New obligations for IT companies from July 1, 2024. A leak of personal data will no longer go without mandatory notification of its owner by the state. Legal Alert. April 2024.

From July 1, 2024, provisions establishing new obligations for participants in Kazakhstan's IT market, as well as a mandatory procedure for notifying the owner of personal data of a violation of his rights, come into force in Kazakhstan.

On December 11, 2023, the Law of the Republic of Kazakhstan "On Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information Security, Informatization and Digital Assets" No. 44-VIII was adopted.

According to article 2, the Law comes into force 60 calendar days after the date of its first official publication (i.e. from February 13, 2024).

At the same time, this article also provides that certain provisions of the Law will come into force on July 1, 2024. So what will change from July 1, 2024, and what new obligations will take effect?

· Subparagraph 8) of paragraph 2 of Article 25 of the Law of the Republic of Kazakhstan "On Personal Data and their protection" No. 94-V dated May 21, 2013:

From July 1, 2024, the owner and (or) the operator of the personal data database is obliged, within one working day from the moment a violation of the security of personal data (PD) is detected, to notify the authorized body of the violation, indicating the contact details of the person responsible for organizing the processing of personal data (if any).

Thus, under this provision, if a company that collects, stores and processes PD detects, for example, a leak of PD or other unauthorized access to PD, it is obliged to notify the ICRIAP RK within 1 day.

It seems that market participants have legitimate questions: what is considered the moment of detection of a PD security violation? In what form and format is such a notification sent to the ICRIAP RK? And, most importantly, what liability will apply to those who do not fulfill these requirements or do not fulfill them on time?

· Law of the Republic of Kazakhstan "On Informatization" No. 418-V ZRK dated November 24, 2015:

From July 1, 2024, the Operational Information Security Center (and the Information Security Incident Response Service) notifies the authorized body in the field of personal data protection (ICRIAP RK) of a violation of personal data security within one working day from the moment the violation is detected.

In addition, the amendments to the Law on Informatization provide that the Operator (i.e. JSC National Information Technologies), based on information received from the authorized body in the field of personal data protection (i.e. ICRIAP RK), notifies personal data subjects of a violation of personal data security or of the processing of personal data by sending information to the user's account on the e-government web portal or to their cellular subscriber number in the form of a short text message.

Thus, to summarize the changes coming from July 1, 2024: companies that collect, process, store or otherwise handle the personal data of Kazakhstanis are required to inform ICRIAP RK of security violations in relation to PD within 1 business day.

In addition, as far as we can see from the provisions of the legislation, the individual will then be informed of what happened to his PD by a notification from JSC National Information Technologies.

Taking into account the above, Kazakhstani companies should pay significant attention to meeting the requirements of the law on personal data protection. Take this issue seriously, since it is possible that, upon receiving such notifications, many Kazakhstanis will turn not only to the authorized bodies but also to the courts to protect their rights.

Genghis Oralbayev

Lawyer at Solis Law Firm

+ 7 702 945 06 21 (WhatsApp) 

Applicable links:

1. The Law of the Republic of Kazakhstan "On Informatization" No. 418-V ZRK dated November 24, 2015 (https://adilet.zan.kz/rus/docs/Z1500000418#z1172);

2. The Law of the Republic of Kazakhstan "On Personal Data and their protection" No. 94-V dated May 21, 2013 (https://adilet.zan.kz/rus/docs/Z1300000094);

3. The Law of the Republic of Kazakhstan "On Amendments and Additions to Certain Legislative Acts of the Republic of Kazakhstan on Information Security, Informatization and Digital Assets" No. 44-VIII (https://adilet.zan.kz/rus/docs/Z2300000044#z204).
