News and developments

Personal Data Protection In Kazakhstan

The Law “On personal data and their protection” was adopted in 2013 in

Kazakhstan. Despite adopting such law, many companies in Kazakhstan still do

not know how to collect, process, store, transfer individuals` personal data.

In this article you

may find answers to the most relevant questions on personal data protection in

Kazakhstan.

What is personal data in Kazakhstan?

In Kazakhstan there are no

limits on how to understand “personal data”. Any information that refers to a

particular person is considered as personal data, according to the Law “On personal data and their protection” [1] (hereinafter – the “Personal Data Protection Act”) [2].

Any information may be

considered as personal data including but not limited to:

Surname, name;

Individual Identification

Number, identity card number;

Date of birth

Citizenship;

Criminal, administrative records;

Education;

Foreign languages skills;

Taste preferences;

Health information;

10.

Property information;

11.

Address of residence; work

address;

12.

Income amount;

13.

Nationality,

religion;

14.

Mobile phone number;

15.

Family status;

16.

Any other personal information

which can identify a person.

Which laws in Kazakhstan regulate personal data usage?

In Kazakhstan, the protection

of personal data is regulated by following laws:

Law of the Republic of Kazakhstan on Personal data and

their protection [3] (hereinafter - the “Personal Data Protection Act”);

Rules of personal data protection [4]

and Rules for determining the personal data list [5]

(hereinafter - the “Rules”).

What should companies do to comply with Personal Data

Protection Act?

Companies shall take certain

measures before using personal data of individuals.

Such measures are described in

the Personal Data Protection Act and

in the Rules mentioned above.

One of such measures is to

obtain an individual`s consent on collecting,

processing, storing his personal data. Such consent may be made in written or in

electronic form.

Once the Company has obtained

such consent, the Company shall take all measures to protect the individual’s

personal data.

Are there any restrictions on the storage of personal

data?

According to Article 12.2 of

the Personal Data Protection Act,

personal data that originates from Kazakhstan must be stored in Kazakhstan database.

Thus, companies should store

personal data in Kazakhstan database, if such personal data is originated in

Kazakhstan. However various

international companies store such personal data on abroad servers in order to

save resources.

If the Company does not comply

with the requirements of Personal Data

Protection Act and Rules, the

Company or its officials may bear civil, criminal, administrative liability.

Which authority regulates personal data protection in

Kazakhstan?

In Kazakhstan as of today there

is no specialized authority that regulates personal data protection.

However, the Kazakhstan Prosecutor's

Office is the most competent authority, which inspects companies’ compliance

with Personal Data Protection Act.

What liability is provided in Kazakhstan for violation

of Personal Data Protection Act?

In Kazakhstan, there are administrative, civil and criminal liabilities

for violation of the Personal Data

Protection Act and Rules. Please

see details below.

Administrative and criminal liability

Administrative liability for

violation of personal data protection acts is provided in Article 79 of the Administrative Offences Code of Kazakhstan.

A fine for administrative

violations could be from 140 US dollars to 7000 US dollars. [6]

However, if a damage to

individual from such violation exceeds 600 US dollars, administrative case

could proceed to a criminal case.

In criminal case, the fines could

go up to 35 000 US dollars. Or alternatively to this fine, the responsible

person could be restricted or deprived of liberty for up to 5 years.

Civil liability

Civil liability is directly

related to administrative and criminal liability.

An individual, whose rights

were violated, could proceed with a court claim to recover losses, damages or

harm from that violation.

Companies shall take

all measures to protect individuals’ personal data to avoid such civil,

administrative and criminal liability.

-----

[1] Law of the Republic of Kazakhstan on Personal data and their protection

dated 21 May 2013 № 94-V

[2] Article 1.2 of Personal Data Protection Act

[3] Law of the Republic of Kazakhstan on Personal data and their protection

dated 21 May 2013 № 94-V

[4] Rules of implementation by the owner and (or) the operator and a third

party measures for the personal data protection, approved by the Kazakhstan

government № 909 dated 3 September 2013

[5] Rules for determining by the owner and (or) operator the list of

personal data necessary and sufficient to perform their tasks, approved by the

Kazakhstan government № 1214 dated 12 November 2013

[6] for your convenience, we rounded the numbers

----

By Ms. Anar Kubeyeva, Ms. Symbat Tursyngali

Associates, Synergy Partners Law Firm LLC

SYNERGY PARTNERS

ANSWERS. SOLUTIONS. RESULTS

Content supplied by Synergy Partners Law Firm LLC

Legal 500

Our Team

FAQs

Marketing Resources

Newsletters

Contact us

Synergy Partners Law Firm LLC