Outsourcing of Data Protection Officer services may include:

- launching Data Protection Officer’s department;

- day-to-day oversight over compliance with internal processes and procedures;

- processing applications of personal data owners (complaints, inquiries);

- interacting with regulatory authorities; 

- staff training.  

Conducting due diligences of internal processes and procedures related to the collection, use, storage and transfer of personal data, assessment of compliance with personal data laws, developing recommendations to eliminate any non-compliance found.

Developing personal data policies and other internal documentation, such as:

- privacy policy;

- data protection compliance policy;

- policy for accepting and processing applications from data owners;  

- policy for eliminating non-compliance with personal data laws;

- data owners’ letters of consent;

- adapting foreign personal data practices in conformity with requirements of the Kazakhstan legislation;

- amending the policies or other documents as per the amendments to the Kazakhstan legislation.

Employee trainings on personal data matters, and trainings on internal processes and procedures.

Control over the implementation of procedures for the collection and processing of personal data, legal support during the implementation. 

Legal support in the course of proceedings involving personal data violations, including representation before courts and state authorities

Who should appoint a data protection officer?

Any legal entity regardless of its business area, if such entity collects and processes, at least, data of its employees, and candidates for vacant positions, personal data of its counterparties’ employees.

Who is a data protection officer?

An employee of a company, or a specialist who arranges personal data processing under a service contract. The main function of such data protection officer is to monitor the compliance of a company with the personal data legislation, as well as control over acceptance and processing of applications from data owners.

What are other functions of a data protection officer?

The Republic of Kazakhstan Law "On Personal Data and Its Protection" vests three statutory functions upon a data protection officer:

- to exercise internal control over the compliance of a company and its employees with the personal data laws of the Republic of Kazakhstan, including the requirements to the protection of personal data;

- inform the company’s employees about the personal data law provisions;

- control over the acceptance and processing of applications from data owners concerning withdrawal of their personal data, infringement of their rights, etc.

A list of functions may be expanded at the option of entrepreneurs.