Despite the legal regulation of personal data collection and processing having become a global hot topic in recent times, Kazakhstan has not yet developed a culture of respect for personal data.  Many employers, business managers, particularly in the area of retail, and other users of personal data are not even aware of their responsibilities in this area, and persons to whom the data relates (“data subjects”) are not aware of their rights.

On 25 November 2013, Law No. 94-V of the Republic of Kazakhstan "On Personal Data and Protection Thereof" entered into force (the "Law").  The Law greatly expanded the regulatory materials, which govern the collection, processing and protection of personal data, and filled a number of gaps that existed in the legislation on personal data prior to its adoption.

A number of commitments, which are prescribed to owners and operators of databases containing personal data, are new, namely:

  • to approve a list of personal data that are necessary to perform the tasks of an owner and an operator of resources that contain personal data;
  • to destroy personal data upon the expiry of the period of storage thereof;
  • to inform a data subject of the personal data held in relation to him/her within three business days of receiving an application from the data subject.

‘Owners’ of databases containing personal data are those companies that collect (including under an agency agreement) and use personal data of subjects. Such companies include, among others, all employers in respect of personal data of their employees, companies that sell goods of public consumption and form a customer base in respect of personal data of their clients, companies operating on the principle of network marketing that collect personal data of persons employed in the sale of the company's products.  An ‘operator’ of database containing personal data is a company that primarily collects, processes and protects personal data on the instructions of an owner of such database.  Database operators may be companies that provide services for the storage of data, processing of data on the instructions of clients, personal data depersonalization services and other services, i.e., provide technical support to owners of databases.

The owners and operators of resources containing personal information are required, within three months from the date of enactment of the Law, to bring their internal documentation into conformity with the Law.

The collection and processing of personal data carried out according to the legislation of Kazakhstan before the enactment of the Law shall be recognized as complying with the requirements of the Law, if the further processing of such personal data complies with the purposes of collection thereof. The principles of personal data collection and processing remain the same:

  1. collection and processing of personal data should be carried out only with the consent of the data subject;
  2. persons engaged in the collection and processing of personal data should ensure confidentiality of such data (achieved by taking organizational, technical and legal measures);
  3. personal data should be processed only for purposes declared at the time of collection thereof;
  4. there should not be dissemination (transfer) of personal data to third parties without the consent of the data subject.

The above principles should be taken into account, in particular, when preparing a letter of consent to the transfer of personal data.

The Law is accompanied by the introduction of administrative liability for violation of the legislation on personal data.  The Code of Administrative Offences of the Republic of Kazakhstan (hereinafter referred to as the "Code") provides for the punishment of such acts in the form of fines and confiscation of items used in the commission of the administrative offence.  Fines for legal entities, depending on the type of business activities (small, medium or large businesses), range from 50 up to 100 monthly calculation indices (approximately US$ 570 - 1,140).  The Code also provides for administrative liability for the failure of an owner, an operator or a third party to comply with personal data protection measures.  The failure to ensure the confidentiality of personal data is punishable by a fine from between 200 and 300 monthly calculation indices (approx. US$ 2,300 - 3,500).
It should be noted that there are some shortcomings of the Law, which may lead to its inconsistent implementation.  In particular, these relate to the form of a letter of consent of a data subject to the transfer and processing of his/her personal data, as well as periods of storage of personal data.