Kazakhstan's laws regulate public relations in the sphere of personal data protection. The Republic of Kazakhstan's law titled On Personal Data and Protection Thereof, or simply the Law, which was enacted on 21 May 2013, provides for the concept of personal data, including matters concerning its use, collection, processing, protection, and so on. This article outlines the state regulations regarding personal data.

Personal data, which is either specific or determined, includes information about a subject, in hardcopy, softcopy, or other forms of physical media.

The Law divides personal data into two categories:

  • Public personal data means that access to personal data is free with the consent of the subject or that confidentiality requirements do not apply under Kazakhstan's laws (e.g., biographical directories, address and telephone books, public information resources, and media).
  • Personal data of restricted access means that personal data is unavailable to the public under Kazakhstan's laws (e.g., workplace, residential address, identity card, and personal phone number).

Collection and processing of personal data are possible only with the owner's consent.

Moreover, the Law stipulates cases when the consent of the subject is not required:

  • Activities in law enforcement agencies, courts, and proceedings
  • Implementation of the state statistical objective
  • Protection of constitutional rights and freedoms of citizens, where obtaining the consent of the subject or his or her legal representative is impossible
  • Implementation of legal, professional, journalistic, and mass media activities or scientific, literary, or other creative activities subject to the observance of the statutory requirements for ensuring the rights and freedoms of each citizen
  • Other cases set by Kazakhstan's laws

Persons collecting and processing personal data must use it only for the abovementioned purposes.

Furthermore, the Law provides for a number of activities in the sphere of personal data protection.

For the purpose of protection, persons collecting and processing personal data are required to take various legal, organizational, and technical measures, including (1) ensuring integrity and safety, (2) observing confidentiality, (3) guaranteeing the right to access, (4) preventing illegal collection and processing, and (5) other necessary measures.

Failure to comply with the statutory requirements for personal data protection entails administrative and criminal liability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.