Protecting Personal Data in the Country of Georgia

The Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669, also known as the Data Protection Act, is a data protection law that was passed in the country of Georgia in 2011. As Georgia is one of a number of countries within the continent of Europe that is not a part of the European Union, the country does not fall under the jurisdiction of the General Data Protection Regulation or GDPR. To this end, the Data Protection Act was created for the purposes of aligning the data protection legislation of Georgia with the provisions and principles set out in the EU’s GDPR law. To illustrate this point further, Georgia plans to formally apply for EU membership in 2024.

How are data controllers and processors defined under Georgia’s Data Protection Act?

Under Georgia’s Data Protection Act, a data controller is defined as “– a public agency, a natural or legal person who individually or in collaboration with others determines purposes and means of personal data processing and who, directly or through a data processor, processes personal data”. Alternatively, a data processor is defined as “any natural or legal person who processes personal data for or on behalf of the data controller”. Moreover, the law defines personal data as “any information connected to an identified or identifiable natural person. A person shall be identifiable when he/she may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological, economic, cultural or social features specific to this person”.

What are the requirements for data controllers and processors under Georgia’s Data Protection Act?

Under Georgia’s Data Protection Act, data controllers and processors are responsible for meeting the following requirements when collecting or processing personal data from Georgian citizens:

• All personal data must be collected and processed in accordance with the principles of fairness and lawfulness. Furthermore, data controllers and processors are prohibited from infringing on the dignity of data subjects.
• Personal data may only be collected or processed “for specific, clearly defined and legitimate purposes. Further processing of data for purposes that are incompatible with the original purpose shall be inadmissible”.
• Personal data may only be collected or processed “to the extent necessary to achieve the respective legitimate purpose. The data must be adequate and proportionate to the purpose for which they are processed”.
• All personal data that is collected or processed must be accurate and updated when necessary. Any personal data that is collected or processed illegally or is irrelevant to the stated purposes for collection or processing must be deleted, blocked, or destroyed.
• All personal data that is collected or processed may be kept for no period longer than is required to achieve the purposes for which they were collected or processed.
• The collection and processing of personal data shall only be admissible under certain grounds, such as instances where a data subject has consented to the processing of their personal data, and the data processing is provided for by law, among various others.
• A data controller shall be obliged to take appropriate organizational and technical measures to ensure protection of data against accidental or unlawful destruction, alteration, disclosure, collection or any other form of unlawful use, and accidental or unlawful loss.
• Any employee of a data controller and of a data processor, who is involved in processing of data, shall be obliged to stay within the scope of powers granted to him/her. In addition, he/she shall be obliged to protect data secrecy, including after his/her term of office terminates.

What are the rights of Georgian citizens under the Data Protection Act?

Under the Data Protection Act, Georgian citizens are entitled to the following rights as it relates to data protection and privacy:

• The right to be informed- Data subjects have the right to request information from a data collector or processor concerning the collection or processing of their personal data.
• The rights to erasure and rectification- Data subjects have the right to request that a data controller or processor erase or rectify personal data concerning them, permitting “that the data are incomplete, inaccurate, not updated, or were illegally collected and processed”.
• The right to object or opt-out- “A data subject shall have the right to, at any time and without explanation, withdraw his/her consent given and to request that the data processing be stopped and/or the processed data be destroyed”.
• The right to appeal- “If the rights under this Law are violated, a data subject shall have the right to apply to the Personal Data Protection Inspector or to the court under procedures determined by law, and if a data controller is a public institution, he/she may also submit an appeal to the same or senior administrative body”.

What are the punishments for non-compliance under Georgia’s Data Protection Act?

Georgia’s Data Protection Act is enforced by the Personal Data Protection Inspector or the Inspector for short. As such, the Inspector has the authority to impose a variety of administrative and monetary penalties, including:

• Require elimination of the violation and the deficiencies related to data processing in the form and within the period indicated by him/her.
• Require termination of data processing, their blocking, deletion, destruction or depersonalisation if he/she believes that the data processing is conducted unlawfully.
• Give written advice and recommendations to a data controller and a data processor if they insignificantly violate the data processing rules.
• Require termination of data transfer to other states and international organisations if they are transferred in violation of the requirements of this Law.
• Issue a monetary fine ranging from GEL 100 ($32) to GEL 10 000 ($3,225), depending on the scope and severity of a particular offense.

Through the passing of the Data Protection Act in 2011, the Georgian Government was able to provide data subjects within the country with a level of data protection that is consistent with the protections offered to citizens of EU member states under the General Data Protection Regulation or GDPR. As such, the country of Georgia was able to set the foundation for the harmonization of their legislation with the legislation of the EU as it pertains to data protection and personal privacy. More importantly, however, Georgian citizens can have peace of mind in knowing that their personal data is being protected at all times, whether they are in the country of Georgia or outside of it.