Current situation:

Since the adoption of the Law of the Republic of Kazakhstan "On Personal Data and their Protection" dated May 21, 2013, its actual application has raised many questions. Mechanisms for storing and processing personal data of foreign nationals in Kazakhstan caused a special problem.

On July 7, 2020, changes in the sphere of personal data regulation, introduced by Law No. 347-VI of June 25, 2020, entered into force.

On July 19, 2020, the new Code of the Republic of Kazakhstan "On Public Health and the Healthcare System" (which also regulates the protection of personal data) came into force.

Main innovations:

The following new concepts have been introduced into the legislation on personal data protection:

- the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan became the competent authority in the area of the personal data protection;

- natural persons are allowed to demand the exclusion of their personal data from the open sources if their generally accessible personal data1 were collected and processed in violation of the law. The costs of the personal data deletion from the open sources are paid by the owner and/or the operator of the source in question;

- the entity which is the owner and/or the operator of the database containing personal data must appoint an officer responsible for the protection of the personal data;

- the list of personal data necessary and sufficient for the fulfilment of certain activities was amended;

- the concept of the "protection of the personal data service" is introduced. The service provides for the informational interaction of owners and (or) operators with the data subject, including reception from the subject of the consent to gathering, processing of the personal data or their transfer to the third parties, in particular via such interaction by owners and (or) operators independently.

- the concept of "Voluntary cyberinsurance" is introduced. This is a type of insurance activity in the sphere of personal data, the purpose of which is compensation of property damage caused to the subject, owner and/or operator, third party, in accordance with the legislation of the Republic of Kazakhstan on insurance and insurance activity.

Personal data in healthcare

- Processing, storage and protection of personal medical data stored at the national level is carried out by the Ministry of Health of the Republic of Kazakhstan;

- the Code introduces new definitions into the healthcare legislation of the Republic of Kazakhstan such as:

- "personal medical data" are personal data that contain information about an individual's health and the medical services provided to him/her, recorded on electronic, paper or other tangible media;

- "personal medical data aggregator" is a digital healthcare subject,

collecting, processing, storing, protecting and providing personal medical data in accordance with the rules approved by the authorized body;

- "set of structured personal medical data" - an electronic medical data records related to a specific case of medical care.

The Code defines a specific list of persons who have access to personal medical data of an individual with his/her consent only in the part necessary for the provision of the respective services.


1. "Generally accessible personal data" are personal data and information which according to the legislation of the Republic of Kazakhstan are not subject to confidentiality requirements and are freely accessible with the consent of the data subject.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.