Last modified 6 January 2025

Data Protection in Georgia

Transfer in Georgia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Georgia

As of March 1st, 2024, the new Law of Georgia on Personal Data Protection (“Data Protection Law” or / and “Law”) has come into effect. This law establishes rights for data subjects and imposes obligations on data controllers and processors, closely mirroring the GDPR framework. Key provisions include the introduction of the Data Protection Officer role, enhanced internal accountability for controllers through internal registration of data processing activities and impact assessments, stricter data security obligations, and a redefined framework for international data transfers.

While the GDPR does not apply in Georgia, the Data Protection Law serves as the cornerstone of the country’s data protection framework. Its similarity to the GDPR stems from Georgia's commitment to aligning with EU standards as part of its path toward EU membership.

Georgia does not have extensive sector-specific data privacy regulations. Instead, sectoral laws typically refer to the Data Protection Law for guidance. This approach is evident in the regulations governing the telecom sector (via the Electronic Communications Law), the e-commerce sector (via the E-Commerce Law), the media sector (via the Broadcasting Law), and the banking sector (via the Commercial Bank Activities Law).

Furthermore, also the Georgian Civil Code grants individuals the right to access their personal data and records concerning their financial or private matters and to obtain copies of such data, except where restricted by Georgian law. Access to information containing personal data cannot be denied, and entities must provide such data to third parties upon receiving a written request and the explicit consent of the individual concerned, ensuring confidentiality is maintained. These rights are further elaborated and regulated in Chapter III of the Data Protection Law, particularly in Articles 13 and 14.

Material and Territorial Scope

The Data Protection Law applies:

to the processing of data wholly or partly by automated means within the territory of Georgia;
to the processing other than by automated means of data which form part of a filing system or are processed to form part of a filing system within the territory of Georgia;
to the processing of data by a controller not established in Georgia, using technical means available in Georgia, except where the technical means are used solely for the transit of data (hence law develops here extra-territorial effect).

The law does not apply to:

the processing of data by a natural person in the course of purely personal and / or household activities, which has no connection to his / her entrepreneurial and / or economic and professional activities or the performance of official duties. The processing of data in the course of purely personal and / or household activities can include correspondence and the holding of addresses, or online activity (including social networking) undertaken within the context of such activities;
the processing of data for the purposes of national security (including economic security), defense, intelligence and counter-intelligence activities;
semi-automated processing and non-automated processing of data deemed to be a state secret, for the purposes of the prevention, investigation and prosecution of crime, and the conduct of operative and investigative activities or the protection of the rule of law;
the processing of data for the purposes of court proceedings;
the processing of data by mass media for public information (except for particularly stipulated cases);
the processing of data for academic, artistic or literary purposes.

Also, at the outset, the Data Protection Law establishes an important principle, stating that anyone who unintentionally comes into possession of another person’s data, not intended for them, must respect the rights of the data subject and refrain from engaging in any unlawful processing of such data.

Related resources

Definitions

Definitions in Georgia

The Data Protection Law defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his / her name, surname, identification number, location data and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.

As for the special categories of data, the Data Protection Law defines sensitive data (special categories of data) as data connected to a person’s racial or ethnic origin, political views, religious, philosophical or other beliefs, membership of professional unions, health, sexual life, status of an accused, convicted or acquitted person or a victim in criminal proceedings, conviction, criminal record, diversion, recognition as a victim of trafficking in human beings or of a crime under the Law of Georgia on the Elimination of Violence against Women and / or Domestic Violence, and the Protection and Support of Victims of Such Violence, detention and enforcement of his / her sentence, or his / her biometric and genetic data that are processed to allow for the unique identification of a natural person.

Furthermore the Law defines health-related data, as data related to the physical or mental health of a data subject, including the provision of health care services, which reveal information about his / her physical or mental health. It defines biometric data as data processed using technical means and related to the physical, physiological or behavioral characteristics of a data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirm the identity of that data subject. In addition to that, Law states that genetic data is the data relating to the acquired or inherited genetic characteristics of a data subject which, through an analysis of a biological sample from that data subject, give unique information about his / her physiology or health.

The Data Protection Law defines processing as any operation performed on personal data, including collecting, obtaining, accessing, photographing, video monitoring and / or audio monitoring, organizing, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying, and disclosing by transmission, publication, dissemination or otherwise making available.

It is to be noted that controllers and processors are allowed to process data, whereas controller is a natural person, a legal person, or a public institution, who individually or in collaboration with others determines the purposes and means of the processing of data, and who directly or through a processor processes data, whilst processor is a natural person, a legal person, or a public institution, which processes data for or on behalf of the controller, furthermore a natural person who is in labor relations with the controller will not be considered a processor.

Data subject is any natural person whose data are being processed by either controller or / and processor.

Authority

National data protection authority in Georgia

The national data protection authority is Personal Data Protection Service, which is an independent state body established and operating on the basis of law. the Personal Data Protection Service is guided by the Constitution of Georgia, the international treaties of Georgia, generally recognized principles and norms of international law, the Data Protection Law and other relevant legal acts.

The principles of activities the Personal Data Protection Service adheres to are:

legality;
the protection of human rights and freedoms;
independence and political neutrality;
objectivity and impartiality;
professionalism;
the ensuring of secrecy and confidentiality.

The structure, the rules for activities and the distribution of powers among employees of the Personal Data Protection Service are established by the regulations of the Personal Data Protection Service, which is approved by the head of the Personal Data Protection Service. An employee of the Personal Data Protection Service (except for the head, first deputy head and the head of the Personal Data Protection Service) is regarded as a public servant. The activities of the Personal Data Protection Service are financed from the State Budget of Georgia.

The Personal Data Protection Service is independent in exercising its powers and is not subject to any body or official. Any influence on the head of the Personal Data Protection Service or the employees of the Personal Data Protection Service, and any unlawful interference in their activities, is not allowed and is punishable by law. In order to ensure the independence of the Personal Data Protection Service, the State creates appropriate conditions for its activities.

Once a year, not later than 31 March, the head of the Personal Data Protection Service submits to the Parliament of Georgia a report on the status of data protection in Georgia, the monitoring of the conduct of covert investigative actions, and the activities carried out in the electronic data identification central bank. The annual report of the Personal Data Protection Service contains information on the activities carried out by the Personal Data Protection Service in the field of data protection during the reporting period, general assessments related to the status of data protection in Georgia, conclusions and recommendations, information on significant violations identified during the year and measures taken, and general statistical information on the activities carried out in the field of monitoring the conduct of covert investigative actions. Information on the activities carried out by the Personal Data Protection Service will be made public through the website of the Personal Data Protection Service. The Personal Data Protection Service is also authorized to publish a special report at any time on its own initiative on issues related to its activities and which it considers important.

An official Website of Personal Data Protection Service can be found here.

Registration

Registration in Georgia

The Data Protection Law does not establish an indiscriminate system for registration or notification of data processing activities, however, controllers and / or processors may need to consult Personal Data Protection Service in specific cases after conducting a data protection impact assessment (Article 31), or submit registered processing activities to the Personal Data Protection Service on its request (Article 28), or notify Personal Data Protection Service of incidents which have a potential to cause significant damage and / or pose a significant threat to fundamental human rights and freedoms (Article 29). Also, controllers and processors are required to notify the Personal Data Protection Service about their data protection officer (if one is appointed) under Article 33.

In light of the above, it is evident that the Law prioritizes internal accountability over external mechanisms like registration. For instance, under Article 28 (as stated above) controllers and processors are required to keep comprehensive records of their data processing activities. These records, detailing key aspects of the processing within the organization, must be provided to the Personal Data Protection Service upon request. This approach places a substantial operational responsibility on organizations. To be more precise:

In case of keeping internal logs of data processing activities (Article 28), the controller (and its registered representative, in case one is appointed) is obligated to ensure, in writing or electronically, the internal registration of the following data processing information on:

the identity / name and contact details of the controller, special representative, personal data protection officer, joint controller, and the processor;
the objectives of data processing;
the data subjects and the data categories;
the categories of data recipients (including the categories of data recipients from another state or international organization);
the transfer of data to another state or international organization, as well as appropriate guarantees of data protection, including a permit from the Personal Data Protection Service (if any);
the periods of data storage, and where such periods cannot be specified, the criteria for determining the periods of storage;
a general description of the organizational and technical measures taken for ensuring data security;
information on incidents (if any).

Furthermore, a processor is obliged to ensure, in writing or electronically, the internal registration of the following data processing information on:

the name and contact details of the processor, personal data protection officer, controller, joint controller, and special representative;
the types of data processing carried out for or on behalf of the controller;
the transfer of data to another state or international organization, as well as appropriate guarantees of data protection, including a permit from the Personal Data Protection Service, if processor participates in the process of transferring data to another state or international organization;
a general description of the organizational and technical measures taken for ensuring data security;
information on incidents (if any).

A controller, co-controller, processor and a special representative are obligated to provide to the Personal Data Protection Service with the information provided for above immediately upon request, but not later than 3 working days after a request.

When it comes to the incidents as stated above (Article 29), the controller is obliged to register an incident, its resulting outcome, the measures taken, and to notify the Personal Data Protection Service about the incident, not later than 72 hours after the identification of the incident, in writing or electronically, except for the case where it is least expected that the incident would cause significant damage and / or pose a significant threat to fundamental human rights and freedoms. Furthermore, a processor is obliged to notify a controller immediately about an incident. (for more, see below Section on Breach Notification).

As for the consultation with the Personal Data Protection Service during the conducting of impact assessment (Article 31), If, as a result of a data protection impact assessment, a high risk of violation of fundamental human rights and freedoms is identified, a controller is obliged to take all necessary measures to mitigate the risk substantially, and where necessary, address the Personal Data Protection Service for consultation. Where the threat of violation of fundamental human rights and freedoms cannot be mitigated by taking additional organizational and technical measures, the data processing shall not be carried out.

Over the course of consultation with the Personal Data Protection Service on the basis of above a controller needs to submit:

information on the authority of the controller, joint controller and a processor;
information on the purposes and means of the planned data processing;
information on security measures for protecting the rights and freedoms of a data subject;
the contact details of a personal data protection officer (if any);
data protection impact assessment;
other (additional) information in the event of a request by the Personal Data Protection Service.

As evident from all the articles mentioned above, the authority is consulted only in specific exceptional cases where there is a potential risk to the rights and freedoms of data subjects. Otherwise, data privacy activities and related protective measures are largely managed and implemented internally.

Data protection officers

Data protection officers in Georgia

As per the Data Protection Law (Article 33), public institutions, insurance organizations, commercial banks, micro-finance organizations, credit bureaus, electronic communication companies, airlines, airports, and medical institutions, as well as controllers / processors processing the data of a significant number of data subjects or carrying out systematic and large-scale monitoring of their behavior, are obliged to appoint or designate a personal data protection officer. The personal data protection officer on the other hand, shall:

inform a controller, a processor and their employees on matters related to data protection, including on matters related to the adoption or modification of regulatory legal norms, and provide them with consultation and assistance in terms of the methodology used;
participate in the development of internal regulations related to data processing and the data protection impact assessment document, and also monitor whether a controller or a processor complies with the legislation of Georgia and the internal organizational documents;
analyze received applications and grievances regarding data processing and make appropriate recommendations;
receive consultations from the Personal Data Protection Service, represent a controller and a processor in the relationship with the Personal Data Protection Service, submit information and documents at its request, and coordinate and monitor the execution of its tasks and recommendations;
in the event of an application by a data subject, provide him / her with information on data processing and his / her rights;
perform other functions for ensuring the improvement of standards of data processing by a controller and a processor.

Except for the cases provided for in the beginning (first paragraph), other controllers / processors have the right, at their own discretion, to appoint or designate a personal data protection officer. It is to be noted that, the function of a personal data protection officer may be performed by an employee of a controller or a processor or by other person(s) on the basis of a service contract. The personal data protection officer has the right to perform other functions unless they give rise to a conflict of interest.

Furthermore, a controller or a processor is allowed to appoint or designate a common personal data protection officer provided that he / she completes his / her functions. If the controller or the processor is a public institution, it is also permissible to appoint or designate a common personal data protection officer for several state institutions, taking into account the organizational structure and size of the said institutions. A personal data protection officer needs to have appropriate knowledge in the field of data protection and be accountable to the highest governance structure, taking into account the specific circumstances.

A controller and a processor are obligated to ensure the proper involvement of a personal data protection officer in the process of taking important decisions regarding data processing, provide him / her with appropriate resources, and ensure his / her autonomy during the carrying out of activities. They are also obliged to provide to the Personal Data Protection Service information on the identity and contact details of a personal data protection officer, who is in charge of making such information public; this needs to be carried out within 10 working days after the appointment or designation and / or replacement of the relevant personal data protection officer. In addition to that, the controller and the processor are obliged to publish the identity and contact details of the personal data protection officer on a website (if any) in a proactive manner, or through other available means. In the case of the temporary absence of a personal data protection officer or the termination of his / her authority, the controller and the processor are obliged, without unjustifiable delay, to grant the authority of the personal data protection officer to another person.

Collection and processing

Collection and processing in Georgia

Data protection principles

As per Article 4 of Data Protection Law, the following principles shall be observed during data processing:

data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency’). The obligation to ensure the transparency of data processing will not apply to the exceptional cases established by the respective Law;
data shall be collected / obtained for specified, explicit and legitimate purposes. Further processing of data for other purposes that are incompatible with the initial purposes shall be inadmissible (Secondary Purpose);
data shall be processed only to the extent necessary to achieve the respective legitimate purpose. The data shall be proportionate to the purpose for which they are processed;
data shall be valid and accurate and, where necessary, kept up to date. Having regard to the purposes of data processing, inaccurate data shall be rectified, erased or destroyed without undue delay;
data may be stored only for a period which is necessary for achieving the legitimate purpose for which the data are processed. Once the purpose for which the data was processed has been achieved, the data shall be erased, destroyed or stored in a depersonalized form, unless the processing of data is required by law and / or a subordinate normative legal act issued in accordance with law, and the storing of data is a necessary and proportionate measure in a democratic society to safeguard overriding interests;
to ensure the security of data, technical and organizational measures shall be taken during the processing of data to ensure appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction and / or damage.

The controller shall be responsible for, and demonstrate compliance with, the described principles when processing data.

Processing for a further purpose

If data are to be processed for purposes other than those for which they have been collected / obtained (Secondary Purpose), and the processing is not based on the consent of the data subject or on law, the controller shall, in order to decide whether the data were processed for purposes other than those for which they have been collected / obtained, take into account:

any link between the initial purpose for which the data have been collected / obtained and the intended further purpose;
the nature of the relationship between the controller and the data subject in the context of collecting / obtaining data;
whether the data subject has reasonable expectations as to the further processing of data concerning him / her;
whether special categories of data are processed;
possible consequences for the data subject that may accompany further data processing;
the existence of technical and organizational safeguards.

Data collected by a law enforcement agency in the course of its activities may be processed for the purpose of general analysis of criminal activity and to establish the relationship between the various offences detected. The further processing of data by the controller for the purposes of crime prevention (including the conduct of appropriate analytical research), investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, ensuring the placement of a person in a temporary detention cell, combating illegal migration, the implementation of international protection, responding to administrative offences, ensuring public and fire safety, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law (including the conduct of criminological research by a relevant law enforcement body or a court), shall not be considered to be incompatible with initial purposes if the processing of data is required by law, or a law and a subordinate normative act issued on the basis thereof.

Furthermore, the further processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with initial purposes. Long-term storage of data for the purposes referred to herein shall be permitted if appropriate technical and organizational measures are in place to protect the rights of the data subject.

The controller shall be responsible for, and demonstrate compliance with, the described principles when processing data.

Grounds for data processing

Data processing is admissible where one of the following grounds exists:

the data subject has given consent to the processing of data concerning him / her for one or more specific purposes;
data processing is necessary for the performance of a contract entered into with the data subject or to enter into a contract at the request of the data subject;
data processing is provided for by law;
data processing is necessary for the controller to perform his / her statutory duties;
according to law, the data are publicly available or the data subject has made them publicly available;
data processing is necessary to protect the vital interests of the data subject or another person, including to monitor epidemics and / or prevent their spread, or manage humanitarian crises and natural and man-made disasters;
data processing is necessary to protect substantial public interests;
data processing is necessary to perform tasks falling within the scope of public interest as defined by the legislation of Georgia, including for the purposes of crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law, including information security and cyber security;
data processing is necessary to protect important legitimate interests pursued by the controller or a third party, unless there is an overriding interest in protecting the rights of the data subject (including a minor);
data processing is necessary to review an application submitted by the data subject (to provide services to him / her).

The controller has an obligation to justify the legal basis for the processing of data.

Processing of special categories of data

The processing of special categories of data is permitted only if the controller provides safeguards for the rights and interests of the data subject as provided for by the Data Protection Law and if one of the following grounds exists:

the data subject has given consent to the processing of the special category data for one or more specified purposes;
the processing of special categories of data is expressly and specifically regulated by law, and their processing is a necessary and proportionate measure in a democratic society;
the processing of special categories of data is necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent to the processing of special categories of data;
the processing of special categories of data is necessary in the area of health care for the purposes of preventive, prophylactic, diagnostic, therapeutic, rehabilitative and palliative care, and for the management of services, medical equipment and the quality and safety of products, public health and the health care system, in accordance with the legislation of Georgia or a contract with a health professional (if these data are processed by a person who has an obligation to protect professional secrets);
the processing of special categories of data is necessary for the purposes of performing the statutory duties of the controller or exercising the specific rights of the data subject in the field of social security and social protection, including for the management of the social security system and services;
the processing of special categories of data is necessary for the purposes of crime prevention (including the conduct of appropriate analytical research), investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, ensuring the placement of a person in a temporary detention cell, combating illegal migration, the implementation of international protection, responding to administrative offences, ensuring public and fire safety, the conduct of operative and investigative activities, the safeguarding of public safety and / or the protection of the rule of law (including the conduct of criminological research by a relevant law enforcement body or a court), and the processing of such data is required by law, or a law and a subordinate normative act issued on the basis thereof;
special categories of data are processed to ensure information security and cyber security;
the processing of special categories of data is necessary because of the nature of labor obligations and relations, including for making decisions on employment and assessing the working capacity of the employee;
the data subject has made his / her data publicly available without an explicit prohibition of their use;
the processing of special categories of data is necessary to protect substantial public interests;
special categories of data are processed by political or professional associations, and organizations with religious or non-religious philosophical aims, for their legitimate activities. In this case, the processing of such data may relate solely to the members or former members of this association / organization or persons who have regular contact with this association / organization in connection with its purposes, on condition that these data are not disclosed to a third party without the consent of the data subjects;
the processing of special categories of data is necessary for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes if the law provides for the implementation of appropriate and specific measures to protect the rights and interests of the data subject. This ground for the processing of special categories data shall not apply if a special law expressly provides for the restriction of the processing of such data under additional and different conditions;
special categories of data are processed for the purpose of the functioning of the Unified Migration Analytical System;
special categories of data are processed for the purposes of exercising the right to education of persons with disabilities and persons with special educational needs;
special categories of data are processed for the purposes of reviewing the issue within the ambit of the Law of Georgia on the Elimination of Violence against Women and / or Domestic Violence, and the Protection and Support of Victims of Such Violence;
special categories of data are processed for the purpose of the re-socialization and rehabilitation of convicted persons and former prisoners, and for the coordination of the process of the referral of minors;
special categories of data are processed for the purposes of issuing and publishing as public information, in accordance with the Organic Law of Georgia on General Courts, a judicial act adopted as a result of open court hearings;
special categories of data are processed in cases expressly provided for by the Law of Georgia on Public Procurement;
special categories of data are processed for the functioning of the institutional inter-agency coordination mechanism – for the purposes of identifying and / or managing cases involving harm or anticipated risks to the life, health or safety of the child and / or to the best interests of the child or to his / her rights, and ensuring, within the limits of these purposes, coordination between competent bodies (agencies) as designated by the Government of Georgia in the cases provided for by the Code on the Rights of the Child.

The controller has an obligation to justify the legal basis for the processing of special categories of data.

Specific processing activities

Procedure and conditions for giving consent to the processing of data relating to a minor

The processing of data relating to a minor is permitted on the basis of his / her consent if he / she has attained the age of 16, and the processing of data relating to a minor under the age of 16 is permitted with the consent of his / her parent or other legal representative, except in cases expressly provided for by law, including where the consent of a minor between the ages of 16 and 18 and his / her parent or other legal representative is required for the processing of data.

The controller is obliged to take reasonable and adequate measures to confirm the existence of the consent of the parent or other legal representative of a minor under the age of 16. In addition to that, the processing of special categories of data relating to a minor is permitted only on the basis of the written consent of the minor’s parent or other legal representative, except in cases expressly provided for by law.

When processing data relating to a minor, the controller is obliged to take into account and protect the best interests of the minor. Furthermore, the consent of a minor, his / her parents or other legal representative to the processing of data will not be considered valid if the processing of the data jeopardizes or harms the best interests of the minor.

Protection of data of a deceased person

After a data subject dies, the processing of data concerning him / her is permitted:

on the grounds specified above (general grounds and grounds for specific categories of data, as above outlined);
unless the processing of such data has been prohibited by the data subject’s parent, child, grandchild or spouse (except in cases where the data subject has prohibited in writing the processing of data concerning him / her after his / her death);
if 30 years have passed since the death of the data subject;
if this is necessary to exercise an inheritance right.

The processing of the name, surname, sex, date of birth and date of death of a deceased person is permitted irrespective of the circumstances and grounds as provided for above.

Processing of biometric data

Biometric data may be processed only if this is necessary for the purposes of carrying out activities, security, protection of property and prevention of the disclosure of secret information, and these purposes cannot be achieved by other means or involve disproportionate effort, as well as for the purposes of issuing an identity document in accordance with law, identifying a person crossing the state border, combating illegal migration, implementation of international protection, crime prevention, investigation, prosecution, administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, the re-socialization and rehabilitation of convicted persons and former prisoners, the coordination of the process of the referral of minors, the conduct of operative and investigative activities, and ensuring information security and cyber security and in other cases expressly provided for by law.

The controller is obliged, in accordance with the principles provided for by the Law (as stated above), to determine in writing, prior to processing, the purpose and amount of biometric data to be processed, the period of storage of these data, the procedure and conditions for their storage and destruction, and the mechanisms for the protection of the rights of the data subject.

Video monitoring

Video monitoring is permitted for the purposes of crime prevention, crime detection, public safety, the protection of personal safety and property, the protection of minors (including from harmful influence), the protection of secret information, examination / testing, and for the performance of tasks related to public and / or other legitimate interests, provided that the video monitoring is adequate and proportionate to the purpose of data processing.

To carry out video monitoring, the controller is obliged, in accordance with the principles provided for the Law (as outlined above), to determine in writing the purpose and amount of video monitoring, the duration of the video monitoring and the period of storage of the video recording, the procedure and conditions for accessing, storing and destroying the video recording, and the mechanism for the protection of the rights of the data subject, except in cases where a natural person carries out video monitoring in a residential building.

Video monitoring of the work process / area of an employee is only permitted in exceptional cases where the purposes referred to right above cannot be achieved by other means or involve disproportionate effort. Video monitoring is not permitted in changing rooms, hygiene facilities or other places where a data subject has a reasonable expectation of privacy and / or where video monitoring is contrary to generally accepted moral standards.

A video monitoring system and video recordings should be protected from unlawful encroachment and use. The controller shall ensure that any access to the video recordings is recorded, including the time of access and the user name that allow the identification of the person who accessed the video recording.

In a residential building, the video monitoring of a common entrance to a residential building and of a common space in a residential building shall be permitted with the written consent of more than half of the owners (if an owner cannot be identified, the consent of a possessor may be obtained), unless the controller / the processor carries out video monitoring to perform his / her statutory duties and the area of video monitoring includes the common entrance and common space of the residential building. Furthermore, the video monitoring of an entrance to an individual property in a residential building shall be permitted only by a decision of the owner / possessor or with his / her written consent, in such a manner that the video monitoring does not harm the legitimate interests of other persons (including those lawfully using the owner’s property).

The controller / processor should place a warning sign indicating that video monitoring is being carried out in a visible place and also warn the employee in writing of the specific purpose(s) of the video monitoring. Where the respective requirements are met, the data subject shall be deemed to be informed of the processing of data concerning him / her.

A warning sign indicating that video monitoring is being carried out should have an appropriate inscription, a clearly visible image of video monitoring in progress, and the name and contact details of the controller.

Audio monitoring

Audio monitoring is permitted:

with the consent of the data subject;
to make a record;
to protect important legitimate interests pursued by the controller, provided that appropriate and specific measures are in place to safeguard the rights and interests of the data subject;
in other cases expressly provided for by the legislation of Georgia.

To carry out audio monitoring, the controller is obliged, in accordance with the principles provided for by Law (as outlined above), to determine in writing and in advance, the purpose and amount of audio monitoring, the duration of the audio monitoring, the procedure and conditions for accessing, storing and destroying the audio recording, and the mechanism for the protection of the rights of the data subject.

Also, the controller should warn the data subject, prior to or upon starting audio monitoring, about the carrying out of audio monitoring, and explain to him / her his / her right to object (if any). The burden of proof of informing the data subject lies with the controller / processor.

If the data subject is informed of audio monitoring by means of a warning sign, the warning sign shall have an appropriate inscription, a clearly visible image of audio monitoring in progress, and the name and contact details of the controller.

Communicating with a data subject (privacy notices)

Where data are collected directly from the data subject, the controller is obliged to provide the data subject with at least the following information before or at the beginning of the collection:

the identity / name and the contact details of the controller, his / her representative and / or the processor (if any);
the purposes and the legal basis of the processing of the data;
whether the provision of the data is mandatory, and where the provision of the data is mandatory, the legal consequences of refusal to provide them, as well as the information that the collection / obtaining of the data is required by the legislation of Georgia or is a necessary condition for entering into a contract (if such information exists);
the important legitimate interests pursued by the controller or of a third party;
the identity and the contact details of the personal data protection officer (if any);
the identity of the recipients or categories of recipients of the data (if any);
the planned transfer of data and the existence of appropriate safeguards for the protection of the data, including authorization to transfer the data (if any) if the controller plans to transfer the data to another state or an international organization;
the period for which the data will be stored and, if no specific period can be determined, the criteria used to determine that period;
the right of the data subject as provided for by this chapter.

The provision of the information referred to right above is not mandatory if it is reasonably foreseeable that the data subject already has such information.

The controller is obligated to provide the described information to the data subject, especially if the data subject is a minor, in simple and understandable language. This information may be provided orally or in writing (including electronically), unless the data subject requests the provision of the information in writing.

Where data are not collected directly from the data subject, the collector is obliged to provide the data subject with the information referred to right above (in case data are collected from data subject), as well as information as to which data concerning him / her are being processed, and the source of the data, including whether the data have been obtained from a publicly accessible source. The controller shall provide the data subject with the respective information within a reasonable period, or if the data are used to communicate with the data subject, at the time of the first communication with the data subject, or if the disclosure of the data is envisaged, before the data are disclosed, but not later than 10 working day after obtaining the data.

The obligation to provide the information shall not apply to the controller and / or the processor if: the data subject already has the described information; the collection or disclosure of the data is established by law or required for the performance of statutory duties; the information cannot be provided or involves disproportionate effort, or the fulfilment of the respective obligation would seriously impair or render impossible the achievement of the legitimate purpose(s) of the processing. In such cases, the controller shall take appropriate measures to protect the rights and legitimate interests of the data subject, including by making general information about the collection of data publicly available / publishing general information about the collection of data in an easily accessible form.

Consent reception or / and withdrawal

If a controller plans to obtain written consent from a data subject with a document that also covers other matters, the controller is obliged to formulate the wording of the consent in the document in a clear, simple and understandable language and to separate it from other parts of the document.

If the consent of a data subject is given within the scope of a contract or service, when determining whether or not the consent was given on a voluntary basis, among other circumstances, it shall be assessed whether the consent is a required term of the contract or service, and whether it is possible to receive the relevant service / enter into the relevant contract without such consent.

Before obtaining consent from a data subject, a controller shall ensure that the data subject is informed of his / her right to withdraw the consent.

A controller is obliged to immediately terminate the data processing and delete or destroy the processed data if a data subject withdraws his / her consent, unless otherwise provided for by the Law.

The withdrawal of consent by a data subject shall not lead to the cancellation of legal consequences arising before the withdrawal of the consent and within the scope of the consent.

On the basis of a request of a data subject or in the event that this results in legal, financial or other significant consequences for the data subject, a controller is obliged to provide the data subject, prior to the withdrawal of consent by the data subject, with information on the consequences of the withdrawal of consent.

A controller is obliged to provide a free, simple and accessible mechanism for withdrawing consent, including the possibility of withdrawing consent in the same form in which the consent was given.

In the event of a dispute regarding the existence of a data subject’s consent to data processing, a controller shall bear the burden of proving the fact of the existence of the data subject’s consent.

Rights of data subjects

Right of data subjects to receive information on the processing of data

The data subject shall have the right to obtain from the controller confirmation as to whether or not data concerning him / her are being processed and, if requested by the data subject, the following information free of charge:

which data concerning him / her are being processed, as well as the grounds for and the purpose of the processing;
the source from which the data were collected / obtained;
the period for which the data will be stored and, if no specific period can be determined, the criteria used to determine that period;
the rights of the data subject as provided for by the Law;
the legal basis and purposes of the data transfer, as well as the appropriate data protection safeguards if the data are transferred to another state or an international organization;
the identity of the recipients or the categories of recipients, including information on the ground for and purpose of the transfer, if the data are transferred to a third party;
the decision made as a result of automated processing, including profiling, and the logic involved in making such a decision, as well as its impact on the processing and the expected results of the processing.

The data subject has the right to receive the information referred to right above not later than 10 working days after the request. This period may, in special cases and upon appropriate justification, be extended by no more than 10 working days, of which the data subject shall be notified immediately.

The controller shall have the right to provide the data subject with any information necessary to ensure transparent processing in accordance with transparency principle, unless the disclosure of the information is contrary to the law. Unless otherwise provided by the legislation of Georgia, the data subject has the right to choose the form of the provision of information described above. In addition, if the data subject does not request the information in another form, the information shall be provided in the same form in which it was requested.

Right to access and to obtain a copy

The data subject shall have the right to access personal data concerning him / her and to obtain copies of such data from the controller free of charge, except in cases where in order to access and / or issue the copies of data:

a fee is required under the legislation of Georgia;
a reasonable fee is established by the controller because of the resources spent on issuing them in a form other than the data are stored, and / or frequent requests.

The data subject shall have the right to access the data referred to above and / or to obtain copies thereof not later than 10 working days after the request, unless different time limits are set by the legislation of Georgia. The period may be extended in special cases and upon appropriate justification by no more than 10 working days, of which the data subject shall be notified immediately.

The data subject has the right to access the described data and / or to obtain copies thereof in a form in which they are kept by the controller and / or processor. The data subject shall also have the right to obtain copies of data concerning him / her in another form in return for a reasonable fee established by the controller and where technically feasible.

The fee shall not exceed the amount of resources actually spent by the controller. The burden of establishing a fee and of proving that its amount is reasonable shall lie with the controller.

Right to the rectification, update and completion of data

The data subject shall have the right to request the controller to rectify, update and / or complete erroneous, inaccurate and / or incomplete data concerning him / her. Within not later than 10 working days after the data subject has made such a request, the data shall be rectified, updated and / or completed, or the grounds on which the request was refused shall be notified, and the procedure for appealing against the refusal shall be explained, to the data subject.

If the controller, independently of the data subject, discovers that the data available to him / her are erroneous, inaccurate and / or incomplete, the controller shall rectify, update and / or complete the data within a reasonable period of time and inform the data subject thereof within 10 working days after the rectification of the data. The controller shall not be obliged to inform the data if the rectification, update and / or completion of the data is related to the correction / removal of a technical error. If there are objective circumstances that make it impossible to fulfil the obligation to inform the data subject within the said period, the controller shall inform the data subject of the change made at the time of the first communication to the data subject.

The collector shall inform all the recipients and all respective controllers and processors, to whom the controller transferred the same data, of the update and completion of the data, unless this information cannot be provided due to a large number of controllers / processors or recipients, and / or disproportionately high costs. The persons shall rectify, update and / or complete the data within a reasonable period after receiving the respective information.

Right to the termination of the processing, erasure or destruction of data

The data subject shall have the right to request the controller to terminate the processing of (including profiling), erase or destroy data concerning him / her. Within not later than 10 working days after the data subject has made such a request, the processing of the data shall be terminated, and / or the data shall be erased or destroyed, or the grounds on which the request was refused shall be notified and the procedure for appealing against the refusal shall be explained to the data subject. The controller shall have the right to refuse the request if:

one of the grounds provided for above exists (general ground and / or ground for special category of data);
data are processed for the purposes of substantiating a legal claim or a statement of defense;
the processing of data is necessary for the exercise of the right of freedom of expression or information;
data are processed for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes, and the exercise of the right to the termination of the processing, erasure or destruction of the data would render impossible or substantially impair the achievement of the purposes of the processing.

Where any of the described grounds exists, the controller shall have an obligation to justify the respective ground.

Furthermore, the data subject has the right to be informed of the termination of the processing, erasure or destruction of the data once the respective action has been taken, without delay and at the latest within 10 working days, also, where the data concerning him / her are processed in a publicly available form, to also request the controller to restrict access to the data and / or erase copies of or any internet links to the data.

The collector shall inform all the recipients and all respective controllers and processors, to whom the controller transferred the same data, of the termination of the processing, erasure and destruction of the data, unless this information cannot be provided due to a large number of controllers / processors or recipients, and / or disproportionately high costs. The respective persons shall, after the receipt of the respective information, terminate the processing of the data and erase or destroy the data.

Right to the blocking of data

The data subject has the right to request the controller to block data if any of the following circumstances exists:

the authenticity or accuracy of the data is contested by the data subject;
the processing of the data is unlawful, although the data subject opposes the erasure of the data and requests their blocking;
the data are no longer needed for the purposes of the processing, but they are required by the data subject to lodge a complaint / claim;
the data subject requests the termination of the processing, erasure or destruction of the data and this request is being considered;
there is a need to retain the data for use as evidence.

The controller is obliged to block the data upon the request of the data subject if one of the circumstances provided for above applies, unless blocking the data could jeopardize one of the following:

the fulfilment by the controller of the duties assigned to him / her by law and / or a law and a subordinate normative act issued on the basis thereof;
the performance of tasks falling within the scope of public interest in accordance with law and the exercise by the controller of the powers conferred on him / her under the legislation of Georgia;
the legitimate interests of the controller or a third party, unless there is an overriding interest in protecting the rights of a data subject, in particular a minor;
the protection of interests of a data subject or a third party, or for the purposes of the security and defense of the State.

After the decision to block the data has been made, the controller may decide to unblock the data if any of the grounds provided for right above exists.

The data shall be blocked for the period that the reason for blocking them exists, and during this period, if technically feasible, the decision to block the data shall be attached to the relevant data. The data subject has the right to be informed of a decision to block the data or of the grounds for refusing to block the data once the decision has been made, without delay and at the latest within 3 working days after the request. Where data are blocked the data may be processed otherwise than by storage in the following cases:

with the consent of the data subject;
to substantiate a legal claim or a statement of defense;
to protect the interests of the controller or a third party;
to protect public interests in accordance with law.

Right to the transmission of data (data portability)

In the case of the automated processing of data on the grounds provided for by Article 5(1)(a) and (b) (Consent and / or Fulfillment of the Contractual Obligation) and Article 6(1)(a) (Consent) of the Data Protection Law, if technically feasible, the data subject shall have the right to receive from the controller data concerning him / her which he / she has provided to the controller in a structured, commonly used and machine-readable format, or to require that the data be transmitted to another controller.

Automated individual decision-making and related rights

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similarly significant effects concerning him / her, except where a decision based on profiling is:

based on the data subject’s explicit consent;
necessary for entering into, or performing, a contract between the data subject and a controller;
provided for by law or by a subordinate normative act issued within the powers delegated on the basis of the law.

Where there is a respective request from the data subject, the controller shall take appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests, including by involving human resources in the decision-making and by giving the right to the data subject to express his / her point of view and to contest the decision.

The use of special categories of data in the decision-making shall be permitted only in the cases provided for by Article 6(1)(a), (f) and (j) (Consent and / or during Investigations and / or Public Interest) of the Data Protection Law, provided that appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Right to withdraw consent

A data subject has the right to withdraw his / her consent at any time and without explanation. In such case, the processing of the data shall be terminated, and / or the processed data shall be erased or destroyed, according to the request of the data subject, within not later than 10 working days after the request, provided that no other ground for the processing exists. Furthermore, the data subject has the right to withdraw his / her consent in the same form in which it was given. Also, before withdrawing consent, the data subject has the right to request and receive from the controller information on the possible consequences of withdrawing the consent.

Restriction of the rights of data subjects

The rights of the data subject described above may be restricted if this is expressly provided for by the legislation of Georgia, does not violate fundamental human rights and freedoms, and is a necessary and proportionate measure in a democratic society, and the exercise of these rights may jeopardize:

national security, information security and cyber security and / or defense interests;
public safety interests;
crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, and the conduct of operative and investigative activities;
interests relating to financial or economic (including monetary, budgetary and taxation), public health and social protection issues of importance to the country;
the detection of the data subject’s violations of professional ethical standards, including those of a regulated profession, and the imposition of liability on the data subject;
the exercise of the functions and powers of regulatory and / or supervisory bodies in the respective areas;
the protection of the rights and freedoms, including freedom of expression, of the data subject and others;
the protection of state, commercial, professional and other secrets provided for by law;
the substantiation of a legal claim or a statement of defense.

A described measure may be applied only to the extent necessary to achieve the purpose of the restriction. If the grounds listed above exist, the decision of the controller to restrict, or to refuse the exercise of, the rights of the data subject shall be notified to the data subject, except where the provision of the information would jeopardize the purpose (purposes) of the restriction of the right.

The exercise by the data subject of the rights elucidated above is free of charge, subject to the exceptions established by the Data Protection Law. Where the data subject makes an unreasonable number of requests, the controller may refuse to comply with the request, in which case he / she shall immediately inform the data subject in writing and explain to him / her his / her right to appeal.

Where the rights of the data subject are restricted and his / her request is refused, the burden of proof shall lie with the controller.

Right to appeal

If the rights as provided for and the rules established by the Data Protection Law are violated, the data subject has the right to apply to the Personal Data Protection Service, to a court and / or a superior administrative body in accordance with procedures established by law. In addition to that, the data subject has the right to request the Personal Data Protection Service to make a decision to block the data until a decision is made to complete the consideration of the application. Also, the data subject has the right to appeal the decision of the Personal Data Protection Service to a court, in compliance with the conditions and time limits established by the legislation of Georgia.

Related resources

Transfer

Transfer in Georgia

The transfer of data to another state and international organization is allowed if the requirements for data processing provided for by the Data Protection Law and appropriate safeguards in the relevant state or international organization are in place for ensuring data protection and the protection of data subjects’ rights.

The existence of adequate safeguards for data protection in another state and / or international organization is assessed by the Personal Data Protection Service on the basis of international obligations and regulatory legislation relating to data protection, guarantees for the protection of the rights and freedoms of data subjects (including effective legal protection mechanisms), rules for further international data transfer, and the analysis of the existence, powers and activities of an independent data protection supervisory body.

A list of states and international organizations in which adequate data protection guarantees are ensured is determined by a normative act of the head of the Personal Data Protection Service and is reviewed at least once every 3 years. If a state and / or international organization no longer meets the conditions provided for above, appropriate changes is made in the said list, which does not have retroactive force.

As of January 2025, the list of the acknowledged countries is as follows:

“Commonwealth of Australia, Republic of Austria, Republic of Albania, Principality of Andorra, Republic of Argentina, New Zealand, Kingdom of Belgium, Bosnia and Herzegovina, Republic of Bulgaria, Federal Republic of Germany, Kingdom of Denmark, United Kingdom of Great Britain and Northern Ireland, Kingdom of Spain, Republic of Estonia, Japan, Ireland Republic of Iceland, State of Israel, Republic of Italy, Canada, Republic of Cyprus, Republic of Latvia, Republic of Lithuania, Principality of Liechtenstein, Grand Duchy of Luxembourg, Republic of Malta, Republic of Moldova, Principality of Monaco, Montenegro, Kingdom of the Netherlands, Kingdom of Norway, Republic of Poland, Portuguese, Republic Romania, Hellenic Republic (Greece), French Republic, Republic of Serbia, Slovak Republic, Republic of Slovenia, Ukraine, Hungary, Oriental Republic of Uruguay, Republic of Finland, Kingdom of Sweden, Swiss Confederation, Czech Republic, Republic of North Macedonia, Republic of Croatia, Republic of Korea”.

In addition to the event when country is recognized in the list as per conditions elucidated above, the transfer of data to another state and international organization shall be also allowed if:

the transfer of data is envisaged by an international treaty and the agreements of Georgia;
a controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organization;
the transfer of data is stipulated by the Criminal Procedure Code of Georgia (for the purpose of carrying out investigative action), the Law of Georgia On the Legal Status of Aliens and Stateless Persons, the Law of Georgia On International Cooperation in Criminal Matters, the Law of Georgia On International Cooperation in Law Enforcement, and a normative act adopted on the basis of the Organic Law of Georgia On the National Bank of Georgia or the Law of Georgia On Facilitating the Prevention of Money Laundering and the Financing of Terrorism;
a data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant state and on possible threats;
the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable to give consent to such data processing;
there is a lawful public interest (including for the purposes of crime prevention, investigation, identification and criminal prosecution, the execution of a sentence and carrying out operative and investigation actions) and the transfer of data is a necessary and proportionate measure in a democratic society.

On the basis of letter “b” (agreement between controller and processor) data transfer is allowed only after obtaining a permit from the Personal Data Protection Service, and the procedure for issuing such permit is established by a normative act of the head of the Personal Data Protection Service. Also, the respective agreement on data transfer must provide that the provisions therein are legally binding.

In the case of data transfer on any of the grounds stipulated in all above letters, a controller / processor is obliged to take necessary organizational and technical measures to safeguard such data transfer.

Data transferred to another state or international organization may be further transferred to a third party only if such data transfer serves the initial purpose of data transfer and meets the basis for data transfer and guarantees adequate safeguards for data protection as provided for right above.

It has to be noted that all conditions elucidated above (being recognized by the Personal Data Protection Service, or being justified by at least one of the grounds listed in above letters) are independent from each other, meaning they are applied individually not cumulatively.

Related resources

Security

Security in Georgia

As per Article 27 of Data Protection Law a controller is obliged to take appropriate technical and organizational measures to ensure the processing of data in accordance with the Law and the confirmation of the compliance of data processing with the Law.

Furthermore, a controller and a processor are obliged to take organizational and technical measures that are adequate for the possible and associated risks of data processing (including data pseudonymization, registration of the access to data, information security mechanisms (confidentiality, integrity, accessibility), etc.), which will ensure the protection of the data against loss or unlawful processing, including destruction, deletion, alteration, disclosure or use.

When determining the necessary organizational and technical measures for ensuring data security, a controller and a processor are obliged to take into account the data categories and volume, and the purpose, form and means of data processing and possible threats of violation of the rights of data subjects, and to periodically assess the efficiency of technical and organizational measures taken for ensuring data security, and where necessary, to take adequate measures and / or update existing measures for ensuring data security.

In addition to that, a controller and a processor are obliged to ensure that all operations performed in relation to electronic data (including information on incidents, data collection, data alteration, data access, data disclosure (transfer), data links and data deletion) are registered. When processing non-electronic data, the controller and the processor are obliged to ensure that all operations related to data disclosure and / or alteration (including information on incidents) are registered.

Any employee of a data controller and a data processor who is involved in data processing, or who has access to data, is obliged to act within the scope of powers granted to him / her, maintain data secrecy and confidentiality, and to comply with same after the termination of his / her term of office. A controller and a processor are obliged to determine the volume of data to be accessed by employees depending on their scope of authority, and to take adequate measures to safeguard such data from incidents of unlawful data processing by employees, and to identify and prevent such incidents, and to provide information to employees on matters related data security.

Related resources

Breach notification

Breach notification in Georgia

As already outlined above (Registration Chapter), a controller is obliged to register an incident, its resulting outcome, the measures taken, and to notify the Personal Data Protection Service about the incident, not later than 72 hours after the identification of the incident, in writing or electronically, except for the case where it is least expected that the incident would cause significant damage and / or pose a significant threat to fundamental human rights and freedoms. A processor is obliged to notify a controller immediately about an incident.

The respective notification as referred to above shall contain the following information on:

the circumstances, type and time of the incident;
the possible categories and volume of data that have been disclosed, damaged, deleted, destroyed, obtained, lost, or altered in a non-authorized manner as a result of the incident, as well as the possible categories and number of data subjects that have been exposed to a threat as a result of the incident;
the measures taken or planned by a controller for mitigating or eliminating any possible damage caused by the incident;
whether or not, and within what time frame, a controller plans to notify a data subject(s) about the incident;
the data of a personal data protection officer or other contact persons.

if it is impossible to provide the information provided for above entirely and in full, a controller has a right, in agreement with the Personal Data Protection Service, to provide the information gradually, within a reasonable period.

The criteria for identifying an incident posing a significant threat to fundamental human rights and freedoms as provided above, and the procedure for notifying the Personal Data Protection Service about the incident, is established by a normative act of the head of the Personal Data Protection Service. According to the said normative act, types of incidents include:

Breach of confidentiality – Unauthorized disclosure of or access to personal data;
Breach of integrity – Unauthorized alteration of personal data, as well as unlawful or accidental damage, loss, or destruction;
Breach of availability – Loss of access to, restriction of access to, destruction, or deletion of personal data.

In addition to notifying the Personal Data Protection Service, If there is a high probability that an incident will cause significant damage and / or pose a significant threat to fundamental human rights and freedoms, a controller is obliged to inform a data subject about the incident immediately, or without unreasonable delay, after the identification of the incident, and to provide, in a simple and understandable language, the following information on:

a general description of the incident and the related circumstances;
the possible / resulting damage caused by the incident, and the measures taken or planned in order to mitigate or eliminate the damage;
the contact details of the personal data protection officer or other persons.

If informing a data subject requires disproportionately great efforts, expenses and time, a controller is obliged to make public the information provided for above or to disseminate it in another form that ensures the possibility of the data subject receiving the information. This obligation shall not arise where one of the following circumstances exists; namely if:

informing a data subject on the incident poses a threat to the interests of the protection of state secrets, the interests of state security, information security and cyber security and / or defense, the interests of public safety, crime prevention, operative and investigative activities, a criminal investigation, a criminal prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences or probation, interests related to financial or economic (including monetary, budgetary, and taxation) matters, public health and social protection that are essential for the country;
if a controller has taken appropriate security measures that have resulted in the prevention of a significant risk of violation of fundamental human rights and freedoms.

Related resources

Enforcement

Enforcement in Georgia

The Personal Data Protection Service monitors the lawfulness of data processing in Georgia. The main fields of activities of the Personal Data Protection Service in the field of data protection are:

provide consultations on matters related to data protection;
review applications related to data protection;
examine (inspect) the lawfulness of data processing;
inform the public on the data protection status in Georgia, and important events related thereto, and ensure the raising of awareness among the public.

Review of applications of data subjects by the Personal Data Protection Service

The Personal Data Protection Service is obliged to review the applications of data subjects regarding data processing and to take the measures provided for by the legislation of Georgia. Within 10 days after receiving a data subject’s application, the Personal Data Protection Service shall take a decision on the measures to be taken, and inform the applicant thereof. The Personal Data Protection Service shall be authorized to carry out an inspection in order to study and investigate the circumstances related to a data subject’s application. Any processor and / or controller is obliged to transfer the relevant material, information and / or documents to the Personal Data Protection Service upon request.

The period for reviewing an application of a data subject by the Personal Data Protection Service shall not exceed 2 months. On the basis of a grounded decision of the Personal Data Protection Service, the period of review of an application of a data subject may be extended for not more than 1 month. The Personal Data Protection Service shall be authorized to suspend the review of a data subject’s application on the grounds of a request for additional material, information and / or documentation, of which the data subject shall be informed. The review of the data subject’s application shall continue where such grounds no longer exist. The period of suspension shall not be included in the period provided for herein.

The Personal Data Protection Service shall be authorized to take a decision on data blocking before the review of the data subject’s application is completed. Despite the blocking of data, the data processing may continue if it is necessary to protect the vital interests of a data subject or a third party, or for the purposes of the security and defense of the State. After reviewing the application of a data subject, the Personal Data Protection Service shall take a decision on one of the measures provided for the Law (see below), and inform the data subject and a processor and / or a controller thereof in accordance with the procedure and within the time frame specified by the legislation of Georgia.

Inspection by the Personal Data Protection Service

The Personal Data Protection Service shall be authorized to carry out, on its own initiative or based on an application of an interested person, an inspection of any controller and / or processor. A decision to carry out an inspection provided for herein shall be taken by the Head of the Personal Data Protection Service.

Inspection by the Personal Data Protection Service involves:

determining compliance with the principles of data processing and the existence of legal grounds for data processing;
checking the compliance of organizational and technical measures and procedures implemented for data security with the requirements of the legislation of Georgia;
the checking of the lawfulness of data transfer to another state and international organization;
checking compliance with the rules and requirements of the Law and other normative acts with respect to data protection.

During an inspection, the Personal Data Protection Service shall be authorized to request from any institution, natural and / or legal person, documents and / or information, including information containing state, tax, banking, commercial, professional secrets and / or data, as well as materials and / or documents and / or information describing operative and investigative activities and criminal investigations, which constitute state secrets and are necessary to carry out the inspection within the scope determined herein.

A controller and / or a processor is obliged to provide any material, information and / or document to the Personal Data Protection Service immediately, within not later than 10 working days, if a response to the request for information requires:

finding and processing information in another institution or structural unit, or consulting with the said institution or unit;
searching for and processing a significant volume of information / documents.

The Personal Data Protection Service shall be authorized to extend the period referred right above by not more than 10 working days based on a substantiated application of a controller and / or a processor.

The Personal Data Protection Service shall be authorized to visit any institution and organization for inspection and to obtain any document and information, including information containing state, tax, banking, commercial, professional secrets and / or data, as well as materials and / or documents and / or information describing operative and investigative activities and criminal investigations, which constitute state secrets, irrespective of their content and mode of storage. As in case of applications (as stated above), taking into account the results of an inspection, the Personal Data Protection Service shall be authorized to apply the appropriate measures (see below).

An employee of the Personal Data Protection Service is obliged to secure information containing any kind of secret and not to disclose the secret information that he / she has become aware of in the course of performing his / her official duties. Such obligation shall survive after the termination of the powers of an employee of the Personal Data Protection Service.

Consultation and implementation of educational activities by the Personal Data Protection Service

If requested, the Personal Data Protection Service is obliged to provide consultations to state authorities, municipal bodies, other public institutions, legal entities under private law, and natural persons on any issue related to data processing and data protection. Also, the Personal Data Protection Service shall carry out educational activities on issues related to data processing and data protection.

Application of measures by the Personal Data Protection Service

If the Personal Data Protection Service identifies a violation of the Law or another normative act regulating data processing, it shall be authorized to apply one, or simultaneously more than one, of the following measures:

require the remedy of any violations and shortcomings related to data processing in the manner and within the period specified by it;
require the suspension or termination of data processing, if the measures and procedures implemented by a controller or a processor for ensuring data security do not comply with the requirements of the legislation of Georgia;
require the termination of data processing, the blocking, erasure, destruction or depersonalization of data, if it believes that the data are being processed in violation of the legislation of Georgia;
require the termination of data transfer to another state and international organization, if the data transfer is being carried out in violation of the legislation of Georgia;
provide written advice and recommendations to a controller and / or a processor in the case of a minor violation of the procedures related to data processing;
impose administrative liability on an offender.

A controller and / or a processor is obliged to fulfil the requirements of the Personal Data Protection Service within the period determined by the latter, and to inform the Personal Data Protection Service thereof.

If a controller and / or a processor fails to comply with the requirements of the Personal Data Protection Service, the Personal Data Protection Service shall have the right to apply to a court, a law enforcement body and / or a state institution supervising (regulating) the respective area, as provided for by the legislation of Georgia.

If the Personal Data Protection Service identifies an administrative offence, it shall be authorized to draw up an administrative offence report and, accordingly, to impose administrative liability on a controller and / or a processor in accordance with the Law and the Administrative Offences Code of Georgia.

If, in the course of performing its activities, the Personal Data Protection Service believes that there are elements of a crime, it shall inform the authorized state body thereof as provided for by law.

Compliance with the decisions of the Personal Data Protection Service in the area of data protection shall be mandatory and may only be appealed in a court according to the procedure established by law.

As for the liabilities:

Criminal liability

Illegal acquisition, storage, use, dissemination, or other provision of access to information reflecting private life or personal data that causes significant harm is punishable by a fine, corrective labor for up to two years, or imprisonment for up to three years.

Illegal use or dissemination of information reflecting private life or personal data via a published work, the internet (including social networks), mass broadcasting, or other public communication, which causes significant harm, is punishable by a fine, corrective labor for up to two years, or imprisonment for up to four years.

The actions described in Paragraph 1 or 2 above, committed:

for personal gain;
repeatedly,

are punishable by a fine or imprisonment for up to five years.

The actions described in Paragraph 1, 2, or 3 above, committed by an individual responsible for protecting such information or data due to their professional position, duties, or other circumstances, or by abusing their official position, are punishable by imprisonment for a term of four to seven years and may also include disqualification from holding a position or performing activities for up to three years, or without such disqualification.

Criminal liability under Paragraph 1 (acquisition, storage) does not apply to individuals who transfer the acquired / stored information to investigative authorities and provide information about committed / anticipated criminal actions through this means.

A legal entity committing actions specified under this Article is punishable by a fine, revocation of the right to perform activities, or liquidation and a fine.

Administrative liability

There are various fines imposed upon controller / processor when breaching their obligations stipulated in the Law (chapter X) ranging from GEL 500 (app. USD 177) to GEL 10,000 (app. USD 3,500).

Also, the Law introduces circumstances mitigating liability for an administrative offence. The following circumstances shall be considered as mitigating the administrative liability for an administrative offence:

terminating an unlawful act and remedying the damage caused as a result of the administrative offence, and / or taking appropriate organizational and technical measures for the prevention of similar offences in the future;
the commission of an administrative offence by a minor;
the sincere repentance of an administrative offence and cooperation with the Personal Data Protection Service;
other circumstances, such as the nature of the administrative offence and the degree of charges against the offender, which are considered as mitigating circumstances by the Head of the Personal Data Protection Service during the resolution of the case.

The obligation to submit evidence of the existence of circumstances mitigating administrative liability determined herein shall rest with a controller / processor.

Furthermore, there are circumstances aggravating liability for an administrative offence. The following circumstances shall be considered as aggravating administrative liability for the administrative offences:

the repeated commission of the same administrative offence within 1 year, for which an administrative penalty has already been imposed on a controller / processor / third party;
processing large quantities of data subjects’ data in violation of the requirements of this Law, or a risk thereof;
processing minors’ data in violation of the requirements of the Law;
the commission of an administrative offence for financial or other gain;
the commission of an administrative offence on the grounds of discrimination.

Civil liability

Civil claims (e.g. for monetary compensation) can be brought by individuals, depending on the actual consequences the breach of the Data Protection Law caused to the remedy-seeking individual.

Electronic marketing

Electronic marketing in Georgia

The Data Protection Law defines direct marketing as the direct and immediate delivery of information to a data subject by telephone, mail, email or other electronic means to generate and maintain interest in, sell and / or support a natural and / or legal person, product, idea, service, work and / or initiative, as well as image and social issues.

Furthermore, the Law stipulates that irrespective of the ground for collecting / obtaining data and their accessibility, data may only be processed for direct marketing purposes with the consent of the data subject.

Also, in addition to the name, surname, address, telephone number and e-mail address of the data subject, other data shall be processed for direct marketing purposes with the written consent of the data subject.

Prior to obtaining the data subject’s consent and when carrying out direct marketing, the controller / processor shall inform the data subject, in clear, simple and understandable language, of his / her right to withdraw his / her consent at any time and of the mechanism / procedure for exercising this right.

The controller / processor shall be obliged to terminate the processing of data for direct marketing purposes within a reasonable period after receiving an appropriate request from the data subject, but no later than 7 working days. To ensure that this obligation is met, the controller / processor shall have an obligation to provide information on the withdrawal of consent by the data subject.

The controller / processor shall ensure that the data subject has the possibility to request that the processing of data for direct marketing purposes be terminated in the same form in which the direct marketing is carried out, or to determine other available and adequate means to request the termination of the processing. The means referred herein to request the termination of data processing for direct marketing purposes shall be simple. In addition, the data subject shall be provided with a clear and easily understandable instruction on the use of the means. No fee or other restriction shall be imposed on the data subject for exercising the right to withdraw consent.

In the case of direct marketing, the burden of proof for the existence of the data subject’s consent, the simplicity of the means of objection, and the ease of understanding, accessibility and adequacy of instructions on the use thereof shall lie with the controller and / or processor. The controller / processor shall record and keep the date and fact of the data subject’s consent to the processing of data concerning him / her and the withdrawal of such consent for the duration of the direct marketing and for 1 year after the direct marketing has been discontinued.

Also, E-Commerce Law of Georgia stipulates that unwanted commercial communication (whereas commercial communication is defined as “the offering or communication of goods and / or services via electronic means, which directly or indirectly promotes the goods, services, and / or the reputation of a natural or legal person”) shall be subjected to the provision regulating direct marketing within the Data Protection Law.

Online privacy

Online privacy in Georgia

There are no specific regulations governing cookies compliance, traffic data, location data, or similar matters. Consequently, any activities involving such elements that fall within the material and territorial scope of the Data Protection Law (as above outlined) must be carried out in strict adherence to the provisions and requirements set forth by the Law.

Related resources

Key contacts

Data protection lawyers in Georgia

Rusa Tchkuaseli

Partner

BLC Law Office

Tbilisi

Email Full bio

Ketti Kvartskhava

Managing Partner

BLC Law Office

Tbilisi

Email Full bio

As of January 2025, the list of the acknowledged countries is as follows:

“Commonwealth of Australia, Republic of Austria, Republic of Albania, Principality of Andorra, Republic of Argentina, New Zealand, Kingdom of Belgium, Bosnia and Herzegovina, Republic of Bulgaria, Federal Republic of Germany, Kingdom of Denmark, United Kingdom of Great Britain and Northern Ireland, Kingdom of Spain, Republic of Estonia, Japan, Ireland Republic of Iceland, State of Israel, Republic of Italy, Canada, Republic of Cyprus, Republic of Latvia, Republic of Lithuania, Principality of Liechtenstein, Grand Duchy of Luxembourg, Republic of Malta, Republic of Moldova, Principality of Monaco, Montenegro, Kingdom of the Netherlands, Kingdom of Norway, Republic of Poland, Portuguese, Republic Romania, Hellenic Republic (Greece), French Republic, Republic of Serbia, Slovak Republic, Republic of Slovenia, Ukraine, Hungary, Oriental Republic of Uruguay, Republic of Finland, Kingdom of Sweden, Swiss Confederation, Czech Republic, Republic of North Macedonia, Republic of Croatia, Republic of Korea”.

In addition to the event when country is recognized in the list as per conditions elucidated above, the transfer of data to another state and international organization shall be also allowed if:

the transfer of data is envisaged by an international treaty and the agreements of Georgia;
a controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organization;
the transfer of data is stipulated by the Criminal Procedure Code of Georgia (for the purpose of carrying out investigative action), the Law of Georgia On the Legal Status of Aliens and Stateless Persons, the Law of Georgia On International Cooperation in Criminal Matters, the Law of Georgia On International Cooperation in Law Enforcement, and a normative act adopted on the basis of the Organic Law of Georgia On the National Bank of Georgia or the Law of Georgia On Facilitating the Prevention of Money Laundering and the Financing of Terrorism;
a data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant state and on possible threats;
the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable to give consent to such data processing;
there is a lawful public interest (including for the purposes of crime prevention, investigation, identification and criminal prosecution, the execution of a sentence and carrying out operative and investigation actions) and the transfer of data is a necessary and proportionate measure in a democratic society.

Quick links

Data Protection in Georgia

Transfer in Georgia