Data Privacy In Kazakhstan's Astana International Financial Centre

• Published date: 16 January 2024
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: Ius Laboris
• Author: Yekaterina Khamidullina

In this article, we take a look at data privacy law as it applies in the Astana International Financial Centre (AIFC), which was officially launched in 2018. The AIFC is a territory within Astana, the capital of Kazakhstan, where a special legal regime applies to the financial sector. The data privacy law applicable in the AIFC is most closely aligned with the EU's General Data Protection Regulation (GDPR).

The AIFC provides a favourable environment for companies registered there. It aims to attract investment in the Kazakhstan economy, develop local capital markets and engender the production of goods and services. As of 8 December 2023, 2,390 companies were registered with the AIFC.

The AIFC Data Protection Regulations (AIFC Regulations) and the AIFC Data Protection Rules (AIFC Rules) ensure personal data protection in the AIFC. Both Acts were adopted after the GDPR and are significantly closer to the GDPR than the Law on Personal Data that is applicable in Kazakhstan. The AIFC Acts on data protection are administered by a Commissioner of Data Protection.

Note that under the system of AIFC legislation, the current law of Kazakhstan applies to the extent not regulated by the AIFC Constitutional Law and AIFC acts. Therefore, employers registered in the AIFC must take into account the Kazakhstan Law on Data Protection and other Kazakhstan legislation that might apply to the extent not regulated by the AIFC-specific data protection laws discussed below.

What is similar to the EU's GDPR?

Like the GDPR, the AIFC Regulations provide certain key principles of personal data processing, including lawfulness, fairness, accuracy, data minimisation, purpose limitation, storage limitation and security. The grounds for legitimate processing provided by the AIFC Regulations are not much different from those provided by the GDPR.

What is considered 'sensitive personal data' under the AIFC Regulations is also similar to that described in the GDPR. Sensitive personal data include data related to health or sexual life, trade union membership, philosophical or religious beliefs, political opinions or affiliations, criminal records, ethnic or racial origin and community background. A data controller must not process sensitive personal data unless either the data subject has consented to the processing or certain other situations apply, and generally these are similar to those set out in the GDPR.

What is different from the EU's GDPR?

A distinguishing feature of the AIFC is...