Personal Data Protection: Crucial Points

Introduction

The practice of protecting an individual's personal data dates back to the mid-twentieth century, the period when the UN actively approved various international acts with respect to human rights: the Universal Declaration of Human Rights, the international covenants on human rights, and many others. It was then that the civilised countries started to seriously consider the protection of privacy.

The very concept of ‘personal data’ was formed towards the end of the last century. It was connected with a new turn in the development of information technology, which resulted in the introduction of computer means for the collection, storage and processing of information about human life. Such information required special protection from unauthorised leaks, which, in turn, required appropriate legal regulation. Thus, first, the states of the European Union and then the other countries of the world began a large-scale adoption of regulations governing the protection of individuals’ personal data. Please note that only physical persons (citizens, foreigners and persons without citizenship) are the subjects (carriers) of personal data.

With respect to the protection of personal data, the Republic of Kazakhstan (hereinafter RK), for its part, entrenched in its 1995 Constitution the postulate that each individual has the right to privacy and to personal and family privileged information (Article 18).

What should be perceived as personal data?

In accordance with Article 1 of the Law ‘On Personal Data and Protection’ (hereinafter the Law), personal data is information relating to the subject of personal data, identified or identifiable on the basis of such information, recorded in electronic, paper and/or any other tangible medium. The Law does not provide a comprehensive list of personal data. However, several subordinate regulatory acts anchored on the decision of the government of the RK, such as No. 1214, ‘on approval of rules determining the owner and (or) the operator of the list of personal data, necessary and sufficient for the performance of their tasks’, dated 12 November 2013, at one time stipulated the basic list of personal data. The contents on the list are rather numerous. The abovementioned regulation contains a reference to the special lists where personal data can be found.

The personal data of an individual, among other things, comprises full name, sex, date and place of birth, nationality, personal identification number, address information on the place of residence, marital status, property status and other information that either identifies a specific person or relates to one.

Who operates our personal data? What is the mechanism?

All personal data together forms a database arranged in a certain organised order.

The subject (which can be a public authority or a natural or legal person) that holds the right of ownership and owns, uses and disposes of the database of personal data is referred to as the owner. The subject performing the collection, processing and protection of personal data is referred to as the operator.

Thus, the two categories of subjects can collect, store, modify, add, use, distribute, depersonalise, block or destroy personal data, as well as transfer them to third parties.

But in order to perform all these actions, they are required to obtain the consent of the subject of personal data, except for cases provided for in Article 9 of the Law. Consent may be granted to a physical person or a legal representative in writing, in the form of an electronic document or by other means with elements of protective actions that do not contravene the Law.

Moreover, a subject of personal data can withdraw his or her consent to the collection and processing of personal data given earlier at any time.

What is personal data protection?

In modern life, we are constantly forced to pass our personal data to owners (operators)—that is, when getting employed, taking out a bank loan, obtaining a subsidy and many others. Thus, we bear certain risks, such as the fact that our personal information can fall into the wrong hands or be made public. In order to mitigate this risk, the state guarantees the protection of personal data. Thus, according to Article 22, the owner and/or the operator, as well as the third party, undertake to make the necessary efforts for the protection of personal data:

• Prevention of unauthorised access to personal data

• Timely detection of unauthorised access to personal data in cases where such access was not prevented

• Minimisation of the adverse effects of unauthorised access to personal data

On a related note, the adoption of the Law implied amendments to a number of other regulatory acts of the RK, significantly in relation to the protection of personal data, which can be found in the Law of RK ‘on amendments to some legislative acts of RK on the issues of personal data and their protection’.

Nonetheless, without a clear mechanism for determining the liability of subjects who infringe on personal data, the measures for the protection of such data still will not give the desired results.

What threats does a breach of the Law on personal data pose?

So what procedure should we follow if those to whom we entrust our personal data fail to fulfil their obligation to protect the data or otherwise violate the Law on personal data, for example by illegally collecting and/or processing it and spreading private information?

First of all, a claim concerning the illegal use of personal data can be filed with a court for the protection of rights, together with the relevant claims for compensation of damages and losses.

Kazakhstan legislation also provides for bringing violators to one of the following types of legal liability:

a) Administrative liability (Articles 79 and 641 of the Code of Administrative Offences of the RK) occurs in the case of the following acts:

– Illegal collection and/or processing of personal data (punishable by a fine of 20 to 100 monthly calculation indices (hereinafter MCI) with confiscation of subjects of an administrative offence)

– Illegal collection and/or personal data processing committed by the owner, the operator or the third person using his or her official position, if it does not create criminal liability (a fine of 50 to 200 MCI with confiscation of subjects of an administrative offence)

– Failure to comply with the measures for personal data protection by the owner, operator or any third party (a fine of 100 to 300 MCI)

– Failure to comply with the measures for personal data protection by the owner, operator or any third party, resulting in the loss, illegal collection and/or processing of personal data (if it does not create criminal liability, a fine of 200 to 1,000 MCI)

– Failure to implement or improper implementation of the measures for the protection of information systems that contain personal data by the owner (a fine of 10 to 100 MCI)

– Use of electronic information resources containing personal data about individuals in order to inflict pecuniary and/or nonpecuniary damage and/or limit the rights and freedoms guaranteed by the laws of the RK (a fine of 10 to 200 MCI).

b) Criminal responsibility (Articles 147 and 211 of the Criminal Code of the RK) occurs in the case of the following acts:

– Failure to comply with measures for the protection of personal data by a person who is entrusted with the duty of taking such measures, if this act caused substantial harm to the rights and lawful interests of individuals (a fine of up to 3,000 MCI, or corrective labor, restriction or deprivation of freedom for a term of up to two years with deprivation of the right to occupy certain positions or engage in certain activities for up to three years)

– Illegal collection of information about the private life of a person that constitutes his or her personal or family secret, without his or her consent, or causing substantial harm to the rights and lawful interests of a person as a result of illegal collection and/or processing of other personal data (fine of up to 5,000 MCI, or corrective work, or restriction or deprivation of liberty for a term of up to three years)

– Illegal collection of information about the private life of a person using one’s official position or special technical means or through unauthorised access to electronic information resources and information systems or unlawful interception of information on the telecommunications networks, or for the purpose of deriving profit and advantages for oneself or for other persons or organizations (imprisonment for up to five years, with deprivation of the right to occupy certain positions or engage in certain activities for the term of two to five years)

– Distribution of information about the private life of a person that constitutes his personal or family secret, without his consent, or causing substantial harm to the rights and legitimate interests of a person as a result of the illegal collection and/or other processing of personal data (imprisonment for up to five years)

– Illegal distribution of electronic information resources containing personal data of citizens or other information where access to which is limited by the laws of the RK or by the owner (a fine of up to 200 MCI or corrective labor or community service for up to 180 hours, or apprehension for up to 60 days, with deprivation of the right to occupy certain positions or engage in certain activities for up to three years)

– Illegal distribution of electronic information resources containing personal data of citizens or other information where access to which is limited, committed by a group of persons by prior conspiracy, out of selfish motives, or by a person using his official position (restriction or deprivation of liberty for a term of up to five years, with deprivation of the right to occupy certain positions or engage in certain activities for up to three years)

– Illegal distribution of electronic information resources containing the personal data of citizens or other information where access to which is limited, committed by a criminal group and implying grave consequences (imprisonment for a term of three to seven years with deprivation of the right to occupy certain positions or engage in certain activities for up to five years)

Conclusion

The institution of personal data protection is one of the most important institutions of civil society. It is a relatively new one and has not yet been thoroughly examined in our country; thus, covering all the key aspects of the legal regulation of operations involving personal data in one article appears impossible. The nuances of collecting, processing and protecting personal data by an employer when hiring employees, the subtleties of the exchange of personal data at the time of conclusion of a contract, the protection of personal data on the Internet, and matters of personal data storage and destruction are of primary concern now.

In this regard, we shall definitely return to the issues of the practical implementation of the Kazakhstani laws regulating social relations in the sphere of personal data protection in our upcoming publications. Stay with us!

Information contained in this Client Update is of general nature and cannot be used as legal advice or recommendation. Please note that Kazakhstan is an emerging economy, and its legislation and legal system are in constant development. Should you have any questions or want to discuss matters addressed in this Client Update, please contact us.