LawFlash

Republic of Kazakhstan Data Protection Law: Amendments in 2026

July 14, 2026

This LawFlash provides an overview of the key amendments made to the Law of the Republic of Kazakhstan, On Personal Data and Their Protection No. 94-V, dated 21 May 2013, including the introduction of a registry of entities that collect and/or process personal data.

Following the amendments to the Law of the Republic of Kazakhstan, On Personal Data and Their Protection No. 94-V, (the Law) the definition of personal data is amended, effective 11 July 2026. The new definition of personal data focuses heavily on personal data identifiers. Consequently, certain standalone items of information that were previously not categorized as personal data may fall within the scope of the Law when utilized in conjunction with such personal data identifiers.

Additionally, in August 2026, new statutory definitions will be introduced, including automated processing, anonymization, masking, personal data security breaches, and hashing.

PROCESSING OF PERSONAL DATA

Effective 25 August 2026, new regulations will govern the processing of personal data obtained from publicly available sources, including the following:

  • The voluntary publication of personal data in the public domain by a data subject does not automatically constitute consent to the subsequent collection, dissemination, or any other form of processing of such data.
  • When publishing personal data in publicly available sources, owners, operators, and third parties are legally required to mask any information that is restricted from public dissemination under applicable law.

AUTOMATED PROCESSING OF PERSONAL DATA

The Law introduces specific statutory requirements and restrictions regarding the automated processing of personal data. These include a prohibition on taking decisions solely based on automated processing, as well as granting data subjects the right to object to such automated processing, among other provisions.

MAINTENANCE OF STATE REGISTERS

The amendments provide for the establishment of a register of personal data security breaches and a register of persons engaged in the collection and/or processing of personal data.

Register of Personal Data Security Breaches

Effective 25 August 2026, the competent authority will maintain a register of personal data security breaches based on information compiled from publicly available sources and reports submitted by entities within the state cybersecurity system.

Register of Persons Engaged in the Collection and/or Processing of Personal Data

A new register is being established for individuals and entities engaged in the collection and/or processing of personal data. This register will be maintained by the central executive body responsible for the protection of personal data (currently the Ministry of Artificial Intelligence and Digital Development of the Republic of Kazakhstan). The register is compiled based on occurred  statutory notifications.

Owners, operators, and third parties engaged in the collection and processing of personal data will be classified into small, medium, and large entities depending on the volume of personal data processed. Notably, the mandatory obligation to submit notifications regarding both the commencement and termination of personal data processing applies exclusively to large owners (controllers) and/or operators (processors). The aforementioned new measure appears burdensome for business; it is necessary to monitor law enforcement practice.

Law clerk Violetta Ber contributed to this LawFlash.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Aset Shyngyssov (Almaty / Astana)