• Insights

Data privacy in Kazakhstan’s Astana International Financial Centre 

Written by
AEQUITAS Law Firm, the top labour and employment practice in Kazakhstan.
In this article, we take a look at data privacy law as it applies in the Astana International Financial Centre (AIFC), which was officially launched in 2018. The AIFC is a territory within Astana, the capital of Kazakhstan, where a special legal regime applies to the financial sector. The data privacy law applicable in the AIFC is most closely aligned with the EU’s General Data Protection Regulation (GDPR).

The AIFC provides a favourable environment for companies registered there. It aims to attract investment in the Kazakhstan economy, develop local capital markets and engender the production of goods and services. As of 8 December 2023, 2,390 companies were registered with the AIFC. 

The AIFC Data Protection Regulations (AIFC Regulations) and the AIFC Data Protection Rules (AIFC Rules) ensure personal data protection in the AIFC. Both Acts were adopted after the GDPR and are significantly closer to the GDPR than the Law on Personal Data that is applicable in Kazakhstan. The AIFC Acts on data protection are administered by a Commissioner of Data Protection. 

Note that under the system of AIFC legislation, the current law of Kazakhstan applies to the extent not regulated by the AIFC Constitutional Law and AIFC acts. Therefore, employers registered in the AIFC must take into account the Kazakhstan Law on Data Protection and other Kazakhstan legislation that might apply to the extent not regulated by the AIFC-specific data protection laws discussed below.  

What is similar to the EU’s GDPR?

Like the GDPR, the AIFC Regulations provide certain key principles of personal data processing, including lawfulness, fairness, accuracy, data minimisation, purpose limitation, storage limitation and security. The grounds for legitimate processing provided by the AIFC Regulations are not much different from those provided by the GDPR. 

What is considered ‘sensitive personal data’ under the AIFC Regulations is also similar to that described in the GDPR. Sensitive personal data include data related to health or sexual life, trade union membership, philosophical or religious beliefs, political opinions or affiliations, criminal records, ethnic or racial origin and community background. A data controller must not process sensitive personal data unless either the data subject has consented to the processing or certain other situations apply, and generally these are similar to those set out in the GDPR. 

What is different from the EU’s GDPR?

A distinguishing feature of the AIFC is that processing of sensitive personal data is allowed, for example, if necessary to comply with any anti-money laundering or counter-terrorist financing, accounting and auditing rules. A permit allowing for the processing of sensitive personal data can be obtained, for a fee, from the Commissioner of Data Protection, provided safeguards are applied. 

Unlike the GDPR, the AIFC Regulations do not provide that security requirements for processing may include pseudonymisation or encryption, but other than that, the requirements for security of data processing are similar in both acts. 

Under the AIFC Regulations, data subjects have most of the rights provided by the GDPR, including the right to be informed about collection and use of their data, the right to erasure (to be forgotten), to rectify inaccuracies, and the right to complain to the Commissioner of Data Protection. However, certain rights of data subjects provided by the GDPR are not specified in the AIFC Regulations, including the right to data portability and provisions related to objections against profiling and automated decision-making. 

The GDPR places restrictions on the transfer of personal data to countries outside the EEA that do not have adequate data protection regulations, and it provides for mechanisms such as standard data protection clauses to facilitate lawful data transfers. The AIFC Regulations also have provisions relating to data transfers and these take into consideration the legal and economic relationship between the AIFC and other countries. Personal data cannot be transferred outside the AIFC unless an adequate level of protection is provided in that jurisdiction. Schedule 2 of the AIFC Rules provides a list of jurisdictions with adequate protection, including 32 countries, mostly located in Europe. Transfer to other jurisdictions is allowed in cases similar to those provided for by the GDPR. 

Data controllers must create and maintain records required under the AIFC Rules and notify the Commissioner about operations related to personal data processing, and the Commissioner is responsible for maintaining a Register of Notifications. 

Message for employers

Failure to comply with these legal requirements may result in fines. Schedule 3 of the AIFC Rules specifies the maximum fines imposable for contraventions of the AIFC Regulations. For giving misleading or false information to the Commissioner, the maximum fine is USD 5,000. For processing sensitive personal data in contravention of a condition of the permit, the fine is USD 10,000. For a transfer to a jurisdiction without adequate protection, the maximum fine is USD 20,000. A maximum fine of USD 25,000 may be imposed for failure to comply with a direction issued by the Commissioner. 

In recent years, there have been a number of well-publicised cases of violation of personal data protection requirements. If employers demonstrate a commitment to data protection and compliance with relevant rules (including the rules applicable in the AIFC), it will enhance trust among employees, clients, and partners and reduce the risk of liability for violations. It will also showcase the organisation’s dedication to respecting privacy, which will positively impact its reputation. 

Yekaterina Khamidullina
Partner - Kazakhstan