Law No. 94-V Kazakhstan

• May 21, 2013: Law enacted.
• November 2013: Law takes effect.
• Multiple amendments: Updated several times, including major revisions in 2021, 2022, and 2025.
• Latest amendments: Effective January 7, 2025.

• All organizations processing personal data in Kazakhstan, including public and private entities.
• Foreign businesses processing data of Kazakhstani residents, provided they operate within Kazakhstan or use local data processing infrastructure.
• Entities handling sensitive data, such as biometric, health, financial, or criminal records.

• Personal data processing for exclusively personal or household purposes.
• Government agencies processing data for national security, law enforcement, taxation, or crime prevention.
• Journalistic, literary, artistic, or academic research where ethical guidelines are followed.

• Lawful Processing: Data collection must have a legal basis such as consent, contractual necessity, or legal obligation.
• Purpose Limitation: Data must only be used for the purpose it was collected.
• Data Security: Organizations must implement technical and organizational measures to prevent data breaches.
• Accountability: Data controllers must maintain compliance records and appoint responsible officers where required.

• Cookie Consent: Websites must obtain consent before storing non-essential cookies.
• Privacy Notice: A clear and accessible privacy policy must be provided.
• User Rights Portal: Websites should offer an interface for users to exercise their data rights.
• Secure Data Transmission: Websites must encrypt personal data collected via forms.

• Cross-Border Data Transfers: Allowed only if the receiving country provides an adequate level of protection or specific safeguards are implemented.
• Data Protection Officer (DPO): Required only for operators processing large-scale or sensitive personal data, as per legal requirements.
• Impact Assessments: While not explicitly mandated, businesses must implement security measures to mitigate risks associated with high-risk processing activities, including profiling and credit reporting.

• Access: Individuals can request copies of their personal data.
• Rectification: Right to correct inaccurate or incomplete data.
• Erasure: Right to request deletion of personal data under specific conditions.
• Portability: Right to obtain and transfer personal data in a structured format.
• Objection: Right to refuse data processing for direct marketing or other purposes.

Restriction: Right to limit processing in specific circumstances.

• Regulatory Body: The Ministry of Digital Development, Innovations, and Aerospace Industry, along with the Personal Data Protection Authority, oversees enforcement.
• Fines: Penalties range from 100 to 10,000 Monthly Calculation Index (MCI) (~$300 to $30,000 USD) depending on the severity of the violation.
• Sanctions: In severe cases, businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment.