February 3, 2022

Protection of personal data under the legislation of the Republic of Kazakhstan (as amended and supplemented as of January 2021)

Introduction

  1. Rights of the subject and obligations of the operator when processing personal data
  2. Consent to the collection and processing of personal data
  3. Measures to protect personal data
  4. Interaction with government agencies. Responsibility for violation of legislation on the protection of personal data.

Introduction

Modern society encounters information exchange more and more in daily life. Each of us regularly provides information about ourselves that allows us to be identified, directly or indirectly. The current legislation of the Republic of Kazakhstan classifies such information as personal data, and some of it is subject to confidentiality requirements.

According to the definition contained in the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On Personal Data and their Protection” (hereinafter referred to as the Law), personal data is information relating to a specific subject of personal data, or to a subject who can be determined on the basis of that information, recorded on electronic, paper and (or) other tangible media.

By accessibility, personal data is divided into publicly available personal data and restricted-access personal data.

Publicly available personal data are personal data or information that, in accordance with the legislation of the Republic of Kazakhstan, is not subject to confidentiality requirements and access to which is free with the consent of the subject.

Restricted-access personal data are personal data to which access is limited by the legislation of the Republic of Kazakhstan (for example, fingerprint and genomic information, medical, insurance, tax and other information).

Persons who carry out the collection, processing and protection of personal data (including the accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction of personal data) are database operators. Owners of personal databases, in turn, have the right to own, use and dispose of the personal database; they may be government bodies, individuals and (or) legal entities (for example, employers).

Based on this, in order to ensure that our legitimate interests are met and our privacy is protected, it is necessary to know the obligations assigned to the personal data controller and to monitor whether they are fulfilled.

1. The rights of the subject and the obligations of the operator when processing personal data.

The rights of the subject are listed in paragraph 1 of Article 24 of the Law, under which the subject has the right:

1) to know whether the owner and (or) operator, as well as a third party, hold their personal data, and to receive information containing:

– confirmation of the fact, purpose, sources, methods of collecting and processing personal data;

– list of personal data;

– terms of personal data processing, including the terms of their storage;

2) to require the owner and (or) operator to change and supplement their personal data if there are grounds confirmed by relevant documents;

3) to require the owner and (or) operator, as well as a third party, to block their personal data if there is information about a violation of the conditions for the collection or processing of personal data;

4) to demand from the owner and (or) operator, as well as a third party, the destruction of their personal data, the collection and processing of which was carried out in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;

5) to withdraw consent to the collection and processing of personal data, except for the cases provided for in paragraph 2 of Article 8 of the Law;

6) to give (or refuse) consent to the owner and (or) operator to distribute their personal data in publicly available sources of personal data;

7) to protect their rights and legitimate interests, including compensation for moral and material damage;

8) to exercise other rights provided for by the Law and other laws of the Republic of Kazakhstan.

If the subject of personal data believes that the operator is processing his personal data in violation of the requirements of the Law or otherwise violates his rights and freedoms, the subject of personal data has the right to file a complaint first under the pre-trial procedure (with the appropriate authorized body) and then under the procedure of administrative court proceedings.

The obligations of the operator are established in Article 25 of the Law, and the same obligations apply to the owner.

Thus, before starting to collect personal data, the owner and (or) operator must approve the list of personal data that is necessary and sufficient for the tasks they perform, using the special form approved by Decree of the Government of the Republic of Kazakhstan dated November 12, 2013 No. 1214.

In order to protect personal data, the operator is obliged to take and comply with the necessary measures, including legal, organizational and technical ones, in accordance with the legislation of the Republic of Kazakhstan.

Once the purpose of processing personal data has been achieved, the operator is obliged to take measures to destroy the personal data.

The obligation to provide proof of obtaining the consent of the subject of personal data to the processing of his personal data rests with the operator.

If the subject applies to the operator and (or) the owner, they are obliged to provide the information relating to the subject within three working days from the date of receipt of the request from the subject or his legal representative. If the information is not provided, the operator is obliged to submit a reasoned response within the same period.

A shorter deadline of one working day applies to changing and (or) supplementing personal data, and to blocking or destroying it, on the basis of the submitted documents or of the fact that it was collected or processed in violation of the legislation of the Republic of Kazakhstan.

According to the amendments and additions to the law on personal data and their protection of January 2, 2021, the obligations of the operator, as well as of the owner, were supplemented as follows. The operator and (or) the owner are now obliged to register and record the term or period during which the consent to the collection and processing of personal data is valid, information on whether or not the operator may transfer personal data to third parties, information on whether or not cross-border transfer of personal data takes place in the course of processing, and information on the dissemination of personal data in public sources.

In addition, the operator and (or) the owner are obliged to approve the documents defining the operator’s policy on the collection, processing and protection of personal data and, at the request of the authorized body considering applications from individuals and legal entities, to provide information on the methods and procedures used to ensure compliance by the owner and (or) the operator with the requirements of the Law.

Personal data must be stored by the owner and (or) operator, as well as by a third party, in a database located on the territory of the Republic of Kazakhstan. Therefore, if the owner and (or) operator are non-residents, they are required either to lease or to acquire ownership of a server for storing personal data on the territory of the Republic of Kazakhstan.

2. Consent to the collection and processing of personal data.

The subject or his legal representative gives consent to the collection and processing of personal data in writing, in the form of an electronic document, through a personal data security service, or in any other way using protective measures that do not contradict the legislation of the Republic of Kazakhstan (for example, consent can be expressed by transmitting a one-time password, by sending a short text message to the subscriber’s number, by clicking, by ticking a box, etc.).

The consent of the subject of personal data to the collection and processing of their personal data must include:

1) the name (last name, first name, patronymic, if indicated in the identity document) and business identification number (or individual identification number) of the operator;

2) the last name, first name and patronymic (if indicated in the identity document) of the subject;

3) the term or period during which the consent to the collection and processing of personal data is valid;

4) information on whether or not the operator may transfer personal data to third parties;

5) information on whether or not cross-border transfer of personal data takes place in the course of processing;

6) information about the dissemination of personal data in publicly available sources;

7) a list of collected data related to the subject;

8) other information determined by the owner and (or) operator.

3. Measures to protect personal data

To ensure the protection of personal data, the following is necessary:

– identification of the business processes that involve personal data;

– separation of personal data into public and restricted access;

– determination of the list of persons who collect and process personal data or have access to them;

– establishing the procedure for access to personal data.

In addition, if the owner and (or) operator are legal entities, they are obliged to appoint a person responsible for organizing the processing of personal data. A similar position, the “Data Protection Officer” (DPO), was introduced in Europe in 2018.

4. Interaction with government agencies. Responsibility for violation of legislation on the protection of personal data.

Now legal entities are required to notify the Ministry of Digital Development, Innovation and Aerospace Industry of information security incidents related to illegal access to personal data.

In addition, a new function of the State Technical Service has been introduced: examining the security of personal data. Legal entities are obliged to grant the State Technical Service access to conduct such an examination at its request.

Violation of the legislation of the Republic of Kazakhstan “On personal data and their protection” entails both administrative and criminal liability, in accordance with the legislation of the Republic of Kazakhstan.

In accordance with Art. 79 of the Code of Administrative Offenses of the Republic of Kazakhstan, the following violations of the law on the protection of personal data are established (where the act does not contain elements of a crime):

– illegal collection and (or) processing of personal data committed by the owner, operator or third party using their official position;

– non-compliance by the owner, operator or third party with measures to protect personal data;

These violations may entail fines of 20 to 1000 MCI (monthly calculation indices), depending on the category of the business entity and the qualifying elements of the administrative offense.

Article 147 of the Criminal Code provides for criminal liability for violation of data protection law if such an act caused significant damage to the rights and legitimate interests of individuals. Thus, a person who is required to take measures to protect personal data may be fined, or sentenced to corrective labor or imprisonment for up to two years, with possible deprivation of the right to hold certain positions or engage in certain activities for up to three years.