If your company handles personal data of Kazakhstan citizens — employee records, customer data, user accounts — you are legally required to store that data on servers physically located within Kazakhstan. This requirement is embedded in Kazakhstani law, monitored by a government authority, and enforced through administrative penalties.
Here is what the law requires, who it applies to, and how to achieve compliance in practice.
The legal basis
The primary document is Law of the Republic of Kazakhstan No. 94-V of 21 May 2013 “On Personal Data and Their Protection” (as amended). The law governs the collection, processing, storage, and transfer of personal data.
Under the law, personal data is “information relating to a specific or identifiable natural person.” This includes: full name, individual identification number (IIN), address, phone number, email, biometric data, health information, financial details — essentially any data that can identify a specific individual.
The supervisory authority is the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (MCRIAP). The ministry maintains a register of databases, conducts inspections, and issues enforcement orders.
The localisation requirement
Article 22 of the Law establishes that the collection and processing of personal data of Kazakhstan citizens must be carried out using databases located on the territory of the Republic of Kazakhstan.
In practical terms: the database containing personal data of Kazakhstani citizens must reside on a server physically located in Kazakhstan.
A foreign cloud provider’s infrastructure — even if accessible from Kazakhstan — does not satisfy this requirement unless the server is physically in Kazakhstan.
Who must comply
The requirement applies to personal data operators — legal entities or individuals that independently or jointly with others organise and/or carry out the processing of personal data.
In practice, this covers:
- Kazakhstani companies storing employee, client, or user data.
- Foreign companies operating in Kazakhstan and collecting data on Kazakhstani users.
- Internet services, mobile applications, and marketplaces accessible to Kazakhstani users.
- Banks, insurance companies, healthcare organisations, and telecommunications operators.
- Government bodies and organisations performing public functions.
There is no exemption by company size: the requirement applies to organisations of any scale if they process personal data.
Cross-border data transfers
The law permits cross-border transfer of personal data only under specific conditions:
- Subject consent — written consent of the individual for the transfer of their data to a specific country.
- Interstate agreement — the recipient country must ensure an adequate level of personal data protection recognised by Kazakhstan.
- Prior notification to MCRIAP of the cross-border transfer.
Important nuance: permission to transfer data cross-border does not remove the localisation requirement. A copy of data may be transferred abroad, but the primary database must remain in Kazakhstan.
Database registration
Personal data operators are required to register their databases with the supervisory authority. Registration is carried out through Kazakhstan’s e-government portal (egov.kz). The registration includes, among other things, the physical location of the database.
When registering, the operator confirms that the database is located in Kazakhstan. A discrepancy between the declared and actual location is grounds for an enforcement order and a fine.
Penalties and liability
Liability for violating personal data legislation is established by the Code of Administrative Offences of the Republic of Kazakhstan (CAO).
Key violation categories include:
- Unlawful collection and processing of personal data.
- Failure to meet requirements for the storage and protection of personal data.
- Unauthorised access to or disclosure of personal data.
- Violations of cross-border transfer procedures.
- Failure to register databases.
Fines for legal entities run into hundreds and thousands of Monthly Calculation Indices (MCI). Beyond fines, the supervisory authority may issue an enforcement order, restrict access to a resource, or initiate a block.
Since 2022, MCRIAP has stepped up enforcement: the number of inspections and orders has increased. Major international platforms have received demands to localise their data.
How a Kazakhstani data center helps achieve compliance
The most direct path to meeting the localisation requirement is placing servers or databases in a commercial data center on Kazakhstani territory.
Colocation in a Kazakhstani DC provides:
- Documented physical location. The DC contract records the equipment’s address, which serves as direct proof of compliance during an inspection.
- Auditability. A certified DC provides documents for regulators: SOC reports, placement certificates.
- Reliability and continuity. A Tier III/IV data center guarantees 99.982–99.995% uptime, ensuring uninterrupted data access.
- Physical security. CCTV, access control, perimeter protection — infrastructure-level security covers the law’s physical protection requirements.
Companies using cloud infrastructure have two options: choose a cloud provider with a Kazakhstani region (if one exists), or migrate databases to colocation in Kazakhstan while keeping the rest of the infrastructure in the cloud.
Practical steps to compliance
- Inventory. Create a register of all databases containing personal data of Kazakhstani citizens. Determine their physical location.
- Risk assessment. Identify databases stored outside Kazakhstan.
- Migration. Move the relevant databases to servers in Kazakhstan — via colocation or Kazakhstani cloud.
- Registration. Register (or update the registration of) databases with MCRIAP, specifying the actual Kazakhstani address.
- Documentation. Retain DC contracts, placement certificates, and technical documentation — for presentation during an inspection.
Frequently asked questions
Does the requirement apply to data on foreign nationals using a Kazakhstani service?
The law applies to personal data of Kazakhstan citizens. Data on foreign nationals is not subject to this localisation requirement, though it may be regulated by the applicable foreign law.
Can data be stored in a foreign cloud if the provider agrees to comply with Kazakhstani requirements?
No, if the physical server is not in Kazakhstan. A provider’s contractual agreement to comply with Kazakhstani law does not substitute for the requirement that the database be physically located in Kazakhstan.
Is keeping a backup copy in Kazakhstan sufficient when the primary storage is abroad?
Under the current interpretation of the law — no. The primary database must be in Kazakhstan. Backup copies abroad may be permissible under cross-border transfer rules, but do not substitute for localisation of the primary storage.
How does MCRIAP find out where data is located?
At the point of database registration, the operator self-declares the location. Additionally, MCRIAP conducts scheduled and unscheduled inspections, processes user complaints, and works with internet providers to monitor cross-border data flows.
How quickly must a violation be remedied after an enforcement order?
The order specifies the remedy deadline, typically 30 to 90 days. Systematic violations or failure to comply with an order can result in resource blocking.
Looking for a data center in Kazakhstan to meet localisation requirements? Learn about colocation at Akashi — Central Asia’s first Tier IV data center, located in Astana.