Gambling operators in Georgia operate within an evolving regulatory environment that imposes multi-layered compliance requirements across several critical areas, including data protection, anti-money laundering (AML), player registration and verification, data security, information disclosure, and regulatory reporting. These obligations arise from a combination of sector-specific gambling legislation, ministerial regulations, data protection law, and AML legislation. This publication provides a comprehensive overview of the key rules affecting the sector, outlining the practical obligations that operators must meet to maintain regulatory compliance.
Player Data Collection, Registration, and Verification
Under the applicable ministerial regulations, operators must create an electronic file for each player containing, at a minimum, the player’s name, date of birth, personal identification number or passport data, account details, address, email, and telephone number. Operators must also record the method and date of identity verification, the player’s citizenship, and obtain declarations confirming the accuracy of the information, legal age (25 for Georgian citizens, 18 for foreign nationals), and acceptance of terms and conditions.
Verification can be completed through several methods: a photograph with an identity document, video call, in-person contact, biometric technology, or SMS one-time code. Registration cannot proceed until the player’s phone number has been verified by SMS. For Georgian citizens and residence permit holders, operators must cross-check information against Public Service Development Agency databases and re-verify each player every year.
The primary gambling legislation further establishes categories of prohibited persons — including employees of state institutions, national regulatory bodies, and the National Bank, as well as members of socially vulnerable households — whom operators must screen before granting access. Gambling-dependent persons may also be entered into a separate registry by judicial order or self-application, which operators must consult.
Data Security
Player file data must be encrypted, with special attention to personal identification numbers, identity document details, passwords, and financial information. Communications between players and platforms require SSL encryption at a minimum. Platform-to-supplier communications must use SSL/TLS 1.2 or higher. Sportsbook systems must protect player confidentiality and encrypt all communications over public or third-party networks.
Verification documents must be retained in accordance with prescribed periods and produced to authorized bodies upon substantiated request. These sector-specific requirements operate alongside data protection legislation, which mandates that controllers and processors implement appropriate organizational and technical measures against unauthorized processing, accidental loss, or destruction of data, with periodic effectiveness assessments.
In the event of a security incident affecting player data, operators must also comply with the notification obligations set out under Data Breach Notification Requirements under Georgian Law, including the requirement to report qualifying incidents to the supervisory authority within 72 hours.
Information Disclosure to Players
Operators must make readily accessible all fees and charges, a “Malfunction Voids All Pays” notice, deposit and withdrawal procedures, and rules applicable to inactive accounts. Players must be able to request periodic activity statements covering deposits, withdrawals, wins, losses, balances, and total gaming time. Responsible gaming instructions, profile management information, and internet interruption consequences must also be disclosed.
For sportsbooks, operators must publish clear rules on how odds are calculated, when bets are accepted, and payout limits. Gaming machines must display rules in both Georgian and English, covering bet amounts, potential winnings, and pay lines. The gambling law also requires game rules to be posted at the venue and given to any player who asks.
Regulatory Reporting
Operators must immediately notify the Revenue Service if there is reasonable suspicion that a player is engaged in fraud, money laundering, or other unlawful activity, and must report any threat to system integrity. Internal control mechanisms, covering change management, business continuity, incident reporting, fraud detection, and network security, must be furnished to the Revenue Service or its designated “selected person.” Upon request, operators must transmit detailed data, including player account transactions, bet summaries, jackpot details, and account statuses.
Anti-Money Laundering Obligations
As accountable persons under AML legislation, gambling operators must implement client identification and verification procedures, establish business relationships only with properly verified persons, and maintain risk-based compliance control systems. Suspicious transactions must be reported to the Financial Monitoring Service, Georgia’s financial intelligence unit. Enhanced due diligence, including intensified monitoring and inquiries into the origin of funds, applies in elevated-risk cases such as transactions involving politically exposed persons or clients from high-risk jurisdictions. Operators must retain identification and transaction records for prescribed periods, appoint a compliance officer, and implement continuous staff training programs.
For a broader overview of payment-related AML obligations applicable to businesses operating in Georgia’s financial and digital services sectors, see our article on Procedures for Registration as a Payment Service Provider in Georgia.
Data Protection Obligations
Data protection legislation applies to gambling operators as data controllers, requiring compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and integrity. Data subjects may request information about their data processing, including legal basis, purpose, sources, retention periods, and recipients, with responses due within 10 working days. They may also demand correction, deletion, or destruction of unlawfully processed data.
Direct marketing requires the individual’s consent. Written consent is needed to process data beyond basic contact information. Operators must stop marketing within 7 working days of receiving an opt-out request. The gambling regulations separately ban advertising to players whose accounts are blocked or suspended. Data security incidents must be reported to the supervisory authority within 72 hours. While gambling operators are not currently required to appoint a Data Protection Officer, the supervisory authority can expand this list, and operators who engage in large-scale monitoring or process special category data may still need to appoint one under general criteria.
For a detailed breakdown of the rules governing direct marketing and consent requirements under Georgian data protection law, see our guide on Processing Personal Data for Direct Marketing in Georgia.
Penalties and Supervisory Architecture
The data protection framework imposes graduated fines structured by entity type and turnover, with aggregate caps of GEL 10,000 for smaller entities and higher ceilings for larger ones; mitigating circumstances may reduce fines by 30 percent. Under the gambling legislation, failure to comply with registration, identification, and verification requirements constitutes a breach of permit conditions entailing liability as prescribed by law.
Gambling operators in Georgia must answer to three distinct supervisory bodies: the Revenue Service for gambling permit compliance, operating through the selected person responsible for the electronic control system; the data protection supervisory authority, empowered to inspect processing lawfulness and order cessation of inadequate data handling; and the Financial Monitoring Service for AML compliance. Each body exercises its own inspection powers, reporting requirements, and sanctioning authority.
For a full overview of the tax obligations applicable to gambling operations in Georgia, including GGR tax rates and foreign player treatment, see our guide on Taxation of Gambling Operators in Georgia.
The information provided in this article is intended for general informational purposes only and does not constitute legal advice. For advice tailored to your specific circumstances, please consult a qualified legal professional.