Kazakhstan LPDP

Law on Personal Data and Its Protection (No. 94-V)

Flag of KZ
KazakhstanOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2013
Enacted
May 21, 2013
Enforcing Authority
Ministry of Digital Development. Prosecution Authorities supervise compliance. No dedicated independent DPA.
Consent Model
Opt-in
Applies To
Government and private sector entities processing personal data in Kazakhstan

Overview

Kazakhstan's LPDP requires written consent before processing personal data and mandates data localization within Kazakhstan. A massive 2025 data breach affecting 16 million individuals — the largest in the country's history — has prompted proposals for criminal liability for mass leaks and significantly increased fines.

What This Means for Your Website

  • Written consent is required specifying the operator, duration, transfer permissions, and data categories
  • Personal data must be stored within Kazakhstan (data localization requirement)
  • Breach notification to authorities is required within 1 business day
  • The 2025 data breach has prompted proposals for significantly stronger penalties
  • Cookie consent is not specifically regulated but general consent requirements apply

Key Requirements

The Ministry of Digital Development oversees compliance with no dedicated independent DPA. Administrative fines range from 50-300 MCI (~USD 577-3,500). Criminal penalties include up to 5 years imprisonment. The 1-business-day breach notification and data localization requirements create significant operational obligations.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Kazakh visitors meeting the written consent specification requirements.

Penalties

Administrative: 50-300 MCI (~USD 577-3,500). Criminal: 400-2,000 MCI, up to 5 years imprisonment. Proposed: criminal liability for mass leaks.

Key Requirements

  • Written consent required specifying operator, duration, transfers, and data categories
  • Data localization: personal data must be stored within Kazakhstan
  • Breach notification to authorities within 1 business day
  • Data retention only until processing purposes fulfilled
  • Legal, organizational, and technical protection measures required

Notable Provisions

  • 16 million individual data breach in 2025 — largest in Kazakhstan history
  • Proposals for criminal liability for mass leaks following breach
  • Data localization requirement
  • 1-business-day breach notification
  • No dedicated independent DPA

Other Central Asia Regulations

Uzbekistan PDLUzbekistan
Uzbekistan's 2019 law requires explicit consent for data collection, third-party provision, and cross-border transfers. Presidential Decree PP-153 (April 2025) marks a shift toward practical enforcement with compulsory breach notifications in the financial sector. A new AI regulation bill is under parliamentary review.
Kyrgyzstan Law 58Kyrgyzstan
Kyrgyzstan's 2008 law provides a basic data protection framework. The May 2025 amendment introducing administrative liability for violations represents a significant step, as previously the law lacked effective penalty mechanisms. Enforcement is still minimal but growing.
Tajikistan Law 1537Tajikistan
Tajikistan's 2018 data protection law provides a framework for personal data processing with consent requirements. Enforcement is in its infancy with very low penalties and minimal practical enforcement activity. The President determines the authorized enforcement body.
Turkmenistan Law 519-VTurkmenistan
Turkmenistan has the weakest data protection framework among Central Asian states. No dedicated data protection authority exists, penalties are very low (120-150 EUR for administrative violations), and practical enforcement is essentially non-existent. No Central Asian state has acceded to Council of Europe Convention 108+.

Frequently Asked Questions

Does Kazakhstan require data localization?

Yes. Personal data must be stored on servers within Kazakhstan, creating a significant compliance requirement for international organizations.

What happened with Kazakhstan's 2025 data breach?

A massive breach affected 16 million individuals, prompting proposals for criminal liability for mass leaks and significantly increased penalties.

How fast must breaches be reported?

Within 1 business day to authorities — one of the fastest notification requirements globally.

Stay compliant with Kazakhstan LPDP

ConsentStack helps you implement Opt-in consent for Kazakhstan automatically.

Get started free