Kazakhstan: Health and Pharma Overview
1. Governing Texts
The Code of the Republic of Kazakhstan of 7 July 2020 No. 360-VI on Public Health and Healthcare System ('the Health Code') replaced the previous Code enacted in 2009. The Health Code introduces a new national healthcare system whereby health is defined as a key factor of national development, in which the development of a healthcare system for the sake of national health is the sole responsibility of the State, employers, and the general population.
The Health Code lays the ground for a range of integration processes related to electronic data collection, processing, and storage to be operated by all participants involved in medical and pharmaceutical activities in Kazakhstan, including the rules concerning the national introduction of medical information systems and respective certification.
Following the adoption of the Health Code, respective amendments and additions were made to all principal laws of the Republic of Kazakhstan to enable the immediate force of the new healthcare system.
The principal data protection laws of Kazakhstan applicable to the healthcare sector are as follows:
- Constitution of the Republic of Kazakhstan of 30 August 1995, which establishes the right to privacy, including the privacy of correspondence, telephone, and other communications for every individual;
- Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V on Personal Data and its Protection ('the Personal Data Law'), which regulates public relations with regard to personal data and defines the purpose, principles, and legal foundations of the activities related to the collection, processing, and protection of personal data;
- the Health Code, which provides for the protection of patient privacy; and
- Law of the Republic of Kazakhstan of 24 November 2015 No. 418-V on Informatisation ('the Informatisation Law'), which provides for measures to prevent unlawful access to digital information.
In addition, if an international agreement ratified by Kazakhstan establishes rules other than those contained in the Personal Data Law, such rules will also apply.
On 1 April 2022, the President signed the Law of the Republic of Kazakhstan 'On Ratification of the Agreement on Mutual Legal Assistance in Administrative Matters in the Sphere of Personal Data Exchange' ('the Agreement on Mutual Legal Assistance'). According to the Agreement on Mutual Legal Assistance, each Party-signatory (the members of the Commonwealth of Independent States ('CIS')), at the request of the other Party, provides mutual legal assistance on administrative issues in the field of personal data exchange in accordance with national legislation and the provisions of the Agreement on Mutual Legal Assistance. Requests for legal assistance can concern the following personal data:
- on presence (absence) of a citizenship of the Parties;
- on availability of the documents giving the right to permanent (temporary) stay (residence) in the territories of the Parties;
- on migration registration or registration at the place of residence (place of stay) of citizens of the Parties, citizens of third countries and stateless persons;
- on issuance of visas giving the right to enter the territory of the Parties;
- on real estate registered in the name of the subject of personal data in the territories of the Parties;
- on obligations of a property nature that the subject of personal data has in the territories of the Parties;
- on bringing the subject of personal data to criminal or administrative liability in the territories of the Parties; and
- about identity documents.
At the time of writing, none of the signed international agreements have been ratified by Kazakhstan, particularly those relating to personal data. So far, Kazakhstan seems cautious towards the prospect of signing up to specific Eurasian Economic Union ('EAEU') regulations on cross-border data exchange.
As can be seen from the above, the personal data protection system of Kazakhstan is regulated at the national level. In general, anticipated pressure on domestic companies affiliated with the companies based in the EU to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has not been significant due to, inter alia, low business demand for obtaining and using personal data that falls within the scope of application of the GDPR.
At the same time, upon review of the latest changes to the Personal Data Law, it is apparent that approaches to personal data protection in Kazakhstan are largely aligned with those in other jurisdictions, the EU included.
1.2. Supervisory authorities
The principal institutions involved in data protection regulation are:
- the Government of the Republic of Kazakhstan ('the Government');
- the Ministry of Healthcare ('MoH');
- the Ministry of Digital Development, Innovations, and Aerospace Industry ('MDIA');
- the Information Security Committee of the MDIA ('ISC');
- the Ministry of Internal Affairs ('MIA'); and
- the General Prosecutor's Office of the Republic of Kazakhstan.
The Government as a central body establishes the main direction of state policy in the field of personal data and its protection, as well as manages the activities of relevant ministries and/or specifically responsible divisions of those ministries, and local executive bodies in relation to personal data and its protection.
In line with the novelties regarding digital technologies regulation adopted in June 2020, the MDIA is defined as a central executive body with the competence of supervising the regulation of the personal data collection, processing, and protection terms.
The MDIA is responsible for the development and approval of the Rules of collection, processing, and storage of biometric data of individuals for their biometric authentication during the provision of state services.
The MDIA is entrusted with, inter alia, the following functions:
- consideration of the subject's appeals on the correspondence of the personal data content and methods of its processing to the purposes of its processing and taking respective decisions;
- taking measures to bring the persons committing violations of the legislation on personal data and its protection to responsibility, as established by the laws of Kazakhstan; and
- requiring the owner and/or operator, as well as third parties, to clarify, block, or destroy inaccurate or illicitly obtained personal data.
Even though a single authorised body in the field of personal data protection has been determined, the processing and protection of personal medical data stored at the national level are carried out by the MoH. In accordance with the assigned functions, the MoH developed and approved the rules of using technical means of control at healthcare organisations for the purpose of protecting patient rights and healthcare workers, which determine the procedure of using technical means of control, observation and recording devices, and photo and video equipment used in medical organisations in order to ensure protection of the rights of patients and healthcare workers.
Following the new powers of the MDIA, the functions of the ISC, initially approved in July 2019, were also updated. The ISC determines the performance of regulatory, implementation, and control functions and participates in the implementation of the strategic functions of the MDIA in the field of informatisation, information security, and personal data and its protection.
The functions of the MIA include the development of measures aimed at public order and the prevention of violations and crime in accordance with national legislation. Within their competence, the subdivisions of the MIA police are called to provide personal data protection and have the authority to collect and process personal data.
Higher supervision over compliance with the Personal Data Law is carried out by prosecution authorities. Acts (including orders, demands, instructions, and directions) of prosecutors are binding on all types of public bodies, organisations, officials, and citizens.
It is worth noting that, starting January 2023, a unified duty dispatcher service '112' will be introduced for the acceptance and processing of all messages from individuals and legal entities and for the coordination of all services and divisions dealing with emergencies, incidents, and accidents.
The collection, processing, and protection of personal data in Kazakhstan are based on the following principles:
- respect of the constitutional rights and liberties of individuals and citizens;
- confidentiality of personal data of limited access;
- equality of the rights of data subjects, owners, and operators; and
- ensuring the safety of identity, society, and the State.
In October 2020, the MDIA approved the Rules of Collection and Processing Personal Data (only available in Kazakh and Russian) ('the Rules on Personal Data'), which determine the relations between the owners, operators, subjects, and third parties in the course of personal data collection and processing.
The Rules on Personal Data also refer to a series of governmental resolutions that have been in force since November 2013, namely:
- Resolution of the Government No. 909 on Approval of the Rules on Accomplishment of Measures of Protection of Personal Data by the Owner and/or Operator, as well as Third Party (available in Kazakh, Russian, and English); and
- Resolution of the Government No. 1214 on Approval of the Rules on Determination by the Owner and/or Operator of the List of Personal Data Required and Sufficient to Perform its Tasks (available in Kazakh, Russian, and English).
Further, it is worth paying attention to Section 1 of Chapter 7 of the Health Code on Digital Healthcare, whereby one of the principles of digital healthcare is defined as maintaining the safety and confidentiality of electronic information healthcare resources containing personal medical data of individuals, and patients' access to their personal data.
Data subject: Any individual to whom the relevant personal data relates.
Personal medical data: Personal data containing information about an individual's health and services provided to him/her fixed on electronic, hard copy, and other tangible media.
Owner of personal medical data: An individual in respect of which this data was formed.
Aggregator of personal medical data: A subject of digital healthcare maintaining the collection, processing, storage, security, and provision of personal medical data in accordance with the rules established by the MoH.
Informed consent: A procedure for voluntary written confirmation by an individual of their consent to receive medicinal aid and/or to participate in specific research, after receiving information about all aspects of medical aid and/or research that is important for their decision.
Subject identification code: A unique code assigned by a research centre to each subject of research for the purpose of ensuring the confidentiality of their personal data, replacing the use of the research subject's name in reports on adverse effects and/or other data related to research.
Bioethical examination: A preliminary review of the materials of a medical study and the issuance of a reasonable opinion of the Bioethics Commission from the standpoint of ethical acceptability, safety for participants, and the appropriateness of such research.
Good clinical practice ('GCP'): A standard for planning, organising, conducting, monitoring, auditing, and documenting clinical research, as well as analysing and presenting its results, that guarantees reliability and accuracy of the data and the results presented, as well as protecting the rights, health, and confidentiality of the subjects of research.
Bioethics Commission: An independent expert body with the MoH conducting the bioethical examination of the documents related to medical research, at the stages of planning and conducting the research, and after its completion, to ensure the safety and protection of the rights of medical research participants.
Council: An advisory body and research centre authorised to consider issues of scientific and/or scientific and technical activity (academic, scientific, clinical, expert council).
State service for controlling access to personal data (state service): A service that provides informational interaction of owners and/or operators, third parties with the subject of personal data and the authorised body when accessing personal data contained in the objects of informatisation of state bodies and/or state legal entities, including obtaining from the subject of personal data consent to the collection, processing of personal data or their transfer to third parties.
Non-state service for controlling access to personal data (non-state service): A service that provides informational interaction of owners and/or operators, third parties with the subject of personal data when accessing personal data contained in non-state informatisation objects, including obtaining from the subject of personal data consent to the collection, processing of personal data or their transfer to third parties.
Healthcare digitalisation: Use of digital technologies for transformation of medical and administrative-managerial healthcare processes aimed at increasing accessibility, effectiveness, quality, and security of medical help.
National electronic health passport: Electronic informational resource of the MoH containing electronic health passports, accessible to both individuals and healthcare professionals in accordance with the rules established by the MoH.
Electronic health passport: A combination of the structured personal medical data related to the health of an individual and medical aid provided to him/her, formed by the subjects of digital healthcare from electronic sources throughout the individual's entire life and accessible to both the individual and healthcare professionals in accordance with the rules established by the MoH.
Telehealth: Distance medicinal services that include establishing clinical diagnoses and monitoring of an individual's condition over a distance, as well as other non-clinical functions such as preventive treatment, health promotion, social healthcare support, medical-sanitary education, and scientific medical research.
Kazakhstan is guided by the Agreement on Common Principles and Rules of Circulation of Medical Products within the Eurasian Economic Union ('the Agreement'), having enacted it domestically in February 2016. The Agreement establishes that pre-clinical and clinical research (i.e. trials) on medicines shall be implemented by EAEU members in accordance with the EAEU Good Laboratory Practice, the EAEU Rules of 3 November 2016 No. 79 on Good Clinical Practice (only available in Russian), and the procedures approved by the Eurasian Economic Commission ('EEC').
General principles for conducting clinical research and clinical trials are contained in the Health Code, which prescribes compliance with the GCP of Kazakhstan and/or the EAEU and international norms ratified by Kazakhstan.
The subject matter is further contemplated in the following new rules approved by the MoH:
- Rules of Conducting Clinical Research of Medicines and Medical Devices, Clinical and Laboratory Tests of Medical Devices for Diagnostics Outside a Living Organism (In Vitro), and Requirements for Clinical Bases, and the Provision of the State Service Issuance of a Permit for Conducting a Clinical Research and/or Testing of Pharmaceuticals, Medicines, and Medical Devices (only available in Kazakh and Russian); and
- Rules of Biomedical Research and Requirements for Research Centres (only available in Kazakh, Russian, and English) ('the Rules for Conducting Biomedical Research').
These latest rules establish norms aimed at harmonising national legislation with international standards of conducting medical research and at facilitating international cooperation.
Clinical research can be carried out at licensed research centres that ensure proper standards are applied to clinical research operations and procedures, that medical personnel are trained in line with GCP standards, and that all conditions for intensive care, if applicable, are observed.
All clinical research of medicines and medical devices, or clinical and laboratory trials of medical devices for diagnostics outside a living organism (in vitro), conducted in the territory of the Republic of Kazakhstan, is subject to registration in the National Register of Biomedical Research in the manner determined by the Rules for Conducting Biomedical Research.
Clinical research is conducted subject to all the following conditions:
- observation of the rights of the subject of research on physical and mental well-being, as well as privacy and protection of personal data in accordance with the law requirements;
- termination of participation in a clinical trial at the request of the subject of research or their legal representative, at any time without any harm to him/herself; and
- conclusion of a sponsor's civil liability insurance contract in case of harm to the life and health of the subject of research or their legal representative (except for non-interventional research).
Medical research may be conducted only in case of compliance with all the following requirements:
- research is directed at receiving new scientific data, and the implementation of any relevant findings in medical/healthcare practice;
- the interests of research participants and the confidentiality of their medical information are safeguarded;
- the informed consent of research participants is obtained; and
- interventional clinical research is subject to authorisation by the relevant supervisory body.
Published research results must refer to intellectual contribution defined on the basis of authorship and intellectual property rights.
All information obtained in clinical research must be recorded, transmitted, and stored in a way that ensures accuracy in its presentation, interpretation, and verification. The clinical and statistical description related to research results, and the presentation and analysis of data obtained during implementation of the research study, is performed in the form of a single report, including tables and figures.
In the course of non-interventional clinical research, researchers and sponsors shall compile the main documents of clinical research, which should be kept in the clinical base and available with the sponsor for at least ten years after publication of the research results.
Generally, sponsors and researchers are obliged to archive the documents of clinical research and provide for the safety of the same for 25 years from the date of clinical research completion.
Medical assistance is provided after obtaining the patient's informed consent on receiving medical assistance.
Informed consent is also an obligatory part of GCP compliance, prescribing that the sponsor or head of research is responsible for ensuring the protection of the rights, health, and confidentiality of research subjects/participants. Thereafter, the relevant entities (namely, the MoH, monitoring persons, auditors, representatives of expert organisations, the Bioethics Commission, or local commissions), at any stage of clinical research, shall have direct access to the primary medical documentation of the subject of research for examination, analysis, review, and the copying of any notes and reports required for the assessment of clinical research. Such persons shall also undertake all measures for the protection of confidentiality of information that allows the identification of subjects of research, as well as information belonging to the sponsor.
For obtaining informed consent, a research subject/participant, a legal representative for non-adults, a guardian of a legally incapacitated/incompetent person, patient, or volunteer shall be provided with the following information, and informed of their right to withdraw participation (and consent) at any stage of the research:
- medical technology, pharmacological, or medicine product, essential nature, and the duration period of medical research;
- safety levels, risks, and the expected effectiveness of medical technology, and/or pharmacological or medicinal products;
- actions in case of unforeseen effects on health condition; and
- the terms of health insurance.
All medical research is required to have in place health and life insurance concerning its research subjects/participants and to have obtained the approval of the Bioethics Commission.
2.3. Data obtained from third parties
Data obtained from third parties should be checked for compliance with the Personal Data Law, which establishes that dissemination of personal data is allowed on condition that the consent of the subject or their legal representative is obtained and the legitimate interests of other individuals and/or legal entities are not affected.
In terms of sharing personal medical data with third parties (the scope of which is stipulated by the Health Code and access to which can be provided only to the extent of specific services), the consent of the individual would be required, except for the cases permitted by the Health Code and the Personal Data Law.
In 2008, Kazakhstan joined the World Health Organization ('WHO') International Programme on International Drug Monitoring. The adoption of the previous Health Code in 2009 marked the beginning of pharmacovigilance in Kazakhstan aimed at improving and harmonising the regulation of medicine safety.
Pharmacovigilance in Kazakhstan is performed by the entities directly subordinate to the MoH:
- the Committee for Medical and Pharmaceutical Control, which is authorised to take regulatory action with regard to medicines and medical devices; and
- the National Center for Expertise of Medicines and Medical Devices, which collects and analyses reported cases of suspected adverse effects of medicines and studies the cause-effect relationships.
On 4 February 2021, the MoH approved the Good Pharmaceutical Practices (available in Russian and Kazakh), which includes the Standard of Good Pharmacovigilance Practices ('the GPP Standard'). The GPP Standard is aimed at harmonising national legislation and practice with international requirements, such as those of the EU and the EAEU, and is subject to regular updates (not less than once every five years) with consideration to its application in Kazakhstan and changes in international pharmacovigilance practice.
Furthermore, on 23 December 2020, the MoH approved new Rules on Pharmacovigilance Conducting and Monitoring of Safety, Quality and Effectiveness of Medical Devices (available in Kazakh and Russian), which prescribe that the adverse effects of medicine can be monitored:
- in healthcare and pharmaceutical organisations;
- during clinical research; and
- by market authorisation holders ('MAHs').
The collection of information on adverse effects is implemented by way of ad hoc reporting on the part of authorised parties.
In terms of data protection, Kazakhstan also observes the Rules of Good Practice and Pharmaceutical Inspection of the EAEU approved by Decision No. 87 of the Council of the EEC of 3 November 2016 (available in Armenian, English, Kazakh, and Russian). These Rules require that document management systems include measures ensuring data safety and confidentiality of patient personal data in accordance with the laws of EAEU members, with database access granted to authorised persons only. Such document management systems must ensure the protection of pharmacovigilance data against damage and loss. Confidentiality must also be observed with regard to the personal data of the reporters.
The MAHs must ensure the proper documentation, circulation, and storage of all pharmacovigilance documentation for the purposes of accurate reporting, interpretation, and verification of data. The MAHs shall ensure that adverse effects reports can be traced and assessed further.
The data safety procedures must be implemented at all stages, including during data transfers between the parties involved in creating and exchanging data safety information (e.g. authorised bodies of the EAEU, other state bodies, and the MAHs).
Biobanking in Kazakhstan is regulated by the Rules of Establishing and Activity of the Biobanks (only available in Kazakh, Russian, and English).
Biobanks can be established on the basis of healthcare organisations, organisations of higher and/or postgraduate education, and scientific organisations. The research centres creating biobanks shall be subject to the following requirements:
- accreditation as a subject of scientific and/or scientific technical activity;
- possession of standardised operational procedures for carrying out biological and clinical research, if applicable, and biobank activity;
- personnel having field-specific education and education per standards of good pharmaceutical practices while using biomaterials in medical and/or clinical research as a part of the GCP;
- positive conclusions from the Bioethics Commission and the biosafety commission of the scientific centre or the biosafety expert of an external organisation (in case the scientific centre has no biosafety commission);
- establishment of a protocol of assessment of biological risks of the procedures performed;
- compliance with regulations of the biosafety commission of the research centre;
- presence of a three-tier system of physical protection (for RG1-2 biomaterials); and
- permission for works with RG I, II, III, and/or IV biomaterials.
Biobanking is subject to internal and external monitoring, which includes monitoring of the procedures for the collection, storage, and use of biological samples, and for the collection, registration, storage, protection, and transfer of personal data. The research centre carries out internal monitoring on an annual basis. External monitoring is carried out by the Bioethics Commission once every five years.
Collection, records, storage, use, and destruction of biological materials and personal data in biobanks are carried out in accordance with standardised operational procedures.
The protection of privacy and confidentiality of the donors of biological materials and their personal information, including information received from the donors regarding other persons, remains privileged. The researchers and biobank managers must take into account religious and cultural views and heritage of people or social groups with regards to human cells.
The informed consent of donors should be obtained before the collection of biological material, with an indication of the purposes for any such collection, in accordance with GCP standards and bioethical principles. Consent can be of general or specific scope. Unlike specific consent, general consent is not limited to the use of biological material or personal data within a particular research project. At any time, a donor can object to the use of their data and/or biological material stored in a biobank for specific research purposes.
A local commission reviews and approves all agreements on providing access to data and/or biological samples, so as to ensure the best ethical treatment in line with donor consent.
Closure of a biobank or destruction of biological samples, including personal data, by the research centre, will be subject to:
- notification of the Bioethics Commission;
- destruction of personal data and biological samples in accordance with the established order of collection, storage, transportation, and utilization of medical wastes; and
- transfer of biological samples and personal data in tangible form to another biobank functioning on the basis of a research centre residing in Kazakhstan.
Collection and processing of personal data by the owner and/or operator are subject to the permission of the data subject, except for the cases established by Article 9 of the Personal Data Law, for the purposes directly related to the means declared. A data subject or their legal representative may provide and withdraw their consent in writing, by state service, non-state service, or in another way that allows confirming the receipt of consent.
When collecting and/or processing personal data contained in the objects of informatisation of state bodies and/or state legal entities, consent is provided through the state service. The storage of personal data is allowed through databases located in Kazakhstan.
The specifics of personal data collection and processing in e-informational resources containing personal data are established in accordance with the Personal Data Law and the Law on Informatisation.
Owners and/or operators and third parties, in case of interaction with the objects of informatisation of state bodies and/or state legal entities containing personal data, ensure the integration of their own informatisation objects involved in the collection and processing of personal data with the state service, except for cases provided for in Article 9 of the Personal Data Law.
Integration is carried out in compliance with the norms of the legislation of the Republic of Kazakhstan on the provision of information classified as state secrets, personal, family, banking, commercial secrets, secrets of a medical worker, and other secrets protected by law, as well as other confidential information. In other cases, integration with the state service is carried out on a voluntary basis.
The procedure for integration with the public service is determined by the authorized body and the rules for integrating objects of informatisation of 'electronic government'.
The following actions are available through the state service:
- provision by the subject or their legal representative of consent (refusal) to the collection and/or processing of personal data contained in the objects of informatisation of state bodies and/or state legal entities;
- withdrawal by the subject or their legal representative of consent to the collection and/or processing of personal data contained in the objects of informatisation of state bodies and/or state legal entities;
- notification of the subject about actions with their personal data contained in the objects of informatisation of state bodies and/or state legal entities (access, viewing, modification, addition, transfer, blocking, destruction); and
- providing the subject with information about the owners and/or operators who have consent to the collection and/or processing of their personal data contained in the objects of informatisation of state bodies and/or state legal entities.
In the cases provided for in Article 9 of the Personal Data Law, the subject is notified of the initiators of requests for access (collection and processing) to their personal data contained in the objects of informatisation of state bodies and/or state legal entities through public service.
Owners and/or operators, third parties, in order to optimize procedures for obtaining the consent of the subject or their legal representative to collect and/or process personal data in the absence of interaction with the objects of informatisation of state bodies and/or state legal entities containing personal data, have the right to use non-state services.
Through a non-state service, the following are provided:
- provision by the subject or their legal representative of consent (refusal) to the collection and/or processing of personal data;
- notification of the subject about actions with their personal data (viewing, changing, supplementing, transferring, blocking, destroying); and
- notification of the subject about the access of third parties to his personal data.
Anonymisation allows data processing for analytical, statistical, scientific, and other research purposes without data subject consent. Consent can also be omitted in relation to the lawful exercise of functions by state bodies, as well as in relation to the activity of notaries, private judicial enforcement agents, and lawyers.
Requirements on how the collection, processing, and storage of personal medical data is performed include:
- electronic medical notes during medical assistance require the informed consent of a patient for receiving medical aid;
- subjects of healthcare must ensure the data transfer to the National e-health passport and e-resources of the MoH;
- aggregators of personal medical data provide informational communication services for the purposes of collection, processing, storage, and protection of the personal medical data by the subjects of healthcare;
- subjects of digital healthcare form, store, and protect electronic medical notes; and
- in case of emergency medical aid, access to the personal medical data of an individual is provided to respective subjects of healthcare by default.
The MoH maintains processing and protection of personal medical data stored at a national level.
Medical workers and employees of the subjects of healthcare (any entity performing or entering relations in the sphere of digital healthcare) bear responsibility in accordance with the laws of Kazakhstan for the quality, timeliness, accuracy, and confidentiality of the e-medical data introduced to e-resources of the MoH.
Failure to observe the personal medical data protection measures that leads to loss, illegal collection, and processing of personal medical data related to the private life of individuals, including those constituting a secret of a medical worker, shall lead to liability established by the laws of Kazakhstan.
The nature of pharmaceutical activities, which is multifaceted and involves high levels of responsibility, has led to the outsourcing of personal data collection and processing becoming quite widespread in Kazakhstan. It is a process that requires, among other things, contractual scrutiny with a focus on commercial, labour, and tax risks and solutions.
It is worth outlining the new requirement under the Personal Data Law that the owner and/or operator, if they are legal entities, must appoint a person responsible for arranging the personal data processing and performing internal compliance control.
Cross-border transfer of personal data is only allowed if the destination countries provide adequate protection of personal data. Transfers to countries not providing such protection can only be done subject to specific consent on the part of the data subject, or pursuant to the reasons contemplated under Article 16 of the Personal Data Law.
National law does not provide for mandatory notification of data security breaches.
At the same time, the latest amendments to the Personal Data Law newly outline that individuals have the right to demand the exclusion of information from public sources if the collection and processing of publicly available personal data were carried out in violation of the law, and related costs shall be borne by the owner and/or operator or third party.
9. Data Subject Rights
In accordance with Article 24 of the Personal Data Law, the data subject has the right to:
- be aware of the availability of their personal data with the owner and/or operator, as well as a third party, and receive information containing:
  - confirmation of the fact, purpose, sources, methods of collecting and processing personal data;
  - list of personal data; and
  - terms of personal data processing, including periods of storage;
- require the owner and/or operator to amend and supplement their personal data if there is a ground confirmed by relevant documents;
- require the owner and/or operator, as well as a third party, to block their personal data if there is information indicating the violation of the conditions of collection or processing of personal data;
- demand from the owner and/or operator, as well as a third party, the destruction of their personal data, the collection and processing of which was carried out in violation of the law, as well as in other cases established by the Personal Data Law and other provisions of the law;
- withdraw consent to the collection, processing, dissemination in public sources, transfer to third parties, and cross-border transfer of personal data, except where it contradicts national law or in the case of unfulfilled obligation;
- give consent (refuse/withdraw) to the owner and/or operator to circulate their personal data in public sources;
- protect their rights and legitimate interests, including the right to compensation for moral and material damage; and
- exercise other rights provided for by the Personal Data Law and other provisions of national law.
Notwithstanding the above, the data subject remains under the obligation to provide their personal data where it is required by law.
Administrative fines for illegal collection and/or processing of personal data, and/or non-observance of personal data safety measures, provided these acts do not involve the commission of a criminal offence, shall entail:
- a fine of up to approx. €1,200 for individuals;
- a fine of up to approx. €3,000 for officials, sm
Aliya Zhumekenova Counsel
GRATA Law Firm LLP, Kazakhstan