Personal data security: What Kazakhstanis should know about their rights

In today’s digital age, ensuring personal data security and confidentiality is paramount. Kazakhstan has established special legislative requirements for the protection of information.

For Kazakhstanis to be confident that their data is protected when using services, many criteria must be taken into account, including national legislative norms. Anna Batalova, a lawyer at the IT company BTS Digital, described them specifically for the Telegram channel Q-channel.

1. Transparency
Study legal documents such as the User Agreement and Privacy Policy. These documents shed light on the company’s data collection, use, storage, and protection approach.

2. Purpose of data collection
The service provider should clearly state why personal data is collected and processed. According to Kazakhstan’s data protection laws, data must be collected for specific and legitimate purposes.

3. Data storage and retention
Storing personal data in secure databases within Kazakhstan, as stipulated for specific industries, is mandatory. Data retention periods and storage rules should be clearly defined.

4. Consent
Kazakhstani legislation pays special attention to obtaining users' consent to collect and process data in the prescribed form. This means that it is necessary to comply with all the formalities that the legislator has laid down.

5. Third-party sharing and cross-border transfers
Information on sharing or transferring personal data to third parties or outside Kazakhstan must be specified. The legislator establishes straightforward ways for such data transfers.

6. Withdrawal of consent
Users should be able to easily withdraw their consent, which is a right under Kazakhstan’s data protection rules.

7. Data protection measures
The service provider should implement strong data protection measures such as encryption, regular security audits, and two-factor authentication.

8. Rights of Data Subjects
Users must be informed of their rights in accordance with Kazakhstan’s legal framework.

9. Oversight and reporting
Organizations should have mechanisms to detect, report, and take appropriate action on data breaches in accordance with Kazakhstan’s data breach notification requirements.

10. Data Protection Officer (DPO)
Each owner (or operator) of personal data should appoint a person responsible for organizing the processing of personal data where the owner and (or) operator is a legal entity.

Users should proactively contact the service provider’s support team if any of the above points need clarification. If there are any doubts about the handling of personal data, Kazakhstanis can and should contact the Information Security Committee under the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan via the E-otinish system.

Awareness is the first line of defense against data leakage or misuse. Users can ensure their privacy is respected and preserved by knowing and understanding the protections and their rights.
