Breach Notification

Is it mandatory to report every incident?

No, the law does not require reporting minor incidents if they do not pose a risk to the data. A lawyer should perform the risk assessment.

Do weekends count in the 72-hour deadline?

Yes. The 72 hours are counted as continuous clock time ("astronomical" hours) and include non-working days. The countdown starts from the moment of discovery.

What information must be in the notification?

The nature of the incident, categories of data, approximate number of affected persons, expected consequences, and remedial measures taken.

Can I send the notification later than 72 hours?

If you cannot meet the deadline, you can send it later, but you must attach a valid reason explaining the delay.


Breach Notification Service for the Personal Data Protection Service

When a data leak or security incident occurs, the most crucial legal step is timely and accurate reporting to the regulator—the Personal Data Protection Service. Georgian legislation strictly establishes a 72-hour deadline from the discovery of the incident to send the notification. This is not simply "sending an email"; it is an official legal document in which the organization describes the nature of the incident, probable consequences, and measures taken. An incorrectly drafted notification can increase the fine amount or trigger additional inspections. The Breach Notification service focuses specifically on the professional execution of this bureaucratic and legal obligation.

Our lawyers ensure full management of the notification process, which includes:

  • Deadline Control: Legally defining the moment of "discovery" of the incident (which is often disputable) and tracking the 72-hour countdown.
  • Drafting the Notification Form: Filling out the form approved by the Service with legally sound terminology to prevent the company from assuming excessive liability before facts are fully clarified.
  • Risk Assessment (Notification Threshold): Determining whether the company is even required to report in a specific case (not all minor incidents require notification).
  • Phased Notification: If complete information cannot be gathered in 72 hours, the law allows for phased submission. The lawyer prepares initial and follow-up notifications.
  • Communication with Data Subjects: Deciding whether and how to inform the affected citizens (this is mandatory only when there is a high risk).

In practice, the notification process is full of nuances. For example, a company discovers an incident on Friday evening. Do weekends count within the 72 hours? Yes, they do. Many companies make the mistake of waiting until Monday, thereby violating the law. Another common error is using phrases in the notification that directly admit guilt ("It happened due to our negligence...") instead of a dry statement of facts. Also, companies often report incidents that legally did not require reporting, unnecessarily drawing the regulator's attention.

The legal basis for this service is the relevant article (Incident Notification) of the Law of Georgia on Personal Data Protection. The law obliges the data controller to inform the Service about the nature of the incident, categories of data, number of affected persons, probable consequences, and remedial measures. Failure to report is an administrative offense punishable by a fine.

Collaborating with a lawyer reduces stress during a crisis. You provide the facts; we translate them into legal language and send them to the regulator. We also answer follow-up questions from the Service that often accompany a notification.

Legal.ge is your reliable partner in dealing with the regulator. Do not risk delays or incorrect wording. Trust our experts to ensure the notification process is conducted accurately, on time, and in full compliance with the law.
