Amendments to the regulation of digital technologies and to the Personal Data Law entered into force in Kazakhstan on July 7, 2020. This review lists the main amendments that affect the protection of personal data.
1. An authorized body to provide guidance in the area of personal data protection will be appointed (hereinafter, the "Authorized Body").
The Personal Data Law establishes that the competence of the Authorized Body includes, inter alia, considering appeals of personal data subjects (their legal representatives), taking measures to hold violators accountable, and the right to demand from owners, operators and third parties the clarification, blocking or destruction of inaccurate or illegally obtained personal data.
2. Rules for the collection and processing of personal data will be developed and approved. We note that earlier the collection and processing of personal data was carried out on the basis of the provisions of the Personal Data Law. The rules will be approved by the Authorized Body in the form of a by-law. The draft rules are not currently available.
3. A new concept has been introduced into the Personal Data Law: “personal data safety protection service”. Through this service, information interaction between owners and/or operators on the subject of personal data will be provided. This service will allow the entity to provide (withdraw) consent to the collection, processing and/or transfer of personal data to third parties. That is, such a service will become a new form of granting (withdrawal of) consent in addition to those forms (written, in the form of an electronic document or using elements of protective actions that do not contradict Kazakh legislation) that were previously provided.
4. A new concept “voluntary cyber insurance” has been introduced into the Personal Data Law. The purpose of voluntary cyber insurance is to compensate for property damage caused to the subject, owner, operator, and/or third party, in accordance with legislation on insurance and insurance activities. The types, conditions and procedure for voluntary cyber insurance will be determined by agreement of the parties.
5. The Personal Data Law includes a requirement that the content and amount of personal data collected strictly correspond to the specific, previously declared and legal purposes of their processing.
6. If the owner and/or operator are legal entities, they are required to appoint a person responsible for organizing the processing of personal data (this requirement does not apply to the activities of courts). Such a person is entrusted, inter alia, with the following duties: to exercise internal control over compliance with legislation on the protection of personal data; to inform employees of the provisions of the legislation on the protection of personal data; to control the reception and processing of appeals of entities or their legal representatives. Please note that a similar Data Protection Officer (DPO) post was introduced in 2018 in Europe with the adoption of the General Data Protection Regulation (GDPR).
7. According to the amendments, depersonalization of personal data may be carried out not only for statistical, sociological, and/or scientific research, but also for marketing research.
8. A personal data subject or his/her legal representative is entitled at any time to demand the exclusion of the personal data of the subject from public sources of personal data, if the collection and/or processing of data are carried out with a violation of the legislation. Public sources include, but are not limited to, biographical directories, telephone address books, public electronic information resources and the media. Personal data may also be excluded from public sources by decision of the court or other authorized state bodies.
The Personal Data Law expressly establishes that the costs incurred in the destruction of personal data from public sources will be borne by the owner, operator and/or third party. If the destruction of personal data from publicly available sources is a consequence of the withdrawal of the consent, then the amount of the costs, as well as the persons who will be charged with such costs, as necessary, will be determined in court.
Moreover, on July 17, 2020, an important amendment to the Personal Data Law will come into force. It establishes that the collection and processing of personal data will be carried out without the consent of the subject or his/her legal representative in case of receipt of personal data by state revenue authorities for tax administration purposes and/or for control of information from individuals and legal entities in accordance with Kazakh laws.
At the same time, the Code of Administrative Offenses regarding liability for the illegal collection and/or processing of personal data has been amended: now the liability of offenders is limited to a fine, while the confiscation of subjects and/or instruments of an administrative offense is excluded from the liability.
This review has been prepared based on an analysis of the amendments to the Personal Data Law and can be supplemented after the adoption of the additional by-laws, in particular on the appointment of the authorized body, as well as the approval of the rules for the collection and processing of personal data.
- Law of the Republic of Kazakhstan No. 347-VI dated June 25, 2020 “On Amending Some Legislative Acts of the Republic of Kazakhstan on Regulation of Digital Technologies”.
- The Law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 “On Personal Data and Their Protection” (hereinafter, the “Personal Data Law”).
- Law of the Republic of Kazakhstan No. 359-VI dated July 3, 2020 “On Amending Some Legislative Acts of the Republic of Kazakhstan on Mortgage Loans in Foreign Currency, Improving Regulation of Payment Services Market Entities, Universal Declaration and Recovery of Economic Growth”.
- RK Code on Administrative Offenses No. 235-V of July 5, 2014.