ARTICLE
18 March 2025

Legal Principles Of Personal Data Processing

Unicase Law Firm

Contributor

Unicase is a leading law firm in Central Asia, operating both in the region and globally, including Kazakhstan, Uzbekistan, Kyrgyzstan, and Tajikistan. Unicase boasts one of the most expert teams, renowned for its capabilities in regulation and legislative development, which, combined with extensive transaction experience, enables the firm to win major development projects and remain a preferred adviser on corporate law, M&A transactions, dispute resolution, and legislation. Partners and senior lawyers at Unicase have spent a significant part of their professional careers working with leading international operators, which allows them to understand the expectations of both foreign and local clients regarding the format and content of legal consultations, making Unicase a competitive firm.
Kazakhstan Privacy

GDPR vs. Kazakhstan's DPL, Part II

Having analysed the background behind the rapid personal data regulation development over the last decade, objectives that the European and Kazakhstani legislation pursues by such development, as well as the legal notion of personal data as such, the next step of paramount importance to be taken to understand personal data's legal treatment is the review of guiding principles.

"Knowledge of some principles easily compensates for the lack of knowledge of some facts".1 In this regard, this part focuses on the differences and similarities between the principles laid down in the GDPR and the KZ DPL, with more stress put on the observance of constitutional rights and freedoms of individuals and the legality of processing, with the introduction of the consent doctrine that will be discussed in more detail in the next part.

Legal Principles of Operations with Personal Data

A legal principle is a "set of standards of behavior or judgment assumed to be just standards of behavior for a society" laying a basis for other norms to arise.2 Principles are, therefore, both norms of general application and the foundation of specific rules of behaviour. That is, principles may be applied independently and alongside particular legal provisions as a means of interpreting them. In this regard, it is important to analyse the principles laying the foundation of the GDPR and the Kazakhstan DPL to gain a deeper understanding of the underlying purpose of enactment of the relevant statutes and the application of particular provisions thereof.

The GDPR sets 6 key principles that outline the requirement of engagement with personal data. Such general rules stipulate that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (further processing requirements' specifics are to be covered at a later stage) ('purpose limitation');
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject ('storage limitation'); and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').3

Thus, GDPR sets a comprehensive foundation on the basis of which particular regulations are built. Such principles cover main aspects of interaction with personal data and proper treatment thereof during such interactions.

On the contrary, KZ DPL goes the path of priority of general legal principles and protection of personal data of limited access, providing that the collection, processing and protection of personal data are carried out in accordance with the following principles:

  • Respect for the constitutional rights and freedoms of man and citizen;
  • Legality;
  • Confidentiality of personal data with limited access;
  • Equality of rights of subjects, owners, and operators; and
  • Ensuring the security of the individual, society and the state.


Respect for the Constitutional Rights and Freedoms

The reference to the Constitution is a feature of the Civil Law system and a projection of Kelsen's Pure Theory of Law, which focused on presenting the legal system as a framework based on a grundnorm – a foundational rule of behaviour from which all other norms emanate on a 'layer' basis, creating chains of superior and inferior norms.4 Thus, the legality of inferior norms relies on the legality of superior norms, and the key superior rules originate from the constitution, which is 'the organic and fundamental law of a nation or state, which may be written or unwritten, establishing the character and conception of its government, laying the basic principles to'.5 The inclusion of a reference to the Constitution as the ultimate legislative act that has supreme legal force and direct effect throughout the territory of a state is not peculiar just to Kazakhstan. Relevant references are presented in the relevant personal data-related legislative acts of different countries, such as Italy, Spain, Russia, China, and other countries.6

In this regard, Kazakhstan, following the examples of other states, makes a reference to the Constitution, specifically the respect for the constitutional rights and freedoms of man and citizen, in order to emphasise:

  • the prevailing power of the Constitution in case of law's contradiction with KZ DPL's provisions; as well as
  • the status of the provisions of the KZ DPL as specification or elaboration on the Constitutional rights and freedoms that should also be viewed as the means for interpretation of certain rights and obligations of data subjects, operators, processors, owners, and third parties that are mentioned in the KZ DPL.


In particular, the analysis of the constitutional law enables the following conclusion to be drawn on the derivation of certain KZ DPL rules from the Constitutional norms. The Constitution provides that everyone has the right to privacy, personal and family secrets, as well as protection of their honor and dignity. Everyone has the right to privacy of personal deposits and savings, correspondence, telephone conversations, postal, telegraph and other messages. Professor Sapargaliev states that private life is an area of human activity that belongs to an individual, belongs to and is dear only to him, and therefore, according to general rules, is not subject to control by society and the state. This is a sphere of personal and non-business relationships and concerns. Personal and family secrets are part of private life, the sphere of sensitive and intimate aspects of a person's existence, and the disclosure of certain information is immoral.7 Thus, any type of personal data in Kazakhstan should be viewed and assessed from the perspective of privacy as well as personal and family secrets. For example, medical tests, marriage status, number of children, wages, or any other personal data are inevitably connected with the person's self-identification, and control over such data (sharing, disclosure, deletion or change) should completely belong to the relevant individual due to the abovementioned constitutional rules, unless the public interests of the state and people of Kazakhstan as such are affected.

Legality and Equality of Rights

The legality principle in combination with the principle of equality of rights of subjects, owners, and operators under KZ DPL corresponds to the lawfulness, fairness and transparency principle established by the GDPR. The lawfulness refers to the processing criteria that make the conduct of various operations with personal data in line with legislation. Such criteria include:

  1. Consent provision for one or more specific purposes by an individual;
  2. Necessity (a) for the performance of a contract to which the data subject is party to or (b) for requesting the data subject to provide data prior to entering into a contract;
  3. Necessity to comply with a legal obligation to which the controller is subject;
  4. Protection of the vital interests of the data subject or of another individual;
  5. Necessity (a) for the performance of a task carried out in the public interest or (b) in the exercise of official authority vested in the controller; and
  6. Necessity for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (not applicable to processing carried out by public authorities in the performance of their tasks).8


Thus, the GDPR builds the entirety of the processing lawfulness on choosing a specified ground and not altering it throughout the course of processing.9 Such an approach facilitates the process of identification of relevant purposes for processing that protects the interests of the data subject. It should be noted that the order of the grounds for processing does not represent a hierarchy10 and the controllers should focus on the appropriateness of each particular basis prior to the commencement of processing. It should be kept in mind that the grounds for processing mentioned in the GDPR are reflected in the relevant laws of member states in the same way11 as in the GDPR, or specific requirements may also be introduced12. Such an approach is reasonable as the absolute supremacy of consent would hinder the efficient functioning of the state. It does not necessarily mean that data processing conducted not in accordance with previously defined goals is impossible at all. The reasonable approach for the controller would be to receive the consent of the data subject for such alteration (expansion, substitution, or reduction of purposes). Even though the KZ DPL is silent on the requirement for the owner or operator to amend the list of collected personal data, we assume that the same legal attitude, that is the unconventional repeated consent collection rule, should be applied. Such a legal technique should ensure compliance with the equal stance and constitutional rights respect principles laid down in KZ DPL. Thus, personal data processing may be divided into two key categories, namely consent-based and consent-free processing. Such an approach is applicable to both GDPR and KZ DPL.

Consent-Based Processing

The most widespread requirement for private enterprises in relation to collection, storage, processing and conducting other actions towards personal data is prior obtainment of consent. This requirement stems from the right to privacy mentioned in the first part of the series of articles that can be viewed here. If an individual is a person that ultimately holds control over his personal data due to the absolute prevailing of his interests of knowing and possessing relevant information compared to any third party.

Considering that, it should always (almost always) be up to the individual to decide:

  1. Which data (about himself) to share;
  2. With whom to share the data; and
  3. For what purposes the sharing is conducted.

Such a logic of consent provision is a product of the civil law system doctrine of agreement and general principles of law as such. Certain authors argue that the "consent" doctrine originates from "agreement" and "unanimity" concepts signifying the establishment of legal relationship between 2 persons leading to emergence of corresponding subjective rights and obligations.13 That is, an individual being a personal data subject 'transfers the control' over his data to an owner or operator for the obligation of that person to ensure the safety of such data and use within the frameworks that the individual agrees to. Even though such logic is applied both by Kazakhstani and EU legislators, the KZ DPL does not provide for certain requirements to the consent as such, including but not limited to (1) the definition of the consent, (2) the ways of its provision, and general characteristics of a proper consent. The EU law, on the other hand, regulates these issues.

As for the definition, in the EU law the consent (for personal data regulation purposes) is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". That is, the validity of the consent is achieved by the observance of the following key characteristics:

  1. freedom in provision;
  2. specificity;
  3. informed data subject; and
  4. unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.14

So it is important to go through each of the requirements to understand the legislator's position on each of them and their application in practice. Such analysis is done in the next part of the series of articles.

Footnotes

1 Helvétius, C. A. (1758). De l'Esprit (On the Mind). Book III, Chapter I.

2 Jordan Daci, 'Legal Principles, Legal Values and Legal Norms: Are They the Same or Different?' (2010) Academicus International Scientific Journal MMX, 110 https://doi.org/10.7336/academicus.2010.02.11.

3 GDPR, Article 5.

4 Kelsen Hans, General Theory of Law and State (Wedberg's translation of 1945), page 56.

5 Black's Law Dictionary, 2nd Ed., The Law Dictionary. Available at https://thelawdictionary.org/?s=constitution.

6 Italian Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003 ("IPDPC"), Preamble, Article 1.

Federal Law of 27 July 2006 N 152-FZ (as amended on August 8, 2024) "On Personal Data", Russia, Article 4.

Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales, Preamble, Article 1, Article 79.

Personal Information Protection Law, People's Republic of China, Article 1.

7 Sapargaliev G.S. Scientific and legal commentary on the Constitution of Kazakhstan, 2nd edition, Zhety Zhargy publishing house, Article 18, available at https://online.zakon.kz/Document/?doc_id=1018028&pos=4;-87#pos=4;-87.

8 GDPR, Article 6. Recital 40, GDPR.

9 DRĂGHICI, A., & IANCU, D. THE PRINCIPLE OF LAWFULNESS, FAIRNESS AND TRANSPARENCY IN THE PROCESSING OF PERSONAL DATA. EDITORIAL BOARD, 162, page 163.

Ruxandra Sava, GDPR pe înțelesul tău. Sinteză teoretică și recomandări practice (Bucharest: Universul Juridic, 2019), page 61.

10 DPC, Guidance Note: Legal Bases for Processing Personal Data, Page 3.

11 Please see Article 5 of the "Data Protection" Act of 6 January, 1978 (Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties) of France.

12 Please see Section 23, Section 26, Section 27, and others of Federal Data Protection Act of 30 June 2017 of Federal Republic of Germany (Federal Law Gazette I p. 2097), as last amended by Article 10 of the Act of 23 June 2021 (Federal Law Gazette I, p. 1858; 2022 I p. 1045).

Part II of the IPDPC.

13 Prasetyo, T., & Mamangkey, J. Y. S. (2024). The essence of consent in the personal data protection law: Perspective of dignified justice theory. The International Journal of Social Sciences World, 6(1), 153–161, p 154. https://doi.org/10.5281/zenodo.11181783

14 Article 29 Data Protection Working Party. (2018). Guidelines on consent under Regulation 2016/679 (WP259 rev.01). European Commission, page 5. Retrieved from http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
