
This year, speakers from Kazakhstan discussed data privacy in business and the competitive advantages it provides companies in the country's digital market.
Opening the event, Managing Partner of DRCQ and founder of the Eurasian Digital Foundation, Ruslan Dayyrbekov, stated:
"Business and the state are the largest operators processing personal data. Open dialogue will help us develop effective approaches to data protection in Kazakhstan."
Elzhan Kabyshev, Head of Legal Practice, Eurasian Digital Foundation
➖ Compliance in Personal Data Protection in Business
"If a company experiences a cyber incident leading to data leakage to third parties, the law defines this as a 'personal data security breach.' The responsible operator must notify the regulator (the Ministry of Digital Development) within one day. The ministry then sends notifications to those affected by the breach."
"Businesses should not only follow the Personal Data Law but also general provisions outlined in the Entrepreneurial Code. Additionally, state control over compliance is tightening—both scheduled and unscheduled inspections are now possible. Businesses must prepare in advance and implement best data protection practices."
Ruslan Dayyrbekov, Founder, Eurasian Digital Foundation
➖ Establishing the Data Protection Officer (DPO) Institution in Kazakhstan
"Since 2021, companies have been required to appoint a responsible person for personal data processing. The function of state oversight in this area has been assigned to the CIB. However, according to global standards, such a government body should have an independent legal status, which we currently lack."
Comparison with GDPR (EU standard):
- Independence: In Kazakhstan, the responsible person may hold multiple roles (e.g., HR or IT Director), whereas an EU DPO must be free from conflicts of interest.
- Interaction with the regulator: In the EU, a DPO directly communicates with the supervisory authority, whereas in Kazakhstan, this is not clearly established.
"Overall, Kazakhstan is still in the process of developing this institution. While in many aspects DPO functions align with global standards, key requirements such as independence and detailed rights need further refinement."
Danila Bekturganov, Director, Civic Expertise Foundation
➖ Privacy Risks in the Use of Biometric Data in Business
"It is hard to imagine a more convenient technology for user identification and authentication than biometrics, and overall, it is a very useful tool. However, improper or even criminal use of this technology presents significant risks:"
- Leaks or unauthorized access to biometric data
- Selling data to third parties
- Data collection without consent, such as through surveillance cameras
- Regulation lagging behind technological development
"Only biometric data necessary for a specific purpose should be collected. Biometric information should not be stored longer than required."
Dana Utegen, Teaching Professor, Higher School of Law, Maqsut Narikbayev University
➖ Codification of National Legislation on Personal Data
"Despite the vast amount of big data used today by both businesses and the government, I would say that regulation is not keeping pace with technology. Every other news story today is about AI and digital products, yet state control and personal data protection are lagging, with legal gaps in responsibility, ethics, and cross-border data transfers."
"Kazakhstan's Digital Code is still under development, with active participation from the IT sector, government agencies, and civil society. There are few global examples of such an initiative, and Kazakhstan aims to be at the forefront of digital regulation. However, there is still a long way to go before successful implementation."
Roman Reymer, Co-founder, Erkindik Kanaty Foundation
➖ Legal Cases on Personal Data Protection
"In 2023, an interesting case occurred when a group of citizens from Pavlodar unexpectedly received SMS messages from Damumed stating they had been placed under psychiatric supervision, even though they had never sought such help. For some reason, their personal data was used for this notification. They filed a lawsuit in Pavlodar, and the judge ruled in their favor, awarding moral damages of 50,000 KZT per person."
"Recently, another case emerged where a resident of Almaty received an SMS stating she had been registered at a clinic in Kyzylorda. Moreover, when she sought medical care in Almaty, she was denied service because she was 'registered elsewhere.' The investigation suggests she may have been registered in Kyzylorda to boost the hospital's statistics. However, it remains unclear how her data was obtained. Thus, legal cases on data protection exist in Kazakhstan, and we will continue to see more of them."
Privacy Day 2025 brought together insightful Kazakhstani experts, and many pressing topics were addressed at this annual event dedicated to International Data Protection Day.
The full event broadcast is available on YouTube.
(This translation was done automatically)