Newly Found Data Privacy Regulations in Kazakhstan

November 04, 2021 | 5 minutes read
Newly Found Data Privacy Regulations in Kazakhstan

Kazakhstan’s Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies, also known as the Amendment Law for short, is a data privacy law that was recently passed in 2020. The Amendment Law was introduced to increase the level of obligation that organizations and individuals within Kazakhstan must adhere to when collecting, processing, storing, and disclosing personal data. To this point, the Amendment law establishes the legal grounds and guidelines for data activities that occur within Kazakhstan, as well as the punishments that can be levied against individuals and organizations who fail to comply with the various provisions that are set forth in the law.

How are data controllers and processors defined under the law?

As is the case with many other data privacy laws that have been passed within Central Asian countries in recent years, such as Uzbekistan’s Law on Personal Data and Tajikstan’s Law on Personal data, the Amendment Law does not provide a definition for the term “data processor”. Instead, the law uses the concept of a “database owner” defined to mean the “state authority, natural person and/or legal entity executing in accordance with the law the right of possession, use, and disposal of the database containing personal data”. Conversely, the law does not provide a definition for the term “data controller” either.

Alternatively, the Amendment Law uses the concept of a “database operator” defined to mean “the state authority, individual, and/or legal entity engaged in the collection, processing, and protection of personal data”. Moreover, the law defines personal data as “information related to the definite subject or related to the subject definable on the basis of such information, recorded on an electronic, paper and/or other tangible form (e.g. name, surname, age, address etc.)”. In terms of the scope and application of the law, the personal scope of the law applies to all “relations in the sphere of personal data”, while the material scope of the law is not explicitly stated. Furthermore, mandates that data processing is “limited to the achievement of specific, predetermined, and legitimate purposes”.

What are the responsibilities of database owners and operators under the Amendment Law?

Under the provisions set forth in the Amendment Law, database owners and operators within Kazakhstan are required to abide by the following principles when engaging in data processing activities:

In addition to following these data protection principles, database owners and operators are also required to meet several other obligations as it relates to data protection. These obligations include providing data subjects with data breach notifications in the event that a data breach occurs, as well as appointing a data protection officer or DPO to ensure that the provisions of the Amendment Law are complied with at all times. Additionally, database owners and operators are also required to follow specific procedures and regulations as it relates to special categories of personal data under the law. Such categories include personal data relating to the personal health of data subjects within Kazakhstan.

What are the rights of data subjects under the Amendment Law?

Under the Amendment Law, data subjects within Kazakhstan are entitled to the following rights as it relates to the protection of personal data and privacy:

In terms of penalties that can be imposed as a result of failing to comply with the law, Article 147 of the Penal Code states that “non-compliance with measures for personal data protection by a natural person responsible for taking such measures if such action caused significant harm to rights and legitimate interests of other persons may lead to a fine up to 3,000 monthly calculated indices ($20,261), correctional labor for the same amount, community service for 600 hours, restriction of freedom for up to two years, or imprisonment for up to two years with deprivation of the right to take certain positions or certain activity for a period of up to three years or without such deprivation depending on the violation”, among various other administrative punishments and monetary penalties.

While the Constitution of the Republic of Kazakhstan does provide data subjects with the rights to data protection and privacy, the Amendment Law manifests these rights in modernized terms. As such, the Amendment Law outlines the requirements that database owners and operators within Kazakhstan must follow in order to maintain compliance with the law. What’s more, the law also puts Kazakhstan in league with various other countries throughout Asia that have passed data privacy legislation in the last few years, such as Malaysia’s Personal Data Protection Act 2010 and Thailand’s Personal Data Protection Act. More importantly, data subjects within Kazakhstan have an avenue for recourse in the event that their personal data is improperly collected, processed, or disclosed.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »