Review of judicial practice on personal data in Kazakhstan
In recent years, the protection of personal data in Kazakhstan has become particularly relevant. The state is tightening regulation in this area, and liability for violations is becoming more and more serious. The reason for this is obvious: news about large-scale information leaks affecting Kazakhstanis regularly appears in the public domain. High-profile examples include the sale of citizens' personal data by banks, as well as cases of its leakage to China. Such incidents could not be ignored, and now the state is introducing new rules according to which the protection of personal data becomes a priority. From March 2025, fines for the illegal collection and processing of personal data will increase by two to three times. Now, small and medium-sized businesses can face fines of 450 and 750 euros, respectively, and large businesses - about 1500 euros. Moreover, these amounts are applied for each revealed fact of illegal collection and processing of personal data.
This approach brings Kazakhstan closer to the level of regulation in the countries of the region. For example, in Belarus, a fine of up to 600 euros is provided for a similar violation, while in Russia fines for the same acts are much higher - up to 7,000 euros for legal entities.
At the same time, compared to European countries, where companies can receive fines of millions of euros for violating personal data legislation (GDPR), Kazakhstan's measures remain relatively lenient.
Previously, we discussed how to properly draw up documents governing the processing of personal data, including consents and policies. Today we will go further and consider how these norms are applied in practice: what cases have already been considered by the courts in Kazakhstan, who has been prosecuted and how this problem applies to small and medium-sized businesses.
It is widely believed that the regulation of personal data affects only large corporations, since their activities are related to the processing of large amounts of information. This view is largely driven by the complexity of regulatory requirements, including server localization, internal policy development, appointment of responsible employees, and implementation of technical data protection measures. These requirements are indeed resource-intensive and can be challenging for small and medium-sized businesses. However, the legislation does not distinguish by the size of the company - all business entities are required to comply with the requirements for the processing and protection of personal data. In practice, this means that even small companies can face sanctions for negligence in the processing of personal data if they do not pay due attention to this issue.
Case 1
A small company that provides wired telecommunications services for government agencies was prosecuted for the illegal use of the personal data of a former employee. The company participated in a tender that required the availability of qualified personnel, and included the data of a former employee in the tender documentation without his explicit consent.
Upon discovering this, the former employee filed a complaint with the authorized body for the protection of personal data, which led to an unscheduled inspection and the drawing up of an administrative protocol. As a result of the review, the company was fined 140 euros.
Disagreeing with the decision, the company went to court, stating that the employee's consent was obtained orally, and only procurement participants had access to the documents. However, the court pointed out that verbal consent is not enough - written confirmation is required. In addition, the fine was paid in an abbreviated procedure, which is actually regarded as an acknowledgement of the violation. As a result, the court confirmed the legality of the fine imposed.
Case 2
A citizen of Kazakhstan took out a loan from a local bank and, when submitting the application, indicated the full name and phone number of an acquaintance as contact details without that person's explicit consent. As a result, the bank systematically called this number for two years in order to find the borrower.
The owner of the number, who is not related to the loan agreement, repeatedly informed the bank employees that his full name and contact details were used without his consent, and demanded to stop processing. However, the calls continued.
As a result, the court found that the bank did not have legal grounds for processing the personal data of this citizen, since he had not consented to their use. Moreover, the bank did not take measures to verify the legality of the data processing, despite the appeals received.
The court qualified the bank's actions as illegal collection and processing of personal data and imposed an administrative fine of 400 euros.
Case 3
A state institution in the city of Almaty was prosecuted for using personal data of citizens in the information system without obtaining their consent. The court found that the system stored personal data of citizens, while the consent to their processing was not properly formalized.
Representatives of the institution tried to challenge the protocol that had been drawn up, pointing out procedural shortcomings and the fact that the data was processed by a third-party organization. However, the court found the violation established, dismissed the complaint and imposed an administrative fine of 140 euros on the institution.
Conclusion
Thus, the judicial practice of Kazakhstan on personal data shows that the subjects of offenses can be not only large and medium-sized businesses, but also small businesses, and even government agencies. The reality is that almost any organization works with the personal data of employees, customers or partners, but not everyone pays due attention to this.
Despite the active work of the authorized body for the protection of personal data, business inspections, as a rule, are carried out only after a complaint is received from a person whose rights have been violated. In practice, this means that state authorities do not carry out systematic control of small and medium-sized businesses. However, the absence of inspections does not exempt a business from the need to comply with the law, since any complaint can lead to an inspection and the imposition of a fine.
Today, in Kazakhstan, the most common violations are related to the lack of correctly executed consent to the processing of personal data and their illegal distribution (for example, publication in the public domain on the Internet, inclusion in tender documentation or transfer to third parties without legal grounds). Judicial practice makes it clear that this is the basis for fines and inspections.
Compliance – clear documentation of consents and control over data processing – will help businesses not only protect their reputation, but also minimize the risks of financial losses.
Author: Zhanture Tashkarayev