Data protection & privacy laws in Kazakhstan (2026)

Law No. 94-V of 21 May 2013 'On Personal Data and Its Protection' is the principal statute, covering collection, processing, storage, and cross-border transfer of personal data. The most recent amendment is Law No. 211-VIII of 16 July 2025, which enters into force 60 calendar days after first official publication.

The Ministry of Digital Development, Innovations and Aerospace Industry (MDDIAI) is the designated data protection authority. It issues guidance, performs compliance oversight, and since the 2024 amendments may conduct unscheduled inspections. The Prosecutor's Office retains parallel supervisory powers.

Effective 1 July 2024, owners and operators of personal data must notify the MDDIAI within one working day of detecting a personal data security breach, including the contact details of the data processing officer. Collecting and processing physical copies of identity documents was simultaneously prohibited.

Operators must maintain databases containing 'restricted personal data' on servers physically located in Kazakhstan. Cross-border transfers are permitted only to countries ensuring adequate protection, or based on data-subject consent, an international treaty, or specific public-interest grounds.

Consent of the data subject is the primary lawful basis for processing. It must be given in written or electronic form. Other permitted bases include performance of a contract, legal obligations, and protection of vital interests, but the law is less detailed on alternative bases than the GDPR.

Entities registered in the Astana International Financial Centre are subject to the AIFC Data Protection Regulations and Rules — a separate framework closely modelled on the GDPR, including data-minimisation, purpose-limitation, storage-limitation principles, and rights to erasure and rectification. A dedicated AIFC Commissioner for Data Protection handles complaints within the AIFC.