Compliance with Georgian data protection legislation is mandatory for all organizations processing information about individuals within the territory of Georgia. On March 1, 2024, the new Law of Georgia on Personal Data Protection came into force, significantly tightening regulations and increasing fines. The law applies to both the public and private sectors: banks, hospitals, schools, online stores, and any company that maintains a database of employees or clients. Failure to comply with the law's requirements can result in fines of up to 500,000 GEL, representing a serious financial risk for businesses.
The new legislation establishes strict principles of accountability. Companies are obliged not only to comply with the law but also to be able to demonstrate this compliance at any time. This includes having legal grounds for data processing, implementing appropriate security measures, and informing the Personal Data Protection Service about incidents in a timely manner. Legal.ge offers access to qualified lawyers who will help bring your organization's activities fully in line with the requirements of Georgian legislation.
What does the Georgian Data Protection Compliance service cover?
The service aims to ensure the full legal compliance of the organization within the national legislative framework. Specialists offer:
- Full Legal Audit: Assessing existing practices against the Law of Georgia on Personal Data Protection.
- Development of Internal Regulatory Documents: Creating data security policies, incident response plans, and detailed instructions on employee obligations.
- Data Protection Officer (DPO) Functions: Fulfilling the obligation to appoint a DPO or outsourcing this role in cases defined by law (e.g., insurance companies, banks, medical institutions).
- Mandatory Registration and Notifications: Maintaining catalogs of file systems and communicating with the supervisory authority if necessary.
- Incident Management: Preparing notifications for the Personal Data Protection Service within statutory deadlines in case of a data security breach.
- Adaptation of Consent Forms: Aligning client consent forms (written or electronic) with legal requirements.
Common Real-World Scenarios
In practice, businesses in Georgia often violate the law unknowingly:
- Video Surveillance at the Workplace: A company installed cameras in the office with audio recording capabilities without warning employees. This is a gross violation, as video surveillance is permitted only for strictly defined purposes and under specific rules.
- Sending Promotional SMS: A store purchased a database of phone numbers and started sending advertising messages without the recipients' prior consent. This leads to fines for violating direct marketing rules.
- Collection of Biometric Data: A construction company implemented a fingerprint entry system for attendance without justifying why attendance could not be tracked by less intrusive methods (e.g., cards).
- Data Transfer to Third Parties: A clinic shared a patient's diagnosis with an insurance company or family member without the patient's consent or a legal basis.
Legal Framework: Georgian Law and Regulations
The main regulatory act is the Law of Georgia on Personal Data Protection. The law defines data processing principles: lawfulness, purpose limitation, proportionality, accuracy, and storage limitation. Sector-specific laws also apply, such as the Law on Patient Rights or the Law on Electronic Communications. Supervision is carried out by the Personal Data Protection Service, which has the authority to inspect any organization (with exceptions), issue mandatory instructions, and impose fines. Involving a lawyer ensures that your activities are protected during state inspections.
Step-by-Step Service Process
- Risk Assessment: Identifying categories of data processed by the company (special categories, biometric, ordinary).
- Policy Development: Writing internal regulations defining who has access to data.
- Technical Recommendations: Providing instructions to the IT department on data protection standards.
- Employee Training: Informing staff about their obligations and responsibilities.
- Audit Simulation: Checking readiness for potential inspections by the Personal Data Protection Service.
Why choose a specialist on Legal.ge?
Georgian legislation on personal data has moved to a new stage, and requirements are stricter than ever. An incorrectly drafted consent form or an improperly placed video camera can cost you thousands of GEL in fines. Legal.ge allows you to find lawyers who work with the Personal Data Protection Service in practice and know its approaches and practices. Protect your business from legal risks with the help of professionals.
