
Data protection compliance: an essential guide from Kazakhstan, Russia and Ukraine

In this guide, Ius Laboris lawyers from Russia, Kazakhstan and Ukraine provide a detailed survey of data protection law and how it is enforced in their jurisdictions.


Kazakhstan

What information is defined as personal data?

Personal data means information relating to a data subject who is identified, or can be identified, on the basis of that information, recorded on an electronic, paper or any other tangible medium. Personal data includes full name, residential address, information on citizenship, date of birth, information on education, marital status, biometric data, individual identification number, etc. The source, or subject, of personal data can only be an individual (natural person).

The law defines two types of personal data: public and restricted. Public personal data is data treated as such either by Kazakh legislation (for example, the name of an individual entrepreneur, or a name, place and date of birth held within state statistical records) or by virtue of the individual's consent to its use in a publicly available manner.

The personal data protection laws do not contain an exhaustive list of restricted personal data, but oblige a person collecting personal data for its own needs to draw up and approve a 'List of Personal Data Required and Sufficient for Achievement of the Objectives Pursued by an Owner and/or Operator'.

Do data protection laws in Kazakhstan apply to foreign companies?

The requirement to localize personal data applies only to persons carrying out their activities in Kazakhstan. The data protection laws apply to foreign companies doing business in Kazakhstan through dependent agents (for example, distributors), even without the establishment of a local legal entity, representative office or branch.

Are there any local data storage/localization requirements in Kazakhstan?

The Law imposes a direct obligation on the owner or operator of a personal data database to store personal data in a database located in Kazakhstan. The owner of a database containing personal data is the person who collects the data, uses the database in its business activities and has the right to dispose of the database at its own discretion. Database operators are persons who use databases in their activities with the owner's consent, or who render data storage or processing services to the owner. Kazakhstan citizens' personal data must be stored primarily in Kazakhstan. It may be transferred to other states only subject to compliance with the database localization requirement and the need to ensure appropriate protection of the personal data.

How is the use of cookies and other tracking technologies regulated from the data protection perspective?

Processing of personal data using tracking technologies is governed by the general rules of Kazakh law: there are no specific regulations in this regard. Cookies are treated as electronic information resources containing restricted personal data, so local information laws govern their protection. Owners and possessors of information systems must take measures to protect cookies containing personal data from the moment they are accessed until they are destroyed or anonymized.

Are there any local privacy policy requirements in Kazakhstan? How can global policies (e.g., GDPR-based) be implemented locally?

Owners and/or operators, and third parties that have access to restricted personal data, must ensure its confidentiality by preventing distribution of such data without the consent of the data subject (or his/her legal representative) or another legal ground. In this sense, implementing a local privacy policy serves as a basic measure for the protection of personal data.

Kazakh legislation does not provide a legal mechanism for implementing global personal data policies (e.g., GDPR-based policies); however, Kazakhstan follows the general principles of personal data protection. From a practical perspective, it is possible to implement a global policy locally, provided that it is reviewed against Kazakh legal requirements and translated into Russian or Kazakh.

Are there any requirements relating to data disclosures/transfers to the third parties?

Transfer or disclosure of personal data to a third party is only allowed with the consent of the individual or his/her legal representative. Kazakh law provides for a number of cases where personal data may be transferred without the individual's consent (in the course of the activities of law-enforcement authorities and courts, enforcement proceedings, state statistical activities, etc.).

Are there any specific requirements relating to personal data processing performed for direct marketing purposes?

Personal data processing for direct marketing purposes is not directly regulated by Kazakh legislation; however, under the general rules it is allowed only where the requirements on protecting the rights and freedoms of individuals in the collection and processing of personal data are met (the individual's consent must be obtained, the purpose limitation principle must be observed, etc.).

Are there any other data protection/privacy requirements that companies in Kazakhstan must comply with?

In order to delimit the scope of 'personal data' being processed, each legal entity must draft and approve the list of personal data required and sufficient for attaining the objectives pursued.

What data protection/privacy rights do individuals enjoy in Kazakhstan?

Individuals enjoy the rights to:

  • know that an owner and/or operator, or a third party, holds their personal data, and receive information on the fact, purpose, sources and methods of collecting and processing the personal data, the list of personal data held, and the term of processing, including the storage term;
  • request that an owner and/or operator change or supplement the data subject's personal data where there is a basis to do so, verified by relevant documents;
  • request that an owner and/or operator, or a third party, block and destroy the data subject's personal data that was collected and processed in violation of Kazakh legislation;
  • withdraw consent to the collection and processing of personal data;
  • give or refuse consent to an owner and/or operator for distribution of the data subject's personal data in public sources;
  • seek protection of their rights and legitimate interests, including claiming compensation for reputational and material damage suffered; etc.


What are the sanctions for non-compliance with data protection laws?

Kazakh law does not set out a specific sanction for failure to comply with the localization requirement. However, such a failure may constitute the general offence of unlawful processing of personal data or failure to comply with security requirements. This entails administrative fines of up to 1,000 Monthly Calculation Indices ('MCI') and, in some cases, confiscation of the tools used for the unlawful processing. The MCI is an index used in Kazakhstan to calculate various social payments, penalties and the like; one MCI is currently valued at KZT 2,778 (approx. USD 7), so the maximum administrative fine is currently about USD 7,000.

There is also criminal liability for data protection offences (e.g., where failure to comply with the requirements causes substantial damage). Applicable penalties include criminal fines, imprisonment, restriction of liberty, corrective labour or community service, and disqualification.



Ukraine

What information is defined as personal data?

Personal data is defined as information, or a set of information, about an identified data subject or a data subject who can be specifically identified. The data subject's full name, individual tax number and residential address, taken together or separately, are usually treated as personal data. A telephone number is not considered personal data unless it is combined with other data that allows the data subject to be identified with certainty. There is no guidance or court practice on technical data (IP addresses, cookies, etc.) so far. Some types of personal data are more sensitive than others: racial and ethnic origin, political and religious beliefs, membership of trade unions, political parties and religious organisations, health, sexual life, biometric and genetic data, criminal or administrative convictions, and location and route tracking. Sensitive data is afforded a higher standard of protection. It may be processed only with the data subject's explicit consent or on limited grounds provided by law. The data controller must notify the data protection authority ('DPA') each time sensitive data is collected, amended or erased.

Do data protection laws in Ukraine apply to foreign companies? 

In Ukraine, personal data processing is governed by the Law of Ukraine 'On Personal Data Protection' dated 1 June 2010, No. 2297-VI, as well as the regulations and guidance issued by the DPA. The law is silent on its territorial scope. There is no test or set of applicability criteria defining whether the processing of personal data is governed by Ukrainian law at the moment the data is collected. In practice, however, data protection laws apply on a territorial basis, i.e., to Ukrainian legal entities and local branches/representative offices.

Are there any local data storage/localization requirements in Ukraine? 

There are no data localization requirements in Ukraine applicable to companies doing business in Ukraine. However, there is one requirement that is de facto construed as a local data storage requirement: state authorities and local self-government bodies acting as data controllers (data owners) may assign personal data processing only to state- or municipally-owned Ukrainian enterprises.

How is the use of cookies and other tracking technologies regulated from the data protection perspective? 

There is no guidance or enforcement practice on the use of cookies. Use of tracking technologies that enable a controller to locate an individual may be considered processing of sensitive data, since such processing may entail significant risks to the individual's rights and freedoms. A data controller processing such sensitive data must implement a privacy policy, appoint a data protection officer and inform the DPA of each case of such processing.

Are there any local privacy policy requirements in Ukraine? How can global policies (e.g., GDPR-based) be implemented locally?

Formally speaking, there is no general obligation to implement a personal data processing policy: the requirement to ensure lawful and secure processing of personal data may be fulfilled in the absence of a data protection policy.

However, data controllers processing sensitive personal data must implement a personal data processing policy based on the standard policy adopted by the DPA. Foreign companies with Ukrainian subsidiaries normally incorporate the provisions of their global policies into the standard policy and thereby implement those policies in Ukraine. The scope of such a policy normally covers the processing activities of the Ukrainian office (employee data, e-mails, archive storage, etc.), while data processing on the company website hosted abroad remains governed by the global privacy policy.

Are there any requirements relating to data disclosures/transfers to the third parties?

The data controller may assign processing of personal data to a data processor. In this case, they must enter into a data processing agreement, which may be either a separate document or part of another contract. There are no requirements as to the form and content of such an agreement. In practice, companies use the standard contractual clauses for controller-to-processor transfers approved by the European Commission. Controller-to-controller assignments are not recognised by Ukrainian law, though where such transfers occur the respective standard contractual clauses are also used. There are no special or simplified rules for intra-group data transfers.

Are there any specific requirements relating to personal data processing performed for direct marketing purposes?

Ukrainian law does not lay down any specific requirements governing the privacy of electronic communications (e-privacy), so direct marketing (including digital marketing) and the related processing of personal data are mostly regulated by general data protection requirements. As regards legal grounds, the individual's consent and the data controller's legitimate interests (subject to a balancing of interests) are the applicable ones. In the absence of e-privacy regulation there are no opt-in or opt-out (unsubscribe) requirements for direct marketing; as a result, there is no common practice, and companies in Ukraine follow different approaches.

Are there any other data protection/privacy requirements that companies in Ukraine must comply with?

There are two significant data protection requirements that companies in Ukraine must comply with:

Firstly, data controllers must inform the DPA of the appointed data protection officer (including full name, job position, telephone number and e-mail address).

Secondly, data controllers that process sensitive personal data must inform the DPA, in writing or electronically, of every processing operation involving sensitive personal data. This second obligation is quite onerous, and it is rarely complied with.

What data protection/privacy rights do individuals enjoy in Ukraine? 

Individuals are entitled to: request information about the processing of their personal data and access to that data; object to the processing of their personal data; request correction or erasure of their personal data; protection of their personal data from any unlawful processing and disclosure; withdraw consent to, or raise a reservation regarding, personal data processing based on such consent; and know the mechanism of automated processing. If individuals are not satisfied with the controller's data processing practices, they can lodge complaints with the data protection authority, the National Police or a court.

What are the sanctions for non-compliance with data protection laws? 

Ukrainian law sets out administrative and criminal liability for company officials who fail to comply with data protection laws. Administrative liability includes fines of up to UAH 34,000 (approx. USD 1,250), which are imposed by the DPA following state data protection audits. Criminal fines of up to UAH 17,000 (approx. USD 625), or imprisonment of up to 5 years, may be imposed only by a court, which implies prior investigation of the case by the National Police. To date, there have been no criminal convictions for violations of data protection laws. There are no specific liability rules or enforcement practice against foreign companies.



Russia

What information is defined as personal data?

Personal data is defined as any information relating to a directly or indirectly identified or identifiable individual (data subject). In practice, the notion of personal data is construed broadly, so that, together with information traditionally treated as personal data (such as name, contact details, etc.), it may also include certain technical data (e.g., information processed using cookies) and other data.

Additionally, Russian law distinguishes special categories of personal data (i.e., data relating to race, national origin, political views, religious and philosophical convictions, intimate life, health and criminal convictions) and biometric personal data (i.e., data relating to an individual's physiological and biological characteristics that enables, and is used for, the individual's identification). Processing of such data is subject to specific legal rules in terms of the applicable legal grounds and security.

Do data protection laws in Russia apply to foreign companies? 

Basically, Russian data protection laws apply on a territorial basis, i.e., to Russian legal entities and to branches/representative offices of non-Russian legal entities. However, they may also apply to companies without such a Russian presence that process personal data on websites/apps targeting a Russian audience. Although the targeting test is not formalised in Russian law, it is widely applied by local authorities and courts as a matter of practice. It involves examining such diverse signs as registration in the Russian domain zone, the existence of a Russian-language version of the website/app, the possibility of arranging delivery of products to Russia, etc.; the list is not exhaustive, so the signs are analysed on a case-by-case basis.

Are there any local data storage/localization requirements in Russia? 

Since 1 September 2015, data controllers have had to ensure that certain operations on Russian citizens' personal data are performed in a database located in Russia once such data is collected. There are a number of legal exceptions, but they are quite narrow and therefore rarely applied. In practice, meanwhile, the localization requirement may be construed in a way that allows companies not to localize the data in certain circumstances, for example where the company acts purely as a data processor; whether such an exception applies must be determined on a case-by-case basis.

How is the use of cookies and other tracking technologies regulated from the data protection perspective? 

Russian law does not set out any specific rules on the use of cookies and similar tracking technologies; the general rules apply. Their use must be transparently described in a dedicated section of the Privacy Policy or in a separate Cookie Notice. As for legal grounds, an individual's opt-in consent should be requested for such use. However, it is feasible to rely on alternative legal grounds (e.g., contractual necessity, legitimate interest) for cookies strictly necessary for the functioning of a website.

Are there any local privacy policy requirements in Russia? How can global policies (e.g., GDPR-based) be implemented locally? 

Each data controller must create and maintain a document setting out its personal data processing policy. The document must cover all aspects of data processing, including the scope of personal data processed, processing purposes, retention periods, etc. It must be drawn up in Russian and comply with the legal requirements and the data protection authority's ('DPA') recommendations on content. The policy must be made available to the individuals concerned: in particular, it must be communicated to employees against their wet signatures and posted on a website/app where data is processed on that website/app. It is possible to implement a global privacy policy in Russia; however, such a policy must be reviewed from the Russian data protection perspective, and the necessary updates may be reflected directly in the document or attached as a Russian addendum to the global policy. Alternatively, Russian and global policies may be implemented in parallel, with priority given to the Russian policy.

Are there any requirements to data disclosures/transfers to the third parties? 

Data disclosures must be described in the controller's policy, and there must be an appropriate legal ground for them. For cross-border disclosures, the available legal grounds vary according to the adequacy of the recipient country's data protection legislation and practice. In addition, disclosures must be formalised by entering into a data processing agreement. Formally, the law lays down the material terms only for agreements concluded for a controller-to-processor assignment; in practice, however, similar terms are included in controller-to-controller agreements. There are no simplified or specific rules for intra-group disclosures.

Are there any specific requirements relating to personal data processing performed for direct marketing purposes? 

Processing personal data for direct marketing purposes requires the individual's prior opt-in consent. Each marketing communication must contain a link allowing the individual to withdraw this consent (unsubscribe), or information on how this can be done. Once an individual unsubscribes, the data controller must immediately stop direct marketing communications and the related data processing; the law provides no grace period.

Are there any other data protection/privacy requirements that companies in Russia must comply with?

There are some additional obligations under Russian data protection law, in particular the implementation of security measures, the appointment of a data protection officer and registration with the DPA. Unlike in the EU, there is no general obligation in Russia to notify the DPA or the data subject of a data breach. However, such an obligation is likely to be introduced into Russian law following the recent modernisation of Convention 108 (Convention 108+).

What data protection/privacy rights do individuals enjoy in Russia? 

Individuals are entitled to withdraw their consent, to access their personal data, to request that incomplete, inaccurate, outdated or misleading data be corrected, and to request that the data controller stop processing and destroy data that is excessive or processed unlawfully. At present, Russian law does not provide for a data portability right. Where individuals are not satisfied with a data controller's privacy practices, they can lodge complaints with the DPA or a court.

What are the sanctions for non-compliance with data protection laws? 

Privacy-related violations may entail administrative fines, which vary according to the type of violation. Separate fines are imposed for different types of violation and, in some cases, multiple fines may be imposed per breach (e.g., per data subject where the necessary consents are absent). In general, fines are up to RUB 75,000 (approx. USD 1,000). However, higher fines may be imposed for direct marketing violations (up to RUB 500,000, approx. USD 6,800) and for localization violations (up to RUB 6,000,000, approx. USD 81,400, for a first offence and up to RUB 18,000,000, approx. USD 244,200, for a repeat offence). Moreover, unlawful data processing practices may entail forced termination of the processing activities concerned and blocking of the website/app where they relate to processing on that website/app.

Anton Alexeyev
Associate - Kazakhstan
Oleksandr Melnyk
Associate - Ukraine
Vasil Kisil & Partners
Oksana Voynarovska
Partner - Ukraine
Vasil Kisil & Partners
Maria Ostashenko
Dmitry Simbirtsev
Senior Attorney
