Personal data protection in Kazakhstan

On November 26, 2013, the Law of the Republic of Kazakhstan “On personal data and its protection” № 94-V ЗРК (hereinafter – “Personal Data Law”) entered into force. It states the rules on collection, processing, and protection of personal data (except for personal and family needs exclusively) for state archival purposes; for state secrets; for (counter)intelligence, operational, and investigative activities, as well as for security of protected persons and property.


Personal data protection

Security measures to protect personal data do not contain any specific requirements. Thus, under Articles 22 and 25 of the Personal Data Law, the owner and the operator of the databases, as well as a third party, shall take the necessary measures to protect personal data, to ensure detection and prevention of unauthorized access, and minimization of its adverse consequences.

These responsibilities begin from the moment of data collection until its destruction or depersonalization.


Transfer of personal data outside of Kazakhstan

According to Article 16 of the Law, the cross-border transfer of personal information to a foreign territory can be carried out only if these states provide protection for such data and in the following cases:

1) under the consent of the person or his legal representative;

2) for the protection of constitutional rights and freedoms of persons, if it is impossible to receive the consent of the person or his legal representative;

2) according to ratified international treaties;

3) for the protection of the constitutional order, public safety and the rights and freedoms of people, public health or morals.

It shall be noted that Kazakhstan is not a party to Strasburg Convention on the Protection of Individuals in the automatic processing of personal data (Strasbourg, 28 January 1981).


Transmission of data in violation of the law

Under Article 24, individuals have the right to request to block or erase his/her information, if there are violations of collection and processing terms.

Then, Article 25 sets certain obligations in case of breach of collecting data processing. The owner and/or operator must within one working day:

–       block or destroy the personal data;

–       remove the blocking of personal data in the event of non-confirmation of such a violation.

There are no mandatory requirements to notify the persons about such a breach.

Though Personal Data Law sets some extraterritorial rules on transfer of the data, we believe it has the effect only on activities within the territory of the Republic of Kazakhstan.


The Personal Data Law is silent on the issue of whether it applies to the processing and/or collecting of personal data within Kazakhstan exclusively, or only regarding residents of the Republic of Kazakhstan in any territory.


Arlan Yerzhanov, a partner of BMF Group LLP,

Julia Fattorini, a senior counsel of BMF Group LLP,