
Personal Data Protection for Business in Georgia: What a Company Must Consider in 2026
Introduction: What Changed on March 2, 2026?
From March 2, 2026, the Personal Data Protection Service was abolished and its functions - supervision, inspections, review of incidents, and receipt of applications from data subjects - were transferred to the State Audit Office.
This change raises open questions. The Personal Data Protection Service was a specialized, separately established institution, whereas the primary mandate of the State Audit Office is the control of state finances. The specialized competence and speed of the new structure remain to be tested. The business and civil society sectors must closely monitor this development.
What has not changed: The requirements of the Law - obligations, fines, and the rights of data subjects - remain in full force.
Official Contact: State Audit Office - sao.ge
Part I: To Whom Does the Law Apply?
The Law "On Personal Data Protection" applies to any person or organization that:
processes data on the territory of Georgia by automatic or semi-automatic means;
or is established outside the borders of Georgia, but processes local data using technical means located in Georgia.
This means that the Law applies to all companies and institutions where the personal data of a natural person is processed. It also covers video and audio monitoring.
Exception: The exclusively personal and household activities of a natural person that have no connection to entrepreneurial or professional activities. Furthermore, the Law does not apply to the processing of a legal entity's data. The focus of the Law is the personal data of a natural person.
Part II: What is Personal Data?
Standard Personal Data
First name, last name, personal identification number, email, telephone number, IP address, cookie identifiers, geolocation, account numbers.
Special Category Data
The Law treats as special category any data concerning:
Health and mental state
Racial or ethnic origin
Political views, religion, philosophical beliefs
Trade union membership
Sexual life and orientation
Biometric and genetic data (facial image, dactyloscopic data)
Criminal records, conviction, and acquittal
⚠️ Practical Warning: Video monitoring used for the biometric identification of a person (e.g., facial recognition systems) involves special category data, and using it directly in an institution is quite risky.
Part III: 7 Principles of Processing
These principles are the "backbone" of the Law - all other obligations are built upon this foundation:
| Principle | Practical Significance |
| --- | --- |
| 1. Lawfulness, fairness, transparency | Data is processed on a legitimate basis, in an informed manner |
| 2. Purpose limitation | Collection only for a specific, clearly defined purpose |
| 3. Minimization | Only those data which are genuinely necessary for the purpose |
| 4. Accuracy | Data must be correct and updated |
| 5. Storage limitation | Upon expiration of the term - deletion or depersonalization |
| 6. Security | Technical and organizational measures |
| 7. Accountability | Business must independently prove compliance |
The most frequently violated principle in practice: companies do not limit the storage of personal data to the term envisaged for fulfilling the specific purpose, and they do not delete it even after that term has expired. Furthermore, they process more data than they need.
Part IV: Legal Bases of Processing
Every processing must rely on one of these bases.
For Standard Data
1. Consent - must be specific, informed, and freely given. The data subject can withdraw it at any time. Consent is considered obtained only through an active action of the data subject.
2. Performance of a contract - applied when the processing is directly necessary for the performance of a contract concluded with the data subject. Important: this basis does not automatically extend to additional processing, e.g., for marketing; the latter requires a separate basis.
3. Legal obligation - applied when processing is a direct requirement of the legislation (e.g., Tax Code, Labor Code).
4. Protection of vital interests - a narrow, exceptional basis, which is mainly applied in medical emergency situations where the data subject is physically or legally unable to express consent. It is practically inapplicable for commercial purposes.
5. Public interest - a basis primarily intended for public institutions.
6. Legitimate interest - the controller or a third party may have a justified interest in processing the data, provided that this interest overrides the fundamental rights and interests of the data subject. Assessing this directly is quite difficult and requires a prior examination of the complete documentation.
For Special Category Data
Processing of this category is prohibited by default - except for the exceptions directly provided for by the Law. The most frequently used basis is written consent, which differs from standard consent: oral or implied consent is not sufficient - the Law requires a signed or electronic form.
Part V: Main Obligations of Business
1. Transparency and Providing Information
A personal data processing policy is mandatory, but it cannot replace a short, comprehensible notice at the moment of data collection. When filling out a form or opening an account, the data subject must receive information regarding:
Who is processing the data
For what purpose it is being processed
On what legal basis
DPO contact details (if appointed)
Data recipients (third parties, transferring countries)
Storage term
Rights of the data subject
Important Matters to Consider: A Practical Checklist for Business
Compliance with the Law begins not with legal documents, but with simple questions - what are you processing, why, and how. Below are the issues that every company must verify.
Data Inventory. Check what categories of personal data you hold - of clients, employees, guests. Ascertain where it is stored (on a local server, in the cloud, in email), who has access to it, and, most importantly, for what term. Storing data for longer than the established term constitutes a violation of the Law. If it is impossible to determine a specific term, define the specific purpose for which the data is stored; once that purpose is achieved, the data must be deleted and/or stored in a depersonalized form.
Video Monitoring. If video cameras are used in the company, the Law establishes exact requirements: the purpose of recording must be defined, data subjects must be informed by a visible warning sign, and the storage term of the recording must be fixed. Special caution is required if the camera monitors a workplace - in such a case, an additional basis is required. The mere argument that video monitoring of the workspace is necessary to verify the work efficiency of employees is unjustified.
Audio Monitoring. Audio monitoring is quite sensitive and entails risks. The company must consider that it is permissible only in the following cases: a) with the consent of the data subject; b) to produce a protocol record; c) to protect a significant legitimate interest of the controller (the person responsible for processing), provided that appropriate and specific measures are defined to protect the rights and interests of the data subject; d) in other cases directly provided for by the legislation of Georgia. Therefore, a company that wishes to conduct audio monitoring is advised to seek detailed consultation first.
Direct Marketing. Check on what basis you are sending promotional SMS or emails. A list that was "collected sometime" or "purchased directly" is not sufficient. Prior, withdrawable consent is required. Furthermore, if consent was not obtained from a specific person and they have refused the processing of their data for direct marketing, disregarding that refusal will result in a sanction.
Informing Employees. The most frequent "loophole" in personal data protection is the human factor. Every employee must be trained and informed, both about the processing of their own personal data and about the company's policy in this area.



