PERSONAL DATA

The Kazakhstan Law On Personal Data and Protection Thereof defines “personal data” as information that relates to an identified or identifiable individual recorded on electronic, paper and/or other media.

“Personal data subject” means the individual to whom personal data relate.

Categories of Personal Data

In terms of accessibility, personal data may be categorized either as generally accessible or as restricted.

“Generally accessible personal data” mean any personal data or information which are not applied the confidentiality requirement provided for by Kazakhstan law and which are easily accessible with consent of such data/information subject (e.g. information in mass media, telephone directories, etc.).

“Restricted personal data” mean any personal data the access to which is restricted by Kazakhstan law, including personal particulars (first name, middle name, surname, date of birth and nationality), residence and domicile details, individual identification number (IIN, identification document and number thereof, and other personal particulars).

Collection and Processing of Personal Data

“Collection of personal data” means any activity aimed at the acquisition of personal data.

“Processing of personal data” means any activity aimed at the accumulation, storage, modification, complementation, use, distribution, anonymization, blocking or destruction of personal data.

Personal data may be collected and processed subject to a prior consent of such personal data subject or their lawful representative in the manner prescribed by Kazakhstan law.

Personal data may be collected and processed, only if adequately protected, to the extent required for the achievement of particular predetermined legitimate goals and objectives.

Personal data may not be processed for any goals that are inconsistent with the goals of such personal data collection.

Personal data may be collected and processed without a prior consent of such personal data subject or their lawful representative in certain exceptional circumstances, including, but not limited to, the following:

  • when requested by government authorities for highly restricted purposes; or
  • when required to protect constitutional rights and liberties of a man or a citizen, provided, however, that it is impossible to obtain consent of the personal data subject or their lawful representative; or
  • when required for the performance of professional journalistic and/or mass media, scientific, literature or other artistic engagements, provided, however, that the engaged professionals strictly abide by Kazakhstan laws safeguarding the rights and liberties of man and citizen.

Cross-border Transfer of Personal Data (General Principles)

“Cross-border transfer of personal data” means the transfer of personal data to a third country.

Subject to the Kazakhstan Law On Personal Data and Protection Thereof, personal data may not be transferred to a third country until such third country ensures adequate protection of the transferred personal data in compliance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981, Strasbourg), if the third country is a member of the Convention.

Personal data may be transferred to a certain third country which cannot ensure adequate protection of the transferred personal data when:

the personal data subject or their lawful representative has granted consent to such cross-border transfer of their personal data;

  • such cross-border transfer of personal data is provided for by international treaties ratified by the Republic of Kazakhstan;
  • such cross-border transfer of personal data is provided for by Kazakhstan laws and is absolutely necessary for the protection of the constitutional system and for the enforcement of public order, rights and liberties of man and citizen, as well as public health and moral; or
  • such cross-border transfer of personal data is required for the protection of constitutional rights and liberties of man and citizen, if it is impossible to obtain consent of the personal data subject or their lawful representative.

When transferring data to a third country, due regard should be given to other provisions regulating the issues of personal data storage.  For example, the Kazakhstan Law On Personal Data and Protection Thereof states that “personal data must be stored by the owner and/or operator and/or a third party in a database located in the Republic of Kazakhstan”.

Liability for Breach of Personal Data Protection Laws

A breach of personal data protection laws is punishable by a penalty of up to US$7,000 (in practice, maximum US$1,500) under Articles 79, 451 and 641 of the Kazakhstan Code of Administrative Offences, or by imprisonment for up to 7 years under Articles 147 and 211 of the Kazakhstan Criminal Code.