The Parliament of Kazakhstan is considering a new draft law amending personal data (PD) legislation— with new obligations for companies.
The draft law proposes obliging companies to notify the Ministry of Digital Development, Innovations and Aerospace Industry (the Ministry) about identified violations of PD protection within two working days.
There is currently an obligation to notify the Ministry about cybersecurity incidents involving PD of limited access, but no procedures or time limits have been set for this.
The proposal would introduce an obligation for companies to notify the Ministry about all protection violations with respect to any personal data (both public and limited access) within the said term.
The amendments propose introducing an authority under the Ministry that would exercise state control in respect of PD protection, which includes initiating and conducting inspections of companies.
It is assumed that the introduction of this authority would allow the Ministry to take more active measures to hold companies accountable for violations of PD collection and processing rules.
Currently, the Ministry is only authorized to conduct inspections in respect of the informatization legislation compliance. As recent court cases illustrate, companies are already being imposed with sanctions within the framework of such inspections.
Another proposition of the draft law is to prohibit collection and processing of copies of identification documents (IDs, passports, resident permits, etc.). According to MPs, this prohibition is necessary to mitigate leaks of PD.
This draft law is at the consideration stage in the Mazhilis—the lower chamber of Parliament—and is subject to possible changes in the future.
We are closely monitoring the draft law’s status and will keep you updated about any news related to the draft law. If you have any questions about this alert, please contact us.