What is personal data in Kazakhstan?

In Kazakhstan there are no limits on how to understand “personal data”. Any information that refers to a particular person is considered as personal data, according to the Law “On personal data and their protection” [1] (hereinafter – the “Personal Data Protection Act”) [2].

Any information may be considered as personal data including but not limited to:

1.            Surname, name;

2.            Individual Identification Number, identity card number;

3.            Date of birth

4.            Citizenship;

5.            Criminal, administrative records;

6.            Education;

7.            Foreign languages skills;

8.            Taste preferences;

9.            Health information;

10.          Property information;

11.          Address of residence; work address;

12.          Income amount;

13.          Nationality, religion;

14.          Mobile phone number;

15.          Family status;

16.          Any other personal information which can identify a person.

Which laws in Kazakhstan regulate personal data usage?

In Kazakhstan, the protection of personal data is regulated by following laws:

1           Law of the Republic of Kazakhstan on Personal data and their protection [3] (hereinafter - the “Personal Data Protection Act”);

2           Rules of personal data protection [4] and Rules for determining the personal data list [5] (hereinafter - the “Rules”).

What should companies do to comply with Personal Data Protection Act?

Companies shall take certain measures before using personal data of individuals.

Such measures are described in the Personal Data Protection Act and in the Rules mentioned above.

One of such measures is to obtain an individual`s consent on collecting, processing, storing his personal data. Such consent may be made in written or in electronic form.

Once the Company has obtained such consent, the Company shall take all measures to protect the individual’s personal data.

Are there any restrictions on the storage of personal data?

According to Article 12.2 of the Personal Data Protection Act, personal data that originates from Kazakhstan must be stored in Kazakhstan database.

Thus, companies should store personal data in Kazakhstan database, if such personal data is originated in Kazakhstan.  However various international companies store such personal data on abroad servers in order to save resources.

If the Company does not comply with the requirements of Personal Data Protection Act and Rules, the Company or its officials may bear civil, criminal, administrative liability.

Which authority regulates personal data protection in Kazakhstan?

In Kazakhstan as of today there is no specialized authority that regulates personal data protection.

However, the Kazakhstan Prosecutor's Office is the most competent authority, which inspects companies’ compliance with Personal Data Protection Act.

What liability is provided in Kazakhstan for violation of Personal Data Protection Act?

In Kazakhstan, there are administrative, civil and criminal liabilities for violation of the Personal Data Protection Act and Rules. Please see details below.

Administrative and criminal liability

Administrative liability for violation of personal data protection acts is provided in Article 79 of the Administrative Offences Code of Kazakhstan.

A fine for administrative violations could be from 140 US dollars to 7000 US dollars. [6]

However, if a damage to individual from such violation exceeds 600 US dollars, administrative case could proceed to a criminal case.

In criminal case, the fines could go up to 35 000 US dollars. Or alternatively to this fine, the responsible person could be restricted or deprived of liberty for up to 5 years.

Civil liability

Civil liability is directly related to administrative and criminal liability.

An individual, whose rights were violated, could proceed with a court claim to recover losses, damages or harm from that violation.

Companies shall take all measures to protect individuals’ personal data to avoid such civil, administrative and criminal liability.

-----

[1] Law of the Republic of Kazakhstan on Personal data and their protection dated 21 May 2013 № 94-V

[2] Article 1.2 of Personal Data Protection Act

[3] Law of the Republic of Kazakhstan on Personal data and their protection dated 21 May 2013 № 94-V

[4] Rules of implementation by the owner and (or) the operator and a third party measures for the personal data protection, approved by the Kazakhstan government № 909 dated 3 September 2013

[5] Rules for determining by the owner and (or) operator the list of personal data necessary and sufficient to perform their tasks, approved by the Kazakhstan government № 1214 dated 12 November 2013

[6] for your convenience, we rounded the numbers

----

By Ms. Anar Kubeyeva, Ms. Symbat Tursyngali

Associates, Synergy Partners Law Firm LLC

SYNERGY PARTNERS

ANSWERS. SOLUTIONS. RESULTS