Key changes in the legislation on personal data of the Republic of Kazakhstan

The President of the Republic of Kazakhstan has signed a law that has made significant changes to the legislation on personal data and information security.

According to the Law, the following provisions have been amended:

  • Introduction of the concept of "Violation of personal data security". This term includes a violation of personal data protection, which resulted in the illegal dissemination, modification, destruction or unauthorized dissemination of personal data being processed, as well as unauthorized access to them.
  • Expanding the powers of the Authorized Body, which will now carry out state control over compliance with the legislation on personal data and their protection in the form of periodic and unscheduled inspections.

Periodic inspections will be carried out no more than once per year, and the inspection plan will be published on the Internet resource no later than December 1 of the year preceding the year of inspections.

An unscheduled inspection will be ordered in cases approved by the Authorized Body (for example, when applying to individuals and legal entities, in the case of a repeated inspection, when it is necessary to monitor the execution of the act on the results of the inspection, etc.).

During inspections, officials have the right to unhindered access to the territory of the inspected object, to receive documents, to make audio, photo and video recordings, to involve consultants, etc.

In addition, the Authorized Body has the right to send information to the operator of the information and communication infrastructure of the "electronic government" about a violation of the security of personal data that poses a risk of violating the rights and legitimate interests of subjects.

  • The obligation of the owner or operator of personal data to notify the Authorized Body of a detected violation of the security of personal data. The notification period is 1 working day after the discovery. When informing the authority, it is necessary to specify the contact details of the person responsible for organizing the processing of personal data protection (if any).
  • Prohibition on the collection and processing of copies of paper identity documents. The exceptions are the following cases:

  1. there is no integration with the computer system of a government agency or a state-owned legal entity;
  2. it is impossible to identify the subject using technological means;
  3. cases provided for by the legislative acts of the Republic of Kazakhstan.

  • Introduction of new key terms in the field of information security: "threat to information security", "information security incident response service", "vulnerability" and others.

These changes are aimed at strengthening information security in Kazakhstan by providing clearer definitions of key concepts and expanding the powers of regulatory authorities to ensure compliance with the requirements of the law.

For questions about the application of the legislation of the Republic of Kazakhstan in the field of personal data, please contact the legal department of Acsour. Our specialists are ready to provide support to your company in connection with the upcoming changes.