The President of#nbsp;the Republic of#nbsp;Kazakhstan has signed a#nbsp;law that has made significant changes to#nbsp;the legislation on#nbsp;personal data and information security.
According to#nbsp;the Law, the following provisions have been amended:
Introduction of#nbsp;the concept of "Violation of#nbsp;personal data security". This term includes a#nbsp;violation of#nbsp;personal data protection, which resulted in#nbsp;the illegal dissemination, modification, destruction or#nbsp;unauthorized dissemination of#nbsp;personal data being processed, as#nbsp;well as#nbsp;unauthorized access to#nbsp;them.
Expanding the powers of#nbsp;the Authorized Body, which will now carry out state control over compliance with the legislation on#nbsp;personal data and their protection in#nbsp;the form of#nbsp;periodic and unscheduled inspections.
The term of#nbsp;periodic inspections will be#nbsp;no#nbsp;more than 1 time per year, the inspection plan will be#nbsp;published on#nbsp;the Internet resource no#nbsp;later than December 1 of#nbsp;the year preceding the year of#nbsp;inspections.
An#nbsp;unscheduled inspection will be#nbsp;appointed in#nbsp;cases approved by#nbsp;the Authorized Body (for example, when applying to#nbsp;individuals and legal entities, in#nbsp;case of#nbsp;repeated inspection, the need to#nbsp;monitor the execution of#nbsp;the act on#nbsp;the results of#nbsp;the inspection, etc.).
Officials during inspections have the right to#nbsp;get unhindered access to#nbsp;the territory of#nbsp;the inspected object, receive documents, carry out audio, photo- and videography, involve consultants, etc.
In#nbsp;addition, the Authorized body has the right to#nbsp;send information to#nbsp;the operator of#nbsp;the information and communication infrastructure of#nbsp;the "electronic government" about a#nbsp;violation of#nbsp;the security of#nbsp;personal data that poses a#nbsp;risk of#nbsp;violating the rights and legitimate interests of#nbsp;subjects.
The obligation of#nbsp;the owner or#nbsp;operator of#nbsp;personal data to#nbsp;notify the Authorized Body of#nbsp;a#nbsp;detected violation of#nbsp;the security of#nbsp;personal data. The notification period is#nbsp;1 working day after the discovery. When informing the authority, it#nbsp;is#nbsp;necessary to#nbsp;specify the contact details of#nbsp;the person responsible for organizing the processing of#nbsp;personal data protection (if#nbsp;any).
Prohibition on#nbsp;the collection and processing of#nbsp;copies of#nbsp;paper identity documents. The exceptions are the following cases:
lack of#nbsp;integration with the computer system of#nbsp;a#nbsp;government agency or#nbsp;a#nbsp;state-owned legal entity
the impossibility of#nbsp;identifying the subject using technological means
provided for by#nbsp;the legislative acts of#nbsp;the Republic of#nbsp;Kazakhstan.
Introduction of#nbsp;new key terms in#nbsp;the field of#nbsp;information security: "threat to#nbsp;information security", "information security incident response service", "vulnerability" and others.
These changes are aimed at#nbsp;strengthening information security in#nbsp;Kazakhstan by#nbsp;providing clearer definitions of#nbsp;key concepts and expanding the powers of#nbsp;regulatory authorities to#nbsp;ensure compliance with the requirements of#nbsp;the law.
For questions about the application of#nbsp;the legislation of#nbsp;the Republic of#nbsp;Kazakhstan in#nbsp;the field of#nbsp;personal data, please contact the legal department of#nbsp;Acsour. Our specialists are ready to#nbsp;provide support to#nbsp;your company in#nbsp;connection with the upcoming changes.