RUENKZ
Call request
 

Article: Personal data protection in Kazakhstan

29 May 2019

 Personal data protection in Kazakhstan

Anar Kubeyeva, Associate, Synergy Partners Law Firm LLC

Symbat Tursyngali, Associate, Synergy Partners Law Firm LLC 

The Law “On personal data and their protection” (hereinafter – the “Personal Data Protection Act”) was adopted in 2013 in Kazakhstan. Despite adopting such law, many companies in Kazakhstan still do not know how to collect, process, store, transfer individuals` personal data.

In this article you may find answers to the most relevant questions on personal data protection in Kazakhstan.

What is personal data in Kazakhstan?

In Kazakhstan there are no limits on how to understand “personal data”. Any information that refers to a particular person is considered as personal data, according to the Personal Data Protection Act.

Any information may be considered as personal data including but not limited to:

  1. Surname, name;
  2. Individual Identification Number, identity card number;
  3. Date of birth;
  4. Citizenship;
  5. Criminal, administrative records;
  6. Education;
  7. Foreign languages skills;
  8. Taste preferences;
  9. Health information;
  10. Property information;
  11. Address of residence; work address;
  12. Income amount;
  13. Nationality, religion;
  14. Mobile phone number;
  15. Family status;
  16. Any other personal information which can identify a person.

Which laws in Kazakhstan regulate personal data usage?

In Kazakhstan, the protection of personal data is regulated by following laws:

1. Law of the Republic of Kazakhstan on Personal data and their protection (hereinafter - the “Personal Data Protection Act”);
2. Rules of personal data protection and Rules for determining the personal data list (hereinafter - the “Rules”).

What should companies do to comply with Personal Data Protection Act?

Companies shall take certain measures before using personal data of individuals.

Such measures are described in the Personal Data Protection Act and in the Rules mentioned above.

One of such measures is to obtain an individual`s consent on collecting, processing, storing his personal data. Such consent may be made in written or in electronic form.

Once the Company has obtained such consent, the Company shall take all measures to protect the individual’s personal data. 

Are there any restrictions on the storage of personal data?

According to Article 12.2 of the Personal Data Protection Act, personal data that originates from Kazakhstan must be stored in Kazakhstan database. 

Thus, companies should store personal data in Kazakhstan database, if such personal data is originated in Kazakhstan. However various international companies store such personal data on abroad servers in order to save resources.

If the Company does not comply with the requirements of Personal Data Protection Act and Rules, the Company or its officials may bear civil, criminal, administrative liability.

Which authority regulates personal data protection in Kazakhstan?

In Kazakhstan as of today there is no specialized authority that regulates personal data protection.

However, the Kazakhstan Prosecutor's Office is the most competent authority, which inspects companies’ compliance with Personal Data Protection Act.

What liability is provided in Kazakhstan for violation of Personal Data Protection Act?

In Kazakhstan, there are administrative, civil and criminal liabilities for violation of the Personal Data Protection Act and Rules. Please see details below.

Administrative and criminal liability

Administrative liability for violation of personal data protection acts is provided in Article 79 of the Administrative Offences Code of Kazakhstan.

A fine for administrative violations could be from 140 US dollars to 7000 US dollars.

However, if a damage to individual from such violation exceeds 600 US dollars, administrative case could proceed to a criminal case.

In criminal case, the fines could go up to 35 000 US dollars. Or alternatively to this fine, the responsible person could be restricted or deprived of liberty for up to 5 years.

Civil liability

Civil liability is directly related to administrative and criminal liability.

An individual, whose rights were violated, could proceed with a court claim to recover losses, damages or harm from that violation. 

Companies shall take all measures to protect individuals’ personal data to avoid such civil, administrative and criminal liability.