Kazakhstan - Data Protection Overview
July 2024
1. Governing Texts
Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan (the Government). At present, the Law of the Republic of Kazakhstan of May 21, 2013, No. 94-V on Personal Data and its Protection (the Personal Data Law) provides general regulations on the collection and processing of personal data and notably includes broad requirements for data localization. The Personal Data Law and other legal acts in the sphere of data protection are constantly under development, and amendments are implemented from time to time; that is, the field is still at a formative stage in Kazakhstan.
1.1. Key acts, regulations, directives, bills
The following key legal acts contain provisions that regulate data protection and/or privacy:
- Constitution of the Republic of Kazakhstan (the Constitution);
- Civil Code of the Republic of Kazakhstan (General Part) of December 27, 1994 (the Civil Code);
- Civil Code of the Republic of Kazakhstan (Special Part) of July 1, 1999, No. 409-I;
- Entrepreneur Code of the Republic of Kazakhstan of October 29, 2015, No. 375-V ZRK (the Entrepreneur Code);
- Code of the Republic of Kazakhstan of July 5, 2014, No. 235-V on Administrative Infractions (the Code on Administrative Infractions);
- Penal Code of the Republic of Kazakhstan of July 3, 2014, No. 226-V (the Penal Code);
- the Personal Data Law;
- Law of the Republic of Kazakhstan on Banks and Banking Activities in the Republic of Kazakhstan of August 31, 1995, No. 2444;
- Law of the Republic of Kazakhstan of December 18, 2000, No. 126 on Insurance Activities;
- Law of the Republic of Kazakhstan of July 5, 2004, No. 567 on Communications (the Communications Law);
- Law of the Republic of Kazakhstan of November 26, 2012, No. 56-V on Microfinance Activities;
- Law of the Republic of Kazakhstan on Informatization of November 24, 2015, No.418-V (the Informatization Law);
- Law of the Republic of Kazakhstan on Online Platforms and Online Advertising of July 10, 2023, No. 18-VIII (the Online Platforms Law);
- Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated June 12, 2023, No. 179/HҚ on Approval of the Rules for the implementation of personal data protection measures by the owner and (or) operator, as well as by a third party (only available in Russian) (the Order No. 179/NK);
- Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated June 21, 2023, No. 199/HҚ on Approval of the Rules for determining by the owner and (or) operator the list of personal data necessary and sufficient to perform the tasks they carry out (only available in Russian) (the Order No. 199/NK);
- Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan of October 21, 2020, No. 395/НҚ on Approval of the Regulations for the collection and processing of personal data;
- Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan of April 30, 2021, No. 156/НҚ on Approval of the Rules for the implementation of a survey to ensure the security of the processes of storage, processing, and distribution of personal data of restricted access contained in electronic information resources;
- Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan of April 29, 2022, No. 144/НҚ on Approval of the Rules on the functioning of state service for controlling access to personal data (only available in Russian); and
- Order of the Acting Minister of Digital Development, Innovations, and Aerospace Industry of the Republic of Kazakhstan of July 8, 2022, No. 236/НҚ on Approval of the Rules on integration with state service for controlling access to personal data (only available in Russian).
1.2. Guidelines
Not applicable.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
Article 18 of the Constitution guarantees the right to privacy. The Constitution guarantees the integrity of private life, personal and family secrets, the protection of honor, dignity, and confidentiality of personal deposits and savings, correspondence, telephone conversations, postal, telegraph, and other communications.
In addition, the provisions protecting commercial and service secrecy are contained in Article 126 of the Civil Code and Article 28 of the Entrepreneur Code. Article 126 of the Civil Code guarantees the protection of commercial and 'service' secrets in cases when the information has actual or potential commercial value due to its non-public nature in relation to third parties, there is no free access to it on lawful grounds, and the possessor of such information takes measures to keep it confidential.
Article 28 of the Entrepreneur Code contains provisions on the protection of commercial secrets and measures that could be taken to secure such information.
Provisions on personal data protection are outlined in the Personal Data Law.
As discussed below, the Personal Data Law will apply to foreign residents as well as Kazakh residents in the case of collecting and processing personal data in Kazakhstan, though it is not clear how relevant sanctions can be applied in practice to a foreign legal entity.
Additionally, confidentiality relating to banks, microfinance, insurance, etc., is subject to separate regulation.
2.2. Territorial scope
The law is unclear as to whether the Personal Data Law applies to non-Kazakhstan entities (whose activity is related to Kazakhstan and whose websites can be accessed from Kazakhstan). Normally, Kazakh laws apply in the territory of Kazakhstan unless provided otherwise within such laws themselves and, accordingly, cover all Kazakh companies (including subsidiaries), as well as branches and representative offices of foreign companies. The Personal Data Law, however, provides that it regulates relations in the sphere of personal data and provides for the purposes, principles, and legal basis of activity related to the collection, processing, and protection of personal data, and does not clarify whether its effect covers only relevant relations in the territory of Kazakhstan.
The authorized state body, the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (Ministry of Digital Development), issued a letter dated May 6, 2024, whereby it was confirmed that the Personal Data Law shall apply to foreign persons, foreign legal entities, representative offices and branches of foreign legal entities registered in Kazakhstan if these subjects conduct collection and processing of personal data in the territory of Kazakhstan. The same letter confirmed that the Personal Data Law does not have extraterritorial effect.
Accordingly, the Personal Data Law will apply to foreign residents as well as Kazakh residents in the case of collecting and processing personal data in Kazakhstan, though it is not clear how relevant sanctions can be applied in practice to a foreign legal entity.
2.3. Material scope
Processing should be limited to the achievement of specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data should not be allowed. Personal data whose contents and volume are excessive for processing purposes should not be processed (See Article 7.8-7.9 of the Personal Data Law).
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Ministry of Digital Development is the authorized body in the field of personal data protection. In addition, the Government and state bodies have specific competence in the area of personal data. The Prosecutor's Office supervises compliance with the law in the field of personal data and their protection (Chapter 5 of the Personal Data Law).
3.2. Main powers, duties and responsibilities
According to Article 26 of the Personal Data Law, the Government is authorized to develop the basic directions of state policy in the area of personal data and its protection.
According to Article 27 of the Personal Data Law, state bodies within their competence are authorized to:
- develop and/or approve regulatory acts in the area of personal data and its protection;
- review messages of individuals and/or legal entities on matters of personal data and its protection;
- take measures on holding violators of the legislation of the Republic of Kazakhstan in the area of personal data and its protection liable according to applicable laws; and
- perform other functions according to applicable laws and acts of the President as well as the Government.
Under Article 27-1 of the Personal Data Law, the Ministry of Digital Development is authorized to:
- formulate and implement the state policy in the field of personal data protection;
- exercise state control over compliance with the legislation of the Republic of Kazakhstan on personal data and their protection;
- develop procedures for the implementation of measures on the protection of personal data by an owner and/or operator, as well as a third party;
- develop rules for the determination by an owner and/or operator of a list of personal data required and sufficient to perform their tasks;
- determine the procedure for determining by the owner and (or) operator the list of personal data necessary and sufficient for the fulfillment of the tasks performed by them;
- determine the procedure of implementation of personal data protection measures by the owner and (or) operator, as well as by a third party;
- consider applications of personal data subjects or their legal representatives on the conformity between contents of personal data as well as methods of processing and the purposes of processing, and make an appropriate decision;
- take measures to make persons who have violated personal data protection legislation liable as set out by law;
- require an owner and/or operator and third party to clarify, block, or destroy personal data that is false or illegally obtained;
- implement measures aimed at improving the protection of the rights of personal data subjects;
- create an advisory council on issues of personal data and their protection, and determine the procedure for its formation and activities;
- send to the operator of information and communication infrastructure of 'electronic government' information on violation of personal data security, entailing the risk of violation of rights and legitimate interests of subjects, for the purposes provided by this Law and other regulatory legal acts of the Republic of Kazakhstan;
- approve the rules on the collection and processing of personal data;
- approve the rules for conducting inspection of security in ensuring processes of storage, processing, and distribution of personal data of restricted access contained in electronic information resources, subject to approval by the Committee for National Security of the Republic of Kazakhstan;
- approve the rules for the functioning of the state service for controlling access to personal data;
- coordinate the integration of non-state objects of informatization with objects of informatization of state bodies and/or state legal entities, in which personal data is transferred and/or access to personal data is provided;
- approve the rules for integration with the state service for controlling access to personal data; and
- perform other functions according to applicable laws and to applicable acts of the President as well as the Government.
Under Article 27-2 of the Personal Data Law, state control over compliance with the legislation of the Republic of Kazakhstan on personal data and its protection shall be exercised, generally, in the form of an unscheduled inspection in accordance with the Entrepreneur Code.
The Ministry of Digital Development is responsible for considering cases related to administrative violations related to personal data protection (See Article 692-2 of the Code on Administrative Infractions).
4. Key Definitions
Kazakh law does not define 'data controller' or 'data processor'. However, there are similar concepts under the law. The Personal Data Law recognizes:
- owners of databases containing personal data;
- operators of databases containing personal data;
- persons responsible for organizing the processing of personal data; and
- so-called 'third parties'.
A database owner means the state authority, natural person, and/or legal entity executing in accordance with the law the rights of possession, use, and disposal of the database containing personal data. According to Article 188.2 of the Civil Code, the right to possess means the legally enforceable ability to execute actual possession over the property (in our case, over the database). The right of use means the legally enforceable possibility to extract useful qualities from the property and receive other benefits from such property. The right to dispose of means the legally enforceable ability to determine the legal destiny of the property (i.e., the ability/competence of the rightsholder, at their discretion, to sell, transfer, or grant property, etc.).
The database operator means the state authority, individual, and/or legal entity engaged in the collection, processing, and protection of personal data. According to Article 1.5 of the Personal Data Law, 'collection' of personal data means actions aimed at obtaining personal data. According to Article 1.12 of the Personal Data Law, 'processing' of personal data means actions aimed at the accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of personal data. According to Article 1.11 of the Personal Data Law, 'protection' of personal data means a range of measures, including legal, organizational, and technical measures, taken for the purposes established by the Personal Data Law (according to Article 2 of the Personal Data Law, the purpose is generally to ensure the protection of the rights and freedoms of personal data subjects in the course of the collection and processing of their personal data).
Under Article 25.2(10) of the Personal Data Law, if the database owner and/or database operator is a legal entity (other than the court), it shall designate a person responsible for organizing the processing of personal data. Under Article 25.3 of the Personal Data Law, such person is required to:
- exercise internal control over the observance by the owner and/or operator and its employees of the legislation of the Republic of Kazakhstan on personal data and its protection, including the requirements for the protection of personal data;
- inform the employees of the owner and/or operator of the provisions of the legislation of the Republic of Kazakhstan on personal data and its protection regarding processing personal data, the requirements for the protection of personal data; and
- organize the reception and processing of requests and inquiries of personal data subjects or their legal representatives and/or exercise control over the reception and processing of such requests and inquiries (Article 25.3 of the Personal Data Law).
Data processor: Please refer to the above definition for data controllers.
Personal data: Under Article 1.2 of the Personal Data Law, 'personal data' means information related to a definite subject, or to a subject definable on the basis of such information, recorded in electronic, paper, and/or other tangible form (e.g., name, surname, age, address, etc.). Under Article 1.16 of the Personal Data Law, a personal data subject is an individual to whom the personal data refers (i.e., personal data protection covers information about individuals and does not cover information about legal entities).
Personal data security breach: Under Article 1.15-1 of the Personal Data Law, 'personal data security breach' is a breach of personal data protection resulting in unlawful distribution, alteration, or destruction, unauthorized distribution of transmitted, stored, or otherwise processed personal data, or unauthorized access to such data.
Sensitive data: There is no definition or the equivalent of 'sensitive data' in the Personal Data Law.
Health data: There is no concept of 'health data'. 'Personal medical data' is a similar concept under Article 58.2 of the Code No. 360-VI of July 7, 2020, on Public Health and the Health Care System (the Health Code), which provides that 'personal medical data' means personal data containing information about the health of an individual and the medical services provided to them, recorded on electronic, paper, or other material carriers.
Biometric data: Under Article 1.1 of the Personal Data Law, 'biometric data' means personal data that characterizes physiological and biological features of the data subject, on the basis of which one may establish their identity.
Pseudonymization: The Personal Data Law does not contain the concepts of 'pseudonymization/encryption'. The closest concept seems to be 'depersonalization'. Article 1.7 of the Personal Data Law provides that the depersonalization of personal data means actions, as a result of which it becomes impossible to determine whether personal data belongs to a specific personal data subject. Under Article 17.1 of the Personal Data Law, when collecting and processing personal data for statistical, sociological, scientific, or marketing research, the owner and/or operator, as well as a third party, are obliged to depersonalize such data in accordance with the rules for the collection, processing of personal data.
State service: Under Article 1.2-1 of the Personal Data Law, 'state service' is a state service for controlling access to personal data that provides information interaction of owners and/or operators, third parties with the personal data subject, and the authorized body when accessing personal data contained in the objects of informatization of state bodies and/or state legal entities, including obtaining from the personal data subject consent to the collection, processing of personal data or their transfer to third parties.
Non-state service: Under Article 1.2-2 of the Personal Data Law, 'non-state service' is a non-state service for controlling access to personal data that provides information interaction of owners and/or operators, third parties with the personal data subject when accessing personal data contained in non-state objects of informatization, including obtaining consent from the personal data subject for the collection, processing of personal data or their transfer to third parties.
5. Legal Bases
5.1. Consent
According to Article 7 of the Personal Data Law, consent to the owner, operator, and/or third party by the personal data subject or their representative is generally required for the collection and processing of personal data (actions aimed at accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of the personal data), unless otherwise provided by law. Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. The collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law. According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following forms:
- in written form;
- through the state service;
- through the non-state service; or
- any other method ensuring confirmation of receipt of the consent.
According to Article 8.4 of the Personal Data Law, consent to the collection and processing of personal data includes:
- name (last name, first name, patronymic (if it is indicated in the identity document)) and business identification number (individual identification number) of the operator;
- last name, first name, patronymic (if it is indicated in the identity document) of the subject;
- the term or period during which the consent to the collection, processing of personal data is valid;
- information about whether or not the operator can transfer personal data to third parties;
- information about the presence or absence of cross-border transfer of personal data in the process of their processing;
- information about the distribution of personal data in publicly available sources;
- a list of collected data related to the subject; and
- other information determined by the owner and/or operator.
5.2. Contract with the data subject
A contract with the data subject per se, without consent for data processing given under the contract, does not constitute a legal basis for data processing.
5.3. Legal obligations
Collection and processing without the consent of the data subject is allowed in the following cases stipulated in Article 9 of the Personal Data Law:
- carrying out activities of law enforcement agencies, courts, and other authorized state bodies that initiate and consider cases of administrative offenses, enforcement proceedings;
- carrying out state statistical activities;
- use of personal data by state bodies for statistical purposes with their mandatory depersonalization;
- implementation of international treaties ratified by the Republic of Kazakhstan;
- protection of constitutional human and civil rights and freedoms, if obtaining the consent of the subject or their legal representative is impossible;
- carrying out activity related to the opening of pension accounts, providing information on the amount of pension savings, as well as on conditional pension accounts by the unified accumulative pension fund;
- carrying out legal professional activities of a journalist and/or activities of television, radio channels, periodicals, information agencies, online publications, or scientific, literary, or other creative activity, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan to ensure human and civil rights and freedoms;
- publication of personal data in accordance with the laws of the Republic of Kazakhstan, including personal data of candidates for elective public office;
- failure by the subject to perform their obligations to provide personal data in accordance with the laws of the Republic of Kazakhstan;
- receipt by the state body that regulates, controls, and supervises the financial market and financial organizations of information from individuals and legal entities in accordance with the legislation of the Republic of Kazakhstan;
- receipt by state revenue bodies for tax (customs) administration and/or control of information from individuals and legal entities in accordance with the laws of the Republic of Kazakhstan;
- transfer for storage of a backup copy of electronic information resources containing personal data of restricted access to a single national backup platform for storing electronic information resources in cases provided for by the laws of the Republic of Kazakhstan;
- use of personal data of business entities related directly to their business activities to form a register of business partners, subject to the requirements of the legislation of the Republic of Kazakhstan;
- use of personal data of a citizen of the Republic of Kazakhstan from the day of submitting an application for extrajudicial or judicial bankruptcy procedure in accordance with the Law of the Republic of Kazakhstan of December 30, 2022, No. 178-VII on Restoring Solvency and Bankruptcy of Citizens of the Republic of Kazakhstan as well as for the period up to three years preceding the application of the extrajudicial or judicial bankruptcy procedure; and
- in other cases established by the laws of the Republic of Kazakhstan.
5.4. Interests of the data subject
Interests of the data subject do not constitute a legal basis for data processing.
5.5. Public interest
Public interest does not constitute a legal basis for data processing.
5.6. Legitimate interests of the data controller
Legitimate interests of the data controller do not constitute a legal basis for data processing.
5.7. Legal bases in other instances
There are no other instances that constitute a legal basis for data processing.
6. Principles
Not applicable.
7. Controller and Processor Obligations
According to Article 25 of the Personal Data Law, an owner shall:
- approve a list of personal data necessary and sufficient for its operations unless otherwise provided by the law;
- approve documents defining the operator's policy regarding the collection, processing, and protection of personal data;
- undertake protective measures which:
  - prevent unauthorized access to personal data;
  - if unauthorized access cannot be prevented, detect such access in a timely manner; and
  - minimize any adverse consequences of such access;
- provide access to the state technical service to objects of informatization using, storing, processing, and distributing personal data of restricted access contained in electronic information resources for conducting the inspection of security in ensuring processes of storage, processing, and distribution of personal data of restricted access contained in electronic information resources in the manner determined by the authorized body; and
- register and record actions provided for by Articles 8.4(3), 8.4(4), 8.4(5), and 8.4(6) of the Personal Data Law (i.e., term and period of the consent validity, transfer of personal data to third parties, cross-border transfer of personal data, distribution of personal data in public sources);
- comply with the legislation of the Republic of Kazakhstan on personal data and their protection;
- provide, upon request of the authorized body within the framework of consideration of appeals of individuals and legal entities, information on the methods and procedures used to ensure compliance by the owner and (or) operator with the requirements of Personal Data Law;
- take measures to destroy personal data in case the purpose of their collection and processing is achieved, as well as in other cases established by this Law and other normative legal acts of the Republic of Kazakhstan;
- provide proof of obtaining the subject's consent to the collection and processing of his/her personal data in cases stipulated by the legislation of the Republic of Kazakhstan;
- at the subject's request, provide a description of their personal data or a reasoned answer as to why the description is not provided, within the time limits stipulated by the legislation of the Republic of Kazakhstan;
- provide, at the request of the authorized body, within the framework of considering applications from individuals and legal entities, information on the methods and procedures used to ensure compliance by the owner and/or operator with the requirements of Personal Data Law; and
- within one business day:
  - amend and/or supplement personal data on the basis of relevant documents confirming their correctness, or destroy personal data where amendment and/or supplementation is impossible;
  - block personal data related to the personal data subject in cases where the information has been obtained through a breach of collection and processing regulations;
  - destroy personal data where it is confirmed that its collection and processing breaches the law, and in other cases provided by the Personal Data Law and other laws;
  - unblock personal data in case of failure to confirm a breach of the conditions of collection and processing of personal data; and
  - upon detection of a personal data security breach, notify the Ministry of Digital Development of such breach with an indication of the contact details of the person responsible for the organization of personal data processing (if any);
- provide personal data subject or their representative the opportunity to familiarize themselves with the personal data related to the personal data subject free of charge; and
- in case of an owner being a legal entity, designate a person responsible for organizing the processing of personal data (this provision does not apply to courts).
Please note that the rights and obligations of operators are the same as for owners.
According to Article 8-1 of the Personal Data Law, owners and/or operators, third parties, in case of interaction with the objects of informatization of state bodies and/or state legal entities containing personal data, ensure the integration of their own objects of informatization involved in the collection and processing of personal data with the state service, with the exception of cases provided for by Articles 9(1), 9(2), 9(9) and 9(9-2) of the Personal Data Law.
Integration is carried out in compliance with the norms of the legislation of the Republic of Kazakhstan on the provision of information classified as state secrets, personal, family, banking, commercial secrets, secrets of a medical worker and other secrets protected by law, as well as other confidential information. In other cases, integration with the state service is carried out on a voluntary basis. The procedure for integration with the state service is determined by the authorized body and the rules for integrating objects of informatization of 'electronic government'.
According to Article 8-2 of the Personal Data Law, owners and/or operators, third parties in order to optimize procedures for obtaining the consent of the subject or their legal representative for the collection and/or processing of personal data in the absence of interaction with objects of informatization of state bodies and/or state legal entities containing personal data have the right to use non-state services.
7.1. Data processing notification
According to Articles 8-1 and 9 of the Personal Data Law, owners and/or operators, third parties ensure integration of their objects of informatization with the state service when interacting with objects of informatization of state bodies and/or state legal entities containing personal data. The following notifications must be given to the personal data subject via that state service:
- on actions with its personal data contained in objects of informatization of state bodies and/or state legal entities (access, review, change, supplement, transfer, blocking, destruction);
- on initiators of requests for access to its personal data contained in objects of informatization of state bodies and/or state legal entities if collection or processing of personal data is carried out without the consent in the following cases:
- implementation of international treaties ratified by the Republic of Kazakhstan;
- carrying out legal professional activities of a journalist and/or activities of television, radio channels, periodicals, information agencies, online publications, or scientific, literary, or other creative activity, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan to ensure human and civil rights and freedoms;
- failure by the subject to perform their obligations to provide personal data in accordance with the laws of the Republic of Kazakhstan; and
- use of personal data of business entities related directly to their business activities to form a register of business partners, subject to the requirements of the legislation of the Republic of Kazakhstan.
According to Article 8-2 of the Personal Data Law, owners and/or operators, third parties have the right to use non-state services for the purposes of optimization of procedures for obtaining consent of the personal data subject or their legal representative for collection and/or processing of personal data in the absence of interactions with objects of informatization of state bodies and/or state legal entities containing personal data. In the following circumstances the data subject must be notified via that non-state service:
- on actions with its personal data (review, change, supplement, transfer, blocking, destruction); and
- on access by third parties to its personal data.
Also, according to Article 19 of the Personal Data Law, where the conditions of collection and processing require notification of the personal data subject about the transfer of their personal data to a third party, the owner and/or operator must notify the data subject or their legal representative of the transfer of their personal data to that third party. This provision does not apply to:
- performance by state bodies of their functions provided for by the legislation of the Republic of Kazakhstan, as well as by private notaries, private enforcement officers, and attorneys; and
- carrying out the collection and processing of personal data for statistical, sociological, or scientific purposes.
According to Article 22(5) of the Personal Data Law, owners and/or operators, as well as third parties, shall register and record the following actions and information:
- validity of consent to the collection and processing of personal data;
- transfer by operators of personal data to third parties;
- cross-border transfer of personal data; and
- distribution of personal data in public sources.
According to Article 6 of the Personal Data Law, personal data is subdivided, according to its accessibility, into public-access data and restricted-access data. However, according to Article 7 of the Personal Data Law, consent to the owner, operator, and/or third party by the personal data subject or their representative is generally required for the collection and processing of personal data (actions aimed at accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of the personal data), unless otherwise provided by law.
Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. Collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law (e.g. to the authorized state bodies, based on international treaties, etc.). According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following ways:
- in written form;
- through the state service;
- through the non-state service; or
- other method ensuring confirmation of receipt of the consent.
7.2. Data transfers
Pursuant to Article 16.2 of the Personal Data Law, personal data may be transferred from Kazakhstan to a foreign country (including for purposes of processing) without prior permission from the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties)). Pursuant to Article 16.3 of the Personal Data Law, if no such protection is available, cross-border transfers of personal data are only possible:
- where the subject gives specific consent;
- in cases specified by international treaties ratified by Kazakhstan;
- in cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; and
- in the case of the protection of the constitutional rights of an individual and citizen, where getting the consent of the subject or their legal representative is impossible.
The Personal Data Law does not specify the level of national protection which would be acceptable for the purposes of cross-border transfer and does not clarify whether national protection needs to be provided through specific or general regulations. The cross-border transfer of personal data may be restricted or prohibited by Kazakh law. As mentioned above, under Article 22 of the Personal Data Law, protection of personal data shall be performed by taking a set of measures, including legal, organizational, and technical measures, which guarantee:
- prevention of unauthorized access to personal data;
- timely detection of unauthorized access to personal data if such unauthorized access could not be prevented;
- minimization of the negative impact of unauthorized access to personal data;
- provision of access to the state technical service to objects of informatization that use, store, process, and distribute personal data of restricted access contained in electronic information resources in order to conduct an inspection of ensuring the security of the processes of storage, processing, and distribution of personal data of restricted access contained in electronic information resources in the manner determined by the authorized body; and
- registration and recording of actions provided for in Articles 8.4(3), 8.4(4), 8.4(5), and 8.4(6) of the Personal Data Law (such as term and period of the consent validity, transfer of personal data to third parties, cross-border transfer of personal data, distribution of personal data in public sources).
Data localization
Pursuant to Article 12.2 of the Personal Data Law, personal data should be stored in a database located on the territory of Kazakhstan by the owner and/or operator, as well as third parties. Storage of personal data means actions to ensure the integrity, confidentiality, and accessibility of personal data (Article 1.14 of the Personal Data Law).
The Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan issued an answer on April 22, 2022, stating that personal data may be stored in a database located on the territory of foreign states upon consent of the personal data subject or its legal representative for cross-border transfer of personal data provided that the same personal data is stored in a database located on the territory of the Republic of Kazakhstan. The Ministry for Digital Development issued a letter dated May 6, 2024, whereby it was confirmed that a database located on the territory of the Republic of Kazakhstan shall be identical and shall be supplemented upon updates of the database stored outside of Kazakhstan.
We believe that an argument may be made, based on the wording 'by the owner and/or operator', that either the owner or the operator shall store the database in the territory of Kazakhstan and, accordingly, if the owner of the database does store the database in Kazakhstan, there is no need for the operator to also store the data in Kazakhstan. Please note, however, that the Personal Data Law does not expressly release one entity from storing the database in Kazakhstan if the same is stored in Kazakhstan by another entity.
Personal data should be handled separately from other information and fixed in a tangible form. It is required to determine the storing place of personal data and a list of persons engaged in the collection and processing or having access to such information.
Personal data storage devices should be kept in conditions that ensure the safety of personal data and prevent unauthorized access to it. Such conditions shall be established by the owner and/or operator, as well as third parties (Articles 5, 6, and 7 of Order No. 179/NK).
7.3. Data processing records
The storage period for personal data is determined by the date when the purposes of collection and processing of personal data are achieved unless otherwise provided by law (Article 12.2 of the Personal Data Law).
7.4. Data protection impact assessment
There is no requirement to conduct a Data Protection Impact Assessment (DPIA).
7.5. Data protection officer appointment
According to Article 25.2(10) of the Personal Data Law, if the owner and/or operator are legal entities, they are required to appoint a person responsible for organizing the processing of personal data (this requirement does not apply to the activities of courts). According to Article 25.3 of the Personal Data Law, such a person is entrusted with the following duties:
- exercise internal control over the observance by the owner and/or operator and its employees of the legislation of the Republic of Kazakhstan on personal data and its protection, including the requirements for the protection of personal data;
- inform the employees of the owner and/or operator of the provisions of the legislation of the Republic of Kazakhstan on personal data and its protection regarding processing personal data, the requirements for the protection of personal data; and
- organize the reception and processing of requests and inquiries of personal data subjects or their legal representatives and/or exercise control over the reception and processing of such requests and inquiries (Article 25.3 of the Personal Data Law).
Furthermore, Chapter 2 of Order No. 199/NK outlines the procedure with which the owner and/or operator must comply in determining the list of personal data, as follows:
- the owner and/or operator must analyze their ongoing tasks and, accordingly, prepare a proposed list of the personal data required and sufficient to perform those tasks;
- the proposed list is subject to approval by the owner and/or operator; and
- based on the results of their activity, the owner and/or operator amends the list of personal data required and sufficient to perform their tasks annually.
7.6. Data breach notification
The Personal Data Law contains a requirement regarding the notification of personal data security breaches, according to which the owner and/or operator of the personal data database must, within one business day from the moment of discovering the personal data security breach, notify the authorized body (the Ministry of Digital Development) of such breach, indicating the contact details of the person responsible for organizing the processing of personal data (if available) (Article 25.2.8 of the Personal Data Law).
General requirements for notification on actions in relation to personal data are discussed in the section on data processing notification above.
Information about a subject that is collected and processed in violation of the legislation of the Republic of Kazakhstan shall be excluded from publicly available sources of personal data within one business day at the request of the subject or its legal representative or by a court decision or other authorized state bodies.
In this case, the costs arising from the destruction of personal data from publicly available sources of personal data shall be borne by the owner and/or the operator, or a third party.
The amount of expenses incurred when revoking the consent of the subject or their legal representative to distribute their personal data in publicly available sources of personal data related to the destruction of personal data from publicly available sources of personal data, as well as the persons charged with these expenses, if necessary, shall be determined in court (Article 6 of the Personal Data Law).
The Personal Data Law introduces the concept of voluntary 'cyber-insurance' in case of property damage inflicted on personal data subjects, owner and/or operator, or third party (Article 23-1 of the Personal Data Law).
7.7. Data retention
According to Article 12 of the Personal Data Law, the accumulation of personal data is carried out by collecting personal data necessary and sufficient to perform the tasks carried out by the owner and/or operator, as well as a third party. The storage of personal data is carried out by the owner and/or operator, as well as by a third party in a database located in the territory of the Republic of Kazakhstan.
The storage period for personal data is determined by the date of achieving the purposes of their collection and processing unless otherwise provided by the legislation of the Republic of Kazakhstan.
Under Article 18 of the Personal Data Law, the personal data shall be subject to destruction by the owner and/or operator, as well as third parties:
- upon expiration of the period of storage in accordance with Article 12.2 of the Personal Data Law;
- upon termination of legal relations between the subject, owner, and/or operator, as well as third party;
- in the enforcement of a court decision;
- upon revealing the collection and processing of personal data without the consent of the subject or their legal representative, except for the cases provided for in Articles 7.5 and 9 of the Personal Data Law; and
- in other cases, established by the Personal Data Law and other regulatory legal acts of the Republic of Kazakhstan.
7.8. Children's data
Not applicable.
7.9. Special categories of personal data
There are specific regulations in relation to some categories of personal data, such as personal medical data under the Health Code and personal data of law enforcement officers under the Law of the Republic of Kazakhstan on Law Enforcement Service of January 6, 2011, No. 380-IV.
7.10. Controller and processor contracts
Not applicable. According to Article 10.3 of the Personal Data Law, relations between owner and/or operator and/or third party regarding access to personal data are regulated by the applicable legislation of the Republic of Kazakhstan.
8. Data Subject Rights
According to Article 24.1 of the Personal Data Law, the personal data subject has the following rights:
- to know about the presence of their personal data with an owner and/or operator and third party, as well as to receive information containing:
  - evidence of the fact, purpose, sources, ways of collection, and processing of the personal data;
  - list of the personal data; and
  - time of processing of the personal data, including the time of its storage;
- to request the owner and/or operator amend and supplement their personal data if any grounds are confirmed by relevant documents;
- to request the owner and/or operator and third party block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available;
- to request the owner and/or operator and third party destroy their personal data where the collection and processing were made in breach of law and in other cases established by the Personal Data Law and other regulatory acts;
- to revoke their consent to the collection, processing, distribution in public sources, transfer to third parties, and cross-border transfer of their personal data, except in the cases envisaged by Article 8.2 of the Personal Data Law;
- to consent or object to the owner and/or operator's distribution of their personal data in public sources of personal data;
- to the protection of their rights and legal interests, including compensation for moral and material damage; and
- other rights envisaged by the Personal Data Law and other laws.
8.1. Right to be informed
According to Article 24.1(1) of the Personal Data Law, the personal data subject has the right to know about the presence of their personal data with an owner and/or operator and third party, as well as to receive information containing:
- evidence of the fact, purpose, sources, ways of collection and processing of the personal data;
- list of the personal data; and
- time of processing of personal data, including the time of its storage.
8.2. Right to access
According to Article 10.2 of the Personal Data Law, the personal data subject or their legal representative has the right to apply to the owner and/or operator in writing or in the form of an electronic document or in another way using elements of protective actions that do not contradict the legislation of the Republic of Kazakhstan to access their personal data.
8.3. Right to rectification
According to Article 24.1(2) of the Personal Data Law, the personal data subject has the right to request the owner and/or operator to amend and supplement their personal data if any grounds are confirmed by relevant documents.
8.4. Right to erasure
According to Articles 24.1(3) and 24.1(4) of the Personal Data Law, the personal data subject has the right to request the owner and/or operator and third party to block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available, and to request the owner and/or operator and third party to destroy their personal data where the collection and processing were made in breach of law, and in other cases established by the Personal Data Law and other regulatory acts.
8.5. Right to object/opt-out
According to Articles 24.1(5) and 24.1(6) of the Personal Data Law, the data subject has the right to revoke their consent to the collection, processing, distribution in public sources, transfer to third parties, and cross-border transfer of their personal data, except in the cases envisaged by Article 8.2 of the Personal Data Law, and to consent or object to the owner and/or operator's distribution of their personal data in public sources of personal data.
8.6. Right to data portability
There is no concept of 'data portability' under the Personal Data Law.
8.7. Right not to be subject to automated decision-making
Under Article 36.6 of the Informatization Law, owners or possessors of electronic information resources are prohibited from making decisions solely on the basis of automated processing of electronic information resources, including by intellectual robots, which result in the creation, alteration, or termination of the rights or legal interests of the personal data subject, except where such a decision is made with the consent of the personal data subject or in cases provided for by the legislation of the Republic of Kazakhstan.
Owners or possessors of electronic information resources shall inform the personal data subject of the use of automated processing that results in the creation, alteration, or termination of the rights or legal interests of the personal data subject.
Under Article 1.43-1 of the Informatization Law, an intellectual robot means an automated device performing certain actions or inaction taking into account the perceived and recognized external environment.
8.8. Other rights
Other rights include protection of their rights and legal interests, including compensation for moral and material damage and other rights envisaged by the Personal Data Law and other laws.
9. Penalties
According to Article 79 of the Code on Administrative Infractions, the unlawful collection and/or processing of personal data may lead to fines ranging from 10 monthly calculated indices (approx. €75) for individuals to 200 monthly calculated indices (approx. €1,500) for legal persons.
Failure to take measures for the protection of personal data by owner, operator, or third party may lead to a fine for an amount ranging from 50 monthly calculated indices for individuals (approx. €375) to 1,000 monthly calculated indices (approx. €7,485) depending on the category of violator (natural or legal person) and conditions of violation.
According to Article 147 of the Penal Code, non-compliance with measures for personal data protection (that may include non-compliance with data localization requirements) by a natural person responsible for taking such measures if such action caused significant harm to the rights and legitimate interests of other persons may lead to a fine up to 3,000 monthly calculated indices (approx. €22,455), correctional labor for the same amount, community service for 600 hours, restriction of freedom for up to two years, or imprisonment for up to two years with deprivation of the right to take certain positions or certain activity for a period of up to three years or without such deprivation depending on the violation.
Causing significant harm to the rights and legitimate interests of persons due to the unlawful collection of data on the private life of a person constituting their personal or familial secrecy may lead to fines of up to 5,000 monthly calculated indices (approx. €37,425), correctional labor for the same amount, community service for 800 hours, restriction of freedom for up to three years, or imprisonment for up to three years.
The same acts committed by a person using their official position or special technical means intended for secretly receiving information, or by unlawful access to electronic information resources, an information system, or illegal interception of information transmitted through the telecommunications network, or in order to derive benefits and advantages for themselves or for other persons or organizations as well as in relation to a person or their immediate relatives in connection with the performance by the person of an official activity or professional or public duty for the purpose of obstructing such activity or out of revenge for it, may lead to imprisonment for a term for up to five years with deprivation of the right to take certain positions or certain activity for a period from two to five years or without such deprivation.
Distribution of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person as a result of unlawful distribution of other personal data may lead to imprisonment for a period from three to six years.
Distribution of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person as a result of the unlawful distribution of other personal data in a public statement, publicly demonstrated piece, mass media or via a telecommunication network including internet, as well as in relation to a person or their immediate relatives in connection with the performance by this person of an official activity or professional or public duty for the purpose of obstructing such an activity or out of revenge for it, may lead to imprisonment for a period from three to seven years.
In addition, any person can apply to the court for damages caused by a breach of data protection legislation.
According to Article 9 of the Civil Code, an individual also has a right to claim compensation for the moral damage incurred.
9.1. Enforcement decisions
Not applicable.