DLA Piper Intelligence

Data Protection
Laws of the World

Law

Kazakhstan

The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection' (the 'Law').

There are also a number of other laws providing for personal data protection requirements, including:

  • The Law on Informatisation
  • The Law on Communication
  • The Labour Code of Kazakhstan
Last modified 22 Jan 2021
Definitions

Definition of personal data

'Personal data' is any information relating to a specific individual (personal data subject) or a personal data subject who can be identified on the basis of such information which is recorded on electronic, paper and / or another tangible medium.

The law divides personal data into:

  • 'Generally accessible personal data', which is personal data that can be accessed freely with the consent of the personal data subject or to which confidentiality requirements do not apply in accordance with Kazakh law, and
  • 'Limited access personal data', which is personal data, access to which is limited by Kazakh law

Definition of sensitive personal data

Kazakh law does not provide an express definition of sensitive personal data.

In certain cases, sensitive personal data may qualify as limited access personal data and, as such, it is additionally regulated by sector-specific laws of Kazakhstan (e.g. medical secrecy, subscriber data). In our replies, we do not consider sector-specific restrictions which may affect personal data regulation (e.g. Kazakh law prohibits transfer of subscriber data, which includes, inter alia, personal data of subscribers).

Last modified 22 Jan 2021
Authority

State regulation of personal data and its protection is carried out by various state authorities. 

The main state authority in the field of personal data protection is the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (“Ministry”). The Ministry:   

  • participates in implementation of the state policy on personal data and its protection;
  • develops the procedure for implementation of personal data protection measures by the owner and/or operator of a personal data database and a third party related to the owner and/or operator of a personal data database;
  • reviews requests of a personal data subject or his/her legal representative on compliance of the content of personal data and methods of its processing with the purpose of its processing and makes a respective decision;
  • takes measures on bringing persons who have violated personal data laws of Kazakhstan to liability in accordance with the laws of Kazakhstan;
  • requests the owner and/or operator of a personal data database and a third party related to the owner and/or operator of a personal data database to clarify, block or destroy inaccurate or illegally obtained personal data;
  • takes measures on improving protection of rights of personal data subjects;
  • approves the rules for collection and processing of personal data;
  • exercises other powers provided by Kazakh law.

In relation to personal data and its protection, the Government of Kazakhstan:

  • develops the main directions of state policy
  • manages activities of central and local executive bodies
  • approves the procedure for determining by an owner and / or operator of a database containing personal data of the list of personal data that are necessary and sufficient for performing the owner’s and / or operator’s tasks
  • approves the procedure for implementation of measures for the protection of personal data by an owner and / or an operator of a database containing personal data and a third party having access to such database, etc

In relation to personal data and its protection, state authorities, each within its competence:

  • develop and / or approve regulatory acts
  • consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues
  • take measures for bringing persons who have violated personal data legislation of Kazakhstan to liability
  • exercise other powers provided for by Kazakh law

Supervision over observance of Kazakh law in respect of personal data and its protection is carried out by the prosecution authorities of Kazakhstan.

Last modified 22 Jan 2021
Registration

Under Kazakh law, there is no express registration requirement in relation to personal data and its protection.

Last modified 22 Jan 2021
Data Protection Officers

Under Kazakh law, an owner and/or operator of a personal data database, which is a legal entity, should appoint a person responsible for organizing the processing of personal data. Such person is obliged to: 

  • exercise internal control over observance by the owner and/or operator of a personal data database and its employees of Kazakh law requirements in relation to personal data and its protection;
  • inform the employees of an owner and/or operator of the provisions of Kazakh law in respect of processing and protection of personal data;
  • exercise control over receipt and processing of applications from personal data subjects or their legal representatives. 

In addition, an owner and/or operator of a database containing personal data and a third party related to the owner and/or operator should, inter alia, when collecting and processing personal data, determine the list of persons carrying out collection and processing of personal data or having access to it.

Last modified 22 Jan 2021
Collection & Processing

Kazakh law requires collection and processing of personal data to be carried out with the consent of a personal data subject or his/her legal representative. Such consent should be given in writing, in the form of an electronic document, via the personal data protection service or otherwise using protective measures that do not contradict Kazakh law.

As a general rule, personal data subjects or their representatives may revoke their consent. However, the consent may not be revoked in cases where such revocation contradicts requirements of Kazakh law or there are any unfulfilled obligations.

Kazakh law allows the collection and processing of personal data without the consent of a personal data subject or his / her legal representative in cases explicitly prescribed by Kazakh law. Such cases may include, inter alia:

  • implementation of activities of law enforcement bodies and courts;
  • implementation of state statistical activities;
  • use of depersonalised personal data by the state authorities for statistical purposes;
  • implementation of international treaties ratified by Kazakhstan;
  • protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his/her legal representative is impossible;
  • carrying out legal professional activities of a journalist, carrying out mass media, scientific, literary or other creative activities, subject to compliance with requirements of Kazakh law;
  • publication of personal data in accordance with Kazakh law, including of personal data of candidates for elective public offices;
  • failure by a personal data subject to fulfil its obligation to provide personal data in accordance with Kazakh law;
  • receipt by the state authority regulating, controlling and supervising financial market and financial organisations of information from individuals and legal entities in accordance with Kazakh law;
  • receipt by the state revenue authorities of information from individuals and legal entities for purposes of tax administering and control; etc.

Under the Law, processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed. Personal data, the content and volume of which is excessive in relation to the purposes of its processing, should not be processed.

Under Kazakh law, access to personal data is determined by the terms of consent for collection and processing of personal data, unless otherwise provided by Kazakh law. A person should be denied access to personal data if he / she refuses to assume obligations to ensure compliance with the requirements of the Law or may not ensure it.

Persons having access to limited access personal data should ensure its confidentiality. 

Under Kazakh law, accumulation of personal data is carried out by collecting personal data that is necessary and sufficient to fulfill the tasks performed by an owner and / or an operator of a database containing personal data and by a third party having access to such database.

Personal data should be stored in databases located in Kazakhstan.

The period for retention of personal data is determined by the date of fulfillment of the purpose(s) for collection and processing of the personal data, unless otherwise provided by Kazakh law.

Kazakh law provides for additional requirements in respect of electronic resources containing personal data.

Last modified 22 Jan 2021
Transfer

Transfers of personal data are allowed if they do not violate the rights and freedoms of a personal data subject and do not affect the legitimate interests of other individuals and / or legal entities.

The transfer of personal data in cases that go beyond the previously stated purposes of its collection is permitted if carried out with the consent of a personal data subject or his / her legal representative.

The cross-border transfer of personal data to other countries is carried out only in cases where such countries ensure protection of personal data.

The cross-border transfer of personal data to countries that do not ensure protection of personal data is possible:

  • With the consent of the personal data subject or his / her legal representative to the cross-border transfer of his / her personal data
  • In cases stipulated by international treaties ratified by Kazakhstan
  • In cases provided for by Kazakh law, if it is necessary for protecting the constitutional system, public order and public health and morals and rights and the freedoms of a person in Kazakhstan
  • In case of protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his / her legal representative is impossible

Kazakh law may in certain cases prohibit the cross-border transfer of personal data.

Last modified 22 Jan 2021
Security

Collection and processing of personal data is carried out only if its protection is ensured. Kazakh law defines protection of personal data as a set of legal, organizational and technical measures.

The owner and / or operator of a personal data database and a third party having access to such database are required to take measures for protecting personal data, which ensure:

  • Prevention of unauthorized access to personal data
  • Timely detection of the facts relating to an incident of unauthorized access to personal data, if such unauthorized access could not be prevented
  • Minimizing adverse effects of unauthorized access to personal data

The obligations of an owner and / or operator of a database containing personal data and a third party having access to such database to protect personal data arise from the moment of collecting the personal data and remain in force until such personal data is destroyed or depersonalized.
 
Kazakh law provides for additional requirements with regard to protection of electronic resources containing personal data.

Last modified 22 Jan 2021
Breach Notification

There is no express breach notification requirement under Kazakh law in relation to personal data and its protection. However, an owner and / or operator of a database containing personal data and a third party having access to such database may be required to notify personal data subjects or state authorities about a breach based on the general principles of Kazakh law.

There is no express mandatory breach notification requirement under Kazakh law in relation to personal data and its protection.

Last modified 22 Jan 2021
Enforcement

Generally, all state authorities of Kazakhstan, depending on their competences, (1) may consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues and (2) take measures against persons who have violated the personal data legislation of Kazakhstan.

Prosecution Authorities of Kazakhstan carry out supervision over compliance with personal data legislation of Kazakhstan and may also take measures on bringing persons who have violated personal data legislation of Kazakhstan to liability. Interested persons may file complaints to the Prosecutor’s Office and the Ministry regarding breach of the legislation in relation to personal data and its protection.

Kazakh law provides for administrative and criminal liability for violation of Kazakh law in relation to personal data and its protection.

Last modified 22 Jan 2021
Electronic Marketing

Kazakh law does not expressly regulate personal data and its protection in relation to electronic marketing. However, electronic marketing should be carried out in compliance with the law 'On Advertisement' and the Law. As such, for example, the consent of a personal data subject should be obtained for the collection and processing of his / her personal data for electronic marketing purposes.

Last modified 22 Jan 2021
Online Privacy

Kazakh law does not specifically regulate online privacy.

Last modified 22 Jan 2021
Contacts
Dinara Jarmukhanova
Partner, Head of Kazakh practice
Centil Law Firm
T +7 727 315 0784
Dariga Adanbekova
Associate
Centil Law Firm
T +7 727 315 0784
Last modified 22 Jan 2021