Kazakhstan - Data Protection Overview

July 2022

1. Governing Texts

Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan ('the Government'). At present, the Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection ('the Personal Data Law') provides general regulations on the collection and processing of personal data, and notably includes broad requirements for data localisation. In addition, the Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies (only available in Kazakh) ('the Amendment Law') was introduced in July 2020, significantly extending data protection obligations for organisations. The Amendment Law introduces, among other things, further requirements for data collection and processing and obligations for data operators (similar to data processors), and redefines key concepts. The Amendment Law further establishes the competency of the data protection authority, including its powers and role.

1.1. Key acts, regulations, directives, bills

The following legal acts contain provisions that regulate data protection and/or privacy:

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Article 18 of the Constitution guarantees the right to privacy. The Constitution guarantees the inviolability of private life, personal and family secrets, the protection of honour and dignity, and the confidentiality of personal deposits and savings, correspondence, telephone conversations, and postal, telegraph, and other communications.

In addition, the provisions protecting commercial and service secrecy are contained in Article 126 of the Civil Code and Article 28 of the Entrepreneur Code. Article 126 of the Civil Code guarantees the protection of commercial and 'service' secrets in cases when the information has actual or potential commercial value due to its non-public nature in relation to third parties, there is no free access to it on lawful grounds, and the possessor of such information takes measures to keep it confidential.

Article 28 of the Entrepreneur Code contains provisions on the protection of commercial secrets and measures that could be taken to secure such information. Provisions on personal data protection are outlined in the Personal Data Law. The preamble of the Personal Data Law provides that it regulates relations in the sphere of personal data, and provides for the purposes, principles, and legal basis of activity related to the collection, processing, and protection of personal data. However, the Personal Data Law does not clarify whether its application is restricted to the territory of Kazakhstan.

Accordingly, there is a risk that the Personal Data Law may apply to foreign as well as to Kazakh residents, though it is not clear how relevant sanctions and fines may be applied in practice to a foreign legal entity.

Additionally, confidentiality relating to banks, microfinance, insurance, etc. is subject to separate regulation.

2.2. Territorial scope

The law is unclear as to whether the Personal Data Law applies to non-Kazakhstan entities (whose activity is related to Kazakhstan and whose websites can be accessed from Kazakhstan). Normally, Kazakh laws apply in the territory of Kazakhstan unless provided otherwise within such laws themselves and, accordingly, cover all Kazakh companies (including subsidiaries), as well as branches and representative offices of foreign companies. The Personal Data Law, however, provides that it 'regulates relations in the sphere of personal data and provides for the purposes, principles, and legal basis of activity related to collection, processing, and protection of personal data' and does not clarify whether its effect covers only relevant relations in the territory of Kazakhstan.

There is no official clarification from the relevant state bodies or from court decisions on this matter. The only available answers we managed to get from the websites of the state bodies contradict each other. In particular, a public statement issued on 10 December 2015 by the Ministry for Investments and Development, now established as the Ministry of Industry and Infrastructural Development of the Republic of Kazakhstan, suggested that personal data localisation requirements apply in any case if the personal data of Kazakh residents are being processed. Additionally, a public statement issued on 5 January 2016 by the Ministry of Internal Affairs of the Republic of Kazakhstan suggested that the Personal Data Law, including personal data localisation requirements, shall apply only to relations connected with the collection, processing, and protection of personal data in the territory of Kazakhstan. Please note that answers of state bodies in Kazakhstan may be inconsistent and contradictory, and state bodies generally tend to interpret the law narrowly. The authorised state body, the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan ('MDAI'), also has not issued any statements with regard to this issue.

Currently, Kazakh law and state bodies' clarifications do not provide clear guidance, and there is a high probability that the Personal Data Law may apply to foreign residents as well as to Kazakh residents, though it is not clear how relevant sanctions can be applied in practice to a foreign legal entity.

2.3. Material scope

Processing should be limited to the achievement of specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data should not be allowed. Personal data whose content and volume are excessive in relation to the processing purposes should not be processed (see Articles 7.4-7.5 of the Personal Data Law).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Following the amendments introduced to the Personal Data Law in June 2020, the MDAI has become the authorised body in the field of personal data protection. Before that, there was no single data protection authority. In addition, the Government and state bodies have specific competence in the area of personal data. The Prosecutor's office supervises compliance with the law in the field of personal data and its protection (Chapter 5 of the Personal Data Law).

3.2. Main powers, duties and responsibilities

According to Article 26 of the Personal Data Law, the Government is authorised to:

  • develop the basic direction of state policy in the area of personal data and its protection;
  • manage activities of the central executive/government bodies, local executive bodies in the area of personal data and its protection;
  • approve procedures for the determination by owners and/or operators of a list of personal data required and sufficient to perform tasks;
  • approve the implementation of measures on protection of personal data by the owner and/or operator, as well as third party; and
  • perform other functions as may be required by the Constitution, other applicable laws of the Republic of Kazakhstan, and applicable Presidential acts.

According to Article 27 of the Personal Data Law, state bodies within their competence are authorised to:

  • develop and/or approve regulatory acts in the area of personal data and its protection;
  • review messages of private individuals and/or legal entities on matters of personal data and its protection;
  • take measures on holding violators of the legislation of the Republic of Kazakhstan in the area of personal data and its protection liable according to applicable laws; and
  • perform other functions according to applicable laws and acts of the President as well as the Government.

Under Article 27-1 of the Personal Data Law, the MDAI is authorised to:

  • participate in the implementation of state policy in the field of personal data protection;
  • develop procedures for the implementation of measures on the protection of personal data by an owner and/or operator, as well as a third party;
  • consider applications of personal data subjects on the conformity between contents of personal data as well as methods of processing and the purposes of processing, and make an appropriate decision;
  • take measures to make persons who have violated personal data protection laws liable as set out by law;
  • require an owner and/or operator and third party to clarify, block or destroy personal data that is false or illegally obtained;
  • implement measures aimed at improving the protection of the rights of personal data subjects;
  • create an advisory council on issues of personal data and their protection, and determine the procedure for its formation and activities;
  • approve rules on collection, processing, accumulation, and storage of personal data;
  • approve the rules for the functioning of the state service for controlling access to personal data;
  • coordinate the integration of non-state objects of informatisation with objects of informatisation of state bodies and (or) state legal entities, in which personal data is transferred and (or) access to personal data is provided;
  • approve the rules for integration with the state personal data access control service; and
  • perform other functions according to applicable laws and to applicable acts of the President as well as the Government.

In addition, the MDAI is responsible for considering cases of administrative violations related to personal data protection (see Article 692-2 of the Code on Administrative Infractions).

4. Key Definitions

Data controller: Kazakh law does not define 'data controller' or 'data processor'; however, there are similar concepts under the law. The Personal Data Law recognises:

  • owners of databases containing personal data;
  • operators of databases containing personal data;
  • person responsible for organising the processing of personal data; and
  • so-called 'third parties'.

A database owner means the state authority, natural person, and/or legal entity exercising, in accordance with the law, the rights of possession, use, and disposal of the database containing personal data. According to Article 188.2 of the Civil Code, the right to possess means the legally enforceable ability to exercise actual possession over property (in our case, over the database). The right of use means the legally enforceable possibility to extract useful qualities from the property and receive other benefits from such property. The right to dispose of means the legally enforceable ability to determine the legal destiny of the property (i.e. the ability/competence of the rightsholder, at their discretion, to sell, transfer, grant, etc. the property).

The database operator means the state authority, individual, and/or legal entity engaged in the collection, processing, and protection of personal data. According to Article 1.5 of the Personal Data Law, 'collection' of personal data means actions aimed at obtaining personal data. According to Article 1.12 of the Personal Data Law, 'processing' of personal data means actions aimed at the accumulation, storage, change, amendment, use, distribution, depersonalisation, blocking, and liquidation of personal data. According to Article 1.11 of the Personal Data Law, 'protection' of personal data means a range of measures, including legal, organisational, and technical measures, taken for the purposes established by the Personal Data Law (according to Article 2 of the Personal Data Law, the purpose is generally to ensure the protection of the rights and freedoms of personal data subjects in the course of the collection and processing of their personal data).

If the database owner and (or) database operator is a legal entity (other than a court), it shall designate a person responsible for organising the processing of personal data. That person is required to:

  • exercise internal control over the observance by the operator and its employees of the legislation of the Republic of Kazakhstan on personal data, including the requirements for the protection of personal data;
  • inform the employees of the provisions of personal data legislation; and
  • organise the reception and processing of requests and inquiries of personal data subjects or their representatives and/or exercise control over the reception and processing of such requests and inquiries (Article 25.3 of the Personal Data Law).

Data processor: Please refer to the above definition for data controllers.

Personal data: Under Article 1.2 of the Personal Data Law, 'personal data' means information related to a definite subject, or to a subject definable on the basis of such information, recorded in an electronic, paper, and/or other tangible form (e.g. name, surname, age, address, etc.). A personal data subject is an individual to whom the personal data refers (i.e. personal data protection covers information about individuals and does not cover information about legal entities).

Sensitive data: There is no definition or the equivalent of 'sensitive data' in the Personal Data Law.

Health data: There is no concept of 'health data'. 'Personal medical data' is a similar concept under Article 58.2 of the Law No. 360-VI of 7 July 2020 About Public Health and the Health Care System (only available in Kazakh) ('the Health Code'): 'personal medical data' means personal data containing information about the health of an individual and the medical services provided to them, recorded on electronic, paper, or other material carriers.

Biometric data: Under Article 1.1 of the Personal Data Law, 'biometric data' means personal data that characterises physiological and biological features of the data subject, on the basis of which one may establish their identity.

Pseudonymisation: The Personal Data Law does not contain the concepts 'pseudonymisation/encryption'. The closest concept seems to be 'depersonalisation'. Article 1.12 of the Personal Data Law provides that the depersonalisation of personal data means actions, as a result of which it becomes impossible to determine whether personal data belongs to a specific personal data subject. When processing personal data for historical, statistical, sociological, scientific research, the owner and operator, as well as a third party, are obliged to depersonalise such data.

State service: Under Article 1.2-1 of the Personal Data Law, 'state service' is a state service for controlling access to personal data that provides information interaction of owners and (or) operators, third parties with the subject of personal data and the authorised body when accessing personal data contained in the objects of informatisation of state bodies and (or) state legal entities, including obtaining from the subject of personal data consent to the collection, processing of personal data or their transfer to third parties.

Non-state service: Under Article 1.2-2 of the Personal Data Law, 'non-state service' is a non-state personal data access control service that provides information interaction of owners and (or) operators, third parties with the personal data subject when accessing personal data contained in non-state informatisation objects, including obtaining consent from the personal data subject for the collection, processing of personal data or their transfer to third parties.

5. Legal Bases

5.1. Consent

According to Article 7 of the Personal Data Law, the consent of the personal data subject or their representative, given to the owner, operator, and/or third party, is generally required for the collection and processing of restricted-access data (actions aimed at storage, keeping, amendment, supplement, use, disposal, depersonalisation, blocking, and elimination of the personal data), unless otherwise provided by law. Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. The collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law. According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following forms:

  • in written form;
  • through the state service;
  • through the non-state service; or
  • other methods with the use of elements of protective actions that do not contradict national law.

According to Article 8.4 of the Personal Data Law, consent to the collection and processing of personal data includes:

  • name (last name, first name, patronymic (if it is indicated in the identity document), business identification number (individual identification number) of the operator;
  • last name, first name, patronymic (if it is indicated in the identity document) of the subject;
  • the term or period during which the consent to the collection, processing of personal data is valid;
  • information about the possibility of the operator to transfer personal data to third parties or its absence;
  • information about the presence or absence of cross-border transfer of personal data in the process of their processing;
  • information about the dissemination of personal data in publicly available sources;
  • a list of collected data related to the subject; and
  • other information determined by the owner and (or) operator.

5.2. Contract with the data subject

A contract with the data subject per se, without consent for data processing given under the contract, does not constitute a legal basis for data processing.

5.3. Legal obligations

Processing without consent of the data subject is allowed in the following cases stipulated in Article 9 of the Personal Data Law:

  • carrying out activities of law enforcement agencies, courts, and other authorised state bodies that initiate and consider cases of administrative offenses, enforcement proceedings;
  • carrying out state statistical activities;
  • use of personal data by state bodies for statistical purposes with their mandatory depersonalisation;
  • implementation of international treaties ratified by the Republic of Kazakhstan;
  • protection of constitutional human and civil rights and freedoms, if obtaining the consent of the subject or their legal representative is impossible;
  • carrying out legal professional activities of a journalist and (or) activities of television, radio channels, periodicals, news agencies, online publications or scientific, literary or other creative activity, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan to ensure human and civil rights and freedoms;
  • publication of personal data in accordance with the laws of the Republic of Kazakhstan, including personal data of candidates for elective public office;
  • failure by the subject to perform their obligations to provide personal data in accordance with the laws of the Republic of Kazakhstan;
  • receipt by the state body that regulates, controls and supervises the financial market and financial organisations, information from individuals and legal entities in accordance with the legislation of the Republic of Kazakhstan;
  • receipt by state revenue bodies for tax (customs) administration and (or) control of information from individuals and legal entities in accordance with the laws of the Republic of Kazakhstan;
  • transfer for storage of a backup copy of electronic information resources containing personal data of limited access to a single national backup platform for storing electronic information resources in cases provided for by the laws of the Republic of Kazakhstan;
  • use of personal data of business entities related directly to their business activities to form a register of business partners, subject to the requirements of the legislation of the Republic of Kazakhstan; and
  • in other cases established by the laws of the Republic of Kazakhstan.

5.4. Interests of the data subject

Interests of the data subject do not constitute a legal basis for data processing.

5.5. Public interest

Public interest does not constitute a legal basis for data processing.

5.6. Legitimate interests of the data controller

Legitimate interests of the data controller do not constitute a legal basis for data processing.

5.7. Legal bases in other instances

No other instances constitute a legal basis for data processing.

6. Principles

According to Article 25 of the Personal Data Law an owner shall:

  • collect and process personal data strictly for purposes which are necessary for its operations;
  • process personal data only for the purposes for which it was collected;
  • undertake protective measures which:
    • prevent unauthorised access to personal data;
    • if unauthorised access cannot be prevented, detect such access in a timely manner; and
    • minimise any adverse consequences of such access;
  • observe the laws on personal data protection;
  • delete personal data after the reason for its collection and processing is no longer relevant, and in other cases established by the Personal Data Law and other regulatory acts; and
  • provide evidence of obtaining consent from the subject to collect and process their personal data in cases provided by law.

Please note that the rights and obligations of operators are the same as for owners.

7. Controller and Processor Obligations

According to Article 25 of the Personal Data Law an owner shall:

  • approve a list of personal data necessary and sufficient for its operations unless otherwise provided by the law;
  • approve documents defining the operator's policy regarding the collection, processing, and protection of personal data;
  • at an individual's request, provide a description of their personal data stored by the owner, or a reasoned answer as to why such a description is not provided, within the time limits stipulated by the legislation of the Republic of Kazakhstan;
  • provide, at the request of the authorised body, within the framework of considering applications from individuals and legal entities, information on the methods and procedures used to ensure compliance by the owner and (or) operator with the requirements of Personal Data Law; and
  • within one business day:
    • amend and/or supplement personal data on the basis of relevant documents confirming their correctness or delete personal data in case of impossibility of amendment and/or supplementation;
    • block personal data related to the personal data subject in cases where the information has been obtained through a breach of collection and processing regulations;
    • delete personal data where it is confirmed that its collection and processing breaches the law and in other cases provided by the Personal Data Law and other laws;
    • unblock personal data in case of failure to confirm breach of conditions of collection, processing of personal data;
    • provide the personal data subject or their representative the opportunity to familiarise themselves, free of charge, with the personal data the owner holds related to the personal data subject; and
    • in case of an owner being a legal entity, designate a person responsible for organising the processing of personal data.

Please note that the rights and obligations of operators are the same as for owners.

According to Article 8-1 of the Personal Data Law, owners and (or) operators and third parties that interact with objects of informatisation of state bodies and (or) state legal entities containing personal data must ensure the integration of their own objects of informatisation involved in the collection and processing of personal data with the state service, with the exception of the cases provided for by Articles 9(1), 9(2), 9(9), and 9-2 of the Personal Data Law.

Integration is carried out in compliance with the norms of the legislation of the Republic of Kazakhstan on the provision of information classified as state secrets, personal, family, banking, and commercial secrets, secrets of a medical worker, and other secrets protected by law, as well as other confidential information. In other cases, integration with the state service is carried out on a voluntary basis. The procedure for integration with the state service is determined by the authorised body and by the rules for integrating objects of informatisation of 'electronic government'.

According to Article 8-2 of the Personal Data Law, where there is no interaction with objects of informatisation of state bodies and (or) state legal entities containing personal data, owners and (or) operators and third parties have the right to use non-state services in order to optimise the procedures for obtaining the consent of the subject or their legal representative to the collection and (or) processing of personal data.

7.1. Data processing notification

Neither mandatory notification nor registration applies to actions related to personal data protection.

According to Article 6 of the Personal Data Law, personal data is subdivided, according to its accessibility, into public-access data and restricted-access data. However, according to Article 7 of the Personal Data Law, the consent of the personal data subject or their representative, given to the owner, operator, and/or third party, is generally required for the collection and processing of restricted-access data (actions aimed at storage, keeping, amendment, supplement, use, disposal, depersonalisation, blocking, and elimination of the personal data), unless otherwise provided by law. Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. Collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law (e.g. by the authorised state bodies, on the basis of international treaties, etc.). According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following forms:

  • in written form;
  • through the state service;
  • through the non-state service; or
  • other methods with the use of elements of protective actions that do not contradict national law.

7.2. Data transfers

Pursuant to Article 16.2 of the Personal Data Law, personal data may be transferred from Kazakhstan to a foreign country (including for purposes of processing) without the prior permission of the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties)). If no such protection is available, cross-border transfers of the personal data are only possible if:

  • based upon an individual's specific consent;
  • in cases specified by international agreements ratified by Kazakhstan;
  • in cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; and
  • in the case of the protection of constitutional rights of an individual and citizen, where getting the consent of an individual is impossible.

The Personal Data Law does not specify the level of national protection which would be acceptable for the purposes of cross-border transfer and does not clarify whether national protection needs to be provided through specific or general regulations. The cross-border transfer of personal data may be restricted or prohibited by Kazakh law. However, as mentioned above, under Article 22 of the Personal Data Law, protection of personal data shall be performed by taking a set of measures, including legal, organisational, and technical measures, which guarantees:

  • prevention of unauthorised access to personal data;
  • timely detection of unauthorised access to personal data, if such unauthorised access could not be prevented;
  • minimisation of the negative impact of unauthorised access to personal data;
  • provision of access to the state technical service to informatisation objects that use, store, process, and distribute personal data of restricted access contained in electronic information resources in order to conduct a survey of ensuring the security of the processes of storage, processing and distribution of personal data of restricted access contained in electronic information resources in the manner determined by the authorised body; and
  • registration and accounting of actions provided for in Articles 8(4)(3) to 8(4)(6) of the Personal Data Law.

Data localisation

Pursuant to Article 12.2 of the Personal Data Law, personal data should be stored in the territory of Kazakhstan by the owner and/or operator, as well as third parties. Storage of personal data means actions to ensure the integrity, confidentiality, and accessibility of personal data (Article 1.14 of the Personal Data Law).

We believe that an argument may be made, on the wording 'by the owner and/or operator', that either the owner or the operator shall store the database in the territory of Kazakhstan and, accordingly, if the owner of the database does store the database in Kazakhstan, there is no need for the operator to also store the data in Kazakhstan. Please note, however, that the Personal Data Law does not expressly release one entity from storing the database in Kazakhstan if the same is stored in Kazakhstan by another entity.

Personal data shall be handled separately from other information and fixed in a tangible form. It is required to determine the place where personal data is stored and a list of the persons engaged in its collection and processing or having access to such information.

Data storage devices shall be kept in conditions that ensure the safety of personal data and prevent unauthorised access to it. Such conditions shall be established by the owner and/or operator, as well as the third party (Articles 7, 8, and 9 of Decree No. 909).

7.3. Data processing records

The retention period for personal data is determined by the date when the objectives of collection and processing of personal data are achieved, unless otherwise provided by law (Article 12 of the Personal Data Law).

7.4. Data protection impact assessment

There is no requirement to conduct a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

According to Article 25.2.10 of the Personal Data Law, if the owner and/or operator are legal entities, they are required to appoint a person responsible for organising the processing of personal data (this requirement does not apply to the activities of courts). Such a person is entrusted with the following duties:

  • to exercise internal control over compliance with legislation on the protection of personal data;
  • to inform employees of the provisions of the legislation on the protection of personal data; and
  • to control the reception and processing of appeals of entities or their legal representatives.

Furthermore, Article 7 of the Database Decree has outlined the procedure with which responsible persons must comply in determining the list of personal data, as follows:

  • the responsible person must analyse the ongoing tasks of the owner and/or operator and, accordingly, prepare a proposal of the list of personal data to be processed by the owner and/or operator;
  • the owner and/or operator must consider the proposed list, and either approve it or return it for revision;
  • if the proposed list is returned to the responsible person for revision, the responsible person must return the amended list within five working days to the owner and/or operator for finalisation; and
  • the term for the preparation of the proposal, from the moment of appointment of the responsible person, must not exceed 30 calendar days.

In regard to the role of the DPO, according to Article 25(3) of the Personal Data Law, the appointed person is required to:

  • monitor and ensure compliance by the owner and/or operator of the database, as well as their employees, with the Personal Data Law;
  • inform employees of the owner and/or operator of the provisions of the Personal Data Law, including requirements for the protection of personal data; and
  • exercise control over the reception and processing of applications from data subjects or their legal representatives.

7.6. Data breach notification

There is no specific legal requirement to notify government authorities or clients of breaches of data relating to individuals and legal entities, unless the breach occurs in e-government informatisation facilities and is critical to public information and communication infrastructure facilities, in which case the owners of the relevant facilities shall notify the State technical service.

Information about a subject that is collected and processed in violation of the legislation of the Republic of Kazakhstan shall be removed from publicly available sources of personal data within one business day at the request of the subject or their legal representative, or by decision of a court or other authorised state body.

In this case, the costs arising from the destruction of personal data held in publicly available sources shall be borne by the owner and/or operator, or a third party.

Where the subject or their legal representative revokes consent to the distribution of their personal data in publicly available sources, the amount of the expenses relating to the destruction of that personal data from those sources, and the persons charged with these expenses, shall, if necessary, be determined by a court (Article 6 of the Personal Data Law).

The Personal Data Law introduces the concept of voluntary 'cyber-insurance' against property damage inflicted on personal data subjects, the owner and/or operator, or a third party (Article 23-1 of the Personal Data Law).

7.7. Data retention

According to Article 12 of the Personal Data Law, the accumulation of personal data is carried out by collecting personal data necessary and sufficient to perform the tasks carried out by the owner and/or operator, as well as a third party. The storage of personal data is carried out by the owner and/or operator, as well as by a third party in a database located on the territory of the Republic of Kazakhstan.

The storage period for personal data is determined by the date of achieving the goals of their collection and processing, unless otherwise provided by the legislation of the Republic of Kazakhstan.

Under Article 18 of the Personal Data Law, personal data shall be destroyed by the owner and/or operator, as well as by a third party:

  • upon expiration of the term of storage in accordance with paragraph 2 of Article 12 of the Personal Data Law;
  • upon termination of legal relations between the subject, the owner and/or operator, and any third party;
  • upon a court decision entering into legal force;
  • upon discovery that personal data was collected and processed without the consent of the subject or their legal representative, except in the cases provided for in Articles 7.5 and 9 of the Personal Data Law; and
  • in other cases, established by the Personal Data Law and other regulatory legal acts of the Republic of Kazakhstan.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

There are specific regulations in relation to some categories of personal data, such as personal medical data under the Health Code and the personal data of law enforcement officers under the Law of the Republic of Kazakhstan on Law Enforcement Service of 6 January 2011 No. 380-IV.

7.10. Controller and processor contracts

Not applicable. According to Article 10.3 of the Personal Data Law, relations between the owner, operator, and/or third party regarding access to personal data are regulated by the applicable legislation of the Republic of Kazakhstan.

8. Data Subject Rights

According to Article 24.1 of the Personal Data Law, the personal data subject has the following rights:

  • to know about the presence of their personal data with an owner, operator, and/or third party, as well as to receive information containing:
    • evidence of the fact, purpose, sources, ways of collection, and processing of the personal data;
    • list of the personal data; and
    • timing of processing of the personal data, including timing of its storage;
  • to request the owner and/or operator amend and supplement their personal data if any grounds are confirmed by relevant documents;
  • to request the owner, operator, and/or third party block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available;
  • to request the owner, operator, and/or third party eliminate personal data where the collection and processing were made in breach of law, and in other cases established by the Personal Data Law and other regulatory acts;
  • to withdraw their consent to the collection, processing, distribution in public sources, transfer to third parties, and cross-border transfer of their personal data, except in the cases envisaged by Article 8.2 of the Personal Data Law;
  • to consent or object to the owner and/or operator's dissemination of their personal data in public sources of personal data;
  • to the protection of their rights and legal interests, including compensation for moral and material damage; and
  • other rights envisaged by the Personal Data Law and other laws.

8.1. Right to be informed

According to Article 24.1.1. of the Personal Data Law, the personal data subject has the right to know about the presence of their personal data with an owner, operator, and/or third party, as well as to receive information containing:

  • evidence of the fact, purpose, sources, ways of collection and processing of the personal data;
  • list of the personal data; and
  • timing of processing of the personal data, including timing of its storage.

8.2. Right to access

According to Article 10.2 of the Personal Data Law, the personal data subject has the right to apply to the owner and/or operator for access to their personal data in writing, in the form of an electronic document, or by another means using protective measures that do not contradict the legislation of the Republic of Kazakhstan.

8.3. Right to rectification

According to Article 24.1.2 of the Personal Data Law, the personal data subject has the right to request the owner and/or operator to amend and supplement their personal data if any grounds are confirmed by relevant documents.

8.4. Right to erasure

According to Articles 24.1.3. and 24.1.4. of the Personal Data Law, the personal data subject has the right to request the owner, operator, and/or third party to block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available, and to request the owner, operator, and/or third party to eliminate personal data where the collection and processing were made in breach of law, and in other cases established by the Personal Data Law and other regulatory acts.

8.5. Right to object/opt-out

According to Articles 24.1.5 and 24.1.6 of the Personal Data Law, the data subject has the right to withdraw their consent to the collection, processing, distribution in public sources, transfer to third parties, and cross-border transfer of their personal data, except in the cases envisaged by Article 8.2 of the Personal Data Law, and to consent or object to the owner and/or operator's dissemination of their personal data in public sources of personal data.

8.6. Right to data portability

There is no concept of 'data portability' under the Personal Data Law.

8.7. Right not to be subject to automated decision-making

There is no concept of 'right to not be subject to automated decision-making' under the Personal Data Law.

8.8. Other rights

Other rights include the protection of the data subject's rights and legal interests, including compensation for moral and material damage, and other rights envisaged by the Personal Data Law and other laws.

9. Penalties

According to Article 79 of the Code on Administrative Infractions, the unlawful collection and processing of personal data may lead to fines ranging from ten monthly calculated indices (approx. €67) for private individuals to 200 monthly calculated indices (approx. €1,333) for legal persons.

Failure by the owner, operator, or a third party to take measures for the protection of personal data may lead to a fine ranging from 50 monthly calculated indices (approx. €330) for private individuals to 1,000 monthly calculated indices (approx. €6,660), depending on the category of violator (natural or legal person) and the circumstances of the violation.

According to Article 147 of the Penal Code, non-compliance with personal data protection measures (which may include non-compliance with data localisation requirements) by a natural person responsible for taking such measures, where it causes significant harm to the rights and legitimate interests of other persons, may lead to a fine of up to 3,000 monthly calculated indices (approx. €19,990), correctional labour in the same amount, community service for 600 hours, restriction of freedom for up to two years, or imprisonment for up to two years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to three years, depending on the violation.

Causing significant harm to the rights and legitimate interests of persons through the unlawful collection and/or processing of personal data (which may include non-compliance with data localisation requirements) and/or the unlawful collection of data on a person's private life constituting their personal or familial secrecy may lead to a fine of up to 5,000 monthly calculated indices (approx. €33,320), correctional labour in the same amount, community service for 800 hours, restriction of freedom for up to three years, or imprisonment for up to three years.

The same acts committed by a person using their official position or special technical means intended for covertly obtaining information, or through unlawful access to electronic information resources or an information system, or through illegal interception of information transmitted over a telecommunications network, or in order to obtain benefits and advantages for themselves or for other persons or organisations, may lead to imprisonment for a term of up to five years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years.

Dissemination of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person as a result of illegal collection and/or processing of other personal data may lead to imprisonment for up to five years.

Dissemination of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person which is the result of the illegal collection and/or processing of other personal data in a public statement, publicly demonstrated piece, mass media or via a telecommunication network, may lead to imprisonment for up to seven years.

In addition, any person can apply to the court for damages caused by a breach of data protection legislation.

According to Article 9 of the Civil Code, a private individual also has a right to claim compensation for the moral damage incurred.

9.1. Enforcement decisions

Not applicable.