The Personal Data Law was adopted in 2013 and was amended once in 2015. The amendment of 2015 relates to the localization of personal data in Kazakhstan. The requirement for localization of personal data came into effect on 1 January 2016.
Dentons’ Almaty office published two client alerts on the localization of personal data in 2015 and 2016. From our work advising clients on the regulation of personal data processing, we conclude that entrepreneurs still have questions about how to organize a company’s infrastructure for the collection and processing of personal data so as to comply with the law, and whether a cross-border transfer is possible.
In this alert, we provide answers to frequently asked questions in relation to requirements for the localization of personal data in Kazakhstan.
The personal data localization rule introduced in Kazakhstan only requires storing databases with personal data in the RK territory. The RK legislation does not contain any compulsory procedure on how to fulfill the localization of personal data. Therefore, we consider that technical issues are left to the discretion of entrepreneurs.
The RK law does not provide for any obligation of an entity to store databases with personal data in any specific form and on any specific medium. Entities may choose a form and medium for storage of the data. Databases with personal data may be stored electronically, in hard copies or recorded on a computer hard drive or saved on servers. All such media should be kept within the territory of Kazakhstan.
There is no prohibition on carrying out other processing actions abroad. The Personal Data Law does not require databases with personal data to be stored exclusively in Kazakhstan; therefore, personal data may be stored simultaneously in other states.
There is no requirement to store the data in Kazakhstan first, and then in another country. Therefore, collection, processing, use, and change of databases with personal data may be carried out abroad with subsequent storage of the database with personal data in the RK territory. In this case, companies should be prepared to provide evidence that the database with personal data is subsequently transferred and stored in Kazakhstan.
In case of initial storage of data abroad, it is important to ensure synchronization of the databases abroad and in Kazakhstan. The frequency of synchronization is not defined in the Personal Data Law. Thus, it is also at the discretion of the company. However, the more frequently synchronization is performed, the smaller the risk that the authorities will question how the company’s infrastructure is organized.
Let us consider some examples.
It is common practice in Kazakhstan to store personal data of employees in hard copies. Personal files of employees are kept in the HR Department of a company. Simultaneously, most multinational companies upload the employee data to a single HR system and store it on a server abroad. In this case, the RK personal data localization requirement does not prevent the Kazakhstan company from uploading employee data to a single information system and transferring the data to third parties for storage and use abroad. The storage of personal files in hard copies means, in our opinion, that the data localization requirement is met.
Let us consider another example, in which data is subsequently stored in the Republic of Kazakhstan after initial storage abroad. Personal data is collected with the use of electronic devices. In the process of communicating with an individual, his/her personal data is entered into a single system. This way of collecting data is common for multinational companies with centralized storage of customer data and business partners’ data. Data is automatically stored on the group’s server abroad. In order to comply with the personal data localization requirement, a Kazakhstan subsidiary has to obtain the personal data and save such information in any form on any medium in Kazakhstan. For example, it may print out personal data from the system and store it in the office, or copy such data to a computer’s hard drive. Depending on the amount of information, the data may be stored in an Excel file on one of the computers or on a server.
The described approach applies both to employee data and to customer data. It is important to remember in both situations that the consent of individuals must be obtained before processing their personal data, and that synchronization of the databases stored abroad and on the territory of Kazakhstan must be ensured where the initial storage takes place outside Kazakhstan.
The requirement to localize personal data, like any other RK law, applies only to persons who carry out activities within the territory of the RK. Kazakhstan law does not apply to foreign companies that do not perform their activities on RK territory.
Based on this principle, the Personal Data Law applies to:
- Companies incorporated in Kazakhstan
- Citizens of Kazakhstan
- Foreign citizens and stateless persons who are residing in Kazakhstan
- Branches and representative offices of foreign companies
- Foreign companies doing business in Kazakhstan through their dependent agents, employees situated/located within Kazakhstan territory (even without the establishment of a representative office or a branch)
Which entities are obliged to store personal data in Kazakhstan?
Personal data in Kazakhstan should be stored by both the database owners and database operators.
The owner of a database containing personal data is a person who collects the data (or causes the data to be collected on its behalf), uses the database in its business and has the right to dispose of such database at its own discretion.
Database operators are persons who use databases in their activities with the consent of the owner, or who render data storage and processing services to the owner.
The term “personal data” in the Personal Data Law is not limited to the data of citizens of Kazakhstan and includes, in our view, personal data of Kazakhstan citizens, foreign citizens and stateless persons. The new personal data localization requirement does not narrow the definition of personal data to the personal data of Kazakhstan citizens. It covers any personal data collected and processed by an entrepreneur, including personal data of foreign citizens and stateless persons.
Is it still lawful to perform cross-border transfers of personal data?
Cross-border transfer of personal data is possible. Personal data may be kept in the RK and abroad in parallel. The law does not restrict entities with regard to the storage of personal data abroad.
It is important to note that the localization requirement is not a ban on transferring the data abroad. It is a requirement to store personal data in Kazakhstan. Once the data is stored in any form, the requirement is fulfilled. Non-fulfilment of the storage requirement is not an obstacle to transferring personal data abroad; it would only give rise to liability of the database owner or operator (depending on the situation, this may be civil, administrative or criminal liability).
It is important to remember that a cross-border data transfer is conditional on the consent of the data subject (as is collection and any other operation with personal data).
What are the procedures for transferring personal data to countries that do not provide adequate protection of personal data, and is such a transfer possible?
The Personal Data Law does not distinguish between states that provide a proper level of protection of personal data and states that do not. There are no criteria in Kazakhstan law for determining which countries provide a proper level of protection of personal data.
The prohibition in RK law on the transfer of personal data to countries that do not provide adequate protection of personal data may be overridden by the consent of the data subjects to the transfer of their data to countries that do not provide such a level of protection.
Thus, the Personal Data Law does not completely prohibit the transfer of personal data to states that do not ensure an adequate level of data protection. Such a transfer may be carried out on the basis of consent.
What are the penalties and consequences of non-compliance with the personal data localization requirement?
The regulation adopted in 2015 does not introduce special liability for violation of the personal data localization requirement. Entrepreneurs may bear general liability for violation of the terms of personal data processing (processing includes, inter alia, storage of personal data). Liability for this violation takes the form of a fine of up to 100 monthly calculation indices, or KZT 212,100 (approx. €589). By court decision, confiscation of the objects of the administrative offense is also possible.
Individuals (including officials of companies) can be held criminally liable for actions such as unlawful collection and/or processing of personal data causing substantial harm to the rights and interests of an individual. Substantial harm may include, for example, placing the affected person in a difficult situation or causing property damage to an individual. Criminal liability takes the form of a fine of up to 5,000 monthly calculation indices, or KZT 10,605,000 (approx. €29,458), or correctional works, or restriction of freedom for up to three years, or imprisonment for the same term.
The RK Civil Code provides for liability for violation of the non-property rights of individuals (the right to dispose of personal data constitutes a non-property right of an individual). A data subject may claim, inter alia, restoration of the situation that existed prior to the violation of the right, suppression of acts violating the right or creating the threat of its violation, compensation for damages, compensation for moral harm, and termination or alteration of legal relations.