
Navigating Compliance with Kazakhstan’s PDPL




1. WHITEPAPER, OCTOBER 2024
Navigating Compliance with Kazakhstan's Personal Data Protection Law (PDPL)
Best Practices for Organizations
All rights reserved by Tsaaro Consulting

2. TABLE OF CONTENTS

Overview
Chapter 1: Introduction to Kazakhstan PDPL
  Objectives
  Fundamental Principles
Chapter 2: Understanding Scope & Applicability of Kazakhstan PDPL
  Who is governed by PDPL
  Exceptions to the PDPL
  Additional Provisions
Chapter 3: Key Provisions of the Kazakhstan PDPL
  Consent Requirement (Article 7)
  Data Subject Rights
  Breach Notifications
  Trans-Border Transfer
  Penalties for Non-Compliance
Chapter 4: Comparison with Global Standards
Chapter 5: Why there is a need for Compliance with PDPL and how to comply
Chapter 6: Actionable Compliance Strategies
Chapter 7: Key Recent Amendments
Chapter 8: Conclusion

www.tsaaro.com

3. NAVIGATING COMPLIANCE WITH KAZAKHSTAN'S PERSONAL DATA PROTECTION LAW (PDPL)

OVERVIEW

In recent years, Kazakhstan has witnessed a heightened awareness of digital data privacy, as individuals and organizations increasingly rely on digital technologies. This shift has made safeguarding personal information a critical priority. The Personal Data Protection Law (PDPL) serves as a crucial regulatory framework, aiming to protect individuals' privacy rights and establish clear obligations for organizations handling personal data. However, the implementation of the PDPL presents several challenges, particularly regarding:
- Compliance Uncertainty: Evolving regulations create confusion about compliance requirements.
- Inconsistent Practices: Lack of standardized guidelines results in varied data protection practices across organizations.
- Limited Awareness: Many businesses struggle to fully understand the PDPL, leading to compliance gaps.
- Increased Legal Risks: Challenges in understanding and implementing the law heighten the risk of non-compliance.

To address these issues, this whitepaper aims to provide:
- Core Requirements: An in-depth overview of Kazakhstan's PDPL.
- Practical Strategies: Guidance on ensuring compliance and managing cross-border data transfers.
- Regulatory Alignment: A comparison with global standards, such as the GDPR.

This whitepaper is designed for:
- Business Leaders: Executives navigating data privacy challenges in their operations.
- Legal Professionals: Those involved in data protection law.
- Compliance Officers: Individuals responsible for ensuring adherence to regulations.
- Data Protection Officers (DPOs): Professionals managing personal data protection within organizations.

By providing actionable insights and strategies, this whitepaper aims to empower organizations to enhance their data protection practices.

4. KAZAKHSTAN PDPL - KEY DATES

May 21, 2013: Kazakhstan's journey towards data protection began with the Parliament enacting Law No. 94-V, "On Personal Data and Its Protection".
September 3, 2013: Building on this foundation, the Government established measures for data protection by data owners, operators, and third parties.
November 12, 2013: Further clarifying the law's scope, the Government defined the list of personal data necessary for lawful processing.
February 26, 2016: The Government specified the types of personal data eligible for inclusion in state electronic information resources.
July 1, 2021: The PDPL was significantly strengthened with amendments passed by the Parliament, ushering in a new era of data protection.
October 21, 2021: The Ministry of Digital Development, Innovations and Aerospace Industry issued detailed rules for collecting and processing personal data, providing further guidance to organizations. These rules came into effect on November 10, 2021. They were amended twice, by orders of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan dated 31.03.2022 and 18.04.2023.
July 1, 2022: The grace period for organizations to comply with the enhanced regulations from the July 2021 amendments came to an end.
December 29, 2022: The President signed a law further clarifying and strengthening data protection provisions, including those related to government oversight and enforcement.
February 11, 2024: Kazakhstan introduced a new requirement for mandatory data breach notification, aligning its laws with international best practices.

Source: https://www.morganlewis.com/-/media/files/publication/outside-publication/article/2023/data-protection-in-kazakhstan-overview.pdf/1000

5. CHAPTER 1: INTRODUCTION TO KAZAKHSTAN PDPL [1]

The PDPL plays a key role in the country's efforts to bring its privacy standards in line with international best practices. Adopted to protect the rights of individuals and regulate the collection, processing and storage of personal data, the PDPL has become a vital legal basis for businesses and institutions operating in Kazakhstan. Originally passed in 2013, the Act has undergone amendments to strengthen data subject rights, introduce clearer compliance obligations and increase accountability for data breaches.

OBJECTIVES

The PDPL aims to establish a comprehensive framework for safeguarding personal data while ensuring compliance with international standards. Its key objectives include:
- Creating a comprehensive system for the protection of personal data.
- Ensuring the lawful processing of personal data.
- Guaranteeing individuals the right to access, rectify, or delete their personal information.
- Mandating secure cross-border data transfers.
- Laying the groundwork for penalties in cases of non-compliance.

The law reflects the growing recognition of data confidentiality as a fundamental right, and the influence of international rules, in particular the EU's General Data Protection Regulation (GDPR). The PDPL also aims to create a legal environment that emphasizes transparency and security, supports trust in Kazakhstan's digital ecosystem, and reduces the risks that come with rapid technological advancements.

FUNDAMENTAL PRINCIPLES

Article 5 of the PDPL outlines the core principles guiding the collection, processing, and protection of personal data. These principles emphasize:
- Safeguarding the constitutional rights and freedoms of individuals.
- Ensuring that all personal data activities are conducted legally and with respect for privacy.
- Mandating the confidentiality of restricted personal data.
- Promoting equality among data subjects, owners, and operators.
- Emphasizing the need to ensure the security of individuals, society, and the state throughout data processing activities.

6. This approach reinforces the PDPL's commitment to comprehensive data protection.

KEY DEFINITIONS

Personal Data: Defined as details pertaining to a data subject, which may be recorded in electronic, paper, or other physical formats.
Owner: Refers to the state body, individual, or legal entity that possesses, utilizes, and governs personal data in accordance with the laws of the Republic of Kazakhstan.
Operator: Denotes the state body, individual, or legal entity responsible for the collection, processing, and protection of personal data.

The PDPL classifies personal data into two categories:
- Publicly available data: This type of data can be made public with the consent of the data subject and is generally not subject to confidentiality requirements.
- Restricted data: Access to this data is limited by other laws, ensuring greater protection.

Additionally, the PDPL defines biometric data as personal data that characterizes an individual's physiological and biological traits, enabling their identification. While specific guidelines for processing biometric data are not provided within the law, it mandates that confidentiality requirements for such data must be established by other relevant laws.

7. CHAPTER 2: UNDERSTANDING SCOPE & APPLICABILITY OF KAZAKHSTAN'S PDPL [2]

The Law of the Republic of Kazakhstan on Personal Data and Its Protection safeguards the personal data of individuals, referred to as "data subjects." The Personal Data Protection Law (PDPL) defines data subjects as those whose personal information is being collected, processed, or stored, ensuring their rights to privacy and data security.

Who is governed by PDPL?
- Data subjects, database owners, and database operators (similar to data controllers).
- Individuals and legal entities located in Kazakhstan.
- Foreign individuals and legal entities operating within Kazakhstan. This includes representative offices and branches of foreign legal entities registered in Kazakhstan, provided they engage in the collection and processing of personal data within the territory of Kazakhstan, unless otherwise stated by Kazakhstan's laws or ratified international treaties.

This wide applicability reinforces the law's intent to protect personal data across various sectors and actors, both domestic and international.

Extraterritorial Effect
The PDPL does not possess extraterritorial effect. Consequently, it governs both foreign and Kazakh residents in matters of personal data collection and processing within Kazakhstan. However, the mechanisms for enforcing relevant sanctions against foreign legal entities remain ambiguous.

Exceptions to the PDPL
The following exceptions apply:
- Personal and Family Use: The PDPL does not extend to personal and family data use, provided that such use does not infringe upon the rights of others or violate relevant laws.
- National Archive Fund: Activities concerning the generation, storage, and use of documents within the National Archive Fund are also exempt.

8. - State Secrets: Personal data classified as state secrets, or collected during intelligence, counterintelligence, and security operations, falls under the jurisdiction of other laws, such as the Law on State Secrets.

Additional Provision
The PDPL permits supplementary regulations through other laws and presidential decrees, thereby highlighting the interrelationship between various legal frameworks within Kazakhstan's data protection regime.

CHAPTER 3: KEY PROVISIONS OF THE KAZAKHSTAN'S PDPL [3]

Enacted to align with global data protection standards, the PDPL outlines comprehensive regulations governing the collection, processing, storage, and distribution of personal data. This chapter delves into the key provisions of the PDPL, highlighting essential requirements such as consent management, data subject rights, breach notification obligations, trans-border data transfers, and penalties for non-compliance. [3]

Consent Requirement (Article 7)
The collection and processing of personal data necessitate obtaining consent from the data subject or their legal representative.

When is Consent Required?
Consent is needed for the following activities related to personal data:
- Accumulation: Gathering personal data from various sources.
- Storage: Keeping personal data in a database or storage system.
- Modification: Changing or updating existing personal data.
- Use: Utilizing personal data for any purpose.
- Distribution: Sharing personal data with third parties.
- Depersonalization: Altering personal data to remove identifying information.
- Blocking: Temporarily preventing access to personal data.
- Destruction: Permanently deleting personal data from all records.

9. How to obtain Consent? (Article 8)
Consent may be obtained through:
- Written consent
- State or non-state services
- Any verifiable method of consent receipt

Key Elements of a Consent Notice (Article 8.4)
- Operator's Name: Clearly state the entity collecting personal data.
- Subject's Identification: Provide details about the individual.
- Validity Period of Consent: Indicate how long the consent is valid.
- Details on Third-Party Transfers: Specify if data will be shared with others.
- Potential Cross-Border Data Transfers: Inform about data transfers to other countries.
- List of Personal Data Collected: Clearly outline types of personal data.
- Purpose of Data Collection: Explain why the data is collected.
- Method of Consent: Describe how consent is obtained.
- Right to Withdraw Consent: Inform about the right to revoke consent.
- Contact Information: Provide details for data protection queries.

Circumstances for Collection Without Consent
Collection without consent is allowed for:
- Law enforcement and administrative activities
- State statistical work using anonymized data
- Fulfillment of international treaties
- Protection of constitutional rights when consent is unattainable
- Legitimate journalistic and media activities
- Public office candidacy, tax and customs administration, financial regulation
- Situations where legally mandated information isn't provided

Important Note
- Exhaustive List Requirement: Operators must not use vague wording when collecting additional personal data.
- Contracting Alone Is Not Enough: A contract does not replace the need for explicit consent.

10. (Article 7) Key considerations include:
- Processing must be limited to the minimum data necessary to achieve the stated purposes.
- Personal data cannot be repurposed without obtaining further consent from the data subject.

Data Subject Rights

Under Article 24.1 of the PDPL, personal data subjects are granted a comprehensive set of rights aimed at ensuring transparency, control, and protection over the handling of their personal data. These rights empower individuals to actively engage in the management of their personal information and to seek redress in cases of misuse. The specific rights include:

Right to be Informed (Article 24.1): Individuals have the right to know whether their personal data is being held by an owner, operator, or third party. They are entitled to receive detailed information about:
1. The fact and purpose of data collection
2. The source of the data
3. The methods of data processing
4. The specific types of data collected
5. The timeframe for which the data will be processed and stored

Right to Access (Article 24.1): Individuals or their legal representatives can request access to their personal data. Requests can be submitted in writing, electronically, or through any other legally permissible method that ensures the integrity of the data during transmission.

Right to Rectification (Article 24.1): Data subjects can request the correction or supplementation of their personal data if inaccuracies are found. Such requests must be supported by relevant documentation to justify the changes.

Right to Erasure (Right to be Forgotten) (Article 24.1): Individuals can request the blocking or destruction of their personal data if it has been collected or processed in violation of the law. This right also applies if continued retention or use of the data is no longer necessary or lawful.

11. Right to Object or Opt-Out (Article 24.1): This empowers individuals to revoke their consent for data collection, processing, public distribution, transfer to third parties, or cross-border transfers, except in specific cases outlined by law. They can also consent to or object to the publication of their personal data in public sources.

Right to Protection of Legal Interests (Article 24.1): Individuals can seek legal recourse for any violation of their personal data rights, with provisions for compensation for both moral and material damages arising from unlawful data processing.

Right Not to be Subject to Automated Decision-Making (Article 24.1): Although the PDPL does not recognize the right to data portability, it protects individuals from decisions based solely on automated data processing. Decisions impacting a person's legal rights or interests cannot be made through automated processes unless explicit consent is provided or the decision is permitted by law. Owners or possessors of electronic information resources are obligated to inform individuals when such automated processes are being used.

These rights collectively reflect Kazakhstan's commitment to upholding data privacy and empowering individuals in their interactions with personal data.

Breach Notifications

In the event of a breach, Article 22 outlines the following requirements for data controllers:
- Immediate Notification: Data controllers must notify the relevant authorities as soon as a breach is discovered.
- Informing Affected Individuals: If the breach poses a risk to individuals' rights or freedoms, affected individuals must be informed.
- Reporting to Authorities: The owner or operator of the data is required to notify the authorized body, the Ministry of Digital Development, within one business day of discovering the breach.
- Notification Content: The notification must include the contact details of the person responsible for overseeing the data processing, if available (Article 25.2.8).

In addition, the law includes provisions for the handling of personal data collected or processed in violation of legislation:
- Removal of Data: Any such personal data must be removed from publicly available sources within one business day at the request of the data subject, their legal representative, or by a court order or decision from a state authority.

12. - Responsibility for Costs: The costs associated with the removal or destruction of such data are to be borne by the owner, operator, or third party responsible for processing the data.
- Revocation of Consent: If a data subject revokes their consent for the distribution of their personal data, the costs of removing the data from public sources may be determined by the court (Article 6).
- Voluntary Cyber-Insurance: The PDPL allows for voluntary cyber-insurance to cover property damage caused to personal data subjects, data owners, operators, or third parties in the event of a breach (Article 23-1).

This highlights the law's commitment to ensuring accountability and financial protection in cases of data-related incidents.

Trans-Border Transfer

The Law of the Republic of Kazakhstan outlines the legal framework for the trans-border transfer of personal data. According to Article 16, personal data can be transferred outside Kazakhstan's borders only to countries that offer an adequate level of data protection in line with Kazakhstan's legal standards. This requirement ensures that personal data remains protected even when it crosses international borders, maintaining the integrity and confidentiality of the information.

Exceptions: Transfers to countries without adequate data protection may occur under specific conditions:
- Explicit Consent: Obtaining consent from the data subject or their legal representative.
- International Treaties: Transfers authorized by international treaties ratified by Kazakhstan.
- Urgent Situations: Transfers may proceed without consent if necessary for:
  - Safeguarding constitutional order.
  - Protecting public security.
  - Upholding citizens' rights and freedoms.
  - Addressing public health and morality.

Kazakhstan's legal framework also allows for the restriction or prohibition of cross-border data transfers if deemed necessary by national law. This ensures that the country maintains control over the transfer of sensitive information when international data protection standards are not met.

13. Moreover, specific regulations govern the transfer of service-related data concerning subscribers or users of communication services, as detailed in the "Law on Communications." These provisions offer additional safeguards for data in transit, reinforcing Kazakhstan's commitment to protecting personal data both domestically and internationally.

Penalties for Non-Compliance

Legal Framework: Non-compliance may result in penalties under:
- Article 29 of the PDPL.
- Article 79 of the Kazakhstan Administrative Code.

Administrative Fine: Range from 50 to 100 Monthly Calculation Indicators (MCI). As of 2024, this equates to approximately 145,850 KZT to 291,700 KZT.
Repeated Violation: Fines may increase significantly for repeat offenders, potentially reaching 200 MCI or more.
Criminal Penalties: Severe violations may lead to imprisonment under the Kazakhstan Criminal Code for individuals responsible.
Legal Consequences: Organizations may face lawsuits or claims for damages from affected data subjects.
Regulatory Authority Powers: Authorities can inspect organizations for compliance and impose penalties for violations.

Enforcement of the PDPL is developing, with courts increasingly addressing violations. Courts are upholding the rights of personal data subjects, emphasizing the necessity of compliance.

14. CHAPTER 4: COMPARISON WITH GLOBAL STANDARDS

As Kazakhstan seeks to enhance its digital economy, understanding the nuances of its PDPL in relation to global standards can reveal strengths, weaknesses, and opportunities for improvement. This chapter compares Kazakhstan's Personal Data Law with data protection frameworks from other countries, highlighting the similarities and differences in data subject rights, consent requirements, data breach notifications, fines and penalties, and data localization measures.

| S. No. | Country | Consent Requirements | Data Subject Rights | Data Breach Notification | Fines and Penalties | Data Localization |
|---|---|---|---|---|---|---|
| 1 | Kazakhstan (Personal Data Law) [4] | Explicit consent required for processing | Access, rectification, erasure, objection, compensation | Mandatory notification to authorities and affected individuals | Penalties for data protection violations range from fines of €75 to €37,425, and imprisonment up to 7 years | Data must be stored within Kazakhstan |
| 2 | India (DPDPA) [5] | Explicit consent required | Access, correction, erasure, data portability | Mandatory notification to authorities and affected individuals | Fines, imprisonment | Data localization for critical personal data |
| 3 | EU (GDPR) [6] | Explicit consent required, with specific conditions | Access, rectification, erasure, portability, objection | Mandatory notification within 72 hours | Heavy fines up to 4% of global turnover | No specific localization requirement, but strict transfer rules |
| 4 | USA (CCPA) [7] | Opt-in consent for sensitive data, opt-out for others | Access, deletion, opt-out of sale | Varies by state, generally required | Fines, lawsuits | No federal localization requirement, varies by state |
| 5 | Canada (PIPEDA) [8] | Implied consent for most activities, explicit for sensitive data | Access, correction, withdrawal of consent | Mandatory notification to authorities and affected individuals | Fines, orders to comply | No specific localization requirement |

15. Kazakhstan's Personal Data Law provides a foundational framework for data protection that aligns with various global standards, yet there are notable differences that reveal both challenges and opportunities for improvement. While it shares similarities with GDPR and DPDPA, aspects such as data localization requirements and the severity of penalties may need refinement to enhance compliance and protection measures. As Kazakhstan continues to evolve its data protection regulations, learning from global best practices will be essential to foster trust and safeguard individual privacy rights.

16. CHAPTER 5: WHY THERE IS A NEED FOR COMPLIANCE WITH THE PDPL AND HOW TO COMPLY

In Kazakhstan, administrative fines have been imposed on various entities for non-compliance with personal data protection measures. These include:
- one major local bank for violating personal data protection measures,
- two private internet resources for distributing personal data obtained illegally,
- one telecommunications operator for failing to take necessary measures to protect personal data,
- two apartment complex management companies for distributing personal data illegally through messenger services,
- six commercial companies for distributing personal data illegally to third parties,
- one state official for passing personal data to third parties illegally. [9]

In Kazakhstan, the Ministry of Digital Development, Innovation and Aerospace Industry is the key authority overseeing the enforcement of the Personal Data Protection Law. This Ministry is responsible for ensuring compliance, conducting inspections, and identifying violations. Common violations found during inspections include the lack of designated personnel for data management, failure to notify authorities about data security incidents, and inadequate use of identification and authentication methods by employees handling sensitive data. Non-compliance with the law can lead to both administrative and criminal penalties, affecting nearly all companies that process employee or customer data.

Companies are obligated to do the following to ensure compliance under the PDPL:
- Approve a list of personal data necessary and sufficient for carrying out operations.
- Appoint a person responsible for organizing personal data processing.
- Adopt and comply with all necessary personal data protection measures.
- Ensure personal data is stored in a database located in Kazakhstan.
- Obtain the subject's consent for collecting and processing data.
- Comply with requirements on the cross-border transfer of personal data and its transfer to third parties.
- Destroy personal data once the reason for collecting and processing it has been achieved and the relevant storage period has passed.
- Provide information to the personal data subject within the terms provided by law.
- Take additional protection measures when processing restricted personal data.

17. CHAPTER 6: ACTIONABLE COMPLIANCE STRATEGIES

To comply with Kazakhstan's PDPL, companies need to adopt a comprehensive approach to ensure full compliance. The following steps outline key strategies and procedures businesses should implement for compliance:

Gap Assessment: Begin by conducting a detailed gap analysis to compare existing data protection practices against the PDPL's requirements. This helps identify areas where your organization may be non-compliant and require immediate action.

Data Mapping & RoPA (Records of Processing Activities): Create and maintain a detailed Record of Processing Activities (RoPA) to document the types of personal data collected, processing purposes, data subjects, and third-party data transfers. This ensures transparency and accountability throughout the data lifecycle.

Data Privacy Impact Assessments (DPIA): Conduct regular Data Privacy Impact Assessments to evaluate potential risks to individuals' data rights when introducing new processes or technologies. This ensures that privacy risks are identified and mitigated from the outset.

Consent Management: Consent to the collection and processing of personal data must include several key details, such as the full name and BIN (IIN) [10] of the data operator, the full name of the data subject, the duration for which the consent is valid, and whether personal data will be transferred to third parties during processing. Additionally, it must specify if cross-border data transfers will occur and if the personal data will be made available in public sources. A comprehensive list of the personal data being collected and processed must also be included. Other information may be added at the discretion of the data operator or owner.

Data Protection Measures: Enforce security measures like encryption, pseudonymization, and access controls to prevent unauthorized access, tampering, or data breaches.

Internal Controls & Monitoring: Set up comprehensive internal controls to monitor compliance with the PDPL. These controls should include regular audits, staff training, and ongoing risk assessments.

18. Incident Management & Breach Notification: Establish a formal incident response procedure to identify and respond to data breaches. Under PDPL, organizations must notify relevant supervisory authorities and affected individuals promptly in case of a data breach.

Third-Party Management: Review and update contracts with third-party service providers to ensure they comply with PDPL. Ensure proper data processing agreements (DPAs) are in place for any data-sharing activities.

Cross-Border Data Transfers: Comply with the PDPL's restrictions on international data transfers by ensuring recipient countries meet Kazakhstan's adequacy standards or by implementing appropriate safeguards such as Standard Contractual Clauses (SCCs). [10]

CHAPTER 7: KEY RECENT AMENDMENTS

As of 1 July 2024, the following new requirements under the PDPL (No. 44-VIII ZRK) have been introduced:
- Introduction of the concept of 'personal data security breach', requiring businesses to notify the Ministry of Digital Development, Innovation, and Aerospace Industry of any personal data breaches.
- Prohibition of collecting and processing physical copies of identity documents.
- The Digital Development Ministry has been granted the authority to implement governmental oversight, including conducting unscheduled inspections based on complaints or suspected violations.
- The law mandates the maintenance of a personal data database within Kazakhstan, including ensuring the installation of necessary information security tools and software updates.
- Companies are now required to implement cryptographic security measures and maintain event logs of database management systems when processing restricted personal data. [11]
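The consent-management strategy in Chapter 6 and the Chapter 3 rules it rests on (the Article 8.4 consent elements, the Article 7 limits on data minimisation and repurposing, and the Article 16 adequacy rule for trans-border transfers) translate naturally into a processing gate that refuses an operation unless a valid consent covers it. The following is an added example written for this page; it is not code from Tsaaro, from the whitepaper, or from any Kazakh regulator. The field names, the adequacy list and the sample consent record are constructed assumptions, and the code deliberately omits the "urgent situations" exception, which cannot be decided mechanically.

```python
"""Hypothetical consent/transfer gate modelled on the PDPL rules described in the
whitepaper. Field names, the adequacy list and the sample record are assumptions."""
from dataclasses import dataclass
from datetime import date

# Article 8.4 consent-notice elements; these key names are assumptions for the example
REQUIRED_CONSENT_FIELDS = (
    "operator_name", "subject_id", "valid_until", "third_party_transfer",
    "cross_border_transfer", "data_items", "purposes", "consent_method",
    "withdrawal_info", "contact",
)

# Constructed adequacy list for the example; the real list is fixed by Kazakh law
ADEQUATE_COUNTRIES = frozenset({"KZ", "DE", "FR"})


@dataclass(frozen=True)
class Consent:
    operator_name: str
    subject_id: str
    valid_until: date
    third_party_transfer: bool
    cross_border_transfer: bool
    data_items: frozenset
    purposes: frozenset
    consent_method: str
    withdrawal_info: str
    contact: str
    withdrawn: bool = False


def missing_elements(record: dict) -> list:
    """Article 8.4 elements absent or empty in a raw consent record.
    False is a valid answer ("no transfer"), so only None/empty values count as missing."""
    return [f for f in REQUIRED_CONSENT_FIELDS
            if record.get(f) is None or record.get(f) in ("", [], ())]


def load_consent(record: dict) -> Consent:
    """Build a Consent only from a complete notice; incomplete records are rejected up front."""
    missing = missing_elements(record)
    if missing:
        raise ValueError(f"consent notice incomplete, missing {missing}")
    return Consent(
        operator_name=record["operator_name"], subject_id=record["subject_id"],
        valid_until=record["valid_until"],
        third_party_transfer=record["third_party_transfer"],
        cross_border_transfer=record["cross_border_transfer"],
        data_items=frozenset(record["data_items"]), purposes=frozenset(record["purposes"]),
        consent_method=record["consent_method"], withdrawal_info=record["withdrawal_info"],
        contact=record["contact"], withdrawn=record.get("withdrawn", False),
    )


def processing_problems(consent: Consent, data_items, purpose: str, today: date) -> list:
    """Reasons the requested processing is not covered by the consent (empty list = allowed)."""
    problems = []
    if consent.withdrawn:
        problems.append("consent withdrawn (Article 24.1 right to object)")
    if today > consent.valid_until:
        problems.append("consent validity period has expired")
    extra = sorted(set(data_items) - consent.data_items)
    if extra:  # Article 7: only the data listed in the consent, minimum necessary
        problems.append(f"data not covered by consent: {extra}")
    if purpose not in consent.purposes:  # Article 7: no repurposing without fresh consent
        problems.append(f"purpose {purpose!r} not consented; repurposing needs fresh consent")
    return problems


def transfer_problems(consent: Consent, destination: str,
                      explicit_transfer_consent: bool = False, treaty: bool = False) -> list:
    """Article 16: transfer abroad freely only to adequate countries; otherwise only with
    explicit consent of the subject or under a ratified treaty (urgent cases not modelled)."""
    if destination in ADEQUATE_COUNTRIES:
        return []
    problems = []
    if not consent.cross_border_transfer:
        problems.append("consent notice does not disclose cross-border transfer")
    if not (explicit_transfer_consent or treaty):
        problems.append(f"{destination} is not on the adequacy list and no explicit "
                        "consent or ratified treaty covers the transfer")
    return problems


# Constructed sample consent record (not real data)
SAMPLE_RECORD = {
    "operator_name": "Example Operator LLP", "subject_id": "subject-0001",
    "valid_until": date(2025, 12, 31), "third_party_transfer": False,
    "cross_border_transfer": True, "data_items": ["name", "email"],
    "purposes": ["account_service"], "consent_method": "web form",
    "withdrawal_info": "email privacy@example.invalid", "contact": "privacy@example.invalid",
}


def demo() -> dict:
    """Run the gate over a few constructed cases and return the findings per case."""
    consent = load_consent(SAMPLE_RECORD)
    today = date(2025, 6, 1)
    return {
        "in_scope": processing_problems(consent, ["name"], "account_service", today),
        "repurposed": processing_problems(consent, ["name", "phone"], "marketing", today),
        "expired": processing_problems(consent, ["name"], "account_service", date(2026, 1, 1)),
        "to_adequate": transfer_problems(consent, "DE"),
        "to_other": transfer_problems(consent, "XX"),
        "to_other_with_consent": transfer_problems(consent, "XX", explicit_transfer_consent=True),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", "allowed" if not problems else problems)
```

The gate returns a list of reasons rather than a boolean so that each refusal can be written to the event log the 2024 amendments require for restricted data; an empty list is the only result that should let processing proceed.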

19. CHAPTER 8: CONCLUSION

Kazakhstan's Personal Data Protection Law provides a legal framework to safeguard personal data, aiming to align with global privacy standards. However, compliance with PDPL remains challenging due to the lack of a standardized framework, leading to inconsistent practices across organizations. Businesses can prepare by adopting prevailing best practices and available guidelines, including obtaining explicit consent, minimizing data collection, and enforcing comprehensive security measures. By doing so, organizations can ensure compliance, foster trust, and navigate the complexities of protecting personal data in Kazakhstan's digital environment.

Tsaaro Consulting can help you on this journey of compliance with our holistic data protection services.

20. BIBLIOGRAPHY

1. Article 24(2), 7, 25(8), 12(2) of the Law of the Republic of Kazakhstan dated 21 May, 2013 No. 94-V; Kazakhstan: Data Protection Overview, Penalties, Data Guidance, available at: https://www.dataguidance.com/notes/kazakhstan-data-protection-overview (last visited Sept. 26, 2024).
2. Article 24(2), 7, 25(8), 12(2) of the Law of the Republic of Kazakhstan dated 21 May, 2013 No. 94-V; Kazakhstan: Data Protection Overview, Penalties, Data Guidance, available at: https://www.dataguidance.com/notes/kazakhstan-data-protection-overview (last visited Sept. 26, 2024).
3. Article 24(2), 7, 25(8), 12(2) of the Law of the Republic of Kazakhstan dated 21 May, 2013 No. 94-V; Kazakhstan: Data Protection Overview, Penalties, Data Guidance, available at: https://www.dataguidance.com/notes/kazakhstan-data-protection-overview (last visited Sept. 26, 2024).
4. Article 24(2), 7, 25(8), 12(2) of the Law of the Republic of Kazakhstan dated 21 May, 2013 No. 94-V; Kazakhstan: Data Protection Overview, Penalties, Data Guidance, available at: https://www.dataguidance.com/notes/kazakhstan-data-protection-overview (last visited Sept. 26, 2024).
5. DPDPA, 2023, s. 9(2), 9(4).
6. GDPR, 2016, Articles 15, 16, 17, 20, 21, 7, 33, 83, 44, and 46.
7. CCPA, 2018, s. 1798.100, 1798.105, 1798.120, 1798.120, 1798.150, 1798.155.
8. PIPEDA, 2000, s. 4.9, 4.9.5, 4.3.8, 4.3, 10.1, 11.
9. Data Protection in Kazakhstan Overview, Deloitte, available at: https://www2.deloitte.com/content/dam/Deloitte/kz/Documents/legal/LegalAlert/KZ_Personal%20data%20protection_eng.pdf.
10. Data Protection in Kazakhstan Overview, Morgan Lewis, available at: https://www.morganlewis.com/-/media/files/publication/outside-publication/article/2023/data-protection-in-kazakhstan-overview.pdf (last visited Sept. 26, 2024).
11. Personal Data Protection. State Oversight And Legislative Updates - Data Protection - Privacy - Kazakhstan, Mondaq, available at: https://www.mondaq.com/kazakhstan.
Email: info@tsaaro.com
Website: www.tsaaro.com

Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719
Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore - 560045, India. P: +91-0522-3581
Tsaaro India Office: Supreme Business Park, Powai, Unit No. B-501, 5th floor, Wing 'B', Supreme Business Park, Mumbai, Maharashtra, India. P: +91-0522-3581
Tsaaro India Office: ATS Bouquet Tower C, Office No. 302, Sector - 132, Noida, Uttar Pradesh, India. P: +91-0522-3581
