Data Protection and Cybersecurity

In the more than 10 years since Kazakhstan adopted legislation on personal data protection, AEQUITAS has accumulated extensive practice in this sphere.

The firm’s lawyers possess professional knowledge and solid experience in advising clients from different sectors of the economy on various issues of compliance with personal data protection legislation, cross-border transfer of personal data, and database localization. They have also drafted custom-tailored sets of personal data protection documents adapted to the business processes of specific companies. Our clients include General Electric, ExxonMobil, Chevron, Schlumberger, Caterpillar, Hewlett-Packard, Visa, ACCA, Johnson & Johnson, Polpharma, Sanofi Aventis, AstraZeneca, Boehringer Ingelheim, Ipsen, Vorwerk International, ERM Eurasia, Eurasian Group, Mundipharma, Valeant, and many other companies.

Yekaterina Khamidullina, AEQUITAS Partner and Director of AEQUITAS AIFC Branch, studied at King’s College London, where she acquired knowledge of the regulation of personal data protection, information confidentiality, GDPR, blockchain, and financial technologies. She also wrote a dissertation on a comparative analysis of the regulation of personal data protection in Kazakhstan, the Astana International Financial Centre (AIFC), and the EU (GDPR).

According to the Legal 500, AEQUITAS Partner Alexandr Chumachenko is one of the recommended and key lawyers in Kazakhstan in the sphere of corporate and commercial law and M&A. He is highly experienced in advising clients on complicated issues of personal data protection and in drafting the required documents. Alexandr has written many publications on disputable issues in, and amendments to, the personal data protection legislation.

SERVICES

  • Advising on the personal data protection laws of Kazakhstan and the AIFC.
  • Legal audit of the personal data processing and protection system: verification that the documents regulating the procedure for collection, storage (including database localization), transfer, and other types of personal data processing, and the company’s measures to ensure personal data security, comply with applicable legislation; elaboration of recommendations on how to bring the processes into compliance with requirements.
  • Analysis of the models of doing business in Kazakhstan that are most convenient for the client while properly complying with the local data protection legislation, including in the course of international circulation of various goods, digital healthcare, development and support of software for the protection of accounts, prevention of fraud and abuse, payment optimization, chargeback management, and in other practice areas involving collection and processing of personal data (including medical personal data).
  • Drafting of consents to personal data processing, cross-border transfer, and distribution of information among healthcare professionals.
  • Drafting of a mandatory set of documents on personal data of employees and other persons, including:
    • all-purpose form of consent to personal data processing;
    • personal data regulations;
    • list of personal data required and sufficient for attaining the pursued objectives;
    • list of persons who collect and process personal data on behalf of a company and have access thereto;
    • order on approval of the said documents and appointment of a person responsible for organizing the personal data processing at the company;
    • special provisions for employment and other contracts; and
    • other documents.
  • Client representation in the course of inspections conducted by authorized agencies of public authorities in the sphere of personal data protection and security.
  • Advising on the issues of cross-border transfer of personal data, drafting of agreements on processing and cross-border transfer of personal data, confidentiality and non-disclosure agreements.
  • Advising on establishing an information protection system and on the application of legal, organizational, and technical information protection means.
  • Advising and conducting training on compliance with the European legislation on personal data protection (GDPR).
  • Advising on the issues of licensing, certification, and use of information protection means, including encryption.
  • Legal assistance when violations of the personal data legislation or computer incidents are detected.
  • Advising on the issues of data processing and protection of information in the context of electronic commerce, and drafting the sets of documents that must be published on e-commerce web resources (terms of use, notice of confidentiality, and wordings of consents to personal data processing).