Newly Found Data Privacy Regulations in Kazakhstan
Kazakhstan’s Law on Amendments and Additions to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies, known as the Amendment Law for short, is a data privacy law that was recently passed in 2020. The Amendment Law was introduced to increase the level of obligation that organizations and individuals within Kazakhstan must adhere to when collecting, processing, storing, and disclosing personal data. To this end, the Amendment Law establishes the legal grounds and guidelines for data activities that occur within Kazakhstan, as well as the punishments that can be levied against individuals and organizations who fail to comply with the various provisions set forth in the law.
How are data controllers and processors defined under the law?
As is the case with many other data privacy laws that have been passed within Central Asian countries in recent years, such as Uzbekistan’s Law on Personal Data and Tajikistan’s Law on Personal Data, the Amendment Law does not provide a definition for the term “data processor”. Instead, the law uses the concept of a “database owner”, defined to mean the “state authority, natural person and/or legal entity executing in accordance with the law the right of possession, use, and disposal of the database containing personal data”. Likewise, the law does not provide a definition for the term “data controller” either.
Instead, the Amendment Law uses the concept of a “database operator”, defined to mean “the state authority, individual, and/or legal entity engaged in the collection, processing, and protection of personal data”. Moreover, the law defines personal data as “information related to the definite subject or related to the subject definable on the basis of such information, recorded on an electronic, paper and/or other tangible form (e.g. name, surname, age, address etc.)”. In terms of the scope and application of the law, the personal scope of the law applies to all “relations in the sphere of personal data”, while the material scope of the law is not explicitly stated. Furthermore, the law mandates that data processing is “limited to the achievement of specific, predetermined, and legitimate purposes”.
What are the responsibilities of database owners and operators under the Amendment Law?
Under the provisions set forth in the Amendment Law, database owners and operators within Kazakhstan are required to abide by the following principles when engaging in data processing activities:
- Ensuring that personal data is only collected and processed for purposes that are necessary for its operation.
- Ensuring that personal data is only processed for purposes that are in accordance with the purposes for which said personal data was collected.
- Taking protective measures to ensure that personal data is not accessed via unauthorized means, as well as minimizing any adverse consequences that may result from such access. In instances where database owners or operators are unable to prevent the unauthorized access of personal data, they are still responsible for detecting and reporting such access in a timely manner.
- Ensuring that all laws pertaining to data protection are followed and observed at all times.
- Ensuring that personal data is deleted after the purpose for which it was collected has been fulfilled and as such, the personal data is no longer relevant.
- Providing evidence proving that all personal data that has been collected and processed has been done so with the consent of all applicable data subjects.
In addition to following these data protection principles, database owners and operators are also required to meet several other obligations relating to data protection. These obligations include providing data subjects with data breach notifications in the event that a data breach occurs, as well as appointing a data protection officer or DPO to ensure that the provisions of the Amendment Law are complied with at all times. Additionally, database owners and operators are required to follow specific procedures and regulations relating to special categories of personal data under the law. Such categories include personal data relating to the personal health of data subjects within Kazakhstan.
What are the rights of data subjects under the Amendment Law?
Under the Amendment Law, data subjects within Kazakhstan are entitled to the following rights as it relates to the protection of personal data and privacy:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right of a data subject to protect their legal rights and interests.
- The right of data subjects to seek compensation in the event that their rights are violated under the law.
In terms of penalties that can be imposed as a result of failing to comply with the law, Article 147 of the Penal Code states that “non-compliance with measures for personal data protection by a natural person responsible for taking such measures if such action caused significant harm to rights and legitimate interests of other persons may lead to a fine up to 3,000 monthly calculated indices ($20,261), correctional labor for the same amount, community service for 600 hours, restriction of freedom for up to two years, or imprisonment for up to two years with deprivation of the right to take certain positions or certain activity for a period of up to three years or without such deprivation depending on the violation”, among various other administrative punishments and monetary penalties.
While the Constitution of the Republic of Kazakhstan does provide data subjects with the rights to data protection and privacy, the Amendment Law manifests these rights in modernized terms. As such, the Amendment Law outlines the requirements that database owners and operators within Kazakhstan must follow in order to maintain compliance with the law. What’s more, the law also puts Kazakhstan in league with various other countries throughout Asia that have passed data privacy legislation in the last few years, such as Malaysia’s Personal Data Protection Act 2010 and Thailand’s Personal Data Protection Act. More importantly, data subjects within Kazakhstan have an avenue for recourse in the event that their personal data is improperly collected, processed, or disclosed.