Important changes to the Personal Data Law of Kazakhstan

Amendments to the Personal Data Law will come into force in March 2022.

In this review, we would like to focus on several notable changes to the Personal Data Law. There are additional amendments that are not covered in this newsletter.

Re-collection and processing of personal data

One of the significant changes concerns the repeated collection and processing of personal data that is available in public sources. The new amendment now permits the repeated collection and processing of such data, provided that the data was originally distributed with the consent of the data subject.

This change is in line with the current trend of accessing information for the purpose of developing information services. At the same time, the new rule is a departure from the principle of informed use of personal data. Additionally, it has the potential to interfere with the rights of database owners, who tend to allocate a significant amount of resources to the collection of data.

The new rule may be relevant for the long-lasting IT dispute between VKontakte and Double – a social network and an IT company respectively – in Russia. Double collects and processes data of VKontakte users. Double then passes the collected data to banks as an aid to determine the credit rating of potential borrowers.

In the new Kazakhstan realities, our recommendation for database owners is to pay particular attention to what policies and procedures Internet resources and mobile apps have. Databases can be protected with the help of intellectual property laws.

Consent form

Another important amendment concerns the consent forms for collection and processing of personal data. Several approved methods of collecting consent from data subjects have been excluded.

The new rule provides that consent can be obtained either in writing (current practice) or using the service of personal data access control (a new option).

There are certain requirements for how the personal data access control service should operate. The functions of the service have to include the collection of consent, notification of a data owner regarding actions with personal data (viewing, changing, supplementing, transferring, blocking), as well as notifying the data owner of any third-party access to personal data.

The list of approved methods for obtaining the consent of data subjects will now be non-exhaustive. This is good news, as it means that consent may be obtained by any method, provided it allows the consent of a data subject to be acknowledged (this requirement is currently in force). This also means that the established methods of obtaining users’ consent via Internet resources or mobile apps can still be used.

Keeping records of operations involving personal data processing

The last amendment we would like to discuss concerns data safety measures. The Personal Data Law now contains a requirement for entities to keep records of the following actions: data storage periods, data transfer, including cross-border transfers, and data dissemination on publicly available sources.

We should note that this rule to keep records of actions is not new; rather, the amendment has provided more detail for the existing requirement.

What steps should companies take in view of these changes?

The very first thing to do is to have the company’s operations and documents audited for compliance with personal data laws. Second, it is essential to compile a checklist for bringing the company’s operations into line with the statutory requirements.

We should note that there have been a number of significant changes introduced since 2020.

We will be happy to share our overview of the changes over the past two years, as well as our checklist with all statutory requirements concerning protection of personal data. This list can be used by companies as a self-diagnostic tool for legal compliance.

If you would like to get a copy of our overview of changes and checklist, please contact us at: [email protected].