AI Use in Kazakhstan: What Is Important to Consider from a Personal Data Protection Perspective

Artificial intelligence is increasingly being used in business: in customer support, marketing, e-commerce, HR, scoring, analytics, and the automation of internal processes.


At first glance, AI may be perceived as just another technological tool. However, if an AI system receives, analyzes, or uses information relating to an individual, such a process falls under personal data regulation.


For Kazakhstan, this issue is becoming especially relevant in the context of the evolving regulation of the digital environment and artificial intelligence. The use of AI must be not only efficient, but also transparent, secure, and controllable from the perspective of users’ rights.

AI as Part of Personal Data Processing


In accordance with Article 10 of the Law of the Republic of Kazakhstan “On Artificial Intelligence,” the operation of artificial intelligence systems is permitted provided that data protection and confidentiality requirements are met, including the prevention of unlawful collection, storage, and dissemination of personal data.


At the same time, the processing of personal data using AI systems also falls under the legislation of the Republic of Kazakhstan on personal data and their protection.


In many cases, AI does not work with abstract information, but with data relating to specific individuals.


For example, an AI chatbot may process a customer’s name, phone number, address, order history, or the content of a request. An AI-based HR tool may analyze a candidate’s CV, work experience, education, and skills. A marketing AI system may use purchase history, behavioral data, and user preferences.


In such cases, AI becomes part of the personal data processing chain. Therefore, it is important for businesses to understand what data is being used, why it is needed, on what legal basis it is processed, where it is stored, and who may have access to it.   

Key Risks for Businesses


The first risk is the use of data beyond its original purpose. Data may be collected, for example, to process an order or provide a service, but later used to train an AI model, for customer analytics, or for ad personalization. Such use requires a separate assessment, as the new purpose of processing does not always match the one to which the user originally consented.


The second risk is insufficient transparency. Users do not always understand that their data is being analyzed by an automated system or that a result has been generated using AI. This is especially important when AI influences recommendations, scoring, candidate selection, or other impactful decisions.


The third risk is the transfer of data to AI solution providers. Many companies use external AI tools, cloud platforms, APIs, CRM modules, or chatbots. In such cases, it is necessary to understand who has access to the data, where it is stored, whether it is used to train models, and whether it is transferred outside Kazakhstan.


Special attention should also be given to situations where employees upload customer, HR, or internal data into public AI tools. Even if this is done to speed up work, such practices may create a risk of unauthorized disclosure of personal data or confidential information.

Automated Decision-Making and Human Oversight


If AI is used only as a supporting tool, for example when a system helps classify requests or prepare a draft response, the risks are generally lower.


However, if AI actually affects a person’s rights or legitimate interests, the requirements for transparency and control become significantly higher. This may apply to service refusal, credit scoring, insurance assessment, candidate selection, account blocking, or determining individual service conditions.


In such cases, it is important for businesses to ensure the possibility of human involvement: the user should have a clear mechanism to appeal, and the company should have the ability to review and, if necessary, reconsider a result generated with the help of AI.


At the same time, for the purposes of ensuring transparency, the Law on AI establishes a requirement to inform users that goods, works, and services are produced or provided using artificial intelligence systems.


What Should Be Checked Before Implementing AI


Before launching an AI tool, companies should carry out a basic legal and technical assessment:

  1. What personal data will be processed; 
  2. For what purpose it will be used; 
  3. Whether there is a legal basis for such processing; 
  4. Whether users are informed about the use of AI; 
  5. Whether the data is used to train the model; 
  6. Whether the data is transferred to vendors or outside Kazakhstan; 
  7. Whether adequate security measures and access restrictions are in place; 
  8. Whether the AI-generated outcome can be explained and reviewed. 


It is also important to update user-facing documents and internal policies: the privacy policy, consent forms, user agreements, contracts with vendors, and internal rules on employees’ use of AI.

Conclusion

The use of AI in Kazakhstan cannot be considered separately from personal data regulation. Any AI system that processes information about customers, employees, users, or counterparties must be assessed not only from the perspective of efficiency, but also in terms of compliance with personal data legislation.


The key question for businesses is not only whether AI can be used, but also how well the company understands what data is being processed by the system, for what purposes it is used, where it is stored, to whom it may be transferred, and how the rights of data subjects are protected.

Companies that establish transparent and secure data processing practices in advance will be able to use AI not only more efficiently, but also more sustainably in terms of regulation, customer trust, and long-term legal risk management. Lawyers at REVERA are ready to help successfully address this challenge.
