Feb 2025

Georgia

Law Over Borders Comparative Guide: Data Protection

Introduction

Georgia’s personal data protection framework is primarily governed by the Law of Georgia on Personal Data Protection (the “Law”), enacted in 2023. The Law closely aligns with the General Data Protection Regulation (GDPR) of the European Union (EU Regulation 2016/679). Its provisions and stipulations reflect many key principles found in the GDPR, ensuring that Georgia’s regulations meet international data protection standards.

The Georgian legislation is built on several foundational principles: lawfulness, fairness, and transparency in data processing, as well as purpose limitation (processing only for specified, legitimate purposes), data minimisation, accuracy, limited storage periods, and data security. These principles ensure that personal data is processed responsibly and that individuals’ privacy rights are respected.

Oversight of data protection compliance in Georgia is entrusted to the Personal Data Protection Service (PDPS). As an independent supervisory authority, this body is empowered to investigate complaints, impose penalties for violations, and provide guidance on how the requirements of the Law shall be met, ensuring enforcement of data protection standards across the country.

1. What national laws regulate the collection, use and disclosure of personal data?

The processing of personal data in Georgia is governed by the Law, which was enacted on June 14, 2023. The Law supersedes the previous law of 2011 and introduces strengthened safeguards for the protection of personal data. Furthermore, the Law aligns itself closely with the legal framework of the European Union (EU), aiming to foster increased harmonisation. The requirements outlined in the Law are complemented by the orders and recommendations issued by the PDPS. Unlike orders, recommendations are not legally binding; instead, they serve to interpret the provisions of the Law.

2. To whom do the laws apply?

The Law protects the personal data of identified or identifiable individuals, including minors and deceased persons. It also establishes obligations for all data controllers and processors, regardless of whether they are natural persons, legal entities, or public authorities. The data controller decides the purposes and methods of data processing and is responsible for either processing the data directly or delegating it to a processor, who acts on behalf of the controller.

3. What is the territorial scope of the law?

The Law applies to data processing within the territory of Georgia, whether it is done wholly or partially by automated means. It also covers the processing of data that is not automated but forms part of a filing system or is intended to be included in one. Furthermore, it applies to data processing by a controller/processor who is not located in Georgia but uses technical means (e.g., servers) available within Georgia, unless those technical means are solely used for data transit. In such instances, foreign data controllers/processors are legally obligated to designate a duly registered local representative.

4. What acts and operations relating to personal data are regulated?

According to the Law, the processing of personal data encompasses various activities. These activities include collecting, obtaining, accessing, photographing, video monitoring, audio monitoring, organising, grouping, interconnecting, storing, altering, retrieving, requesting access, using, blocking, erasing, destroying, disclosing through transmission, publication, dissemination, or any other means of making personal data available.

5. What personal data does the law regulate?

In accordance with the Law, personal data refers to any information related to an individual who can be identified directly or indirectly. This includes but is not limited to their name, surname, identification number, location data, electronic communication identifiers, as well as physical, physiological, mental, psychological, genetic, economic, cultural, or social characteristics.

6. Are any types of personal data subject to a higher level of protection under the law?

The Law provides a higher level of protection for special categories of personal data. These include data related to a person’s:

  • race or ethnic origin;
  • political views, religious, philosophical or other beliefs;
  • membership in professional unions;
  • health and sexual life;
  • status as an accused, convicted, or acquitted person, or as a victim in criminal proceedings;
  • conviction, criminal record, diversion, recognition as a victim of trafficking, or recognition as a victim of a crime under the Law of Georgia on the Elimination of Violence against Women and/or Domestic Violence, detention, and enforcement of sentence; and
  • biometric and genetic data used for unique identification of an individual.

7. What requirements must be fulfilled in order to process personal data?

The legality of data processing is based on one of the following grounds:

  • Explicit permission from the data subject for processing data for specific purposes.
  • The requirement to fulfil or initiate a contract with the data subject.
  • The laws of Georgia mandate processing.
  • A necessity to fulfil the data controller’s legal duties and compliance with applicable laws.
  • Data is legally public or voluntarily made public by the subject.
  • The necessity to protect the vital interests of the data subject or others, including:
    • monitoring and managing epidemics; and
    • handling humanitarian crises and disasters.
  • Required to protect significant public interests.
  • Required for the performance of activities serving public interests, including:
    • crime prevention and investigation;
    • prosecution and administration of justice;
    • public safety and rule of law; and
    • information and cybersecurity.
  • Protection of the controller’s or a third party’s legitimate interests, unless overridden by the data subject’s rights.
  • The necessity to assess the data subject’s application for providing services.

Processing special category data requires additional safeguards beyond those for standard personal data. Unlike standard processing, which may rely on general consent, contractual necessity or a legal obligation, processing sensitive data requires either explicit, unambiguous written consent for specific purposes or strict legal regulation ensuring necessity and proportionality. Alternative legal bases include protecting vital interests when consent cannot be provided and processing for narrowly defined purposes such as healthcare, social security, crime prevention, cybersecurity, employment, public interest, the functioning of associations/unions, research and archiving, migration, education, protection from violence, rehabilitation, judicial acts, public procurement and child protection. These extra layers of legal regulation and limitation are designed to provide heightened privacy and protection for particularly sensitive information.

8. What obligations apply when processing personal data?

The following obligations apply to data controllers and data processors under the Law:

  • Protection of the data subject’s rights. Please refer to the answer to Question 9, below.
  • Informing the data subject. The following information shall be provided to the data subject when data is collected directly from him/her: the controller’s identity; the purpose of data processing; whether providing the data is mandatory; the legitimate interest pursued by the processing; the contact details of the data protection officer (DPO); the identity of the data recipient; data transfer details; the data storage period; and the data subject’s rights. When data is collected indirectly, controllers must provide the same information as above, plus information on what data is being processed and the source of the data.
  • Ensuring privacy by design and default. Data controllers must implement appropriate technical and organisational measures during data processing, considering new technologies, risks to individuals’ rights, and data processing principles. These measures protect data subjects’ rights and integrate data protection mechanisms. When determining the scope of data processing, storage periods, and access rights, controllers must ensure that only the minimum necessary data is processed and accessed, thereby limiting the data available to authorised individuals.
  • Ensuring data security. Data controllers and processors must implement appropriate technical and organisational safeguards to ensure lawful data processing and protect against risks such as data loss or unauthorised access. Measures such as pseudonymisation and access logging must be regularly reviewed and updated. All data operations must be documented. Employees are required to maintain confidentiality in their roles, even after their departure. Access to data should be restricted based on employee responsibilities, with measures in place to prevent misuse.
  • Registration of information and notifying the PDPS. Data controllers and processors must register detailed information on data processing, including identities, objectives, data categories, recipients, security measures, and incidents. This information must be provided to the PDPS upon request within three working days. Additionally, law enforcement-related data transfers and covert investigative actions must be reported to the PDPS within specific legal timelines.
  • Data breach notification. Data controllers must report incidents to the PDPS within 72 hours, unless the incident is unlikely to cause significant harm. The notification must include details about the incident, affected data, mitigation steps and contact details of the DPO or other contact person. Data processors must immediately notify controllers of incidents. In addition, if the incident likely poses a significant threat to human rights, the controller must immediately inform the affected data subject with information about the incident, potential damage, and mitigation steps. If direct communication is impractical, public dissemination is required. Exceptions apply if notifying the data subject compromises state or public security.
  • Carrying out a data protection impact assessment. An impact assessment must be carried out when data processing is likely to pose a high risk of violating fundamental human rights and freedoms, taking into account new technologies, the categories and volume of data, and the purposes and means of processing.
  • Obtaining and managing consent. If a controller seeks consent from a data subject in a document covering other matters, the consent must be clear and separate. Consent must be voluntary, with an option to withdraw, and data processing must stop upon withdrawal. The controller must provide an easy mechanism for withdrawing consent and must be able to prove the existence of consent in case of dispute.
  • Appointing a DPO, where applicable.
  • Appointing a special representative. Controllers/processors outside Georgia using technical means in Georgia must appoint a special representative in Georgia before data processing begins. The representative must be registered and comply with data protection requests. This obligation does not apply to controllers/processors in the EU or countries with EU-recognised data protection standards.

9. What rights does the data subject have in relation to personal data?

The data subject has the following rights under the Law:

  • Right to receive information on data processing. The data subject has the right to receive confirmation of data processing and the following information for free:
    • Data being processed, the purpose, and legal basis.
    • Source of data collection.
    • Storage period or criteria for determining it.
    • Rights of the data subject.
    • Legal basis and safeguards for international data transfers.
    • Recipients of the data and reason for transfer.
    • Results and logic of automated processing, including profiling.

The information must be provided within 10 working days of the request, extendable by another 10 days with notice.

  • Right to access and obtain a copy. The data subject has the right to access and receive copies of personal data for free, except in cases where:
    • A fee is required by law.
    • A reasonable fee is set due to resource costs or frequent requests.

The information must be provided within 10 working days of the request, extendable by another 10 days with justification.

  • Right to rectify, update, and complete data. The data subject has the right to request rectification, updating, or completion of inaccurate data. Requests must be processed within 10 working days, with reasons provided if denied.

If the controller itself detects that data is inaccurate, it must correct the erroneous data on its own initiative and notify the data subject within 10 days. Notification is not required for the correction of technical errors.

All recipients of corrected data must be informed unless impractical or too costly. This obliges recipients to rectify, update or complete data.

  • Right to terminate processing, erase or destroy data. The data subject can request termination, erasure, or destruction of data. Requests must be addressed immediately, but not later than within 10 working days, with reasons provided if denied. Requests may be denied if:
    • Legal grounds exist for processing.
    • Data processing is necessary for legal claims, free speech, or public interest research.

All recipients of the data must be informed of termination unless impractical or too costly. This obliges data recipients to terminate processing, erase or destroy data.

  • Right to block data. The data subject has the right to demand blocking of the data if:
    • Accuracy is contested by the data subject.
    • Processing is unlawful, but erasure is opposed by the data subject.
    • Data is no longer needed but required for a claim by the data subject.
    • Erasure request is under review.
    • Data is required as evidence.

Data must be blocked unless it conflicts with legal obligations, public interest, or legitimate interests.

  • Right to data transmission. The data subject has the right to receive their data in a structured format or request transmission to another controller.
  • Rights related to automated decision-making. The data subject has the right not to be subject to solely automated decisions that produce legal or similarly significant effects concerning him/her, except when:
    • Explicit consent is given.
    • It is necessary for a contract.
    • It is provided by law.

The subject can request human involvement in the decision-making process and contest the decision.

  • Right to withdraw consent. Consent can be withdrawn at any time, leading to the termination of data processing within 10 days unless another legal basis exists.
  • Right to appeal. The data subject can appeal to the PDPS, court, or administrative body if his/her rights are violated. The subject can request data blocking while an appeal is reviewed.

10. What rules regulate the sending of commercial or direct marketing communications?

Data can only be processed for direct marketing with the consent of the data subject, regardless of how the data was collected or its accessibility. Processing of any additional data, beyond name, surname, address, phone number, and email, requires the written consent of the data subject.

Before obtaining consent and during direct marketing, the controller/processor must inform the data subject of their right to withdraw consent at any time and explain how to do so.

The data subject must be able to request the termination of direct marketing data processing through the same channels used for the marketing or through other simple and accessible means; in that case, data processing shall cease promptly, and no later than seven working days after the request. The method for stopping data processing must be simple, and clear instructions must be provided. No fees or restrictions shall be imposed on the data subject for withdrawing consent.

The controller/processor must record and retain the date and details of the data subject’s consent and its withdrawal for the duration of the direct marketing and one year after it concludes.

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

Personal data can be transferred to another country or international organisation if:

  • The data processing requirements in the law are met.
  • The receiving country or organisation provides adequate safeguards for data protection and individual rights.

A list of countries and organisations with adequate protection is set by the head of the PDPS. Transfers to countries not on this list require additional legal grounds, for example: a written agreement between the data controller and the transferee; the data subject’s consent to the transfer, given after being informed of the inadequate data protection safeguards; or the necessity to protect the vital interests of a data subject who is unable to give consent to the processing of their data.

When transferring personal data in accordance with a written agreement between the data controller and the recipient, it is necessary to obtain permission from the PDPS.

12. What are the investigatory and enforcement powers of the regulator?

The PDPS is the regulatory body responsible for ensuring compliance with data protection requirements in Georgia. As an independent state agency, the PDPS is tasked with monitoring data processing activities within the country. Its primary functions include:

  • Providing consultations on data protection.
  • Reviewing data protection applications.
  • Inspecting the lawfulness of data processing.
  • Informing the public on data protection status/events and raising public awareness about data protection.

In order to carry out these functions, the PDPS exercises the following authorities:

  • Reviewing and responding to data subjects’ applications regarding data processing.
  • Conducting inspections to investigate data processing activities.
  • Requesting relevant materials, information, and documents from data processors or controllers.
  • Suspending the review process if additional information is required.
  • Blocking data processing in certain circumstances before completing the review.
  • Inspecting data processing practices for legal compliance.
  • Requesting confidential or classified information during inspections.
  • Applying measures to correct violations, suspend data processing, or provide recommendations.
  • Imposing administrative liability on the data controller/processor.
  • Providing consultations and conducting educational activities on data protection.
  • Informing authorised state bodies if any criminal elements are identified in the actions of the data controller/data processor.

In addition, the PDPS monitors covert investigative actions and activities carried out in the central bank of electronic communication identification data.

13. What are the sanctions and remedies for non-compliance with data protection laws?

If the PDPS determines that there has been a breach of personal data protection regulations, it may issue a warning or impose a fine. The amount of the fine varies depending on the specific breach, ranging from GEL 1,000 (approximately USD 371) to GEL 10,000 (approximately USD 3,710) for a single violation. The fine amount is determined by considering factors such as the turnover of the person being sanctioned and any circumstances that may mitigate or aggravate liability for the administrative offence.

When multiple administrative offences have been committed, the total fines imposed do not exceed the specified limits if the following conditions are met:

  • The offences are discovered during a single check.
  • The offences are reviewed in a single proceeding.
  • The offences occurred prior to a previous penalty being imposed on the same person.

The maximum fines that can be imposed are either GEL 10,000 (approximately USD 3,710) or GEL 20,000 (approximately USD 7,420) depending on the annual turnover of the sanctioned person/entity.

Disclosure of private life information or personal data may be subject to criminal sanctions, including penalties, corrective works, and up to seven years’ imprisonment.
