News 3ILAW

Personal data: important changes that will come into force in 2024.

2024-01-03 14:01
In December 2023, the Law of the Republic of Kazakhstan “On Amendments to Certain Legislative Acts of the Republic of Kazakhstan on Information Security, Informatization and Digital Assets”, No. 44-VIII, dated 11 December 2023 (the “Law”), was adopted. The Law, among other things, introduces amendments to the Law of the Republic of Kazakhstan “On Personal Data and Protection”, No. 94-V, dated 21 May 2013 (the “Personal Data Law”).
In this alert, we discuss the amendments that we believe deserve special attention from businesses.
Notification of the detection of personal data security breach
The changes affected the responsibilities of owners and operators of databases with personal data. Owners and/or database operators will now be required to notify the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (“MDDIAI”) of any breach of the security of personal data. Such notification should specify the contact details of a person responsible for organizing the processing of personal data.
The notification period is one (1) business day from the moment the breach of personal data security is detected. This amendment will come into force on 1 July 2024.
Breach of personal data security: what is it?
The law describes what is considered a breach of the personal data security and introduces the term “breach of personal data security”.
A breach of the personal data security means the breach of the protection of personal data resulting in the illegal distribution, modification or destruction, unauthorized circulation of personal data transmitted, stored or processed otherwise or unauthorized access thereto.
Thus, if the organizational and/or technical and/or legal measures for the protection of personal data were breached, and this entailed the said consequences, then the owner and the operator of the database with personal data must notify the MDDIAI of the incident.
State control over the compliance with the personal data laws of the Republic of Kazakhstan
It should be noted that no change was made to state control over entrepreneurs' compliance with the law on personal data. As before, an entrepreneur may be subject only to an unscheduled inspection, at the request of a subject of personal data.
There are no scheduled inspections of entrepreneurs yet. We do not rule out such changes to the Personal Data Law in the near future. Such inspections are in place in other jurisdictions and are carried out under an inspection plan, which is announced at the beginning of a year. Changes to the Personal Data Law in recent years have shown that the personal data protection regime in Kazakhstan is being actively harmonized with the regime in other countries.
We believe that the register of notifications of personal data protection breaches may serve as a source of information for initiating scheduled inspections.
In the meantime, scheduled inspections of operations on collection and processing of personal data have only been introduced in respect of the state authorities.
What actions are required from entrepreneurs by the changes to the Personal Data Law?
We believe that, at a minimum, an internal audit is required as follows:
1) check whether a person has been appointed in the company to be responsible for organizing the processing of personal data (by an order of the CEO), and whether the work procedures of such person are set out in the company’s internal policies;
2) describe in the company’s policies how the internal process of reporting a breach of personal data protection is structured, and identify a person responsible for preparing and sending notifications to MDDIAI of any breach of personal data security. Is such person an information security specialist, a person responsible for organizing the processing of personal data, or another person? It is necessary to describe these procedures in policies and to inform employees about them, first of all because the notification period is only one (1) business day. Given such a short timeframe, it is recommended that all procedures and processes be described and practiced in advance.


For additional information, please send your request to Ulzhan Ashimbay (lawyer of 3i) by email at If you need a list of the requirements of the legislation of the Republic of Kazakhstan for personal data protection, please also send your request to the above email address. Such a list will be useful for companies for self-diagnosis of the compliance of their operations with the laws of the Republic of Kazakhstan on personal data.
We also note that other amendments have been made to the Personal Data Law, which we do not address in this release.