Kazakhstan has built a standalone personal data protection regime that applies to any business collecting, storing or processing information about individuals in the country. The core statute - the Law on Personal Data and Its Protection (Закон о персональных данных и их защите), adopted in 2013 and significantly amended since - creates obligations that are comparable in structure, though not identical in detail, to the EU General Data Protection Regulation (GDPR). Foreign companies operating in Kazakhstan, whether through a local entity or by targeting Kazakhstani residents online, fall within its scope. Non-compliance carries administrative fines, operational bans and reputational damage that can materially affect a business. This article maps the legal framework, explains the practical obligations, identifies the most common mistakes made by international clients and outlines the strategic choices available when a dispute or enforcement action arises.
The legal framework: key statutes and regulators
The primary instrument is the Law on Personal Data and Its Protection (hereinafter the Personal Data Law). It defines personal data broadly as any information relating to an identified or identifiable individual, a definition that covers names, contact details, biometric data, financial records and online identifiers. The law distinguishes between ordinary personal data and special categories - health, biometric, financial and other sensitive data - and imposes stricter requirements on the latter.
The Personal Data Law operates alongside several other statutes. The Law on Communications (Закон о связи) governs data processed by telecommunications operators and imposes sector-specific retention and access obligations. The Law on Electronic Document and Electronic Digital Signature (Закон об электронном документе и электронной цифровой подписи) sets standards for electronic consent and digital records. The Code of Administrative Offences (Кодекс об административных правонарушениях) contains the penalty provisions that regulators use in enforcement proceedings.
The principal regulator is the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (Министерство цифрового развития, инноваций и аэрокосмической промышленности). It maintains the State Register of Personal Data Holders, conducts inspections and issues binding orders. The Committee for Information Security (Комитет по информационной безопасности) within the same ministry handles cybersecurity incidents, including data breaches that affect critical information infrastructure. The Agency for the Protection and Development of Competition (Агентство по защите и развитию конкуренции) may become involved where data misuse intersects with unfair commercial practices.
A non-obvious risk for international businesses is that the Ministry can initiate an inspection without a prior complaint from a data subject. Routine sector sweeps, triggered by media coverage or a competitor's tip, have resulted in enforcement actions against companies that believed their data practices were adequate.
Consent, legal bases and the conditions for lawful processing
Under Article 8 of the Personal Data Law, consent is the primary legal basis for processing personal data. Valid consent must be informed, specific, freely given and documented. The law does not prescribe a single form, but in practice a written or electronic record is required to demonstrate compliance during an inspection. Oral consent is legally possible for certain categories but is almost impossible to prove.
The Personal Data Law recognises a limited set of alternative legal bases that do not require consent:
- Performance of a contract to which the data subject is a party.
- Compliance with a legal obligation imposed on the data holder.
- Protection of the vital interests of the data subject.
- Execution of tasks carried out in the public interest.
These alternatives are narrower in practice than their GDPR equivalents. Kazakhstani regulators have consistently interpreted 'legitimate interests' - a widely used GDPR basis - as not constituting a standalone ground under the Personal Data Law. Companies that migrate their GDPR-compliant consent architecture directly to Kazakhstan without adaptation frequently discover this gap only when an inspection begins.
A common mistake made by international clients is to rely on a single group-wide privacy notice drafted for European audiences. Kazakhstani law requires that the notice be provided in Kazakh or Russian, or both, and that it specify the exact purposes of processing, the categories of data collected and the identity of any third parties who will receive the data. A notice that satisfies GDPR but omits these elements will not satisfy the Personal Data Law.
Special categories of data - health records, biometric identifiers, financial data and information about criminal convictions - require explicit written consent and, in many cases, additional organisational safeguards. Processing biometric data without written consent is a separate administrative offence under the Code of Administrative Offences.
To receive a checklist on consent documentation and legal bases for data processing in Kazakhstan, send a request to info@vlo.com.
Data localisation and cross-border transfer rules
Article 22 of the Personal Data Law establishes the data localisation requirement: personal data of Kazakhstani citizens must be collected, processed and stored using databases physically located within Kazakhstan. This obligation applies to the primary database. Subsequent transfer of the data abroad is permitted under specific conditions, but the initial collection and storage must occur on Kazakhstani territory.
Cross-border transfer of personal data is regulated by Article 22.1 of the Personal Data Law. A transfer is lawful if at least one of the following conditions is met:
- The destination country provides an adequate level of personal data protection, as determined by the Ministry.
- The data subject has given explicit written consent to the transfer.
- The transfer is necessary for the performance of a contract with the data subject.
- The transfer is required to protect the life or health of the data subject.
Kazakhstan has not published a formal adequacy list comparable to the EU's. In practice, businesses rely on explicit consent or contractual necessity as the most reliable bases. Standard contractual clauses modelled on GDPR practice are not formally recognised under Kazakhstani law, though some businesses use them as supplementary contractual protection. The Ministry has not issued guidance that endorses or prohibits this approach, which creates residual legal uncertainty.
The localisation requirement has significant operational consequences for cloud-based businesses. A company that stores Kazakhstani user data exclusively on servers located in Germany, the United States or Singapore is in breach of Article 22, regardless of how robust its security measures are. The Ministry has the authority to block access to online services that fail to comply, a power it has exercised against foreign platforms in the past.
A non-obvious risk arises in group structures where a parent company in another jurisdiction acts as a centralised data processor for its Kazakhstani subsidiary. Even if the subsidiary collects the data, routing it immediately to a foreign server for processing before returning it to Kazakhstan may constitute a transfer that triggers the localisation and consent requirements simultaneously.
Registration, DPO obligations and internal governance
The Personal Data Law requires data holders - defined as any legal entity or individual that collects and processes personal data - to register with the State Register of Personal Data Holders maintained by the Ministry. Registration is a prerequisite for lawful processing. Operating without registration is an administrative offence.
The registration process requires the data holder to submit information about the categories of data processed, the purposes of processing, the location of the database and the identity of the responsible person within the organisation. Updates must be filed when any of these particulars change. Many foreign companies with Kazakhstani subsidiaries overlook the update obligation after a corporate restructuring or a change in data infrastructure.
The Personal Data Law does not use the term 'Data Protection Officer' (DPO) in the GDPR sense, but it requires each data holder to designate a responsible person (ответственное лицо) for personal data protection. This individual must have sufficient authority and resources to implement the data protection policy, respond to data subject requests and liaise with the regulator. In practice, the responsible person fulfils a role similar to a DPO, but the formal requirements differ from those under GDPR Article 37.
Internal governance obligations include:
- Maintaining a written personal data processing policy accessible to data subjects.
- Implementing technical and organisational measures proportionate to the sensitivity of the data.
- Conducting periodic internal audits of data processing activities.
- Ensuring that employees who handle personal data are bound by confidentiality obligations.
Many companies underappreciate the audit obligation. The Ministry's inspection methodology includes a review of internal audit records. A company that has never conducted a formal audit of its data processing activities will struggle to demonstrate compliance even if its day-to-day practices are sound.
To receive a checklist on registration, responsible person appointment and internal governance requirements in Kazakhstan, send a request to info@vlo.com.
Data breach response: obligations, timelines and enforcement
A personal data breach is defined under the Personal Data Law as any unauthorised access to, disclosure of, modification of or destruction of personal data. The law imposes a notification obligation on data holders when a breach occurs. The notification must be sent to the Ministry and, where the breach affects the rights and interests of data subjects, to the affected individuals.
The Personal Data Law does not specify a fixed number of days for notification in the same way that GDPR Article 33 prescribes 72 hours. The obligation is to notify 'promptly' (незамедлительно), which regulators have interpreted in practice as meaning within a period of days rather than weeks. Businesses that delay notification while conducting an internal investigation risk being found in breach of the notification obligation independently of the underlying security failure.
The notification to the Ministry must include a description of the breach, the categories and approximate volume of data affected, the likely consequences and the measures taken or proposed to address the breach. Notification to data subjects must be in plain language and must explain what data was affected and what steps the individual can take to protect themselves.
Enforcement of breach-related obligations falls primarily to the Committee for Information Security when the breach affects critical information infrastructure - defined to include financial institutions, telecommunications operators, healthcare providers and government information systems. For other data holders, the Ministry handles enforcement.
Three practical scenarios illustrate the range of enforcement outcomes:
- A retail company suffers a breach of its customer loyalty database containing names, phone numbers and purchase histories. The breach does not affect critical infrastructure. The Ministry issues a binding order requiring notification of affected customers and implementation of specified technical measures. Failure to comply within the deadline triggers an administrative fine.
- A fintech company operating a payment application experiences unauthorised access to financial data. The Committee for Information Security becomes involved alongside the Ministry. The company faces parallel investigations, and the risk of operational suspension is higher because financial data is a special category under the Personal Data Law.
- A foreign e-commerce platform with no Kazakhstani legal entity suffers a breach affecting Kazakhstani users. The Ministry may seek to block access to the platform within Kazakhstan as an enforcement measure, since it lacks direct jurisdiction over the foreign entity. This extraterritorial enforcement mechanism is increasingly used.
The cost of a breach response - including legal advice, technical remediation, regulatory liaison and potential fines - typically starts from the low thousands of USD for a minor incident and can reach the mid-to-high tens of thousands for a significant breach affecting a large number of data subjects.
Enforcement, penalties and dispute resolution
Administrative liability for violations of the Personal Data Law is set out in the Code of Administrative Offences. The penalty structure distinguishes between first-time violations and repeat offences, and between violations by individuals, officials and legal entities. Fines for legal entities are calculated as a multiple of the monthly calculation index (месячный расчётный показатель, MRP), a unit that is adjusted periodically by the government.
The most common violations that trigger enforcement are:
- Processing personal data without a valid legal basis or without registration.
- Failure to obtain written consent for special categories of data.
- Breach of the data localisation requirement.
- Failure to respond to a data subject's request within the statutory period.
- Failure to notify the regulator of a breach.
Data subjects have the right under Article 20 of the Personal Data Law to access their data, request correction, demand deletion and object to processing. The data holder must respond within 15 working days. Failure to respond within this period is a separate violation. In practice, international companies often miss this deadline because the request arrives in Kazakh or Russian and is not routed to the responsible person in time.
Disputes between data subjects and data holders can be resolved through the Ministry's complaint mechanism or through the courts. The Ministry's complaint procedure is administrative and does not award compensation to the data subject. Civil claims for damages caused by unlawful data processing are brought before the courts of general jurisdiction under the Civil Procedure Code (Гражданский процессуальный кодекс). Damages awards in personal data cases remain modest by international standards, but reputational consequences and the cost of litigation can be disproportionate to the financial exposure.
A common mistake is to treat a Ministry inspection as a purely administrative matter that can be managed without legal counsel. The Ministry's inspectors have broad powers to request documents, interview employees and access information systems. Statements made during an inspection can be used in subsequent administrative proceedings. Engaging a lawyer before the inspection begins - or at the earliest possible stage - materially reduces the risk of inadvertent admissions and procedural errors.
The risk of inaction is concrete: a company that receives a Ministry notification of an upcoming inspection and fails to prepare within the notice period - typically 30 days for a scheduled inspection, shorter for an unscheduled one - may find that its documentation gaps become the primary basis for enforcement action rather than any substantive violation.
To receive a checklist on enforcement preparation and inspection response procedures in Kazakhstan, send a request to info@vlo.com.
FAQ
What is the most significant practical risk for a foreign company that processes Kazakhstani personal data without a local entity?
The Ministry has the authority to block access to online services and platforms that fail to comply with the Personal Data Law, including the data localisation requirement. This power applies regardless of whether the company has a registered presence in Kazakhstan. A foreign company that routes Kazakhstani user data exclusively through servers outside the country is exposed to a blocking order that can effectively remove it from the Kazakhstani market. The risk is not theoretical: the Ministry has used this mechanism against foreign platforms. Establishing a compliant data infrastructure - either through a local server arrangement or a certified Kazakhstani cloud provider - is the most direct way to mitigate this exposure.
How long does a Ministry inspection typically take, and what are the financial consequences of a finding of non-compliance?
A scheduled inspection typically lasts up to 30 working days, though complex cases involving multiple violations or critical infrastructure can extend longer. An unscheduled inspection triggered by a complaint or a breach notification may proceed more quickly. Financial consequences depend on the nature and number of violations: fines for legal entities are calculated as multiples of the MRP and can accumulate across multiple separate violations identified in a single inspection. Beyond fines, the Ministry can issue binding remediation orders with short compliance deadlines, and failure to comply with an order is itself a separate offence. The total cost of an enforcement outcome - including legal fees, remediation and fines - can reach the mid-to-high tens of thousands of USD for a company with systemic compliance gaps.
When should a business consider replacing a consent-based processing model with a contract-based or statutory obligation model?
Consent is the default legal basis under the Personal Data Law, but it carries operational risks: data subjects can withdraw consent at any time, and the data holder must then cease processing and, in many cases, delete the data. For processing that is genuinely necessary to perform a contract - such as processing a customer's delivery address to fulfil an order - the contractual necessity basis is more stable and does not depend on the data subject's continued willingness to consent. The statutory obligation basis is appropriate where a specific law requires the data holder to collect or retain certain data, such as anti-money laundering or tax record-keeping requirements. Businesses should map each processing activity to the most appropriate legal basis rather than defaulting to consent for everything, both to reduce withdrawal risk and to demonstrate a structured compliance approach to the regulator.
Conclusion
Kazakhstan's data protection regime is a functioning, enforced legal framework with real consequences for non-compliance. The combination of data localisation requirements, strict consent rules, breach notification obligations and active regulatory enforcement creates a compliance burden that international businesses must address systematically rather than reactively. The gap between GDPR-compliant practices and Kazakhstani requirements is narrower than many assume in some areas and wider in others - particularly on localisation, consent documentation and the absence of a legitimate interests basis. A structured compliance programme, supported by local legal counsel, is the most cost-effective way to manage the risk.
Our law firm Vetrov & Partners has experience supporting clients in Kazakhstan on data protection and privacy matters. We can assist with compliance audits, registration with the State Register, consent framework design, cross-border transfer structuring, breach response and representation before the Ministry of Digital Development. To receive a consultation, contact: info@vlo.com.