March 2023

1. Governing Texts

Georgia adopted, on 28 December 2011, Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669 ('the Data Protection Act'), which is the primary legal act regulating data processing activities in the country.

The Data Protection Act is a reflection of Georgia's commitment under the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'), to which Georgia became party to in 2005. The Data Protection Act has also been influenced by the Data Protection Directive (Directive 95/46/EC).

1.1. Key acts, regulations, directives, bills

The Data Protection Act is further aided by other normative acts, including:

• Order of the Head of Personal Data Protection Service ('PDPS') on the Approval of the Form of Protocol on Administrative Infringement and the Rule of Keeping the Records Thereof, Its Use and Registration – Accounting (No.8 of 18 March 2020) (only available in Georgian here);
• Order of the Head of PDPS on The Approval of the Rule and Conditions of Proactive Publication of Public Information in Personal Data Protection Service and the Standard of Requesting the Public Information by Electronic Means (No. 7 of  16 March 2022) (only available in Georgian here);
• Order of the Head of PDPS on the Approval of the Template Forms of the Personal Data Protection Service (No. 6 of 9 March 2022) (only available in Georgian here);
• Order of the Head of PDPS on the Approval of the List of Countries with Proper Guarantees of Personal Data Protection (No. 3 of  2 March 2022) (only available in Georgian here);
• Order of the Head of PDPS on the Approval of the Rule of Investigating the Legality of Processing of the Personal Data (No. 4 of 2 March 2022) (only available in Georgian here);
• Order of the Head of PDPS on the Approval of the Rule on Granting Permission on Transferring the Personal Data to Other States and International Organizations (No. 2 of 2 March 2022) (only available in Georgian here); and
• Order of the Head of PDPS on the Approval of the Regulations of Personal Data Protection Service (No. 1 of 1 March 2022) (only available in Georgian here). 

In May 2019, the PDPS registered the draft Law on Personal Data Protection ('the Draft Law') as a bill at the Parliament of Georgia. The Draft Law has yet to undergo three parliamentary hearings before it is promulgated to law.

The purpose of the Draft Law is to provide comprehensive data protection requirements to Georgian legislation and align with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

1.2. Guidelines

The PDPS issued a number of recommendations and guides on personal data protection, including:

• Recommendations on Processing of Personal Data by the Commercial Banks (only available to download in Georgian here);
• GDPR – What You Should Know About EU Data Protection Regulation (only available to download in Georgian here);
• Recommendations on Processing of Personal Data in Healthcare (only available to download in Georgian here);
• The Guide for a Start-up (only available to download in Georgian here);
• Recommendations for the Internet Service Providers (only available to download in Georgian here);
• Recommendations on the Processing of Biometric Data;
• Recommendations for conducting Video-surveillance;
• Recommendations on the Personal Data Processing for Direct Marketing Purposes (only available to download in Georgian here);
• Recommendations on Processing of Personal Data by Financial Organizations (only available to download in Georgian here);
• Recommendations On Processing of Personal Data During Election (only available to download in Georgian here);
• Recommendations On Processing of Personal Data During the Fight Against Covid-19 (only available to download in Georgian here);
• Recommendations On Processing of Personal Data In the ID Card (only available in Georgian here); and
• Recommendations On Processing of Personal Data In the Birth Certificate (only available to download in Georgian here).

1.3. Case law

On 6 August 2022, the Supreme Court of Georgia ('the Supreme Court') decided on the case N BS_162(K-22) which concerned unauthorised processing (collection) of personal data by an employee of the Ministry of Internal Affairs of Georgia ('the Ministry of Internal Affairs') for non-work related purposes.

The Supreme Court endorsed the reasoning of the Appellate Court that in a democratic society the State has the positive obligation to protect the right to privacy, which includes ensuring the protection of the personal data of the individuals. The obligation to protect the personal data is applicable to the persons employed by the ministry, who have the connection to the personal databases due to the work-related functions. Unlawful collection and processing of personal data by the employee of the ministry will undoubtedly breach the right of private and family life under Article 8 of the European Convention on Human Rights.

2. Scope of Application

2.1. Personal scope

The Data Protection Act applies to:

• data controllers defined as public authorities or natural or legal persons which individually, or in cooperation with others determine the purposes and means of personal data processing and process the personal data directly or through the data processor;
• data processors defined as any natural or legal persons processing the personal data for or on behalf of the data controller; and
• data subjects defined as natural persons whose data is being processed.

The Data Protection Act also applies to the data controllers, which employ technical means existing in Georgia for data processing. However, if such technical means are used solely for data transferring, then the Data Protection Act will not be applicable.

Other entities to which Data Protection Act applies include diplomatic representations and consular office of Georgia abroad.

2.2. Territorial scope

The Data Protection Act applies to:

• processing of personal data through automatic or semi-automatic means on the territory of Georgia;
• processing of data through non-automatic means within the territory of Georgia, which data forms part of the filing system or are intended to form part of the filing system; and
• automatic processing of data defined as a state secret for the crime prevention and investigation, operational-investigative activities, and protection of the rule of law.

Data processing within the territory of Georgia will trigger the application of the Data Protection Act. If this is the case, the nationality or residence of the data controller has no relevance. Decisive criterion is the territoriality of the data processing activity.

If the territorial criterion is not met, then the Data Protection Act will apply to:

• data processing by diplomatic representations and consular offices of Georgia abroad; and
• if the data controller, which is not registered in Georgia, employs technical means existing in Georgia for data processing. If this is the case data controllers must appoint/designate a registered representative in Georgia. However, if such technical means are used solely for data transferring, then the Data Protection Act will not be applicable.

2.3. Material scope

The Data Protection Act applies to:

• the processing of personal data through automatic or semi-automatic means;
• the processing of data via non-automatic means within the territory of Georgia which data forms the part of a filing system or is intended to form the part of the filing system; and
• the automatic processing of data defined as a state secret for crime prevention and investigation, operational-investigative activities, and protection of the rule of law except as provided by the Data Protection Act.

The Data Protection Act does not apply in the following circumstances:

• to data processing by a natural person for personal purposes not related to their entrepreneurial or professional activities;
• during court proceedings as far as it may prejudice the proceedings before the court's final decision is taken;
• to processing of data defined as a state secret for the purposes of state security (including economic security), defence, intelligence, and counterintelligence activities; and
• to the processing of information defined as a state secret, with certain exceptions.

The Data Protection Act does not apply to the processing of data by media for public information, also to the processing of the information in the fields of art and literature, except for the requirements provided for in Article 17 of the Data Protection Act.

The requirements for data controllers to keep a filing system catalogue and to notify and register certain information with the PDPS does not apply to the processing of data by political parties, professional and other unions, and religious organisations, with respect to their members.

Data processing rules on special category data does not apply to data processing for public safety, operational and investigative activities, and criminal investigations, if the matter is directly and specifically regulated under the Criminal Procedure Code of Georgia, the Law of Georgia on Operational-Investigative Activities, or other special laws and for the national population census under the Law of Georgia on Official Statistics.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The regulator for data protection is the PDPS, which substituted the Office of the State Inspector. The PDPS has two main functions:

• controlling the legality of data processing activities; and 
• monitoring of secret investigative actions and activities carried out in the central bank of electronic communication identification data.

3.2. Main powers, duties and responsibilities

PDPS in addition to the powers mentioned above, may also carry out inspections of data processing activities in public and private organisations.

Additionally, PDPS may provide consultation to public and private parties regarding data protection, review applications from data subjects, and maintain a register of filing system catalogues.

4. Key Definitions

Data controller: A public authority or natural or legal person which individually, or in cooperation with others determine the purposes and means of personal data processing and processes the personal data directly or via a data processor.

Data processor: Any natural or legal person processing the personal data for or on behalf of the data controller.

Personal data: Any information connected to an identified or identifiable natural person. A person is identifiable when they may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological, economic, cultural, or social features specific to this person.

Special category data: Data connected to a person's racial or ethnic origin, political views, religious or philosophical beliefs, membership of professional organisations, state of health, sexual life, criminal history, administrative detention, putting a person under restraint, plea bargains, abatement, recognition as a victim of crime or as a person affected, also biometric and genetic data that allow to identify a natural person by the above features.

Health data: There is no definition of Health Data under the Data Protection Act.

Biometric data: Any physical, mental, or behavioural feature which is unique and constant for each natural person and which can be used to identify this person (fingerprints, footprints, iris, retina (retinal image), facial features).

Pseudonymisation: 'Data depersonalisation' is defined as data modification in a way to make it impossible to link the data to the data subject or to require disproportionately great effort, expense, and time to establish such a link.

Genetic data: Unique and constant data of a data subject relating to genetic inheritance and/or DNA code that makes it possible to identify them.

5. Legal Bases

5.1. Consent

Consent is one of the legal bases for the processing of personal data.

5.2. Contract with the data subject

Personal data may be processed if it is necessary to consider the application of, or to provide a service to, the data subject;

5.3. Legal obligations

Personal data may be processed if the data processing is necessary in order to enable the data processor to fulfil a legal obligation.

5.4. Interests of the data subject

Personal data may be processed if the data processing is necessary in order to protect the vital interests of the individual to whom the data relate.

5.5. Public interest

Personal data may be processed if the data processing is necessary in order to safeguard a public interest material by Law.

5.6. Legitimate interests of the data controller

Personal data may be processed if the data processing is necessary in order to safeguard a legitimate interest of the data controller or the third party, except where such interests are overridden by the interest of protecting the rights and freedoms of the data subject.

5.7. Legal bases in other instances

Other legitimate grounds for data processing include:

• there is a statutory authority for the data processing; and
• the personal data are in public domain or have been made accessible by the data subject.

Data controllers may process personal data in the form and manner permitted by the Law, including:

• to process personal and special category data;
• to process the data for direct marketing purposes; and
• to conduct the video-surveillance and more.

6. Principles

The main responsibility of the data controller is to ensure that the following requirements are met:

• there is a proper legal ground (such as, for example, data subject's consent) to process the personal data;
• the personal data is being processed for specific, clearly defined, and legitimate purposes;
• the personal data is processed only to the extent necessary for legitimate purposes;
• the personal data is adequate and proportionate to the purposes for which it was collected;
• the data is kept only for the period necessary to achieve the purpose of data processing;
• the data controller and data processor took necessary technical and organisational security measures to ensure the protection of personal data from accidental or illegal destruction, modification, disclosure, access, and any other form of illegal use, or accidental or illegal loss; and
• the security measures implemented by the data controller and data processor are adequate for the risks of personal data processing.

7. Controller and Processor Obligations

7.1. Data processing notification

The registration (notification) requirement applies to the databases. According to Article 2(N) of the Data Protection Act, a database is any structured set of personal data where data is arranged and can be accessed based on certain criteria. The Data Protection Act uses the term 'filing system' to denote to a database. For example, the database of customers or a registry of employees and clients, which are subject to processing, may qualify as a filing system.

Under Article 19 of the Data Protection Act, the data controller is obliged to have a special catalogue on each filing system providing a detailed description of the structure and content of the filing system. The data controller must, before the creation of a filing system and entry of a new category of data electronically, register with the PDPS the following information:

• the name of the filing system;
• names and addresses of a data controller and a data processor, place of storing, and/or processing of data;
• legal grounds for data processing;
• the category of data subject;
• the category of data in the filing system;
• the purposes of data processing;
• the period for data storage;
• the fact and grounds for the restriction of a right of a data subject;
• the recipient of data stored in a filing system, and their categories;
• the information on the trans-border flows of data and transmission of data to an international organisation, and the legal grounds for the transfer; and
• the general description of the procedure established to ensure data security.

Data controllers must regularly update the filing system catalogue. Any alteration made to the information in the filing system catalogue must be notified to the PDPS not later than 30 days after the alteration.

The notification requirement also applies to cross-border data transfers and to the processing of biometric data by private organisations.

Before using biometric data, a data controller must provide the PDPS with the same information which is provided to the data subject, specifically the purpose of data processing and the security measures taken to protect the personal data.

7.2. Data transfers

Transfer of personal data outside Georgia is admissible without a separate authorisation from the PDPS if one of the two following conditions apply:

• a respective legal ground for data processing exists and the proper standards for the safety of data are secured in the relevant country; or
• the processing of data is stipulated in the international agreement between Georgia and the relevant country.

If neither of the above conditions apply, then there should be a formal written agreement between the transferor and the recipient under which the recipient must commit to ensuring proper guarantees to protect the data. In this case, the PDPS must be presented with such agreement and other relevant information or documents for data transfer approval.

7.3. Data processing records

The data processor must keep the record of all data processing activities carried out on personal data and stored in electronic form. A record must also be kept of any disclosure or modification of personal data contained in non-electronic form.

7.4. Data protection impact assessment

Currently, the Data Protection Act does not require a Data Protection Impact Assessment ('DPIA') or a Privacy Impact Assessment ('PIA').

7.5. Data protection officer appointment

There is no compulsory requirement to appoint a data protection officer.

7.6. Data breach notification

There is no direct obligation to report to the PDPS the data breach.

7.7. Data retention

The Data Protection Act does not provide for how long the data must be stored. The data controller determines the data retention term by itself.

According to the general principle of the Data Protection Act, the personal data may only be retained as long as necessary to achieve the legitimate objectives for which they were collected. After such purposes have been achieved, personal data must be blocked, deleted, destroyed, or retained in a form that prevents the identification of an individual, unless otherwise provided for by the Data Protection Act.

Storing data for an unlimited term is not permitted as confirmed by the decisions of the PDPS.

7.8. Children's data

According to Article 71 of the Code for the Rights of the Child, the personal data of any child involved in administrative proceedings or a judicial process may not be disclosed in any form, including by media, which may disclose or indirectly indicate the identity of the child (an image, a detailed description of the child or their family members, names, addresses, audio, and video recordings, and similar information).

Besides, it is not permitted to disclose in any form, including by media, a document, or a record containing the personal data of a child, which is related to the use of disciplinary measures against the child, violence committed against or by the child, the health status of the child, the participation of the child in programs of social assistance or charity programs for children with disabilities or for poor families, and other information of similar content related to the child.

7.9. Special categories of personal data

The processing of special category data is prohibited except with the written consent of the data subject or where one of the following conditions apply:

• the data subject has made public the data about them, without expressly prohibiting the use of such data;
• processing of health related or prior conviction data is necessary for the data controller to observe the employment obligation, including for hiring the candidate;
• data processing is necessary to protect vital interests of the data subject or a third party and the data subject is physically or legally disabled to provide consent for data processing;
• the data are processed for the purpose of protecting the public health, processed by a healthcare facility (employee of such facility) for the purpose of protecting individual's health, or processed where necessary for the management or operation of the healthcare system;
• data processing is carried by political, philosophical, religious, or trade unity, association, or other non-commercial organisation during performing the legitimate activities. If this is the case, data processing may only be related to the members of such organisation or to the persons who have permanent connection with the organisation;
• data is processed to run the registry/personal files of the accused/convicted individuals; to consider the issues related to individual planning of serving the sentence by the convicted person and/or releasing convicted person on a parole and changing of an unserved term with a lighter punishment; and
• data are processed in accordance with Law of Georgia On Crime Prevention, Non-Custodial Sentences, and Probation (only available in Georgian here), Law of Georgia On International Protection (only available in Georgian here), or for functionality of uniform analytical system of migration data.

When processing special category data based on any of the grounds above, it is prohibited to publish or disclose to third parties the data without the consent of the data subject.

7.10. Controller and processor contracts

Data processing may be carried out by a data processor based on a legal act or written agreement concluded with the data controller. The agreement must meet the requirements of the Data Protection Act and other legal acts and include the prohibitions set out under the Data Protection Act.

The data processor:

• must only process the personal data to the extent set out in the agreement or the legal act. Personal data must not be further processed for other purposes;
• may not assign or outsource data processing to other parties without the consent of the data controller; and
• must implement adequate organisational and technical security measures to protect the personal data. The data controller should monitor data processing.

The agreement with the data processor should not be signed if there is a risk that the personal data may be processed for other purposes taking into account the activities/objectives of the data processor. The actions of the data processor are attributable to the data controller.

8. Data Subject Rights

8.1. Right to be informed

When personal data is collected directly from a data subject, the data controller or data processor must provide the data subject with the following information:

• identities and registered addresses of the data controller and the data processor (if applicable);
• purposes of the data processing;
• whether the provision of data is mandatory or voluntary and, if mandatory, the legal consequences of refusal to submit them; and
• the right of the data subject to obtain information on their personal data processed, request their correction, updating, addition, blocking, deletion, and destruction.

Provision of the information is not mandatory if the data subject already has it.

8.2. Right to access

The data subject has the right to request information from a data controller on processing of their data. Upon request, the data controller must provide the data subject with the following information:

• which personal data was processed;
• the purpose of data processing;
• the legal grounds for data processing;
• the ways in which the data were collected; and
• to whom the personal data were disclosed, and the grounds and purpose of the disclosure.

The data subject must be provided with the above information immediately upon request or not later than ten days after the request is made, when responding to the request it is required to:

• retrieve and process the information at another institution or structural unit or consult with either one;
• retrieve and process voluminous documents not linked to each other; and
• consult with its structural unit located in another populated place, or with other public agency.

8.3. Right to rectification

Upon the data subject's request, the data controller must correct, update, add, block, delete, or destroy the personal data if it is incomplete, inaccurate, outdated, or collected in violation of the Data Protection Act.

8.4. Right to erasure

Upon request of the data subject, the data controller must delete or destroy the personal data if they are incomplete, inaccurate, outdated, or collected in violation of the Data Protection Act.

8.5. Right to object/opt-out

Withdrawal of consent

A data subject may revoke consent on data processing and request termination of data processing or deletion of processed data at any time and without explanation. This right of the data subject does not apply to the data processed with the consent and related to the performance of monetary obligation.

8.6. Right to data portability

The Data Protection Act does not provide for the data portability right.

8.7. Right not to be subject to automated decision-making

The Data Protection Act does not provide any specific provision on data subject's right not to be subject to automated decision-making.

8.8. Other rights

Right to appeal

The data subject may appeal the violation of their rights before the PDPS, the Court, or the administrative body.

9. Penalties

A breach of the Data Protection Act can result in criminal, administrative, and civil liability.

Criminal liability

The illegal collection, retention, use, or dissemination of personal data, which caused substantial damage, can result in a fine, correction labour, and/or imprisonment for three years. The legal entity can be imposed a fine, deprived of the right to run the business, or imposed liquidation and a fine.

Administrative sanctions

The PDPS may order temporary or permanent termination of data processing, the blocking, destruction, or depersonalisation of personal data, the termination of transfer, and issuance of administrative fines.

The administrative fines provided under the Data Protection Act range from GEL 500 (approx. €142) to GEL 10,000 (approx. €2,840) depending on the type of violation.

Civil claim

Individuals may, in addition, bring a civil claim depending on the harm caused by the breach of the Data Protection Act.

9.1 Enforcement decisions

Supreme Court Decision N BS-287(K-19) 22 October 2020 (only available in Georgian here) which concerned the processing of personal data of the deceased individuals. The Supreme Court referred to Article 7.5 of the Data Protection Act noting that the data of a deceased person may be disclosed for historical, statistical, and research purposes, except when the deceased person had prohibited in writing disclosure of their data and ruled that this is a valid statutory ground to process the personal data of the deceased. However, the Supreme Court noted that the person asking for access to the data of the deceased person based on that ground must prove that there is a statutory basis and prevailing public interest for such access.