entities.

The transfer of personal data in cases that go beyond the previously stated purposes of its collection is permitted if carried out with the consent of a personal data subject or his / her legal representative.

The cross-border transfer of personal data to other countries is carried out only in cases where such countries ensure protection of personal data.

The cross-border transfer of personal data to countries that do not ensure protection of personal data is possible:

  • With the consent of the personal data subject or his / her legal representative to the cross-border transfer of his / her personal data
  • In cases stipulated by international treaties ratified by Kazakhstan
  • In cases provided for by Kazakh law, if it is necessary for protecting the constitutional system, public order and public health and morals and rights and the freedoms of a person in Kazakhstan
  • In case of protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his / her legal representative is impossible

Kazakh law may in certain cases prohibit the cross-border transfer of personal data.

Last modified 6 Feb 2019
Security

Collection and processing of personal data is carried out only if its protection is ensured. Kazakh law defines protection of personal data as a set of legal, organization and technical measures.

The owner and / or operator of a database containing personal data and a third party having access to such database are required to take measures for protecting personal data, which ensure:

  • Prevention of unauthorized access to personal data
  • Timely detection of the facts relating to an incident of unauthorized access to personal data, if such unauthorized access could not be prevented
  • Minimizing adverse effects of unauthorized access to personal data

The obligations of an owner and / or operator of a database containing personal data and a third party having access to such database to protect personal data arise from the moment of collecting the personal data and remain in force until such personal data is destroyed or depersonalized.
 
Kazakh law provides for additional requirements with regard to protection of electronic resources containing personal data.

Last modified 6 Feb 2019
Breach Notification

There is no express breach notification requirement under Kazakh law in relation to personal data and its protection. However, an owner and / or operator of a database containing personal data and a third party having access to such database may be required to notify personal data subjects or state authorities about a breach based on the general principles of Kazakh law.

There is no express mandatory breach notification requirement under Kazakh law in relation to personal data and it protection.

Last modified 6 Feb 2019
Enforcement

Generally, all state authorities of Kazakhstan, depending on their competences, (1) may consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues and (2) take measures against persons who have violated the personal data legislation of Kazakhstan.

The Prosecution Authorities of Kazakhstan supervise compliance with the personal data legislation of Kazakhstan and may also take measures against persons who have violated the personal data legislation of Kazakhstan. Interested persons may file complaints to the Prosecutor’s Office regarding breaches of the legislation in relation to personal data and its protection.

Kazakh law provides for administrative and criminal liability for the violation of legislation in relation to personal data and its protection.

Last modified 6 Feb 2019
Electronic Marketing

Kazakh law does not expressly regulate personal data and its protection in relation to electronic marketing. However, electronic marketing should be carried out in compliance with the law 'On Advertisement' and the law. As such, for example, the consent of a personal data subject should be obtained for the collection and processing of his / her personal data for electronic marketing purposes.

Last modified 6 Feb 2019
Online Privacy

Kazakh law does not specifically regulate online privacy.

Last modified 6 Feb 2019
Contacts
Dinara Jarmukhanova
Dinara Jarmukhanova
Partner, Head of Kazakh practice
Centil Law Firm
T +7 727 315 0784
Dariga Adanbekova
Dariga Adanbekova
Associate
Centil Law Firm
T +7 727 315 0784
Last modified 6 Feb 2019