Personal Data Protection In Kazakhstan

Synergy Partners Law Firm LLC

The Law “On personal data and their protection” was adopted in Kazakhstan in 2013. Despite the adoption of this law, many companies in Kazakhstan still do not know how to collect, process, store and transfer individuals' personal data.

In this article you may find answers to the most relevant questions on personal data protection in Kazakhstan.

What is personal data in Kazakhstan?

In Kazakhstan there are no limits on how to understand “personal data”. Any information that refers to a particular person is considered personal data, according to the Law “On personal data and their protection” [1] (hereinafter – the “Personal Data Protection Act”) [2].

Any information may be considered personal data, including but not limited to:

1. Surname, name;
2. Individual Identification Number, identity card number;
3. Date of birth;
4. Citizenship;
5. Criminal, administrative records;
6. Education;
7. Foreign language skills;
8. Taste preferences;
9. Health information;
10. Property information;
11. Address of residence; work address;
12. Income amount;
13. Nationality, religion;
14. Mobile phone number;
15. Family status;
16. Any other personal information which can identify a person.

Which laws in Kazakhstan regulate personal data usage?

In Kazakhstan, the protection of personal data is regulated by the following laws:

1. Law of the Republic of Kazakhstan on Personal data and their protection [3] (hereinafter – the “Personal Data Protection Act”);
2. Rules of personal data protection [4] and Rules for determining the personal data list [5] (hereinafter – the “Rules”).

What should companies do to comply with the Personal Data Protection Act?

Companies shall take certain measures before using personal data of individuals.

Such measures are described in the Personal Data Protection Act and in the Rules mentioned above.

One such measure is to obtain an individual's consent to the collection, processing and storage of his personal data. Such consent may be given in written or in electronic form.

Once the Company has obtained such consent, the Company shall take all measures to protect the individual’s personal data.

Are there any restrictions on the storage of personal data?

According to Article 12.2 of the Personal Data Protection Act, personal data that originates from Kazakhstan must be stored in a Kazakhstan database.

Thus, companies should store personal data in a Kazakhstan database if such personal data originated in Kazakhstan. However, various international companies store such personal data on servers abroad in order to save resources.

If the Company does not comply with the requirements of the Personal Data Protection Act and the Rules, the Company or its officials may bear civil, criminal or administrative liability.

Which authority regulates personal data protection in Kazakhstan?

In Kazakhstan, as of today, there is no specialized authority that regulates personal data protection.

However, the Kazakhstan Prosecutor's Office is the most competent authority, which inspects companies’ compliance with the Personal Data Protection Act.

What liability is provided in Kazakhstan for violation of the Personal Data Protection Act?

In Kazakhstan, there are administrative, civil and criminal liabilities for violation of the Personal Data Protection Act and the Rules. Please see details below.

Administrative and criminal liability

Administrative liability for violation of personal data protection acts is provided in Article 79 of the Administrative Offences Code of Kazakhstan.

A fine for administrative violations could be from 140 US dollars to 7000 US dollars [6].

However, if the damage to an individual from such a violation exceeds 600 US dollars, the administrative case could proceed to a criminal case.

In a criminal case, the fines could go up to 35 000 US dollars. As an alternative to this fine, the responsible person could be restricted or deprived of liberty for up to 5 years.

Civil liability

Civil liability is directly related to administrative and criminal liability.

An individual whose rights were violated could proceed with a court claim to recover losses, damages or harm from that violation.

Companies shall take all measures to protect individuals’ personal data to avoid such civil, administrative and criminal liability.

—–

[1] Law of the Republic of Kazakhstan on Personal data and their protection dated 21 May 2013 № 94-V

[2] Article 1.2 of Personal Data Protection Act

[3] Law of the Republic of Kazakhstan on Personal data and their protection dated 21 May 2013 № 94-V

[4] Rules of implementation by the owner and (or) the operator and a third party measures for the personal data protection, approved by the Kazakhstan government № 909 dated 3 September 2013

[5] Rules for determining by the owner and (or) operator the list of personal data necessary and sufficient to perform their tasks, approved by the Kazakhstan government № 1214 dated 12 November 2013

[6] For your convenience, we rounded the numbers

—-

By Ms. Anar Kubeyeva, Ms. Symbat Tursyngali

Associates, Synergy Partners Law Firm LLC
