May 2021 – Kazakhstan’s parliament is currently considering changes to the law on the protection of personal data. This note discusses the most notable amendments introduced in the draft law and their possible consequences for businesses operating in Kazakhstan. Our note is intended to be a helpful guide – it is not comprehensive and does not constitute legal advice. As of the date of this note, the draft bill has not yet been adopted.
Formation of an electronic service to ensure personal data protection
To protect the rights of data subjects (i.e., individuals), prevent leaks and suppress the misuse of personal data, it is expected that an electronic service will be created that will contain citizens’ personal data and which will serve as a central platform for access to the personal data of citizens and for all organisations regardless of their legal form. This service will enable data subjects to give and revoke their consent for data collection and processing. Operators will be able to send a notice to the authority through this service and, after receiving the relevant consent from the data subject, to receive access to personal data. Moreover, the platform will also allow data subjects to file complaints with the authorised body in case of a violation of their rights.
Owners and/or operators collecting and processing personal data will be obliged to notify the authorised body of the collection and processing of personal data
Owners and/or operators collecting and processing personal data will be required to send to the authorised body a notification of the collection and processing of personal data within one year from the date of entry into force of the draft law. It is expected that a unified register of operators will be created. Thus, for operators to collect or process personal data it will be necessary, in addition to obtaining a data subject’s consent, to notify the authorised body of the collection and processing of personal data.
Changes to the procedure for giving (withdrawing) consent to the collection or processing of personal data
It is proposed that the data subject or his/her legal representative gives (withdraws) consent to the collection and processing of personal data in writing, through the service for ensuring personal data protection or in another way that allows confirmation of the fact of obtaining consent. Consent to the collection or processing of personal data is given through a clear, affirmative action through which the data subject or his/her legal representative demonstrates the voluntary, definite and unambiguous consent to the processing of personal data relating to him or her. The draft law also provides the list of information that the consent to the collection and processing of personal data must include.
The authorised body will be able to inspect all organisations collecting or processing personal data
The draft amendments also include state control over compliance with the legislation of the Republic of Kazakhstan on personal data and their protection, which is given to the authorised body, i.e., the Ministry of Digital Development, Innovations and Aerospace Industry. The authorised body will be able to conduct inspections of companies that collect or process personal data.
The list of cases when collection or processing of personal data may be carried out without the consent of the subject will be clarified
The draft law provides a list of exceptions, where state bodies and organisations have the right to collect and process personal data without the consent of data subjects. For instance, it is expected that provision of personal medical data by medical workers will be carried out without the consent of the data subject.
This note has been prepared by members of Kinstellar’s Kazakhstan team: Joel Benjamin (Managing Partner), Kuanysh Shekerbekov (Senior Associate) and Zhanat Temirova (Junior Associate).