On December 11, 2023, the Law of the Republic of Kazakhstan No. 44-VIII “On Introduction of Amendments and Supplements to Certain Legislative Acts on Information Security, Informatization and Digital Assets” (hereinafter referred to as the “Law Amending Legislative Acts on Information Security and Digital Assets”) was adopted in the Republic of Kazakhstan (hereinafter referred to as “Kazakhstan”).

On December 12, 2023, the Law Amending Legislative Acts on Information Security and Digital Assets was officially published. It enters into force on February 11, 2024, except for certain provisions that enter into force on July 1, 2024.

We will focus below on the most important legal amendments.

The following amendments were introduced to the Law of Kazakhstan No. 94-V dated May 21, 2013 “On Personal Data Protection”:

A new term “infringement of the security of personal data” is provided. An infringement of the security of personal data is defined as an infringement of the protection of personal data, which resulted in the illegal dissemination, modification and destruction, unauthorized dissemination of transmitted, stored, or otherwise processed personal data or unauthorized access to them.

A prohibition on the collection and processing of paper copies of identity documents was introduced. However, it does not apply to cases where there is a lack of integration with the objects of informatization of the government agencies and/or the state legal entities, or when it is impossible to identify the subject by using software tools.

In case of an infringement of the security of personal data, a new obligation is imposed on the owner and/or the operator. The owner and/or operator are now obliged to notify the Ministry of Digital Development, Innovations and Aerospace Industry of Kazakhstan (hereinafter referred to as the “Authorized Body”) of this infringement within 1 (one) business day from the moment of detection of the infringement of personal data security. This notice shall contain the contact details of the person responsible for organizing the processing of personal data (if any).

The competence of the Authorized Body was expanded, and it now also includes:

    1. The state control over compliance with the Kazakhstan legislation on personal data protection (hereinafter referred to as the “Control over Personal Data Compliance”);
    2. Submission of the information to the operator of the communication infrastructure of the “electronic government” about an infringement of the security of personal data. This information entails the risk of the infringement of the rights and legitimate interests of subjects, for the purposes provided by this Law and other regulatory legal acts of Kazakhstan.

The Control over Personal Data Compliance is set for the abovementioned purposes. In addition, in relation to the government agencies, the procedure for conducting the Control over Personal Data Compliance was established.

The Control over Personal Data Compliance is carried out in the form of an unscheduled inspection in accordance with the Entrepreneurial Code of Kazakhstan.

The following amendments were introduced to the Law of Kazakhstan No. 418-V dated November 24, 2015 “On Informatization”:

The following new basic terms are now provided:

Threat to information security is a set of conditions and factors that create prerequisites for the occurrence of an information security incident;

Operational information security center is a legal entity or a structural subdivision of a legal entity engaged in the protection of electronic information resources, information systems, telecommunications networks and other informatization facilities.

In addition, terms such as the information security incident response service, vulnerability, and a single repository of the “electronic government” are provided.

The competence of the Authorized Body was expanded, and it now also includes:

    1. Approval of the rules of operation of the unified repository of the “electronic government”;
    2. Approval of the rules for the functioning of the program of interaction with information security researchers.

The competence of National Information Technologies JSC (hereinafter referred to as the “Operator”) was also expanded. The Operator, based on information received from the Authorized Body, notifies personal data subjects of an infringement of the security of personal data or processing of personal data by sending information. These notices are sent to the users’ account on the “electronic government” web portal or to their cellular subscriber number in the form of a short text message.

The following amendments were introduced to the Law of Kazakhstan No. 193-VII dated February 6, 2023 “On Digital Assets in Kazakhstan”:

Cases of suspension of the license on digital mining activity are provided. The suspension of the license on digital mining activity is carried out by the resolution of the Authorized Body for a period of 1 (one) to 6 (six) months in the following cases:

    1. Identifying false information when obtaining the license on digital mining activity;
    2. Non-compliance of the digital miner with the requirements established by the Kazakhstan laws;
    3. Failure to eliminate infringements within the set period based on the results of an unscheduled inspection by the Authorized Body;
    4. Failure to provide to the Authorized Body by the digital miner the information on changes in data within the time limits set by the Kazakhstan laws on digital assets.

The resolution to suspend the license on digital mining activity must specify the grounds and the period of suspension of the license on digital mining activity.

The suspension of the license on digital mining activity entails a prohibition on performing digital mining activities for the period of suspension.

Supplements regarding the areas of activity of business entities in which control is carried out, including control over compliance with the legislation of Kazakhstan on personal data protection, were introduced to the Entrepreneurial Code of Kazakhstan No. 375-V dated October 29, 2015.

Supplements establishing a prohibition on the collection and processing of the copies of identity documents, except for documents certifying the identity of immigrants, were introduced to the Code of the Republic of Kazakhstan No. 360-VI dated July 7, 2020 “On the People’s Health and the Healthcare System”.

The following amendments were introduced to the Law of Kazakhstan No. 2444 dated August 31, 1995 “On Banks and Banking Activities in Kazakhstan”:

It is provided that an individual has the right to establish a voluntary refusal to receive bank loans or withdraw it through the “electronic government” web portal.

A bank, an organization engaged in certain types of banking operations, is prohibited from granting bank loans to an individual if his credit report contains information that he has voluntarily refused to receive a bank loan.


Author: Zafar Vakhidov and Almas Tleupov
