Processing and Storage of Personal Data in Georgia in 2023

Current regulations and accountability for violations
Anna Davidson, Founder and Managing Partner of JUST Advisors
July 25, 2023

On June 14, 2023, the Georgian Parliament passed a new law on "Personal Data Protection" in its third reading. The document introduces several innovations, expands user rights, ensures their protection, and generally aligns national legislation with international standards. The changes will come into effect in several stages — in March and June 2024. For the upcoming year, we will continue operating under the old regulations, which we will outline in this article. The material discussing the amendments to the current process will be published separately.
The "Personal Data Protection" law in Georgia applies equally to both public and private organizations - nearly all of which process personal data. Regardless of an agency's activities or the product produced by an organization, if it collects, stores, or uses information about clients, employees, or partners during its operations, it automatically becomes a data processing subject and, consequently, assumes specific obligations before the law and the individuals whose personal data it involves.

General information about data

Under the law, personal data includes any information that helps identify a person, including their name, personal identification number (such as in an employee contract), their salary, email address (provided during service registration), bank account number, video recorded by surveillance cameras, correspondence, and much more.

There are also special category data - their processing is prohibited in the absence of specific legal grounds outlined in the legislation. This data includes, for example, biometric and genetic information, as well as details related to:

  • Race or national origin of an individual.
  • Their political, religious, and philosophical beliefs.
  • Membership in a professional union.
  • Health status.
  • Sexual life.
  • Administrative detention, conviction, application of preventive measures, early conditional release, plea (guilt-recognition) agreements, and recognition as a victim, including of a crime.

Processing involves any action carried out with personal information: not only collection, recording, storage, but also usage, disclosure, transfer to a third party, dissemination, deletion, destruction, and so on.

Who can store data

Processing of personal data can be conducted by public institutions as well as legal or natural persons (sometimes referred to as "processors") who work with user data based on entrepreneurial or professional activities, rather than for personal purposes (this applies, for instance, to auditors, lawyers, and other experts).

Data can be processed either independently or through an authorized person — which can also be any individual or legal entity acting on behalf of the processor. For instance, if you decide to inform clients about a new service using SMS messages and hire a contractor for this purpose, they will act as your authorized person. The data they process will be based on a legal act or a written contract concluded with you, outlining the scope of data transferred and processed, and distributing responsibility.

The authorized person (e.g., contractor) and the processing entity (organization, business, sole proprietor) must create file system catalogs, which are registered in the personal data protection registry. Before establishing or making changes to the system, the authorized person and processor are obliged to provide information to the Personal Data Protection Service — this body oversees the legality of data processing within Georgia.
Creating catalogs and sorting information in them must be carried out in the Georgian language. The processor determines the composition of information in the files and its categorization. For example, employee data may be loaded into one file, contracts into another, or they can be combined and differ only in their titles.

What data can be processed?

First and foremost, data processing is allowed if the individual (data subject) has given their consent — voluntary, informed, and explicit consent: for instance, accepting the privacy policy on a company’s website or signing another agreement. However, in some cases, consent is not obligatory. Data processing is permissible if it is:

  • Envisaged by law (for instance, processing data related to entry and exit from public and private buildings).
  • Required to fulfill obligations imposed on the data processor by law (e.g., keeping records and storing data for taxation purposes).
  • Necessary to protect vital interests of a person (in situations where an individual’s life is in danger during emergencies and identifying their location is necessary for rescue).
  • Necessary to protect the legitimate interests of the data processor or a third party when the owner of the personal data cannot effectively defend their rights and freedoms.
  • Necessary to protect public interests — crime prevention, property protection, minors, and several other situations.
  • Required to process a person’s application and provide them with services.

It’s worth noting separately that legislation permits the processing of data that are considered publicly available or that the data subject made public themselves: for instance, by publishing a photograph or contact information on a social network.

How to handle data properly

The storage period of personal data varies. For example, data for monitoring visitor entry and exit in public and private establishments must be stored for no more than three years from the registration date — as stated by legislation. In many other situations, specific deadlines are not provided, so the data processor or authorized person must independently determine the period, justify it, and state the purpose of storing personal data during this period. Upon expiration of the period (or upon achieving the goal), the data must be destroyed or preserved in a form that prevents identification of individuals.

Upon request from the data owner, the processor is obligated to correct, update, add to, block, delete, or destroy the data if they are incomplete or inaccurate, or if their collection and processing violated regulations. If the processor disregards the request, the data subject can appeal to the Personal Data Protection Service or to court. If the processor is a government institution, a complaint can also be lodged with the higher administrative body.

Data processors must ensure the security of personal data, taking organizational and technical measures in line with the risks. When assessing risks, it’s advisable to consider:

  1. The data category and volume.
  2. The number of organization employees and their level of access to the data.
  3. Adherence to security rules by third parties who have data access.

To protect data, the processor should designate an individual or group responsible for security and implement technical infrastructure and security systems. In case of breaches in storage and accounting procedures, there should be a mechanism for quick response — to restore data and minimize damage caused.

Powers of the Data Protection Service

As mentioned, the Personal Data Protection Service oversees the legality of data processing in Georgia. It is authorized to enter any organization or institution at its own initiative or based on a request from an interested party, and review any documents and information, including those pertaining to state, tax, banking, commercial, professional secrets, related to law enforcement activities and criminal prosecution, regardless of their content and form of storage.

The data processor or authorized person is obligated to provide any material, information, and documents to the Data Protection Service upon the first request, within a period not exceeding 10 working days.

In case of law or regulatory violations in data processing, the Service has the right to take one or more measures, namely: issue a warning, impose administrative fines, provide written recommendations or advice for rectifying violations. If the Service suspects actions by an organization or individual indicating a crime, it must report it to the competent state body in accordance with the law. Compliance with decisions made by the Personal Data Protection Service is mandatory and can only be appealed in court.

Responsibility for violating legal norms

Collecting, storing, using, and disseminating data in violation of regulations can be grounds for administrative liability.

The Law on Personal Data Protection in Georgia is a comprehensive document that may pose challenges to quickly comprehend. However, data processing concerns almost every organization. In the new version of the law, the responsibility for violations will be stricter, and inspections will be more likely. To minimize the risk of fines, we recommend seeking legal assistance. JUST Advisors' lawyers are ready to provide services for auditing your company regarding data protection issues and aligning all internal documents with the legislation.
