3 December 2021
One of the main components of a person's right to privacy is the protection of his personal data.
Current technical means allow the collection and processing of large amounts of socially significant information necessary for the effective functioning of state mechanisms, the flow of social processes, and the realisation of human rights. The rapid development of information technologies makes it possible for almost any subject of information relations to access and use various data banks. The constantly accelerating informatisation of society and the active development of open information systems make leakage and other forms of illegal access to personal information significantly easier, which makes the task of providing the necessary legal protection of personal information particularly relevant and significant.
Declared by the Universal Declaration of Human Rights (1948), the Convention for the Protection of Human Rights and Fundamental Freedoms (1950), and many other acts, the inviolability of the privacy of every person includes the right to protect the personal data of each of us, the right to control information about ourselves, a ban on the collection, storage, use and dissemination of information about a person's private life without his consent.
On the territory of Kazakhstan and Uzbekistan, the Law on Personal Data and their protection No. 94-V of 21.05.2013 (RK) and the Law on Personal Data No. ZRU-547 of 01.07.2019 (RUz) apply to any actions and processes related in one way or another to the personal data of citizens and residents. In the European Union, such regulation is described in the GDPR (General Data Protection Regulation), and in the USA there are a dozen regulatory legal acts regulating personal data and their protection.
According to the legislation of the two countries, the laws apply to all organisations registered in the respective territories, representative offices of foreign companies and other persons who are somehow connected with the processing of personal data.
Below, Unicase will introduce the basic concepts, requirements and regulations on legislative regulation in Kazakhstan and Uzbekistan.
What is personal data?
The legal definitions in the two countries are similar.
Personal data is information relating to a specific subject of personal data, or to a subject identifiable on the basis of that information, recorded on electronic, paper and (or) other material media.
The laws do not establish an exhaustive list of personal data, thus blurring the concept and its protection. However, other laws still define the types of information that are subject to protection in accordance with the legislation of Kazakhstan and Uzbekistan.
The laws also divide personal data into two categories: publicly available and restricted access.
Publicly available data, in simple words, is all data that is freely available (Internet sources, address books, references and any other information sources).
However, all publicly available sources of personal data of the subject may be disclosed only with the personal consent of the subject. Information about the subject may be excluded from publicly available sources of personal data upon his request, submitted in the form in which consent was given, or in writing, including in the form of an electronic document, as well as by decision of an authorised state body or court.
Basic rules of personal data processing
Participants in the processing of personal data are the subject and the operator. Participants in the processing of personal data may also be the legal representative of the subject, the owner and third parties.
1. The collection and processing of personal data is carried out only with the consent of the subject or his legal representative.
Thus, in Uzbekistan, the personal data database is formed by collecting the personal data necessary and sufficient to carry out the tasks performed by the owner and (or) the operator, as well as by a third party. The procedure and principles for the collection and systematization of personal data are determined by the owner and (or) the operator independently. The storage of personal data is carried out in a form that allows the identification of the subject to the extent required by the purposes previously stated when collecting personal data. The storage period of personal data is determined by the date of achievement of the purposes of their collection and processing.
The processing of personal data can be carried out in the following cases:
- with the consent of the subject to the processing of this data;
- the need to process this data in order to fulfill the contract to which the subject is a party, or to take measures at the request of the subject prior to the conclusion of such a contract;
- the need to process this data in order to fulfill the obligations of the owner and (or) operator defined by law;
- the need to process this data to protect the legitimate interests of the subject or another person;
- the need to process this data in order to exercise the rights and legitimate interests of the owner and/or operator or a third party, or to achieve socially significant goals, provided that the rights and legitimate interests of personal data subjects are not violated;
- processing of this data for statistical or other research purposes, subject to mandatory depersonalization of personal data;
- if this data is obtained from publicly available sources.
However, the law protects the rights of the subject. The owner or operator, as well as his employees associated with the processing of personal data, are obliged to monitor and take all measures to protect and store the data, and are also obliged to prevent the disclosure of personal data that has been entrusted to them or has become known to them in connection with the processing or other duties.
2. Accumulation (storage) of personal data is carried out by collecting personal data necessary and sufficient to perform tasks performed by the owner and (or) the operator, as well as by a third party.
The storage of personal data is carried out by the owner and (or) the operator, as well as by a third party, in a database located on the territory of the country whose citizens' personal data is being collected and stored. Such databases of personal data should be located on the territory of Kazakhstan or Uzbekistan, depending on which country's citizens the information relates to.
Recent proceedings in Uzbekistan and written notifications from such giants as Google, Facebook, Apple, Telegram, VK Group and others have made clear to other operators how seriously the legislative framework in the field of personal data protection is being applied to such persons. The immediate blocking of websites and applications has stalled the work of many individuals.
The way out of the situation is obvious: carry out duplicate collection and storage of personal data on the territory of the country of collection, as well as on the territory of the operator's location.
3. The dissemination of personal data is actions aimed at the disclosure of personal data to an indefinite circle of persons, including the publication of personal data in the media, posting on the World Information Network Internet or providing access to personal data in any other way.
The dissemination of personal data is allowed if the rights and freedoms of the subject are not violated, as well as the legitimate interests of other individuals and (or) legal entities are not affected.
4. Cross-border transfer of personal data
Cross-border transfer of personal data is the transfer of personal data by the owner and/or operator outside the country. At the same time, such transfer of personal data is carried out to those foreign states that can provide adequate protection of the rights of personal data subjects.
The cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of personal data may be carried out in the following cases:
- the subject's consent to the cross-border transfer of his personal data;
- the need to protect the constitutional order of the country, the protection of public order, the rights and freedoms of citizens, the health and morals of the population;
- stipulated by international treaties.
The cross-border transfer of personal data may be prohibited or restricted in order to protect the rights and foundations of the constitutional system, morality, health, rights and legitimate interests of citizens, to ensure the defense of the country and the security of the state.
Responsibility for violation
Kazakhstan
The legislation of Kazakhstan is not as harsh in punishing violations of the legislation on personal data.
Thus, according to Article 79, "Violation of the legislation of the Republic of Kazakhstan on personal data and their protection":
- Illegal collection and (or) processing of personal data, if these acts do not contain signs of a criminally punishable act,
entail a fine for individuals in the amount of ten, for officials, private notaries, private bailiffs, lawyers, small businesses or non-profit organizations – in the amount of twenty, for medium-sized businesses – in the amount of thirty, for large businesses – in the amount of seventy monthly calculation indices, with or without confiscation of items and (or) instruments of an administrative offense.
- The same acts committed by the owner, operator or a third party using their official position, if these actions do not entail criminal liability established by law –
entail a fine for individuals in the amount of fifty, for officials, small businesses or non-profit organizations – in the amount of seventy-five, for medium-sized businesses – in the amount of one hundred, for large businesses – in the amount of two hundred monthly calculation indices, with or without confiscation of items and (or) instruments of an administrative offense.
- Non-compliance by the owner, operator or a third party with measures to protect personal data, if this act does not contain signs of a criminally punishable act, –
entails a fine for individuals in the amount of fifty, for officials, small businesses or non-profit organizations – in the amount of one hundred, for medium-sized businesses – in the amount of one hundred and fifty, for large businesses – in the amount of two hundred monthly calculation indices.
- The act provided for in part three of this article, which entailed the loss, illegal collection and (or) processing of personal data, if these acts do not entail criminal liability established by law, –
entails a fine for individuals in the amount of two hundred, for officials, small businesses or non-profit organizations – in the amount of five hundred, for medium-sized businesses – in the amount of seven hundred, for large businesses – in the amount of one thousand monthly calculation indices.
Uzbekistan
Recent amendments to the Criminal Code and the Code of Administrative Responsibility have toughened penalties in the field of violations of personal data legislation. Thus, the changes will come into force on January 30, 2022:
Article 141-2 of the Criminal Code (violation of the legislation on personal data) will now be set out as follows (BRV at the time of publication is 270K USD):
Illegal collection, systematization, storage, modification, addition, use, provision, distribution, transfer, depersonalization and destruction of personal data, as well as non-compliance with the processing of personal data of citizens of the Republic of Uzbekistan using information technologies, including on the world information network Internet, requirements for the collection, systematization and storage of personal data on technical means physically located on the territory of the Republic of Uzbekistan, and in personal data databases, registered in accordance with the established procedure in the State Register of Personal Data databases, committed after the application of an administrative penalty for the same actions, is
punishable by a fine of 100 to 150 basic calculated values or deprivation of a certain right for up to 3 years or correctional labor for up to 2 years.
The same actions:
a) committed by prior agreement by a group of persons;
b) committed repeatedly or by a dangerous recidivist;
c) committed from selfish or other base motives;
d) committed using official position;
e) entailed grave consequences, —
shall be punished by a fine of 150 to 200 basic calculated values or correctional labor from two to three years or restriction of liberty from 1 to 3 years or imprisonment for up to 3 years.
Article 46-2 of the Administrative Code (violation of the legislation on personal data) is set out in almost the same way, and the punishment is tougher.
"Illegal collection, systematization, storage, modification, addition, use, provision, distribution, transfer, depersonalization and destruction of personal data, as well as non-compliance with the processing of personal data of citizens of the Republic of Uzbekistan using information technologies, including on the world information network Internet, requirements for the collection, systematization and storage of personal data on technical means physically located on the territory of the Republic of Uzbekistan, and in personal data databases, registered in accordance with the established procedure in the State Register of Personal Data databases".
Now administrative responsibility for violation of this article entails a fine of 7 BRV for citizens, 50 BRV for officials.
Authorised bodies in the field of personal data protection:
Kazakhstan
The authorized body in the field of personal data protection is the central executive body that provides guidance in the field of personal data protection. It:
- participates in the implementation of the state policy in the field of personal data and their protection;
- develops the procedure for the implementation by the owner and (or) the operator, as well as by a third party of measures to protect personal data;
- develops rules for determining by the owner and (or) operator the list of personal data necessary and sufficient to perform the tasks performed by them;
- considers the requests of the subject or his legal representative on the compliance of the content of personal data and methods of their processing with the purposes of their processing and makes an appropriate decision;
- takes measures to bring persons who have committed violations of the legislation of Kazakhstan on personal data and their protection to responsibility established by the laws of Kazakhstan;
- requires the owner and/or operator, as well as a third party to clarify, block or destroy false or illegally obtained personal data;
- implements measures aimed at improving the protection of the rights of subjects;
- approves the rules for the collection and processing of personal data;
- approves the rules for conducting a security survey of the processes of storing, processing and distributing restricted personal data contained in electronic information resources, in coordination with the National Security Committee of Kazakhstan;
- exercises other powers provided for by this Law, other laws of Kazakhstan, acts of the President and the Government.
Uzbekistan
State regulation in the field of personal data is carried out by the Cabinet of Ministers of the Republic of Uzbekistan and the authorized state body in the field of personal data.
Cabinet of Ministers:
- implements the state policy in the field of personal data;
- participates in the development and implementation of state and other programs in the field of personal data;
- approves the Standard Procedure for processing personal data;
- approves the Standard Procedure for organizing the activities of a structural subdivision or an authorized person of the owner and (or) operator who ensures the processing of personal data and their protection;
- maintains the State Register of Personal Data Databases;
- issues a certificate of registration of the personal data database in the State Register of Personal Data Databases;
- carries out, within the limits of its powers, state control over compliance with the requirements of the legislation on personal data;
- submits proposals to the Cabinet of Ministers of the Republic of Uzbekistan on improving the regulatory framework in the field of personal data;
- sends to the state bodies authorized in the field of state security, in relation to the scope of their activities, the established information;
- determines the required level of personal data security;
- analyzes the volume and content of the processed personal data, the type of activity, the reality of threats to the security of personal data;
- introduces mandatory instructions for legal entities and individuals to eliminate violations of the legislation on personal data;
- cooperates with the competent authorities of foreign states and international organizations in the field of personal data.
For further information, please contact:
Saniya Perzadayeva, Managing Partner, Unicase Law Firm
saniya.p@unicaselaw.com
Taras Shevchenko 21A, BC Gross Plaza, Tashkent 100060, Republic of Uzbekistan
info@unicaselaw.com
www.unicaselaw.com