Since 2013, Kazakhstan has had the Law “On Personal Data and Their Protection” (No. 94-V). It has been amended several times since, and today it obliges a wide range of organisations to store personal data of Kazakhstani citizens exclusively on servers physically located in the Republic of Kazakhstan. Ignoring this law is becoming increasingly difficult: regulatory enforcement is intensifying and penalties are growing.
What the law says
The core document is the RK Law of 21 May 2013 No. 94-V “On Personal Data and Their Protection.” It is supplemented by:
- The RK Law “On Informatisation” (with 2020–2024 amendments) — governs requirements for state and quasi-state organisations.
- RK Government resolutions — detail the technical requirements for data protection.
- MCRIAP requirements (Ministry of Digital Development, Innovation and Aerospace Industry) — departmental regulations.
The key norm of the law: databases containing personal data of RK citizens must be located on the territory of Kazakhstan. This is a direct requirement about the physical location of the servers holding the data — not about the company’s jurisdiction, but about the physical address of the rack.
What counts as personal data
Under Kazakhstani law, personal data is any information relating to a specific or identifiable natural person. This includes:
- Full name, date of birth, individual identification number (IIN)
- Residential address and contact details
- Biometric data (photographs, fingerprints)
- Health data
- Financial data and transaction history
- Employment data
- Geolocation data
Any database containing even one of these fields for Kazakhstani citizens falls under the requirements of the law.
Who must comply
The requirements apply to all personal data operators — organisations and individuals that collect, store, process, or transfer personal data of RK citizens:
- Kazakhstani companies of any ownership form
- State bodies and quasi-state structures
- Foreign companies working with data of Kazakhstani citizens (including international e-commerce, subscription services, payment systems)
- Medical institutions
- Banks, microfinance organisations, and insurance companies
- Telecommunications operators
- HR platforms and staffing agencies
An important point for international business: being incorporated abroad does not exempt a company from the obligation to store data of Kazakhstani clients in Kazakhstan. If you process data of RK citizens, you are required to comply with this law.
Requirements for data storage and protection
Beyond localisation, the law sets requirements for protecting the data itself:
Technical measures:
- Encryption of databases containing personal data
- Role-based access control — only employees who need it for their work
- Logging of all operations involving personal data
- Backups, with the backup copies themselves protected to the same standard as the primary data
Organisational measures:
- Appointment of a personal data processing officer
- Development of a personal data processing policy
- Consent of the data subject for processing (written, or electronic with a digital signature)
- Notification of the data subject at the point of collection: purpose, scope, retention period
Regulator notification: Certain categories of operators are required to register personal data databases with the authorised body (MCRIAP).
Penalties for violations
Liability for violating the personal data law is established in the RK Code of Administrative Offences (fines are expressed in MCI, the monthly calculation index):
| Violation | Penalty |
|---|---|
| Unlawful processing of personal data | Fine up to 200 MCI (~KZT 550,000) |
| Violation of data protection requirements | Order, fine, suspension of operations |
| Non-compliance with the localisation requirement | Website/service blocking, licence suspension |
| Transfer of data to third parties without consent | Fine up to 500 MCI (~KZT 1,400,000) |
Beyond administrative sanctions, the Law “On Informatisation” provides for blocking resources that violate data storage requirements. MCRIAP has the authority to issue instructions to telecom operators to block websites.
Enforcement is intensifying: in 2022–2025, audits of localisation compliance became more frequent, and large Kazakhstani companies have received orders to remedy violations.
The role of a data center in maintaining compliance
The most direct way to meet the data localisation requirement is to place servers in a Kazakhstani data center whose physical address you can document — or to use colocation there.
What to look for when choosing a data center for compliance:
Documentary proof of physical location. The data center must be able to provide documents confirming the address of the facility in Kazakhstan — for your internal policies and in the event of an audit.
Security certification. ISO 27001 and comparable standards confirm that the DC operator has implemented an information security management system. This matters if your data is processed on the DC’s infrastructure, not merely stored there.
Reliability tier. Data protection requirements also mean ensuring data availability. Tier III or Tier IV certification indicates redundant power and cooling, which reduces the risk that an infrastructure failure makes the data unavailable; it complements, rather than replaces, your own backups.
Physical access logging. Who accessed the equipment and when — the DC must maintain such logs and be able to provide them on request.
Akashi Data Center in Astana is a Tier IV facility within Kazakhstani jurisdiction, designed to meet MCRIAP requirements for the information security of critical infrastructure.
What to do right now
A practical checklist for bringing infrastructure into compliance:
- Data inventory: identify which databases contain personal data of RK citizens.
- Location audit: confirm that all such databases are physically stored in Kazakhstan.
- Cloud services: for foreign clouds (AWS, Azure, GCP), verify whether they have Kazakhstani regions, or migrate RK citizen data to local infrastructure.
- Documentation: record the physical storage address in the personal data processing policy.
- Technical measures: implement encryption, access controls, and logging.
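As an added example (not from the article or from Akashi), a small Python inventory audit that applies the checklist above: it flags data stores that hold any of the personal-data categories the article lists for RK citizens and are hosted outside Kazakhstan, or that lack encryption or operation logging. The column-name hints and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Personal-data categories listed in the article, mapped to column-name hints.
# The hints are an assumption for this example; adapt them to your own schemas.
PD_HINTS = {
    "identity": ("full_name", "birth_date", "iin"),
    "contact": ("address", "phone", "email"),
    "biometric": ("photo", "fingerprint"),
    "health": ("diagnosis", "blood_type"),
    "financial": ("card_number", "iban", "transaction"),
    "employment": ("employer", "salary"),
    "geolocation": ("latitude", "longitude", "gps"),
}

@dataclass
class DataStore:
    name: str
    country: str          # ISO 3166-1 alpha-2 code of the hosting location
    columns: list
    subjects_rk: bool     # holds records about RK citizens
    encrypted: bool = False
    access_logged: bool = False

def pd_categories(columns):
    """Return the personal-data categories present among the column names."""
    cols = [c.lower() for c in columns]
    return sorted(cat for cat, hints in PD_HINTS.items()
                  if any(h in c for h in hints for c in cols))

def audit(stores):
    """Return (store name, finding) pairs for each localisation or protection gap."""
    findings = []
    for s in stores:
        cats = pd_categories(s.columns)
        if not (cats and s.subjects_rk):
            continue  # no personal data of RK citizens: outside the law's scope
        if s.country != "KZ":
            findings.append((s.name, f"personal data ({', '.join(cats)}) hosted in {s.country}, not KZ"))
        if not s.encrypted:
            findings.append((s.name, "database not encrypted"))
        if not s.access_logged:
            findings.append((s.name, "operations on personal data not logged"))
    return findings

# Constructed sample inventory for demonstration only.
INVENTORY = [
    DataStore("crm_customers", "DE", ["full_name", "iin", "email"], True, encrypted=True),
    DataStore("hr_payroll", "KZ", ["full_name", "salary", "iin"], True, encrypted=True, access_logged=True),
    DataStore("web_metrics", "US", ["page", "visits"], True),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```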
Frequently asked questions
Is a foreign business required to store data of Kazakhstani users in Kazakhstan?
Yes. The personal data law applies to all operators processing data of RK citizens, regardless of the company’s country of incorporation. International e-commerce platforms, SaaS services, and payment systems that work with Kazakhstani customers are required to comply with the localisation requirement.
What happens if data is stored abroad?
Violating data localisation requirements can lead to administrative fines, MCRIAP orders, and blocking of the website or service on the territory of Kazakhstan by a telecom operator.
Can AWS or Azure be used to store data of Kazakhstani citizens?
Only if AWS or Azure provide a region on the territory of Kazakhstan. As of 2024, major public clouds have no Kazakhstani regions — meaning personal data of Kazakhstani citizens in their standard regions formally violates the localisation requirements. The solution is colocation or placement in a local cloud inside Kazakhstan.
What data does not need to be localised?
The localisation requirement applies specifically to personal data of Kazakhstani citizens. Anonymised, aggregated, or de-identified data does not fall under this requirement. Data transferred abroad by the data subject themselves on the basis of their explicit consent is also an exception.
How does a data center help comply with the personal data law?
Colocation in a Kazakhstani DC gives you a physically documented address for your servers in Kazakhstan — directly fulfilling the localisation requirement. Additionally, a certified DC provides the technical protection measures (access control, logging, physical security) that are themselves part of the law’s requirements.
Looking for a data center in Kazakhstan to meet data localisation requirements? Learn about colocation at Akashi — a Tier IV facility in Astana with full compliance documentation.