"The one, who owns the
information, owns the world".
Sir Winston Churchill
We live in a world of high technology, where information is available to everyone. Nowadays, well-developed technologies give people access to any type of data. In the Information Age, personal data has become a crucial topic in the area of human rights protection. Personal data laws are developed in order to protect the civil rights and freedoms of people and to secure the privacy of individuals' lives.
In Kazakhstan, a personal data protection law was introduced in 2013, and the State has lately introduced some amendments to the Law of the Republic of Kazakhstan On Personal Data Protection dated 21 May 2013 No.94-V (hereinafter the "Personal data law"), which raised discussion among the population and the legal community.
In order to understand the issue with the introduced amendments which led to the discussion, we need to understand the core of personal data protection law. According to the legislation1, personal data shall be defined as data related to a specific individual or an individual who may be identified on the basis thereof and which are recorded on electronic, paper and/or other objects. Personal data protection, in turn, is a package of measures, including legal, organisational and technical ones. These measures are performed in order to protect an individual's rights and freedoms in connection with the collection and processing of his/her personal data2.
Below are some of the major regulatory legal acts which form the basis for the regulation of personal data protection:
- Constitution of the Republic of Kazakhstan;
- Labour Code of the Republic of Kazakhstan dated 23 November 2015 No.414-V;
- Code on Administrative Offences of the Republic of Kazakhstan dated 30 January 2001 No.155-II (hereinafter the "Administrative Code");
- Civil Code of the Republic of Kazakhstan dated 27 December 1994 (General Part);
- Criminal Code of the Republic of Kazakhstan dated 16 July 1997 No.167-I (hereinafter the "Criminal Code");
- Law on Personal data protection of the Republic of Kazakhstan dated 21 May 2013 No.94-V;
- Law on Informatisation of the Republic of Kazakhstan dated 24 November 2015 No.418-V (hereinafter the "Informatisation law");
- Law on Banks and banking activity of the Republic of Kazakhstan dated 31 August 1995 No.2444;
- Rules on protection of personal data by the owner and (or) operator, and third parties dated 3 September 2013 No.909; and
- List of individuals' personal data which are included into state data resource dated 26 February 2016 No.117.
Let us start with the collection and processing of personal data. We need to define the terms "collection of personal data" and "processing of personal data" in order to understand the core of personal data protection. Collection of personal data means actions directed at the receipt of personal data. Processing of personal data means actions directed at the accumulation, storage, change, amendment, use, distribution, depersonalisation, blocking and destruction of personal data.
So, who can collect and process personal data and what is the procedure for it? According to the legislation3, personal data may be collected and stored by:
- owner4 of the database which contains personal data (hereinafter the "owner"); and (or)
- operator5 of the database which contains personal data (hereinafter the "operator"); and (or)
- third party6.
In order to collect and store personal data, owners and operators must define and agree on a list of personal data necessary for their activities and clearly specify the purpose for initiating the collection of personal data, so that the subject7 of personal data understands the purpose of collection and storage. It is significant to mention that processing of personal data by owners, operators, or third parties must always correspond to the specified purpose of the collection.
It is important to note that the subject of personal data shall give consent for collection and processing of his/her personal data, and such consent must be in:
- written form; and (or)
- electronic document with verified digital signature; and (or)
- other ways not contrary to the legislation of the Republic of Kazakhstan.
The subject of personal data may withdraw consent for collection and processing of his/her personal data, except for cases when such an action contradicts the legislation of the Republic of Kazakhstan or there is an unperformed obligation which is directly connected with the right to process such personal data.
However, according to the legislation8, personal data may be collected and processed without an individual's consent in the following cases:
- in the course of court and enforcement proceedings;
- in the course of statistical activities by the government;
- use of personal data by the government for statistical activities, subject to the condition of depersonalisation;
- under international treaties ratified by the Republic of Kazakhstan;
- for the purpose of protection of the constitutional rights and freedoms of the individual;
- publication of personal data according to the legislation of the Republic of Kazakhstan;
- for the purpose of journalistic activity and (or) the activity of the mass media, as well as in the course of scientific, literary or other activity, if it does not contradict the legislation of the Republic of Kazakhstan;
- in the case the individual fails to provide personal data in accordance with the legislation of the Republic of Kazakhstan;
- by state authorities performing regulation, control and supervision of financial market and financial organisations, in accordance with the legislation of the Republic of Kazakhstan;
- other occasions stipulated by the Personal data law and other laws of the Republic of Kazakhstan.
Personal data storage in Kazakhstan is the issue which gave rise to debates in the legal community. According to the legislation9, the owner, operator and (or) a third party shall store the database10 which contains personal data of individuals in Kazakhstan. The Minister of Investments and Development11 commented on this amendment, saying that it provides that, as long as personal data is stored in Kazakhstan, it may also be stored outside Kazakhstan.
So, as we understand, this amendment did not affect the cross-border transfer of personal data. According to the legislation12, the cross-border transfer of personal data to a state which provides data protection is not prohibited. Where there is no such protection of personal data, the party transferring personal data shall obtain prior permission of the subject of personal data.
Please also note that the Personal data law itself does not have retroactive effect. It means that any personal data collected and processed before adoption of this law will be recognized as collected and processed in compliance with the legislation of the Republic of Kazakhstan, if further collection and protection of such personal data corresponds to the purposes of initial collection13. Consequently, storage of personal data has an expiration date. The expiration date of personal data storage comes when the purposes of initial collection and processing are achieved. Such data must then be destroyed14.
With regard to the personal data of an employee, the Labour Code provides that the employee has the right to protection of personal data which is stored by the employer. The employer, in turn, is obliged to collect, process and protect personal data of his/her employees which is necessary for the purposes of the employment agreement. But first, the employee must give consent to the collection and processing of his/her personal data in the form specified above (in general, it is in writing). In order to ensure protection of personal data, the employer must store it in a special database according to the Personal data law.
Moreover, it is important to mention the liability for violation of the Personal data law, which gives rise to two types of liability: administrative and criminal. The prosecutor's office is the body which supervises implementation of the Personal data law in the Republic of Kazakhstan and initiates administrative proceedings15 for its violation. The Administrative Code16 provides penalties for violation of provisions on protection, collection and processing of personal data by the owner, operator or a third party in the amount of 20-1,000 MCI17 (approximately US $120 - US $6,200).
In addition, the Criminal Code18 also provides penalties for violation of provisions on protection, collection and processing of personal data by the owner, operator or a third party. According to the legislation, the Ministry of Internal Affairs of the Republic of Kazakhstan, its territorial departments and services of economic inspection shall investigate cases on violation of the Personal data law. The responsibility for such violation is provided for in the form of a fine in the amount of 3,000-5,000 MCI (approximately US $18,500 - US $30,800) or in the form of restriction of freedom/imprisonment from 2 to 7 years.
With regard to violations of personal data protection which happen outside Kazakhstan, any person may address his/her claims to the Ministry of Internal Affairs of the Republic of Kazakhstan or its territorial departments. According to the clarification19 of the Minister of Internal Affairs, information on violation of the Personal data law will be directed to the Ministry of Investments and Development of the Republic of Kazakhstan, which will take special measures. Such measures include banning access from Kazakhstan to foreign web-sites which contain illegally obtained personal data.
In conclusion, the Personal data law affects all commercial and non-commercial legal entities, state authorities and individuals in Kazakhstan. There was a series of discussions regarding the recently introduced amendment on storage of personal data, which prompted the Ministry of Investments and Development to give its comments and clarify the situation. But, in general, the field of personal data protection in Kazakhstan still needs improvement in terms of applying these regulations in practice.
1 Article 1 of the Personal data law;
2 Article 2 of the Personal data law;
3 Article 7 of the Personal data law;
4 The owner means a state authority, individual and/or legal entity which, according to the legislation of the Republic of Kazakhstan, has the right to possess, use and dispose of the database which contains personal data;
5 The operator means a state authority, individual and/or legal entity which performs collection, processing and protection of personal data;
6 A third party is a person/legal entity/authority connected to collection, processing and protection of personal data, being neither a subject of personal data, nor owner, nor operator;
7 The subject of personal data is the individual to whom the personal data relates;
8 Article 9 of the Personal data law;
9 Article 12 of the Personal data law;
10 The database which contains personal data in particular order;
12 Article 16 of the Personal data law;
13 Article 31 of the Personal data law;
14 Article 18 of the Personal data law;
15 Article 805 of the Administrative Code;
16 Article 79 of the Administrative Code;
17 Monthly calculation index (MCI) is an index used in Kazakhstan for calculating pensions, allowances and other social payments and also for incrementing fines and calculating taxes and other payments. It is set annually by the law of the Republic of Kazakhstan on the Budget. For 2016 it is equal to 2121 Tenge (approximately US $6);
18 Article 147 of the Criminal Code;