Free checklists and diagnostics of operations on personal data collection and processing for compliance with Kazakhstan laws
Free checklists and diagnostics of operations on personal data collection and processing for compliance with Kazakhstan laws
The purpose of this alert is to prepare a checklist with requirements to personal data collection and processing, which are to be introduced by every entrepreneur in its business processes, while entrepreneurs have a lot of obligations in this area.
The Law of the Republic of Kazakhstan "On Personal Data and Protection Thereof" (the "Personal Data Law") was amended twice during summer 2020. The amendments impose a number of new obligations on entrepreneurs. One of the amendments obligates to appoint a person responsible for the arrangement of personal data processing in a company (applicable only to legal entities).
Apart from new obligations, there are also "old" obligations related to processing of personal data which entrepreneurs could forget about. In 2013, the Rules were approved for the implementation of measures by owners, operators and third parties to protect personal data. Most of the provisions in the named Rules are general provisions that duplicate the Personal Data Law, however, the Rules contain a number of specific measures for the protection of personal data.
The checklist below illustrates the requirements of the law that are to be met by entrepreneurs regardless of the area of their activities.
Please note that our lawyers are willing to conduct free diagnostics of personal data collection and processing documents of your company for compliance with the below requirements of the Personal Data Law and subordinate laws. The terms of free diagnostics are detailed below.
Requirement |
Normative act |
Comment |
To approve a list of personal data necessary and sufficient to perform the objectives of an entity |
Article 12.1 and Article 25 of the Personal Data Law and the Decree of the RK Government No. 1214 dated 12 November 2013
|
The normative acts describe in detail the procedure for approving this list of personal data. The procedure should be documented, for example, by an order on the appointment of a person responsible for drafting a list of personal data or by a contract with external consultants for the preparation of such list |
To elaborate a letter of consent to the collection and processing of personal data |
Articles 7 and 8 of the Personal Data Law |
A letter of consent may be incorporated into the Policy for Personal Data Collection and Processing. In such case, before giving a consent, an individual must first be familiarized with the said Policy. The entrepreneurs must keep the obtained letters of consent to confirm that the consent to the processing of data has been given |
To approve the Policy for Ensuring Confidentiality of Personal Data |
Implied by a number of legislative provisions, including Article 11 of the Personal Data Law, and also the Decree of the RK Government No. 909 dated 3 September 2013
|
Legal acts require entrepreneurs to ensure confidentiality of personal data, comply with the conditions for storing personal data carriers, appoint persons responsible for the implementation of measures to ensure confidentiality of data. These and other measures must be recorded in internal policies of entities, otherwise it is impossible to establish and follow the specified procedures. The confidentiality policy may be made broader and cover, apart from confidentiality issues, other issues on collection and processing of personal data |
To determine places for storage of personal data, carriers thereof and establish a list of persons to collect and process personal data or have access to the databases with personal data |
The Decree of the RK Government No. 909 dated 3 September 2013
|
Such provisions may form a part of a policy for ensuring confidentiality of personal data |
To appoint a person responsible for the arrangement of personal data processing in a company |
Article 25 of the Personal Data Law |
It is the new requirement of the Law. Such person's main function is to monitor compliance by a company with the legislation on personal data |
To approve a policy for monitoring compliance by a company and its employees with the legislation on personal data |
Implied by Article 25 of the Personal Data Law |
This requirement is not expressly stated but is implied by the law. The Personal Data Law vests certain functions upon an officer responsible for arranging the personal data processing. The procedures that will allow to perform the above functions must be developed, described, and then implemented |
Please note that the liability, both administrative and criminal, for the illegal collection and/or processing of personal data or for the failure to comply with the measures to protect personal data existed earlier as well. The novelty concerns the procedure for brining an entity to administrative liability. Before the recent amendments to the Personal Data Law, it was an administrative court which was competent to decide on holding an entity administratively liable.
Now, the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (the “Ministry of Digital Development”) is appointed as a state body of the Republic of Kazakhstan which will perform the functions of the regulator of relations related to the processing of personal data in Kazakhstan. The Ministry of Digital Development is empowered to prosecute entrepreneurs for violation of legislation on personal data.
The Ministry of Digital Development will determine certain obligations of entrepreneurs in the area of personal data processing. It is expected that the Ministry will elaborate a procedure for taking measures to protect personal data, and the rules for the collection and processing of personal data. We will keep you informed on developments in this area via our regular alerts.
***
TKL is ready to conduct free diagnostics of a limited number of entrepreneurs for compliance with the above-mentioned requirements of the law. This will include reviewing documents of an entity to check whether they contain necessary procedures and processes that must be implemented in the entity's activities. We will also check the content of a letter of consent to processing of personal data and the method of obtaining such a consent (through the Internet, mobile application or otherwise) for compliance with Kazakhstan laws.
The outcome of our diagnostics will be brief recommendations for eliminating any non-compliance with the legislation of Kazakhstan. The recommendations may be prepared in Russian or in English, at the option of an applicant.
Depending on our workload, we may stop accepting applications at any time. The free diagnostic does not include implementation of recommendations/elimination of non-compliance with legislation.
Should you have any question please do not hesitate to contact us, and we will be happy to help you and your business. Please send the applications for free diagnostic to Nataliya Shapovalova by email to ns@tkl.kz, or by calling at 8 701 768 64 27.