InfoHub Logo

New entrepreneurs in Kazakhstan are finding it difficult to escape the attention of banks and financial institutions. Shortly after registering a new business, they are inundated with calls and offers. This raises a crucial question: how do these organizations obtain personal contact details, especially when such information is not publicly listed on the eGov portal?

Public Outcry Over Data Leaks

The issue gained significant attention thanks to Dmitry Kazantsev, an expert in tax and tax security. He reported receiving calls from two banks and a consulting firm within a day of registering his new company, despite not consenting to the dissemination of his contact information on the eGov portal.

Online discussions reveal widespread suspicion among citizens regarding the distribution of personal data. Some are even suggesting collective legal action. Experienced entrepreneurs note that this is not a new phenomenon, recalling similar complaints that surfaced in December 2023. At that time, a director of an LLP shared receiving unsolicited advertising offers from banks despite having made no transactions after registration.

Government Explains Data Transparency

The relevant ministry has provided an explanation, stating that company information is considered public under the law, specifically citing the Law "On State Statistics." Ministry representatives mentioned that when registering legal entities, it is recommended to provide official phone numbers.

Officials also pointed to technical malfunctions and human error as common causes for data breaches. They highlighted insufficient cybersecurity, inadequate infrastructure protection, and non-compliance with cyber hygiene standards as significant factors. The possibility of cybersecurity incidents in any information system, particularly private ones, was also acknowledged.

Financial Regulator's Stance

The Agency for Regulation and Development of the Financial Market (ARDFM) clarified that information about business leaders becomes part of state information systems upon business registration. However, they emphasized that there are limitations to the transparency of this data.

According to Kazakhstan's Law "On Personal Data and Its Protection," consent from the individual or their legal representative is required to disseminate personal data through publicly accessible sources. Regarding whether banks calling new entrepreneurs constitutes a breach of banking secrecy, the agency stated that such actions do not always fall under this definition. The regulator believes that a call to a personal number does not inherently mean protected data has been disclosed, unless it pertains to the relationship between the bank and client, account details, or other banking operations.

Expert Analysis: How Banks Access Data

Evgeny Pitolin, co-chairman of the Information Security Committee of the QazTech Alliance, suggests that direct data leaks from the eGov system might be unlikely. Instead, he posits that banks utilize legal mechanisms for data enrichment.

Pitolin explains that an individual's phone number, linked to their IIN (Individual Identification Number), becomes associated with their eGov digital profile. Upon registration, the eGov account tied to the number is used. After the certificate is issued, the leader's name enters public registries. Banks and other commercial entities can legally access these public registries. When banks identify a newly registered LLP, they "enrich" this data through their internal databases or by querying credit bureaus or telecom operators, where the IIN is linked to a phone number.

Pitolin describes this as a "complete and absolutely standard market practice," particularly within the banking sector. Banks identify potential clients from public registries and then ascertain their contact details. Legally, if a bank does not acquire stolen databases but uses legitimate sources and the client's past service history, it considers its actions lawful. However, for the client, this can feel like an invasion of privacy, as they have not given explicit consent for marketing calls.

Risks for Entrepreneurs

Beyond the annoyance of unsolicited calls, Evgeny Pitolin highlights more serious risks. If fraudsters know a business has recently been established, they might pose as bank representatives offering services, potentially tricking the entrepreneur into revealing sensitive data or money under the guise of opening an account. Furthermore, individuals lose control over who is using their personal data and for what purpose.

Practical Advice for Data Protection

Pitolin offers several practical steps for entrepreneurs to protect their information:

"It is impossible to identify the entire chain without the help of law enforcement agencies or a special audit. A lot of information is published in open registries about legal entities. Use two-factor authentication and access control. Ensure your eGov account and banking applications are reliably protected, as they are the main entry points to your data," the expert concluded.

Бұл туралы Infohub.kz ақпарат агенттігі хабарлайды.