Document from CIS Legislation database © 2003-2025 SojuzPravoInform LLC

ORDER OF THE GOVERNMENT OF THE REPUBLIC OF KAZAKHSTAN

of September 3, 2013 No. 909

About approval of Rules of implementation by the owner and (or) operator, and also the third party of measures for personal data protection

(as amended on 17-03-2023)

According to the subitem 4) of article 26 of the Law of the Republic of Kazakhstan "About personal data and their protection" the Government of the Republic of Kazakhstan DECIDES:

1. Approve the enclosed Rules of implementation by the owner and (or) operator, and also the third party of measures for personal data protection.

2. This resolution becomes effective since November 25, 2013 and is subject to official publication.

Prime Minister of the Republic of Kazakhstan

S. Akhmetov

Approved by the Order of the Government of the Republic of Kazakhstan of September 3, 2013 No. 909

Rules of implementation by the owner and (or) operator, and also the third party of measures for personal data protection

Chapter 1. General provisions

1. These rules of implementation by the owner and (or) operator, and also the third party of measures for personal data protection (further – Rules) are developed according to the subitem 4) of article 26 of the Law of the Republic of Kazakhstan "About personal data and their protection" (further – the Law) and determine procedure the owner and (or) the operator, and also the third party of measures for personal data protection.

2. In these rules the following basic concepts are used:

1) personal data – the data relating to the subject of personal data determined or determined on their basis, fixed on electronic, paper and (or) other material medium;

2) blocking of personal data – actions for the temporary termination of collection, accumulating, change, amendment, use, distribution, depersonalization and destruction of personal data;

3) collection of personal data – the actions directed to receipt of personal data;

4) destruction of personal data – actions as a result of which making it is impossible to recover personal data;

5) depersonalization of personal data – actions as a result of which making determination of accessory of personal data is impossible for the subject of personal data;

6) the base containing personal data (further – base), – set of the arranged personal data;

7) the owner of the base containing personal data (further – the owner), – the state body, the physical and (or) legal entity exercising right of possession, uses and orders of the base containing personal data according to the laws of the Republic of Kazakhstan;

8) the operator of the base containing personal data (further – the operator), – the state body, the physical and (or) legal entity performing collection, processing and personal data protection;

9) personal data protection – package of measures, including legal, organizational and technical, performed for the purpose of, established by the Law;

10) authorized body in the field of personal data protection – the central executive body performing management in the field of personal data protection;

11) personal data processing – the actions directed to accumulating, storage, change, amendment, use, distribution, depersonalization, blocking and destruction of personal data;

12) the subject of personal data (further – the subject) – physical person to which personal data belong;

13) public personal data – personal data or data to which according to the laws of the Republic of Kazakhstan requirements of maintaining confidentiality, access to which is free with the consent of the subject, do not extend;

14) personal data of limited access – personal data, access to which is limited by the legislation of the Republic of Kazakhstan;

15) the third party – person which is not the subject, the owner and (or) the operator, but related circumstances or legal relationship on collection, processing and personal data protection;

16) electronic information resources – the data in electronic and digital form containing on the electronic medium and in objects of informatization;

17) inspection of ensuring security of processes of storage, processing and distribution of the personal data of limited access containing in electronic information resources (further – inspection), – assessment of the applied security measures and protective actions when implementing processing, storage, distribution and personal data protection of limited access containing in electronic information resources.

Other concepts used in these rules are applied according to the Law and the Law of the Republic of Kazakhstan "About informatization".

Chapter 2. Procedure owner and (or) operator, and also third party of measures for personal data protection

3. No. 228 is excluded according to the Order of the Government of the Republic of Kazakhstan of 17.03.2023

4. Safety hazards of personal data are understood as set of the conditions and factors creating opportunity unauthorized including accidental, access to personal data in case of their collection and processing which result can become destruction, change, blocking, copying, unauthorized provision to the third parties, unauthorized distribution of personal data, and also other wrongful acts.

5. Personal data protection is performed by application of package of measures, including legal, organizational and technical, for the purpose of:

1) realization of the rights to personal privacy, personal and family secret;

2) ensuring their integrity and safety;

3) respect for their confidentiality;

4) realization of the right to access to them;

5) prevention of their illegal collection and processing.

6. No. 228 is excluded according to the Order of the Government of the Republic of Kazakhstan of 17.03.2023

7. It is necessary for ensuring personal data protection:

1) selection of the business processes containing personal data;

2) separation of personal data on public and limited access;

3) determination of the list of the persons which are performing collection and personal data processing or having to them access;

4) assignment of person responsible for the organization of personal data processing if the owner and (or) the operator are legal entities. Obligations of person responsible for the organization of personal data processing are specified in Item 3 of article 25 of the Law. Action of the subitem 4) of this Item does not extend to personal data processing in activity of the courts.

5) establishment of procedure for access to personal data;

6) document approval, determining policy of operator for collection, processing and personal data protection;

Warning!!!

This is not a full text of document! Document shown in Demo mode!

If you have active License, please Login, or get License for Full Access.

With Full access you can get: full text of document, original text of document in Russian, attachments (if exist) and see History and Statistics of your work.

Get License for Full Access Now

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info

Effectively work with search system

Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system

Get help

If you cannot find the required document, or you do not know where to begin, go to Help section.

In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.

You also may open the section Frequently asked questions. This section provides answers to questions set by users.

Search engine created by SoyuzPravoInform LLC.