Unofficial translation
Footnote. Abolished by the Decree of the Government of the Republic of Kazakhstan dated 07/13/2023 No. 559 (effective from the date of its first official publication)In accordance with Subparagraph 3) of Article 26 of the Law of the Republic of Kazakhstan dated May 21, 2013 “On personal data and their protection”, the Government of the Republic of Kazakhstan hereby DECREES AS FOLLOWS:
1. To approve the attached Rules for determining the list of personal data by owner and (or) operator necessary and sufficient for fulfillment of their tasks.
2. This Decree shall come into force on November 25, 2013 and shall be subject to official publication.
The Prime Minister of the Republic of Kazakhstan |
S. Akhmetov |
Approved by the Decree of the Government of the Republic of Kazakhstan No.1214 dated November 12, 2013 |
Rules for determination of the list of personal data by the owner and (or) operator, necessary and sufficient for performance of tasks carried out by them
Footnote. The Rules - as amended by the Decree of the Government of the Republic of Kazakhstan dated 18.01.2021 No. 12 (shall be enforced upon expiry of ten calendar days after the date of its first official publication).
Chapter 1. General Provisions
1. These Rules for determination of the list of personal data by the owner and (or) operator, necessary and sufficient for performance of tasks carried out by them (hereinafter referred to as the Rules) have been developed in accordance with Subparagraph 3) of Article 26 of the Law of the Republic of Kazakhstan dated May 21, 2013 “On personal data and their protection” (hereinafter referred to as the Law) and shall determine the procedures for determination of the list of personal data by the owner and (or) operator, necessary and sufficient for performance of tasks carried out by them.
2. The following basic concepts shall be used in these Rules:
1) personal data - any information relating to an identified or identifiable on the basis of their personal data subject, recorded on electronic, paper and (or) other physical media;
2) collection of personal data – actions, directed to reception of personal data;
3) owner of the base containing personal data (hereinafter referred to as the owner) - the state authority, individual and (or) legal entity, exercising the right of possession, use and disposition of base, contained the personal data in accordance with the laws of the Republic of Kazakhstan;
4) operator of base, containing personal data (hereinafter referred to as – operator), - the state body, individual and (or) legal entity, carrying out collection, processing and protection of personal data;
5) authorized body in the field of personal data protection (hereinafter referred to as the authorized body)- a central executive body in charge for personal data protection;
6) processing of personal data – actions, directed to accumulation, storage, change, supplement, use, distribution, depersonalization, blocking and destruction of personal data;
7) personal data subject – individual, to whom personal data are referred.
Chapter 2. Procedure for determining the list of personal data by owner and (or) operator, necessary and sufficient for performance of tasks carried out by them
3. The owner and (or) operator shall, prior to the beginning of collection and processing personal data, perform analysis of the tasks carrying out by them with respect to the use of personal data.
When carrying out current activities, the owner and (or) operator annually re-analyze their tasks for the use of personal data, on the basis of which changes are made to the list of personal data necessary and sufficient to perform their tasks, in accordance with Paragraph 6 of these Rules.
4. On the basis of the performed analysis, the owner and (or) operator, in the form according to Appendix to this Rules, shall determine the list of personal data, necessary and sufficient for the performance of tasks carrying out by them indicating the goals of their collection and processing within the framework of tasks.
The goals are unambiguous, legal and correspond to the objectives of the owner and (or) operator..
Personal data, the content and volume of which are redundant in relation to the tasks carried out by the owner and (or) operator, shall not be included in the list of personal data necessary and sufficient to perform the tasks carrying out by them.
5. The list of personal data necessary and sufficient to perform the tasks carrying out by them shall be approved by the owner and (or) operator.
Personal data protection shall be carried out in accordance with the Rules for implementation by owner and (or) operator, as well as a third party of measures to protect personal data, approved by the Government of the Republic of Kazakhstan.
6. Based on the results of current activities, the owner (or) the operator annually makes changes and additions to the list of personal data necessary and sufficient for performance of tasks carrying out by them in accordance with the procedures prescribed by Paragraphs 3, 4 and 5 of these Rules.
Amendments and additions made to the list of personal data, necessary and sufficient for performance of tasks carried out by them, shall be valid from the moment of their approval and do not apply to relations that arose before their entry into force.
7. The owner and (or) operator shall ensure the access to the list of personal data necessary and sufficient for the performance of tasks carried out by them, by methods not prohibited by the legislation of the Republic of Kazakhstan.
Appendix Rules for determination of the list of personal data by the owner and (or) operator, necessary and sufficient for performance of tasks carried out by them |
List of personal data necessary and sufficient for performance of tasks being carried out
Item no. | Name of the task, including functions, powers, duties | Goals of collection and processing within the framework of the task being carried out | Name of personal data for a specific goal | Reference to documents or regulatory legal acts that have direct indications of the tasks carried out by the owner and (or) operator |