Kazakhstan - Data Protection Overview
August 2023

1. Governing Texts

Data protection has been a significant area of interest for the Government of the Republic of Kazakhstan ('the Government'). At present, the Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection ('the Personal Data Law') provides general regulations on the collection and processing of personal data and notably includes broad data localization requirements. Laws amending the Personal Data Law were adopted in January and December 2021 and in July, November, and December 2022, significantly extending the data protection obligations of organizations. Among other things, the amendments introduced further requirements for the collection and processing of personal data, obligations for database operators (a concept similar to data processors), and the competence, powers, and role of the personal data protection authority.

1.1. Key acts, regulations, directives, bills

The following legal acts contain provisions that regulate data protection and/or privacy:

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Article 18 of the Constitution guarantees the right to privacy. It guarantees the inviolability of private life, personal and family secrets, the protection of honor and dignity, and the confidentiality of personal deposits and savings, correspondence, telephone conversations, and postal, telegraph, and other communications.

In addition, the provisions protecting commercial and service secrecy are contained in Article 126 of the Civil Code and Article 28 of the Entrepreneur Code. Article 126 of the Civil Code guarantees the protection of commercial and 'service' secrets in cases when the information has actual or potential commercial value due to its non-public nature in relation to third parties, there is no free access to it on lawful grounds, and the possessor of such information takes measures to keep it confidential.

Article 28 of the Entrepreneur Code contains provisions on the protection of commercial secrets and the measures that may be taken to secure such information. Provisions on personal data protection are set out in the Personal Data Law. Its preamble provides that the Personal Data Law regulates relations in the sphere of personal data and establishes the purposes, principles, and legal basis of activities related to the collection, processing, and protection of personal data. However, the Personal Data Law does not clarify whether its application is restricted to the territory of Kazakhstan. Accordingly, there is a risk that the Personal Data Law applies to foreign as well as to Kazakh residents, although it is not clear how the relevant sanctions and fines could be applied in practice to a foreign legal entity.

Additionally, confidentiality in the banking, microfinance, insurance, and similar sectors is subject to separate regulation.

2.2. Territorial scope

It is unclear whether the Personal Data Law applies to non-Kazakhstan entities whose activity is related to Kazakhstan or whose websites can be accessed from Kazakhstan. Normally, Kazakh laws apply in the territory of Kazakhstan unless the law itself provides otherwise, and accordingly cover all Kazakh companies (including subsidiaries) as well as branches and representative offices of foreign companies. The Personal Data Law, however, only states that it regulates relations in the sphere of personal data and establishes the purposes, principles, and legal basis of activities related to the collection, processing, and protection of personal data; it does not clarify whether its effect is limited to such relations within the territory of Kazakhstan.

There is no official clarification from the relevant state bodies and no court decisions on this matter. The answers published on the websites of state bodies contradict each other. In particular, a public statement issued on December 10, 2015 by the Ministry for Investments and Development (now the Ministry of Industry and Infrastructural Development of the Republic of Kazakhstan) suggested that the personal data localization requirements apply in any case where the personal data of Kazakh residents is processed. By contrast, a public statement issued on January 5, 2016 by the Ministry of Internal Affairs of the Republic of Kazakhstan suggested that the Personal Data Law, including its localization requirements, applies only to relations connected with the collection, processing, and protection of personal data in the territory of Kazakhstan. Please note that the answers of state bodies in Kazakhstan may be inconsistent and contradictory, and that state bodies generally tend to interpret the law narrowly. The authorized body, the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan ('MDAI'), has not issued any statement on this issue.

Currently, neither Kazakh law nor the clarifications of state bodies provide clear guidance, and there is a high probability that the Personal Data Law applies to foreign residents as well as to Kazakh residents, although it is not clear how the relevant sanctions could be applied in practice to a foreign legal entity.

2.3. Material scope

Processing must be limited to the achievement of specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes for which it was collected is not allowed, and personal data whose content and volume are excessive for the purposes of processing must not be processed (see Articles 7.8 and 7.9 of the Personal Data Law).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Following the amendments introduced to the Personal Data Law in June 2020, the MDAI became the authorized body in the field of personal data protection. Before that, there was no single data protection authority. In addition, the Government and state bodies have specific competence in the area of personal data, and the Prosecutor's Office supervises compliance with the law in the field of personal data and its protection (Chapter 5 of the Personal Data Law).

3.2. Main powers, duties and responsibilities

According to Article 26 of the Personal Data Law, the Government is authorized to:

  • develop the basic direction of state policy in the area of personal data and its protection;
  • manage activities of the central executive/government bodies, local executive bodies in the area of personal data and its protection;
  • approve procedures for the determination by owners and/or operators of a list of personal data required and sufficient to perform tasks;
  • approve procedures for the implementation of measures on the protection of personal data by the owner and/or operator, as well as third parties; and
  • perform other functions as may be required by the Constitution, other applicable laws of the Republic of Kazakhstan, and applicable Presidential acts.

According to Article 27 of the Personal Data Law, state bodies within their competence are authorized to:

  • develop and/or approve regulatory acts in the area of personal data and its protection;
  • consider applications from individuals and/or legal entities on matters of personal data and its protection;
  • take measures to hold violators of the legislation of the Republic of Kazakhstan in the area of personal data and its protection liable in accordance with applicable laws; and
  • perform other functions according to applicable laws and acts of the President as well as the Government.

Under Article 27-1 of the Personal Data Law, the MDAI is authorized to:

  • participate in the implementation of state policy in the field of personal data protection;
  • develop procedures for the implementation of measures on the protection of personal data by an owner and/or operator, as well as a third party;
  • develop rules for the determination by an owner and/or operator of a list of personal data required and sufficient to perform their tasks;
  • consider applications of personal data subjects or their legal representatives on the conformity between contents of personal data as well as methods of processing and the purposes of processing, and make an appropriate decision;
  • take measures to make persons who have violated personal data protection legislation liable as set out by law;
  • require an owner and/or operator and third party to clarify, block or destroy personal data that is false or illegally obtained;
  • implement measures aimed at improving the protection of the rights of personal data subjects;
  • create an advisory council on issues of personal data and their protection, and determine the procedure for its formation and activities;
  • approve rules on collection, processing of personal data;
  • approve, subject to agreement with the Committee for National Security of the Republic of Kazakhstan, the rules for inspecting the security of the storage, processing, and distribution of restricted-access personal data contained in electronic information resources;
  • approve the rules for the functioning of the state service for controlling access to personal data;
  • coordinate the integration of non-state objects of informatization with objects of informatization of state bodies and/or state legal entities, in which personal data is transferred and/or access to personal data is provided;
  • approve the rules for integration with the state service for controlling access to personal data; and
  • perform other functions according to applicable laws and to applicable acts of the President as well as the Government.

The Ministry of Information and Social Development of the Republic of Kazakhstan is responsible for considering cases of administrative offenses related to personal data protection (see Article 692-2 of the Code on Administrative Infractions).

4. Key Definitions

Data controller: Kazakh law does not define 'data controller' or 'data processor', however, there are similar concepts under the law. The Personal Data Law recognizes:

  • owners of databases containing personal data;
  • operators of databases containing personal data;
  • persons responsible for organizing the processing of personal data; and
  • so-called 'third parties'.

A database owner means the state authority, natural person, and/or legal entity that exercises, in accordance with the law, the rights of possession, use, and disposal of a database containing personal data. According to Article 188.2 of the Civil Code, the right of possession means the legally enforceable ability to exercise actual control over property (here, over the database). The right of use means the legally enforceable ability to extract useful qualities from the property and to receive other benefits from it. The right of disposal means the legally enforceable ability to determine the legal destiny of the property (i.e. the rightsholder's ability, at their discretion, to sell, transfer, or grant the property, etc.).

The database operator means the state authority, individual, and/or legal entity engaged in the collection, processing, and protection of personal data. According to Article 1.5 of the Personal Data Law, 'collection' of personal data means actions aimed at obtaining personal data. According to Article 1.12 of the Personal Data Law, 'processing' of personal data means actions aimed at the accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of personal data. According to Article 1.11 of the Personal Data Law, 'protection' of personal data means a range of measures, including legal, organizational, and technical measures, taken for the purposes established by the Personal Data Law (according to Article 2 of the Personal Data Law, the purpose is generally to ensure the protection of the rights and freedoms of personal data subjects in the course of the collection and processing of their personal data).

Under Article 25.2(10) of the Personal Data Law, if the database owner and/or database operator is a legal entity (other than a court), it must designate a person responsible for organizing the processing of personal data. Under Article 25.3 of the Personal Data Law, that person is required to:

  • exercise internal control over the observance by the owner and/or operator and its employees of the legislation of the Republic of Kazakhstan on personal data and its protection, including the requirements for the protection of personal data;
  • inform the employees of the owner and/or operator of the provisions of the legislation of the Republic of Kazakhstan on personal data and its protection regarding processing personal data, the requirements for the protection of personal data; and
  • organize the reception and processing of requests and inquiries of personal data subjects or their legal representatives and/or exercise control over the reception and processing of such requests and inquiries (Article 25.3 of the Personal Data Law).

Data processor: Please refer to the above definition for data controllers.

Personal data: Under Article 1.2 of the Personal Data Law, 'personal data' means information relating to a specific data subject, or to a data subject who can be identified on the basis of such information, recorded in electronic, paper, and/or other tangible form (e.g. name, surname, age, address, etc.). Under Article 1.16 of the Personal Data Law, a personal data subject is an individual to whom the personal data relates (i.e. personal data protection covers information about individuals and does not cover information about legal entities).

Sensitive data: There is no definition or the equivalent of 'sensitive data' in the Personal Data Law.

Health data: There is no concept of 'health data'. 'Personal medical data' is a similar concept: under Article 58.2 of the Code No. 360-VI of 7 July 2020 On Public Health and the Health Care System ('the Health Code'), 'personal medical data' means personal data containing information about the health of an individual and the medical services provided to them, recorded on electronic, paper, or other material carriers.

Biometric data: Under Article 1.1 of the Personal Data Law, 'biometric data' means personal data that characterizes physiological and biological features of the data subject, on the basis of which one may establish their identity.

Pseudonymization: The Personal Data Law does not contain the concepts of 'pseudonymization' or 'encryption'. The closest concept is 'depersonalization'. Article 1.7 of the Personal Data Law provides that the depersonalization of personal data means actions as a result of which it becomes impossible to determine whether personal data belongs to a specific personal data subject. Note that this is a stricter standard than pseudonymization: data that can still be linked back to a subject by whoever holds a key or mapping table is pseudonymized, not depersonalized. Under Article 17.1 of the Personal Data Law, when collecting and processing personal data for statistical, sociological, scientific, or marketing research, the owner and/or operator, as well as any third party, are obliged to depersonalize such data in accordance with the rules for the collection and processing of personal data.
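The following is an added example, not code from DataGuidance or from any Kazakh authority, illustrating why the Article 1.7 standard ('impossible to determine' the subject) is not met by merely hashing an identifier. The records, identifiers, city-to-region mapping, and diagnoses are constructed for the example, and the 12-digit `iin` field is assumed as a stand-in for a national identifier; no real data is used. It contrasts an unkeyed hash (linkable by anyone with a candidate list), an HMAC pseudonym (linkable by the key holder), and generalization of quasi-identifiers checked against a minimum group size (k-anonymity), which is the kind of check a practitioner would want before calling a research dataset depersonalized.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample records for illustration only: people, identifiers and
# diagnoses are made up. "iin" is assumed to be a 12-digit national identifier;
# birth_year and city are quasi-identifiers that can re-identify a person even
# after the iin is removed.
RECORDS = [
    {"iin": "900101300123", "birth_year": 1990, "city": "Almaty",    "diagnosis": "A"},
    {"iin": "930415400456", "birth_year": 1993, "city": "Shymkent",  "diagnosis": "B"},
    {"iin": "850620300789", "birth_year": 1985, "city": "Astana",    "diagnosis": "A"},
    {"iin": "881130400321", "birth_year": 1988, "city": "Karaganda", "diagnosis": "C"},
    {"iin": "910907300654", "birth_year": 1991, "city": "Astana",    "diagnosis": "B"},
    {"iin": "960212400987", "birth_year": 1996, "city": "Karaganda", "diagnosis": "A"},
]

# Constructed city-to-region mapping used to coarsen the "city" quasi-identifier.
REGION = {"Almaty": "South", "Shymkent": "South", "Astana": "North", "Karaganda": "North"}

QUASI_RAW = ("birth_year", "city")
QUASI_GENERALIZED = ("birth_decade", "region")


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier. Deterministic, so anyone holding a
    candidate list can recompute it and link the token back to a person."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. An outsider without the key cannot recompute it,
    but the key holder can, so this is pseudonymization, not depersonalization."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def link_back(token: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for every candidate identifier
    (with the key if available, otherwise as a plain hash) and return the match."""
    for cand in candidates:
        recomputed = keyed_pseudonym(cand, key) if key is not None else plain_hash(cand)
        if hmac.compare_digest(recomputed, token):
            return cand
    return None


def generalize(record: dict) -> dict:
    """Drop the direct identifier and coarsen the quasi-identifiers."""
    return {
        "birth_decade": record["birth_year"] // 10 * 10,
        "region": REGION[record["city"]],
        "diagnosis": record["diagnosis"],
    }


def min_group_size(rows, quasi) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier
    values (the k of k-anonymity). A group of 1 is a unique, linkable row."""
    counts = Counter(tuple(row[q] for q in quasi) for row in rows)
    return min(counts.values())


def depersonalize(records, k: int):
    """Generalize the records and report whether every quasi-identifier
    combination occurs at least k times. Returns (rows, satisfies_k)."""
    rows = [generalize(r) for r in records]
    return rows, min_group_size(rows, QUASI_GENERALIZED) >= k


if __name__ == "__main__":
    # The attacker holds a directory that happens to contain the real identifier.
    directory = [r["iin"] for r in RECORDS] + ["770101300000"]
    print("plain hash linked to:", link_back(plain_hash("900101300123"), directory))  # 900101300123
    token = keyed_pseudonym("900101300123", key=b"server-side-secret")
    print("HMAC, no key, linked to:", link_back(token, directory))                   # None
    print("HMAC, with key, linked to:", link_back(token, directory, key=b"server-side-secret"))  # 900101300123
    print("smallest group, raw quasi-identifiers:", min_group_size(RECORDS, QUASI_RAW))  # 1
    print("generalized rows satisfy k=2:", depersonalize(RECORDS, k=2)[1])            # True
```

The raw rows are all unique on (birth year, city), so removing the identifier alone leaves every row linkable; after generalization each combination appears at least twice, which is the minimum check worth automating before a dataset is treated as depersonalized under Article 17.1. Whether k=2 is adequate, and which attributes count as quasi-identifiers, is a judgement the rules on collection and processing leave to the owner or operator.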

State service: Under Article 1.2-1 of the Personal Data Law, 'state service' is a state service for controlling access to personal data that provides information interaction of owners and/or operators, third parties with the personal data subject and the authorized body when accessing personal data contained in the objects of informatization of state bodies and/or state legal entities, including obtaining from the personal data subject consent to the collection, processing of personal data or their transfer to third parties.

Non-state service: Under Article 1.2-2 of the Personal Data Law, 'non-state service' is a non-state service for controlling access to personal data that provides information interaction of owners and/or operators, third parties with the personal data subject when accessing personal data contained in non-state objects of informatization, including obtaining consent from the personal data subject for the collection, processing of personal data or their transfer to third parties.

5. Legal Bases

5.1. Consent

According to Article 7 of the Personal Data Law, consent to the owner, operator, and/or third party by the personal data subject or their representative is generally required for the collection and processing of personal data (actions aimed at accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of the personal data), unless otherwise provided by law. Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. The collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law. According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following forms:

  • in written form;
  • through the state service;
  • through the non-state service; or
  • other method ensuring confirmation of receipt of the consent.

According to Article 8.4 of the Personal Data Law, consent to the collection and processing of personal data includes:

  • name (last name, first name, patronymic (if it is indicated in the identity document), business identification number (individual identification number) of the operator;
  • last name, first name, patronymic (if it is indicated in the identity document) of the subject;
  • the term or period during which the consent to the collection, processing of personal data is valid;
  • information about whether or not the operator can transfer personal data to third parties;
  • information about the presence or absence of cross-border transfer of personal data in the process of their processing;
  • information about the distribution of personal data in publicly available sources;
  • a list of collected data related to the subject; and
  • other information determined by the owner and/or operator.

5.2. Contract with the data subject

A contract with the data subject per se, without consent for data processing given under the contract, does not constitute legal basis for data processing.

5.3. Legal obligations

Collection and processing without the consent of the data subject is allowed in the following cases stipulated in Article 9 of the Personal Data Law:

  • carrying out activities of law enforcement agencies, courts, and other authorized state bodies that initiate and consider cases of administrative offenses, enforcement proceedings;
  • carrying out state statistical activities;
  • use of personal data by state bodies for statistical purposes, subject to mandatory depersonalization;
  • implementation of international treaties ratified by the Republic of Kazakhstan;
  • protection of constitutional human and civil rights and freedoms, if obtaining the consent of the subject or their legal representative is impossible;
  • carrying out legal professional activities of a journalist and/or activities of television, radio channels, periodicals, information agencies, online publications or scientific, literary or other creative activity, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan to ensure human and civil rights and freedoms;
  • publication of personal data in accordance with the laws of the Republic of Kazakhstan, including personal data of candidates for elective public office;
  • failure by the subject to perform their obligations to provide personal data in accordance with the laws of the Republic of Kazakhstan;
  • receipt by the state body that regulates, controls and supervises the financial market and financial organizations, information from individuals and legal entities in accordance with the legislation of the Republic of Kazakhstan;
  • receipt by state revenue bodies for tax (customs) administration and/or control of information from individuals and legal entities in accordance with the laws of the Republic of Kazakhstan;
  • transfer for storage of a backup copy of electronic information resources containing personal data of restricted access to a single national backup platform for storing electronic information resources in cases provided for by the laws of the Republic of Kazakhstan;
  • use of personal data of business entities related directly to their business activities to form a register of business partners, subject to the requirements of the legislation of the Republic of Kazakhstan;
  • use of personal data of a citizen of the Republic of Kazakhstan from the day of submitting of an application for extrajudicial or judicial bankruptcy procedure in accordance with the Law of the Republic of Kazakhstan on Restoring Solvency and Bankruptcy of Citizens of the Republic of Kazakhstan of 30 December 2022 No. 178-VII as well as for the period up to three years preceding the application of the extrajudicial or judicial bankruptcy procedure; and
  • in other cases, established by the laws of the Republic of Kazakhstan.

5.4. Interests of the data subject

Interests of the data subject do not constitute legal basis for data processing.

5.5. Public interest

Public interest does not constitute legal basis for data processing.

5.6. Legitimate interests of the data controller

Legitimate interests of the data controller do not constitute legal basis for data processing.

5.7. Legal bases in other instances

There are no other instances that constitute a legal basis for data processing.

6. Principles

According to Articles 22 and 25 of the Personal Data Law, an owner shall:

  • collect and process personal data strictly for purposes which are necessary for its operations;
  • process personal data only for the purposes for which it was collected; and
  • undertake protective measures which:
    • prevent unauthorized access to personal data;
    • if unauthorized access cannot be prevented, detect such access in a timely manner;
    • minimize any adverse consequences of such access;
    • provide the state technical service with access to the objects of informatization that use, store, process, and distribute restricted-access personal data contained in electronic information resources, for inspection of the security of the storage, processing, and distribution of such data in the manner determined by the authorized body; and
    • register and record the actions provided for by Articles 8.4(3), 8.4(4), 8.4(5), and 8.4(6) of the Personal Data Law (i.e. the term and period of validity of the consent, transfer of personal data to third parties, cross-border transfer of personal data, and distribution of personal data in public sources);
  • observe the laws on personal data protection;
  • destroy personal data once the reason for its collection and processing is no longer relevant, and in other cases established by the Personal Data Law and other regulatory acts; and
  • provide evidence of obtaining consent from the subject to collect and process their personal data in cases provided by law.

Please note that the rights and obligations of operators are the same as for owners.

7. Controller and Processor Obligations

According to Article 25 of the Personal Data Law an owner shall:

  • approve a list of personal data necessary and sufficient for its operations unless otherwise provided by the law;
  • approve documents defining the operator's policy regarding the collection, processing, and protection of personal data;
  • at the subject's request, provide a description of their personal data or motivated answer why description is not provided, within the time limits stipulated by the legislation of the Republic of Kazakhstan;
  • provide, at the request of the authorized body, within the framework of considering applications from individuals and legal entities, information on the methods and procedures used to ensure compliance by the owner and/or operator with the requirements of Personal Data Law; and
  • within one business day:
    • amend and/or supplement personal data on the basis of documents confirming its correctness, or destroy the personal data if amendment and/or supplementation is impossible;
    • block personal data related to the personal data subject in cases where the information has been obtained through a breach of collection and processing regulations;
    • destroy personal data where it is confirmed that its collection and processing breaches the law and in other cases provided by the Personal Data Law and other laws;
    • unblock personal data in case of failure to confirm breach of conditions of collection, processing of personal data;
    • give the personal data subject or their representative the opportunity to familiarize themselves with the personal data relating to the subject free of charge; and
    • where the owner is a legal entity, designate a person responsible for organizing the processing of personal data (this provision does not apply to courts).

Please note that the rights and obligations of operators are the same as for owners.

According to Article 8-1 of the Personal Data Law, owners and/or operators and third parties that interact with objects of informatization of state bodies and/or state legal entities containing personal data must integrate their own objects of informatization involved in the collection and processing of personal data with the state service, except in the cases provided for by Articles 9(1), 9(2), 9(9), and 9(9-2) of the Personal Data Law.

Integration is carried out in compliance with the norms of the legislation of the Republic of Kazakhstan on the provision of information classified as state secrets, personal, family, banking, commercial secrets, secrets of a medical worker and other secrets protected by law, as well as other confidential information. In other cases, integration with the state service is carried out on a voluntary basis. The procedure for integration with the state service is determined by the authorized body and the rules for integrating objects of informatization of 'electronic government'.

According to Article 8-2 of the Personal Data Law, where there is no interaction with objects of informatization of state bodies and/or state legal entities containing personal data, owners and/or operators and third parties have the right to use non-state services in order to streamline the procedures for obtaining the consent of the subject or their legal representative to the collection and/or processing of personal data.

7.1. Data processing notification

According to Articles 8-1 and 9 of the Personal Data Law, owners and/or operators and third parties must integrate their objects of informatization with the state service when interacting with objects of informatization of state bodies and/or state legal entities containing personal data. The following notifications must be given to the personal data subject via that state service:

  • on actions with its personal data contained in objects of informatization of state bodies and/or state legal entities (access, review, change, supplement, transfer, blocking, destruction);
  • on initiators of requests for access to its personal data contained in objects of informatization of state bodies and/or state legal entities if collection, processing of personal data is carried out without the consent in the following cases:
    • implementation of international treaties ratified by the Republic of Kazakhstan;
    • carrying out legal professional activities of a journalist and/or activities of television, radio channels, periodicals, information agencies, online publications or scientific, literary or other creative activity, subject to compliance with the requirements of the legislation of the Republic of Kazakhstan to ensure human and civil rights and freedoms;
    • failure by the subject to perform their obligations to provide personal data in accordance with the laws of the Republic of Kazakhstan;
    • use of personal data of business entities related directly to their business activities to form a register of business partners, subject to the requirements of the legislation of the Republic of Kazakhstan.

According to Article 8-2 of the Personal Data Law, where there is no interaction with objects of informatization of state bodies and/or state legal entities containing personal data, owners and/or operators and third parties have the right to use non-state services to streamline the procedures for obtaining the consent of the personal data subject or their legal representative to the collection and/or processing of personal data. In the following circumstances the data subject must be notified via that non-state service:

  • on actions with its personal data (review, change, supplement, transfer, blocking, destruction); and
  • on access by third parties to its personal data.

Also, according to Article 19 of the Personal Data Law, where a condition requires that the personal data subject be notified of the transfer of their personal data to a third party, the owner and/or operator must notify the data subject or their legal representative of such a transfer. This provision does not apply to:

  • the performance by state bodies, as well as by private notaries, private enforcement officers, and attorneys, of their functions provided for by the legislation of the Republic of Kazakhstan; and
  • the collection and processing of personal data for statistical, sociological, or scientific purposes.

According to Article 22(5) of the Personal Data Law, owners and/or operators as well as third parties shall register and record the following actions and information:

  • validity of a consent to collection, processing of personal data;
  • transfer by operators of personal data to third parties;
  • cross-border transfer of personal data; and
  • distribution of personal data in public sources.

According to Article 6 of the Personal Data Law, personal data is subdivided, according to its accessibility, into public-access data and restricted-access data. Regardless of this classification, under Article 7 of the Personal Data Law the consent of the personal data subject or their representative to the owner, operator, and/or third party is generally required for the collection and processing of personal data (actions aimed at the accumulation, storage, change, supplement, use, distribution, depersonalization, blocking, and destruction of personal data), unless otherwise provided by law.

Distribution of personal data in public sources is also only allowed with the consent of the subject or their legal representative. Collection and processing of personal data without such consent is possible only in cases provided by the Personal Data Law (e.g. to the authorized state bodies, based on international treaties, etc.). According to Article 8 of the Personal Data Law, consent for the collection and processing of personal data can be obtained in one of the following ways:

  • in written form;
  • through the state service;
  • through the non-state service; or
  • other method ensuring confirmation of receipt of the consent.

7.2. Data transfers

Pursuant to Article 16.2 of the Personal Data Law, personal data may be transferred from Kazakhstan to a foreign country (including for purposes of processing) without prior permission from the personal data subject only if the recipient of the personal data is located in a country that protects personal data (at either the national level (by adopting national laws and regulations) or the international level (through international treaties)). Pursuant to Article 16.3 of the Personal Data Law, if no such protection is available, cross-border transfers of personal data are only possible:

  • where the subject gives specific consent;
  • in cases specified by international treaties ratified by Kazakhstan;
  • in cases stipulated in the laws of Kazakhstan in order to protect the constitutional order, public order, rights and freedoms of an individual and a citizen, and public health and morality; or
  • in the case of the protection of the constitutional rights of an individual and citizen, where obtaining the consent of the subject or their legal representative is impossible.

The Personal Data Law does not specify the level of national protection which would be acceptable for the purposes of cross-border transfer and does not clarify whether national protection needs to be provided through specific or general regulations. The cross-border transfer of personal data may be restricted or prohibited by Kazakh law. However, as mentioned above, under Article 22 of the Personal Data Law, protection of personal data shall be performed by taking a set of measures, including legal, organizational, and technical measures, which guarantee:

  • prevention of unauthorized access to personal data;
  • timely detection of unauthorized access to personal data, if such unauthorized access could not be prevented;
  • minimization of the negative impact of unauthorized access to personal data;
  • provision of access for the state technical service to objects of informatization that use, store, process, and distribute restricted-access personal data contained in electronic information resources, so that it can inspect whether the security of the processes of storage, processing, and distribution of such restricted-access personal data is ensured, in the manner determined by the authorized body; and
  • registration and recording of actions provided for in Articles 8.4(3), 8.4(4), 8.4(5), and 8.4(6) of the Personal Data Law (such as term and period of the consent validity, transfer of personal data to third parties, cross-border transfer of personal data, distribution of personal data in public sources).

Data localization

Pursuant to Article 12.2 of the Personal Data Law, personal data should be stored in a database located on the territory of Kazakhstan by the owner and/or operator, as well as third parties. Storage of personal data means actions to ensure the integrity, confidentiality, and accessibility of personal data (Article 1.14 of the Personal Data Law).

The Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan issued an answer on 22 April 2022 stating that personal data may be stored in a database located on the territory of foreign states upon consent of the personal data subject or its legal representative for cross-border transfer of personal data provided that the same personal data is stored in a database located on the territory of the Republic of Kazakhstan.

We believe that the wording 'by the owner and/or operator' may support an argument that either the owner or the operator must store the database in the territory of Kazakhstan and, accordingly, that if the owner of the database does store it in Kazakhstan, there is no need for the operator to also store the data in Kazakhstan. Please note, however, that the Personal Data Law does not expressly release one entity from the obligation to store the database in Kazakhstan where the same database is stored in Kazakhstan by another entity.

Personal data should be handled separately from other information and fixed in a tangible form. It is required to determine the storing place of personal data and a list of persons engaged in the collection and processing or having access to such information.

Personal data storage devices should be stored in conditions providing the safety of personal data and preventing unauthorized access to personal data. Such conditions shall be established by the owner and/or operator, as well as third parties (Articles 7, 8, and 9 of Decree No. 909).

7.3. Data processing records

The storage period for personal data is determined by the date when the purposes of collection and processing of personal data are achieved unless otherwise provided by law (Article 12.2 of the Personal Data Law).

7.4. Data protection impact assessment

There is no requirement to conduct a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

According to Article 25.2(10) of the Personal Data Law, if the owner and/or operator are legal entities, they are required to appoint a person responsible for organizing the processing of personal data (this requirement does not apply to the activities of courts). According to Article 25.3 of the Personal Data Law, such a person is entrusted with the following duties:

  • exercise internal control over the observance by the owner and/or operator and its employees of the legislation of the Republic of Kazakhstan on personal data and its protection, including the requirements for the protection of personal data;
  • inform the employees of the owner and/or operator of the provisions of the legislation of the Republic of Kazakhstan on personal data and its protection regarding processing personal data, the requirements for the protection of personal data; and
  • organize the reception and processing of requests and inquiries of personal data subjects or their legal representatives and/or exercise control over the reception and processing of such requests and inquiries (Article 25.3 of the Personal Data Law).

Furthermore, Chapter 2 of the Decree No. 1214 has outlined the procedure with which the owner and/or operator must comply in determining the list of personal data, as follows:

  • the owner and/or operator must analyze their ongoing tasks and, accordingly, prepare a proposal of the list of personal data required and sufficient to perform their tasks;
  • the proposed list is subject to approval by the owner and/or operator;
  • based on results of activity, the owner and/or operator amend the list of personal data required and sufficient to perform their tasks annually.

7.6. Data breach notification

There is no specific legal requirement to notify government authorities or clients of breaches of data relating to individuals and legal entities, unless the breach concerns restricted-access personal data and/or occurs in e-government informatization facilities or critical public information and communication infrastructure facilities, in which case the owners of the relevant facilities must notify the state technical service.

General requirements for notification on actions in relation to personal data are discussed in Section 7.1 above.

Information about a subject that is collected and processed in violation of the legislation of the Republic of Kazakhstan shall be excluded from publicly available sources of personal data within one business day at the request of the subject or their legal representative, or by decision of a court or another authorized state body.

In this case, the costs arising from the destruction of personal data held in publicly available sources of personal data shall be borne by the owner and/or operator, or a third party.

Where the subject or their legal representative revokes their consent to the distribution of their personal data in publicly available sources, the amount of the expenses incurred in destroying that personal data from those sources, as well as the persons charged with these expenses, shall be determined in court if necessary (Article 6 of the Personal Data Law).

The Personal Data Law introduces the concept of voluntary 'cyber-insurance' against property damage inflicted on personal data subjects, owners and/or operators, and third parties (Article 23-1 of the Personal Data Law).

7.7. Data retention

According to Article 12 of the Personal Data Law, the accumulation of personal data is carried out by collecting personal data necessary and sufficient to perform the tasks carried out by the owner and/or operator, as well as a third party. The storage of personal data is carried out by the owner and/or operator, as well as by a third party in a database located in the territory of the Republic of Kazakhstan.

The storage period for personal data is determined by the date of achieving the purposes of their collection and processing unless otherwise provided by the legislation of the Republic of Kazakhstan.

Under Article 18 of the Personal Data Law, the personal data shall be subject to destruction by the owner and/or operator, as well as third parties:

  • upon expiration of the period of storage in accordance with Article 12.2 of the Personal Data Law;
  • upon termination of legal relations between the subject, owner, and/or operator, as well as third party;
  • in the enforcement of a court decision;
  • upon revealing the collection and processing of personal data without the consent of the subject or their legal representative, except for the cases provided for in Articles 7.5 and 9 of the Personal Data Law; and
  • in other cases, established by the Personal Data Law and other regulatory legal acts of the Republic of Kazakhstan.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

There are specific regulations in relation to some categories of personal data, such as personal medical data under the Health Code and personal data of law enforcement officers under the Law of the Republic of Kazakhstan on Law Enforcement Service of 6 January 2011 No. 380-IV.

7.10. Controller and processor contracts

Not applicable. According to Article 10.3 of the Personal Data Law, relations between the owner and/or operator and/or third party regarding access to personal data are regulated by the applicable legislation of the Republic of Kazakhstan.

8. Data Subject Rights

According to Article 24.1 of the Personal Data Law, the personal data subject has the following rights:

  • to know about the presence of their personal data with an owner and/or operator and third party, as well as to receive information containing:
    • evidence of the fact, purpose, sources, ways of collection, and processing of the personal data;
    • list of the personal data; and
    • time of processing of the personal data, including the time of its storage;
  • to request the owner and/or operator amend and supplement their personal data if any grounds are confirmed by relevant documents;
  • to request the owner and/or operator and third party block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available;
  • to request the owner and/or operator and third party destroy their personal data where the collection and processing were made in breach of law and in other cases established by the Personal Data Law and other regulatory acts;
  • to revoke their consent to collect, process, distribute in public sources, transfer to third parties, and cross-border transfer personal data except for in cases envisaged by Article 8.2 of the Personal Data Law;
  • to consent or object to the owner and/or operator's distribution of their personal data in public sources of personal data;
  • to the protection of their rights and legal interests, including compensation for moral and material damage; and
  • other rights envisaged by the Personal Data Law and other laws.

8.1. Right to be informed

According to Article 24.1(1) of the Personal Data Law, the personal data subject has the right to know about the presence of their personal data with an owner and/or operator and third party, as well as to receive information containing:

  • evidence of the fact, purpose, sources, ways of collection and processing of the personal data;
  • list of the personal data; and
  • time of processing of personal data, including the time of its storage.

8.2. Right to access

According to Article 10.2 of the Personal Data Law, the personal data subject or their legal representative has the right to apply to the owner and/or operator for access to their personal data, in writing, in the form of an electronic document, or in another way using elements of protective actions that do not contradict the legislation of the Republic of Kazakhstan.

8.3. Right to rectification

According to Article 24.1(2) of the Personal Data Law, the personal data subject has the right to request the owner and/or operator to amend and supplement their personal data if any grounds are confirmed by relevant documents.

8.4. Right to erasure

According to Articles 24.1(3) and 24.1(4) of the Personal Data Law, the personal data subject has the right to request the owner and/or operator and third party to block their personal data in cases where evidence of a breach of conditions regarding the collection or processing of personal data is available, and to request the owner and/or operator and third party to destroy their personal data where the collection and processing were made in breach of law, and in other cases established by the Personal Data Law and other regulatory acts.

8.5. Right to object/opt-out

According to Articles 24.1(5) and 24.1(6) of the Personal Data Law, the data subject has the right to revoke their consent to the collection, processing, distribution in public sources, transfer to third parties, and cross-border transfer of their personal data, except in the cases envisaged by Article 8.2 of the Personal Data Law, and to consent or object to the owner and/or operator's distribution of their personal data in public sources of personal data.

8.6. Right to data portability

There is no concept of 'data portability' under the Personal Data Law.

8.7. Right not to be subject to automated decision-making

Under Article 36.6 of the Informatization Law, owners or possessors of electronic information resources are prohibited from making decisions based solely on automated processing of electronic information resources, including by intellectual robots, that result in the creation, alteration, or termination of the rights or legal interests of the personal data subject, except where such a decision is made with the consent of the personal data subject or in cases provided for by the legislation of the Republic of Kazakhstan.

Owners or possessors of electronic information resources shall inform the personal data subject of the use of automated processing that results in the creation, alteration, or termination of the rights or legal interests of the personal data subject.

Under Article 1.43-1 of the Informatization Law, an intellectual robot means an automated device that performs certain actions, or refrains from acting, taking into account the perceived and recognized external environment.

8.8. Other rights

Other rights include the right to protection of the data subject's rights and legal interests, including compensation for moral and material damage, and other rights envisaged by the Personal Data Law and other laws.

9. Penalties

According to Article 79 of the Code on Administrative Infractions, the unlawful collection and/or processing of personal data may lead to fines ranging from ten monthly calculated indices (approx. $76) for individuals to 200 monthly calculated indices (approx. $1,530) for legal persons.

Failure by an owner, operator, or third party to take measures for the protection of personal data may lead to a fine ranging from 50 monthly calculated indices (approx. $382) for individuals to 1,000 monthly calculated indices (approx. $7,652), depending on the category of violator (natural or legal person) and the circumstances of the violation.

According to Article 147 of the Penal Code, non-compliance with measures for personal data protection (that may include non-compliance with data localization requirements) by a natural person responsible for taking such measures if such action caused significant harm to the rights and legitimate interests of other persons may lead to a fine up to 3,000 monthly calculated indices (approx. $22,955), correctional labor for the same amount, community service for 600 hours, restriction of freedom for up to two years, or imprisonment for up to two years with deprivation of the right to take certain positions or certain activity for a period of up to three years or without such deprivation depending on the violation.

Causing significant harm to the rights and legitimate interests of persons through the unlawful collection of data on their private life or familial secrecy may lead to fines of up to 5,000 monthly calculated indices (approx. $38,260), correctional labor for the same amount, community service for 800 hours, restriction of freedom for up to three years, or imprisonment for up to three years.

The same acts committed by a person using their official position or special technical means intended for secretly obtaining information; by unlawful access to electronic information resources or an information system, or by illegal interception of information transmitted through a telecommunications network; in order to derive benefits and advantages for themselves or for other persons or organizations; or in relation to a person or their immediate relatives in connection with that person's performance of an official activity or professional or public duty, for the purpose of obstructing such activity or out of revenge for it, may lead to imprisonment for up to five years, with or without deprivation of the right to hold certain positions or engage in certain activities for a period of two to five years.

Distribution of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person as a result of unlawful distribution of other personal data may lead to imprisonment for a period from three to six years.

Distribution of information about the private life of a person constituting their personal or familial secrecy without their consent or causing significant harm to the rights and legitimate interests of a person as a result of the unlawful distribution of other personal data in a public statement, publicly demonstrated piece, mass media or via a telecommunication network including internet, as well as in relation to a person or their immediate relatives in connection with the performance by this person of an official activity or professional or public duty for the purpose of obstructing such an activity or out of revenge for it, may lead to imprisonment for a period from three to seven years.

In addition, any person can apply to the court for damages caused by a breach of data protection legislation.

According to Article 9 of the Civil Code, an individual also has a right to claim compensation for the moral damage incurred.

9.1. Enforcement decisions

Not applicable.