Georgia: Amended Data Protection Law

05.03.2024

On 14 June 2023, the Parliament of Georgia adopted the Law "On Personal Data Protection" (the "Law" or "New Law"), which enters into force on 1 March 2024; certain provisions will enter into force on 1 June 2024 and 1 January 2025.

The Law introduces a number of additional obligations for those involved in the processing of personal data. The provisions of the New Law affecting the private sector are largely based on the EU General Data Protection Regulation (GDPR).

“Personal data” is any information relating to an identified or identifiable physical person. “Processing” means any operation performed on the data, including collection, retrieval, access, storage, and disclosure. In today's reality, most organisations process personal data in one form or another, be it personal data of employees or personal data of clients. Thus, the obligations set out in the New Law apply to the majority of representatives of the Georgian business sector. Compliance with the Law requires developing various written policies and procedures, appointing an officer responsible for data protection, providing training to employees involved in data processing, signing data protection agreements with service providers, etc.

The liability for violations of the provisions established by the Law is much stricter. The amount of the fine varies depending on the type of violation and usually ranges between GEL 1,000 and GEL 6,000. The exact amount of the fine depends on the amount of the person's annual turnover and the presence of aggravating circumstances, such as repeated violation, violation with discriminatory motives, etc.

The following are the main issues regulated by the Law and the main innovations that impose additional obligations on those involved in data processing and will therefore have a significant impact on business.

Who is subject to legal obligations

  • person responsible for data processing
  • data processor

The controller determines the purposes and means of the data processing and carries out the data processing directly or via a person authorised to process the data. A data controller is, for example, any employer (for employee data), any clinic (for patient data), any hotel (for guest data), any bank (for customer data), etc.

The processor is a contractor to a controller who must process personal data for the benefit of or on behalf of the controller under a contractual relationship. For example, if another company provides call centre services for a healthcare provider, the healthcare provider itself is the controller with respect to the processing of patient data and the call centre is the processor.


Personal Data Protection Officer

The New Law introduced the position of the personal data protection officer ("DPO"). The rights and duties of the DPO include informing and advising the controller, data controller and their employees about data processing issues; reviewing and analysing claims and complaints related to data processing; representing the interests of the controller and data controller before the Personal Data Protection Service, etc.

The Law explicitly names the persons (entities) required to appoint a DPO, namely:

  • Insurance companies
  • Commercial banks
  • Medical institutions
  • Microfinance organisations
  • Electronic communications organisations
  • Airline companies
  • Airports
  • Credit bureaus
  • Public organisations
  • A person who processes data of a large number (at least 3% of Georgia’s population) of data subjects or systematically monitors data on a large scale.

The functions of a DPO may be performed by an employee or an external person on the basis of a service contract. The Law also allows the appointment of a common DPO by more than one person (entity).


In addition to appointing a DPO, the Law introduces additional important provisions on the following topics:

  • Obligation to record information
  • Data protection impact assessment document
  • Profiling
  • Incident reporting
  • Audio and video surveillance
  • International data transfer
  • Other.