New personal data protection rules in Georgia: what changes are planned in 2024

Sending advertisements without prior consent will be prohibited, and fines will be imposed for violations, applying to both companies and individual entrepreneurs
December 7, 2023
Marina Piduashvili, lawyer JUST Advisors
On March 1 and June 1, 2024, amendments to the Law on Personal Data Protection will come into effect, incorporating international standards. For instance, the changes will prohibit sending advertising messages to users without their prior consent, and certain organizations will be mandated to appoint a data protection officer. Failure to comply with the new requirements could result in substantial fines for companies and individual entrepreneurs.
We have explained what personal data is and how it is regulated in Georgia in a separate article. Here we focus on the specific points that change from 2024.

1. Principles of Personal Data Processing

  1. Data must be processed lawfully, fairly, and transparently for the data subject, without violating their dignity. The transparency obligation does not apply in the exceptional cases established by the law.
  2. Data must be collected or obtained only for specific, clearly defined, and legitimate purposes. Further processing for purposes incompatible with the original purpose is not allowed.
  3. Data may be processed only to the extent necessary to achieve the relevant legitimate purpose and must be proportionate to that purpose.
  4. Data must be true, accurate, and, where necessary, kept up to date. Inaccurate data must be corrected, deleted, or destroyed without undue delay, taking into account the purposes of processing.
  5. Data may be stored only for the period necessary to achieve the legitimate purpose of processing. Once that purpose is fulfilled, data must be deleted, destroyed, or stored in depersonalized form, unless processing is required by law and/or a by-law and storage is a necessary and proportionate measure to protect the best interests in a democratic society.
  6. Technical and organizational measures must be adopted during processing that effectively safeguard the data, including protection against unauthorized and unlawful processing, accidental loss, destruction, and/or damage.

2. Mandatory Requirement to Appoint a Data Protection Officer

The law now defines the list of institutions in which a personal data protection officer (an employee responsible for personal data protection in the organization) is mandatory. These include:

  • Public institutions (except religious and political organizations)
  • Insurance organizations
  • Commercial banks
  • Microfinance organizations
  • Credit Bureaus
  • Electronic communication companies
  • Airline companies
  • Airports
  • Medical institutions serving at least 10,000 data subjects per year
  • Organizations processing a large amount of data from data subjects or engaging in systematic and large-scale monitoring of their behavior.

The personal data protection officer may be any employee of the organization or a person working under a service contract. No special education or certification is required for the role. The same officer may perform data protection functions for several companies at once and, within a given company, may also hold other job responsibilities.
The officer's personal liability is determined by the contract concluded with the employer or client: the law itself does not define specific legal liability for the officer, so it must be set out in the contractual terms.

3. Expansion of the Legal Bases for Personal Data Processing

The law introduces additional legal bases for data processing. These include cases where processing is necessary to conclude a contract or to perform contractual obligations between the parties, as well as processing for public safety and law enforcement purposes, such as the prevention and investigation of crime.

4. Expansion of Data Subject's Rights

The rights of the data subject whose data is being processed have been expanded. In particular, the data subject may request that processing be stopped and that the data be erased or destroyed, including the removal of links on the internet. This right is particularly relevant when the data is no longer needed for the purpose for which it was originally processed.

5. Incident Reporting Procedure Defined

Every organization or individual processing personal data must document every data security breach, together with its consequences and the measures taken. The Personal Data Protection Service must be notified within 72 hours of discovering the incident, unless the incident is unlikely to cause significant harm or pose a substantial threat to fundamental human rights.

6. Prior Consent Required for Advertising

Under the 2024 changes, processing personal data for direct marketing and sending advertising messages is permissible only with the prior consent of the person whose data is processed. Stores, restaurants, and other establishments may no longer send advertising messages unless the recipient has expressly consented to receiving them.
Sections 1 and 3 to 6 above come into force on 1 March 2024; Section 2 (the mandatory data protection officer) comes into force later, on 1 June 2024. These changes are a significant step in strengthening the right to privacy with respect to the personal data of Georgian citizens.

Liability for violation of the law

Compliance with the Law on Personal Data Protection is supervised by the Personal Data Protection Service (https://personaldata.ge/ka/contact). In case of violations, the Service may issue warnings or impose fines. For companies and individual entrepreneurs with a turnover of up to 500,000 GEL, the fines are as follows:

  • 1000 GEL for the violation of any principle of personal data processing.
  • 2000 GEL for the violation of two or more principles of personal data processing.
  • 2000 GEL for violating the rules on data processing for direct marketing purposes.
  • 2000 GEL for failing to report an incident to the Personal Data Protection Service.

JUST Advisors specialists offer comprehensive legal services for your company in Georgia. Sign up for a consultation, and we will guide you on handling data correctly in your field of activity to ensure compliance with the Law on Personal Data Protection.
