
Georgia: Amended Data Protection Law

In this Insight article, Tamara Tevdoradze, Partner at BGI Legal, explores the evolution of personal data protection legislation in Georgia, highlighting key changes introduced by the recently enacted Law of Georgia on Personal Data Protection from June 14, 2023 (the Data Protection Act 2023).


The first piece of legislation regulating the protection of personal data on the territory of Georgia was adopted in 2011 and has been applied by the Personal Data Protection Service of Georgia (PDPS) for over a decade to protect the interests of data subjects during the processing of their personal data. Though mainly based on the General Data Protection Regulation (GDPR), the 2011 law on the protection of personal data (the Data Protection Act) does contain certain requirements that are unique to Georgia. The new Data Protection Act 2023 is a successful attempt by the Georgian legislator to bring the local legal framework closer to EU standards by setting more detailed requirements, specifying the obligations of data controllers in areas that were not covered by the Data Protection Act, and increasing the administrative sanctions applicable to breaches of the Data Protection Act 2023. The Data Protection Act 2023 shall gradually enter into force from March 2024. Together with the recommendations and guidelines for various types of data processing published by the PDPS, the Data Protection Act 2023 is expected to create a more consistent and robust legal framework for the protection of data subjects' rights during the processing of their personal data, irrespective of the organizational type of the data controllers/processors.

This Insight article offers a summary of the most notable novelties and changes introduced by the Data Protection Act 2023, which include the establishment of an institution of a personal data protection officer (DPO), data protection impact assessment (DPIA), incident notification requirements, regulation of the processing of personal data of minors, changes in the rules of direct marketing, the appointment of a special representative by foreign controllers, and increase of administrative sanctions for breach. It does not contain an exhaustive analysis of the applicable legal requirements.

Personal DPO

The introduction of the institution of the personal DPO is an important novelty for Georgia. Unlike the GDPR, the Data Protection Act does not recognize the concept of a DPO, and there is no obligation to appoint one, irrespective of the type of processing entity or the volume of personal data processed. The Data Protection Act 2023, on the other hand, establishes an obligation to designate or appoint a DPO for certain categories of entities. This additional mechanism should have a significant positive effect on the protection of personal data and should help data controllers/processors better understand the applicable legal framework and adjust their working processes to comply with effective data protection requirements.

The obligation to appoint or designate a personal DPO applies to public agencies, insurance companies, commercial banks, microfinance institutions, credit bureaus, electronic communication companies, airlines, airports, medical institutions, and data controllers/processors that process large volumes of data or monitor data subject behavior on a frequent basis, in large volumes. Other data controllers are not obligated but may designate or appoint a DPO at their discretion.

The functions of the personal DPO include:

  • informing the data controller/processor and its staff on the data protection requirements and any changes thereto;
  • consulting and assisting the data controller/processor in compliance with applicable requirements;
  • participating in the adoption of internal regulations for data processing and DPIA;
  • monitoring compliance by the data controller/processor with applicable requirements;
  • analyzing and issuing recommendations in relation to incoming complaints and communications related to data processing;
  • representing the data controller/processor in communications with the PDPS;
  • informing data subjects on the processing of their personal data and their rights in relation thereto (on the basis of a request submitted by the data subject); and
  • otherwise assisting the data controller/processor in raising the standards of data protection within the organization.

The personal DPO's duties may be exercised by an employee of the data controller/processor or by a service provider on the basis of a service agreement. The DPO is required to have a proper educational background in personal data protection and shall report to the highest managing authority within the structure of the data controller/processor. The DPO shall be independent in the exercise of its duties. The name and contact information of the DPO are to be reported to the PDPS and published on the web page of the data controller/processor. The PDPS shall also publish information on personal DPOs on its web page. Notably, the persons authorized within the data controller/processor to appoint and/or designate the personal DPO are to be determined by a normative act of the PDPS.

DPIA

Another important novelty of the Data Protection Act 2023 is the introduction of a requirement for data controllers to conduct a DPIA. The general requirement applies to the processing of personal data where, due to new processing technologies or the category of data, purpose, and means of processing, there is a high likelihood of violation of the fundamental rights of data subjects. The criteria for determining whether such risks exist, and the assessment procedure, are to be established by the rules of assessment to be adopted by the PDPS. The Data Protection Act 2023 further specifies that the requirement shall also apply if the data controller

  • is engaged in automated processing (e.g. profiling) in relation to decisions that have legal, financial, or other material consequences for data subjects;
  • processes sensitive personal data in relation to a large number of data subjects;[1] or
  • is engaged in monitoring data subjects' behavior systematically and on a large scale.

The DPIA shall be concluded by the preparation of a written report. In addition to information on the category, purposes, proportionality, processes, and grounds of processing, the report must contain an assessment of the risks of violation of the fundamental rights and freedoms of affected data subjects and the technical/organizational measures for the security of such data. The report must be retained throughout the processing and for at least one year after the termination of processing. If the DPIA reveals a high risk of violation of the fundamental rights and freedoms of data subjects, the data controller is obligated to take all technical measures to minimize the risks, if necessary in coordination with the PDPS. If such risks cannot be minimized by technical and organizational means, the data controller may not proceed with the processing.

Incident notification

The Data Protection Act does not contain incident notification requirements, either to data subjects or to the PDPS. The only requirement that must be observed by data controllers/processors is to record all disclosures or breaches of personal data and keep such records together with the data. Such measures are required to verify the recipients (lawful or unlawful) of personal data in the event the PDPS or the data subject requests such information.

In contrast, the Data Protection Act 2023 introduces a notification requirement in relation to both parties - data subjects and the PDPS. In the case of data subjects, a notification is required if the incident is likely to result in substantial damages and/or creates a substantial risk to the fundamental rights and liberties of data subjects.[2] The notification must be served as soon as practicable, without undue delay. If informing the data subjects individually would require disproportionately high costs or efforts, the data controller is required to publish a notification on the incident in a manner that ensures the data subjects will receive the information. A notification is not required if informing the data subjects would endanger the national security, information security, or cybersecurity interests of the state, or the investigation/prevention of a crime, operative actions, etc. One of the grounds releasing the data controller from the notification requirement is adequate incident mitigation, i.e. the data controller having taken safety measures that have prevented substantial risks to the fundamental rights and liberties of data subjects.

As for the notification to the PDPS, the Data Protection Act 2023 obligates the data controller to record all incidents, their results, and the measures taken in relation to each incident, and to notify the PDPS within 72 hours of the incident, except when the incident is not likely to result in substantial damages and/or create a substantial risk to the fundamental rights or liberties of data subjects.[3] The notification must contain detailed information on the incident, including potential damages and whether the data subjects are being notified of the incident. If the incident occurs at the data processor, the data processor must immediately notify the data controller.

If the notification submitted to the PDPS makes it clear that the data controller does not or is unable to notify the data subjects, the PDPS may, taking into consideration the circumstances of the incident, its potential results, and/or the number of affected data subjects, decide to make information on the incident public, unless there are grounds to believe that publication may endanger the national security, information security, or cybersecurity interests of the state or the public interest, or there are other factors making publication unreasonable.

Personal data of minors

The Data Protection Act is silent on the rights of minors with respect to the protection of their personal data. Such personal data is therefore protected under the general data protection rules and requirements applicable to other types of personal data, together with the general principles of legal representation. The Data Protection Act 2023 clarifies the process of obtaining consent for the processing of the personal data of minors. Once a minor reaches the age of 16, consent may be obtained directly from the minor, except in the case of sensitive data, which may be processed only with the consent of the minor's parent or legal representative. In the case of younger minors, their personal data may be processed only with the consent of their parent or other legal representative. The data controller is required to take all reasonable and adequate measures to verify the existence of consent for the processing of the personal data of children under the age of 16. When processing the personal data of minors, the data controller is obligated to act in the best interests of the minor. The consent of a minor, their parent, or other legal representative shall be considered void if the processing of personal data endangers the best interests of the minor.

Special representative

Like the Data Protection Act, the Data Protection Act 2023 applies not only to local data controllers and processors but also extends coverage to foreign registered entities that use local technical facilities for the processing of personal data, except when such technical facilities are used for data transit only. Where a foreign entity uses local technical facilities, it is obligated to appoint a special representative before the commencement of any processing activities. The Data Protection Act fails to provide guidelines for the process of appointing a special representative; in practice, therefore, the appointment is performed through the issuance of a power of attorney or the execution of a service contract. While the Data Protection Act 2023 does not clarify the mechanism of appointment either, it establishes a requirement to register such special representatives with the PDPS and states that the rules of registration shall be determined by a normative act of the PDPS. These rules are expected to contain guidelines on the methods of appointing special representatives as well.

The purpose of the special representative is to represent the data controller/processor in relation to the data subject and the PDPS. The data subject may address the special representative for any issues related to the processing of his/her data by the data controller/processor.

Notably, the requirements in relation to the appointment and registration of special representatives do not apply to data controllers/processors incorporated in member states of the EU, which are subject to the requirements of GDPR, as well as those data controllers/processors that are established in the states recognized by the EU as states having adequate data protection mechanisms.

Direct marketing

The Data Protection Act allows the use of publicly available personal data for direct marketing. The categories of data that may be used for this purpose are name, address, telephone number, email, and fax number. Processing of any other category of data is permitted only with the written consent of the data subject. The data subject may request that the data controller terminate the processing of their personal data for direct marketing purposes, and such a request must be honored within 10 business days. The data controller is obligated to inform the data subject of the right to request termination of processing through the same means used for direct marketing and/or to define an accessible and adequate means for submitting the request to terminate processing.

The Data Protection Act 2023, on the other hand, allows the processing of personal data for direct marketing only on the basis of the informed consent of the data subject, irrespective of the grounds of collection and the availability of such personal data. Written consent is required for the processing of personal data other than name, address, telephone number, and email. The timeline for complying with a data subject's request to terminate the processing of their personal data has been reduced to seven business days. The data controller and data processor are required to ensure the exchange of information in this respect. The Data Protection Act 2023 obligates the data controller to establish clear and easily understandable means for the data subject to communicate a request for termination of processing. Charging a fee or imposing any restriction on the exercise of this right is prohibited.

Sanctions

Like the Data Protection Act, the Data Protection Act 2023 establishes fixed penalties for breaches of its requirements. However, the Data Protection Act 2023 increases the amounts of the penalties and ties them to the organizational form and annual turnover of the breaching entity. The penalties range from GEL 1,000 (approx. $370) to GEL 10,000 (approx. $3,700).

Tamara Tevdoradze, Partner
BGI Legal, Georgia


[1] A large number of data subjects is defined as no less than 3% of the population of Georgia, based on the last national census.

[2] The criteria for determining whether an incident will result in substantial damages and/or create a substantial risk to the fundamental rights and liberties of data subjects, as well as the rules of notification, shall be determined by the head of the PDPS.

[3] Whether an incident will result in substantial damages and/or create substantial risks to the fundamental rights and liberties of data subjects is to be determined in accordance with rules to be adopted by the head of the PDPS.
