Currently, technical means allow the collection and processing of significant amounts of socially significant information necessary for the effective functioning of state mechanisms, the flow of social processes, as well as the realisation of human rights. The rapid development of information technologies makes it possible for almost any subjects of information relations to access and use various data banks. The constantly accelerating informatisation of society and the active development of open information systems significantly simplify the leakage and other forms of illegal access to personal information, which makes the task of providing the necessary legal protection of personal information particularly relevant and significant.

Declared by the Universal Declaration of Human Rights (1948), the Convention for the Protection of Human Rights and Fundamental Freedoms (1950), and many other acts, the inviolability of the privacy of every person includes the right to protect the personal data of each of us, the right to control information about ourselves, a ban on the collection, storage, use and dissemination of information about a person's private life without his consent.

On the territory of Kazakhstan and Uzbekistan, the Law on Personal Data and their protection No. 94-V of 21.05.2013 (RK) and the Law on Personal Data No. ZRU-547 of 01.07.2019 (RUz) apply to any actions and processes related in one way or another to the personal data of citizens and residents. In the European Union, such regulation is described in the GDPR (General Data Protection Regulation), and in the USA there are a dozen regulatory legal acts regulating personal data and their protection.

According to the legislation of the two countries, the laws apply to all organisations registered in the respective territories, representative offices of foreign companies and other persons who are somehow connected with the processing of personal data.

Below, Unicase will introduce the basic concepts, requirements and regulations on legislative regulation in Kazakhstan and Uzbekistan.

What is personal data?

The legal definition of the two countries is similar.

Personal data is information related to a certain or determined on their basis subject of personal data, recorded on electronic, paper and (or) other material media.

The laws do not establish an exhaustive list of personal data, thus blurring the concept and its protection. However, other laws still define the types of information that are subject to protection in accordance with the legislation of Kazakhstan and Uzbekistan.

The laws also provide for and introduced the division of personal data into: public and restricted access.

Publicly available data in simple words: all data that is freely available (Internet sources, address books, references and any other information sources.

However, all publicly available sources of personal data of the subject may be disclosed only with the personal consent of the subject. Information about the subject may be excluded from publicly available sources of personal data upon his request, submitted in the form in which consent was given, or in writing, including in the form of an electronic document, as well as by decision of an authorised state body or court.

Basic rules of personal data processing

Participants in the processing of personal data are the subject and the operator. Participants in the processing of personal data may also be the legal representative of the subject, the owner and third parties.

1. The collection and processing of personal data is carried out only with the consent of the subject or his legal representative.

Thus, in Uzbekistan, the personal data database is formed by collecting personal data necessary and sufficient to perform tasks performed by the owner and (or) the operator, as well as by a third party. Such procedure and principles of collection, systematization of personal data are determined by the owner and (or) the operator independently. The storage of personal data is carried out in a form that allows the identification of the subject to the extent required by the purposes previously stated when collecting personal data. The storage period of personal data is determined by the date of achievement of the purposes of their collection and processing.

The processing of personal data can be carried out in the following cases:

  • with the consent of the subject to the processing of this data;
    • the need to process this data in order to fulfill the contract to which the subject is a party, or
    to take measures at the request of the subject prior to the conclusion of such a contract;
  • the need to process this data in order to fulfill the obligations of the owner and (or) operator defined by law;
  • the need to process this data to protect the legitimate interests of the subject or another person;
  • the need to process this data in order to exercise the rights and legitimate interests of the owner and/or operator or a third party, or to achieve socially significant goals, provided that the rights and legitimate interests of personal data subjects are not violated;
  • processing of this data for statistical or other research purposes, subject to mandatory depersonalization of personal data;
  • if this data is obtained from publicly available sources.

However, the law protects the rights of the subject. The owner or operator, as well as his employees associated with the processing of personal data, are obliged to monitor and take all measures to protect and store, and are also obliged to prevent the disclosure of personal data that they have been entrusted with or have become aware of in connection with the processing or other duties.

2. Accumulation (storage) of personal data is carried out by collecting personal data necessary and sufficient to perform tasks performed by the owner and (or) the operator, as well as by a third party.

The storage of personal data is carried out by the owner and (or) the operator, as well as by a third party in a database located on the territory of the country whose citizens are collecting and storing personal data. Such databases of personal data should be located on the territory of Kazakhstan or Uzbekistan, depending on the citizens of which country the information is processed and stored.

Recent proceedings in Uzbekistan and written notifications from such giants as Google, Facebook, Apple, Telegram, VK Group and others have made it clear to other operators about the seriousness of the application of the legislative framework in the field of personal data protection in relation to such persons. The immediate blocking of websites and applications has stalled the work of many individuals.

To read the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.