Last year, the Parliament of Georgia made changes to the Law of Georgia on Personal Data Protection (the PDP Law) to align personal data protection legislation more closely with the European Union standards.
These significant changes to the PDP Law entered into force on 1 March 2024 and marked an important regulatory update.
Grounds of Data Processing
The PDP Law introduced additional legal grounds for permissible data processing, such as contractual necessity, protection of important public interests, or investigative purposes.
These grounds permit data processing when the controller must perform or conclude an agreement with the data subject.
According to the PDP Law, data processing is permissible when necessary for public interest tasks defined by Georgian law. These tasks include crime prevention, investigation, prosecution, and the administration of justice. They also cover detention, imprisonment, non-custodial sentences, and probation. Operative and investigative activities fall under this scope as well, as do public safety, safeguarding, and protection of the rule of law. The scope also covers information security and cybersecurity measures.
Rules Related to Consent of the Data Subject

The PDP Law determines specific requirements concerning obtaining consent from the data subject. If the data processor plans to obtain the data subject’s consent using a document that covers other issues, the data processor must separate the written consent form from the rest of the document and write it in clear, simple, and easy-to-understand language. Also, when the data subject gives consent as part of an agreement, the processor should assess whether the agreement requires this consent and whether the service can be provided without it.
Regarding processing special category data (such as data related to racial or ethnic origin, political views, religious beliefs, membership in professional organizations, health, sexual life, criminal history, and others), the data processor may process such data based on the data subject’s written consent or on other grounds listed in the PDP Law.
Technical and Organizational Measures to Ensure Data Security

The data processor must take appropriate technical and organizational measures to ensure data processing complies with the PDP Law. Such measures should adequately ensure data protection, including against unauthorized or illegal processing, accidental loss, destruction, and/or damage.
The data processors must implement technical and organizational measures that, by default, process only the amount of data necessary for the specific purpose. They should apply these measures so that only a minimum amount of data is automatically accessible to an indefinite number of people, unless a permitted alternative approach has been chosen.
Additionally, the data processors should periodically update these measures based on data categories, volume, purpose, processing methods, and potential threats to the data subject’s rights.
Rules related to Direct Marketing
Under the PDP Law, the data processor must obtain the data subject’s written consent when processing personal data for direct marketing purposes.
The data controller/processor should explain to the data subjects their right to withdraw their consent at any time in a clear and comprehensible form, with a simple mechanism/procedure for exercising this right.
The data controller/processor should also ensure that the data subject has the possibility to request the termination of the data processing for direct marketing purposes in the same manner as the direct marketing is carried out.
Regulations regarding Video Monitoring

Video monitoring of the working process and space is allowed only in exceptional cases, when other means cannot achieve the purpose or require disproportionately large effort. When the controller or processor conducts video monitoring, they must inform employees in writing about its purpose. Additionally, the controller must clearly define in writing the purpose, scope, duration, storage period, access conditions, storage, destruction procedures, and mechanisms to protect the data subject’s rights according to data processing principles. A key requirement is that the controller must install a visible warning sign that includes a clear notice about video monitoring, along with the controller’s name and contact details.
Mandatory Reporting of Incidents
The PDP Law imposes an obligation to notify the Personal Data Protection Service (the Service) of data security breach incidents. Specifically, the controller is required to maintain a registry of incidents, which describes each incident, its outcome, and the measures taken.
Each and every incident that may cause significant harm and/or pose a significant threat to fundamental human rights shall be reported to the Service in writing no later than 72 (seventy-two) hours after the discovery of such incident. As required under the PDP Law, the Service adopted the order which sets out the rules of reporting and criteria for determining whether a specific incident poses harm and/or threat to fundamental human rights. According to the rules published by the Service, the information about the incident shall be submitted to the Service electronically through the official webpage of the Service.
Mandatory Appointment of the Personal Data Protection Officer
Another notable aspect of the PDP Law is the introduction of the position of the personal data protection officer (the Officer), which came into effect from 1 June 2024.
The Officer’s appointment is mandatory in sectors like public institutions, banks, insurance, and medical institutions. This also applies to entities processing large data volumes or doing large-scale monitoring. The Service issued an order listing those who do not need to appoint an Officer, as required by the PDP Law.
According to this order, there is no obligation to appoint the Officer if the data processor:
- Processes the personal data of less than 3 percent of the population of Georgia;
- Processes special category data of less than 1 percent of the population of Georgia; or
- Does not engage in systematic and large-scale monitoring of data subject behavior.
When calculating the number of persons whose data is being processed, the employees of the processor are not counted (regardless of their number).
A data processor that is obliged to appoint the Officer may meet this requirement in one of three ways:
- Appointing the Officer;
- Adding the functions of the Officer to an employee; or
- Outsourcing.
The data processor is obliged to publish the identity and contact information of the Officer on its website or through other accessible channels.
Rules related to Data Protection Impact Assessment
The PDP Law introduces rules on data protection impact assessment, which entered into force on 1 June 2024. If new technologies, data categories, volumes, or purposes of processing increase the risk to fundamental rights, the controller must assess the impact on data protection in advance.
This assessment requires adopting a document describing the category, process, purposes, and grounds for data processing. It also includes organizational and technical measures for data security protection.
The data protection impact assessment is mandatory if the controller:
- Makes fully automated decisions, including profiling;
- Processes special category data of many data subjects; or
- Implements systematic and large-scale monitoring of data subjects in public gathering places.
Sanctions for Breach of the PDP Law
The PDP Law increases the penalties for breaches. Administrative liability varies depending on the breach, the organizational form of the offender, and its annual turnover, and aggravating and mitigating circumstances also affect the penalty. Penalties range from warnings to fines of between GEL 1,000 and GEL 20,000, with the exact amount depending on the nature of the breach under the PDP Law.
Practical Effect of the PDP Law
Considering the novelties in the PDP Law, processors should review their internal processes and documents, and assess their technical and organizational measures to ensure compliance. Specifically, each data processor/controller should:
- Review its internal policies regarding data protection and the consent form for obtaining consent.
- Update these documents as necessary.
- Create a register of incidents and procedures for notifying the Service.
- Determine if it must appoint a Data Protection Officer and do so by 1 June 2024, if required.
- Determine if a data protection impact assessment is required and adopt it by 1 June 2024, if needed.
Now is the time to act. Review your internal policies, appoint a Data Protection Officer if required, and implement the necessary technical and organizational safeguards.
For tailored legal advice or assistance with data protection impact assessments, contact our compliance team today.