Recently, many stores have begun rewarding their customers with bonuses in the form of cumulative or discount cards, for which you are asked to fill out a form, questionnaire or other document in which you leave your personal data. Have you ever thought about what happens to your data afterwards: whether the store is authorised to collect and store the data provided, what becomes of it, and what risks you face?
If not, this article will help you control the collection and distribution of your personal data.
In accordance with sub-paragraph 2 of Article 1 of the Law of the Republic of Kazakhstan No. 94-V dated 21 May 2013 “On Personal Data and Their Protection” (the “Law”), personal data comprise information belonging to a personal data subject defined or to be defined on their basis, recorded on electronic, paper and (or) other tangible media.
The Law does not provide a specific list of personal data. In practice, personal data has come to mean such information as: surname, first name, patronymic, date and place of birth, individual identification number, number of identity document, family and social status, property, education and other personal information by which a person can be identified. Accordingly, it can be any information about a person.
In the Republic of Kazakhstan, the collection and processing of personal data is carried out only with the consent of a person or his/her legal representative, except as provided for in Article 9 of the Law, for example, performing activities of law enforcement agencies and courts, enforcement proceedings, state statistical activities, implementation of international treaties ratified by the Republic of Kazakhstan, and other grounds mainly for the use of personal data in the public interest.
When providing your personal data, it is recommended that you carefully study the documents that you are filling out. Usually, the owner of a database containing personal data, i.e. a state body, an individual and (or) a legal entity, in our case – the store to which you grant the right to own, use and manage your personal data (hereinafter – the “Database Owner”) specifies the purpose of their collection.
For example, in the document you filled out, the Database Owner specified the grounds for data collection as ‘keeping its consumers informed via communication means about any changes in the product line, new products or services’. Accordingly, you give the Database Owner the right to store and use your data, but not to distribute them. This means that the Database Owner has no right to publish, transfer or distribute your data without your consent. Moreover, the Database Owner is obliged to ensure the protection of personal data.
Failure to comply with measures to protect personal data entails administrative and criminal liability.
Employment relations represent a widespread example of transferring personal data without the consent of an individual to whom these personal data are related. When concluding an employment contract, an employee automatically grants an employer the right to use his personal data, but only within the framework of the legislation of the Republic of Kazakhstan, according to which the employer is obliged to transfer the employee’s personal data to state bodies, for example, when submitting reports to labor and social security agencies, for keeping record of persons liable for military service or at the official request of law-enforcement agencies.
Employers regularly deal with bank employees or other third parties who request, by telephone, the personal data of employees or confirmation of their place of work, length of service or wage. This information cannot be transferred without the written consent of the employee. Therefore, the employer does not have the right to distribute the personal data of employees without their written consent, unless it is prescribed by the legislation of the Republic of Kazakhstan.
Madina Raspayeva, Senior Lawyer of MinTax LLP, I Category Tax Consultant, in her article considers issues relating to personal data and their protection.