The Parliament of the Republic of Kazakhstan is considering a draft law of the Republic of Kazakhstan 'On the Introduction of Amendments to Some Legislative Acts of the Republic of Kazakhstan on the Regulation of Digital Technologies' (hereinafter - the 'Draft Law').
The Draft Law introduces a number of amendments to the Law of the Republic of Kazakhstan, dated 21 May 2013, 'On Personal Data and Protection Thereof' (hereinafter – the 'Law'). Main changes to the Law are summarised below.
Competent Authority for Personal Data Protection
The Draft Law proposes to introduce the concept of a competent authority for personal data protection (hereinafter - the 'Competent Authority'). This body is defined as the central executive authority managing in the area of personal data protection. Its competence will include, inter alia:
- taking part in the implementation of state policy in the area of personal data protection;
- development of rules for the implementation by the Owner1/Operator2/third parties of measures to protect personal data;
- addressing applications of the Subjects4 for compliance of the personal data content and methods of their processing to the purposes of their processing and taking an appropriate decision;
- taking measures to make persons, who has violated the legislation of the Republic of Kazakhstan on personal data and protection thereof, liable;
- requiring from the Operator to clarify, block or destruct personal data, where they are unreliable or were obtained illegally;
- approval of the Rules for the Personal Data Collection and Processing.
We believe that the creation of the Competent Authority should lead to increased control over the activities of persons involved in the collection and processing of personal data.
1 The owner of the personal database (hereinafter - the 'Owner') means a state authority, individual and(or) legal entity that, in accordance with the laws of the Republic of Kazakhstan, exercise the right to own, use and dispose of the database containing personal data.
2 Operator of the database containing personal data (hereinafter - the 'Operator') means the state authority, individual and(or) legal entity engaged in the collection, processing and protection of personal data.
3 Third party means a person, which is not the Subject, Owner and(or) Operator, but is connected therewith by legal circumstances or relations for the collection, processing and protection of the personal data.
4 Personal Data Subject (hereinafter - the 'Subject') means an individual, to whom the personal data refers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.