Personal Data Protection in Georgia: Current Requirements and International Standards

Based on the legislation of Georgia as of 29.01.2025
29 January, 2025
Anna Bakradze

1. Introduction

Georgia, following global trends, is actively improving its national legislation aimed at protecting the rights of data subjects and preventing data leaks. Since 2023, a number of amendments have been made to the "Personal Data Protection Law," which came into effect in 2024, and the industry is now operating under the updated legal framework.

This review covers the main provisions of the law, the requirements placed on companies, and the inspection plan published by the Personal Data Protection Service (hereinafter the Service) for 2025. We discuss practical aspects, touch on large-scale data leaks in Georgia, and compare local regulation with practice in the EU, the USA, and Russia.

2. Legal Regulation of Personal Data Protection in Georgia: Current Situation in 2025

2.1. Brief Overview of Changes from 2023–2024
Starting in 2023, Georgia adopted amendments to the "Personal Data Protection Law." The main provisions came into effect in March and June 2024, and they now apply in full to businesses and government authorities.
Key changes include:
●     The requirement to appoint a Data Protection Officer (DPO) in certain organizations;
●     Stricter requirements for consent to marketing and advertising communications;
●     Clear regulations for penalties tied to company turnover;
●     Clarification of the powers of the Service, which is authorized to conduct scheduled and unscheduled inspections and impose fines even for the first detected violation.
No new amendments have been adopted in 2025, but enforcement practice shows that the Service has intensified its supervisory activity, especially in light of the growing number of data leaks.

2.2. Key Principles of Data Processing
Georgian legislation sets out six basic principles that must be followed when collecting and using personal data:
  1. Lawfulness, transparency, fairness. Processing is allowed only where there is a legal basis, and it must be understandable to the data subject.
  2. Purpose limitation. Data must be collected exclusively for pre-defined purposes.
  3. Data minimization. The amount of information processed must be the minimum necessary.
  4. Accuracy and relevance. Controllers must regularly update the data and correct inaccuracies.
  5. Storage limitation. Once the purposes of processing have been achieved, data must be destroyed or anonymized.
  6. Security. Companies and government authorities must take technical and organizational measures to prevent unauthorized access to, leakage of, or distortion of data.
2.3. Mandatory Data Protection Officer (DPO)

2.3.1. What is a Data Protection Officer (DPO)?
A Data Protection Officer (DPO) is a specialist appointed by an organization to oversee compliance with the law and protect the rights of data subjects. The DPO checks compliance with internal policies, provides recommendations for rectifying violations, ensures communication with the regulator, and responds promptly to incidents involving personal data security.

2.3.2. Key Responsibilities of the DPO
The law and subordinate acts assign the following key functions to the DPO:
●     Monitoring compliance with legislation and internal policies. The DPO ensures that all data processing activities comply with both Georgian law and corporate standards;
●     Participation in risk document preparation. The DPO helps identify and assess risks related to data processing, oversees the implementation of internal instructions;
●     Employee training and consulting. The DPO organizes training, explains the rights and obligations of employees in data protection;
●     Interaction with the Service. In case of inspections or requests from the regulator, the DPO is the contact person, providing clarifications and responsible for document submission;
●     Processing requests from data subjects. If a citizen wants to exercise their rights (access, deletion, correction, etc.), the DPO coordinates this process.

2.3.3. When Are Entrepreneurs Required to Have a DPO?
According to legislative amendments, appointing a DPO is mandatory for:
●     Government institutions;
●     Insurance organizations;
●     Commercial banks;
●     Microfinance organizations;
●     Credit bureaus;
●     Electronic communications companies (telecom operators, internet providers, etc.);
●     Airlines and airports;
●     Healthcare institutions;
●     Entities processing large volumes of data (personal data of more than 3% of the population of Georgia, or special category data* of more than 1%);
●     Entities conducting systematic and large-scale monitoring.**
*Special categories of data include race and ethnic origin, political and religious beliefs, health status, biometric data, and other information that may affect the rights and freedoms of individuals.
**Systematic and large-scale monitoring includes:
●     Tracking internet activity (tracking, creating user profiles);
●     Profiling or assigning scores to assess risks;
●     Monitoring the behavior of children (in kindergartens, schools, universities) or other categories of citizens;
●     Behavioral advertising (based on the collection and analysis of user actions).

2.4. Consent for Marketing Communications and Other Aspects
The law requires explicit consent from data subjects before any marketing messages are sent (email, SMS, messengers), and the unsubscribe process must be simple and accessible. Failure to comply may lead to fines, especially in the case of mass mailings.

2.5. Responsibility and Fines
Violations of processing rules, failure to meet security requirements, failure to appoint a DPO (where mandatory), and other infractions carry administrative liability. For companies with a turnover of up to 500,000 GEL, fixed fines are set for each type of violation. For serious or repeated violations, the fines scale with turnover. However, the total fine resulting from a single inspection cannot exceed 20,000 GEL.

2.6. Control by the Personal Data Protection Service
The Service actively conducts scheduled and unscheduled inspections. According to official statistics, 265 inspections were carried out in 2024: 83 (31%) scheduled and 182 (69%) unscheduled. The results show that the regulator uses its right to impose fines at the first detected violation rather than limiting itself to warnings. This is partly a response to the growing number of major data leaks and the Service's intention to address even potential risks.
Note that "processing" under the law means any operation on personal information: not only collection, recording, and storage, but also use, disclosure, transfer to a third party, dissemination, deletion, destruction, and so on.

3. Comparison with International Practices

Below are three of the most notable jurisdictions for comparison: the European Union, the USA, and Russia. Each of these regions has its own regulation specifics, fines, and requirements for the appointment of data protection officers.

3.1. European Union (GDPR)
Main regulation: General Data Protection Regulation (GDPR), which came into effect in 2018.
Key points:
●     Principles and rights of data subjects. Requirements for transparency, purpose limitation, informing citizens, and respecting their rights (access, correction, deletion, portability).
●     Fines. GDPR provides for fines of up to 20 million euros or 4% of a company's global annual turnover (whichever is higher). These are among the highest fines in the world.
●     Mandatory Data Protection Officer (DPO). Public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data, must appoint a DPO with clearly defined rights and independent status.
●     Extraterritoriality. GDPR applies to organizations outside the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU.

3.2. USA (State and Sectoral Regulation)
Features:
●     Fragmented legislation. There is no single federal law like the GDPR. Instead, there are state laws (California – CCPA/CPRA, Colorado, Virginia, etc.) and sectoral acts: HIPAA (for medical data), GLBA (for the financial sector), FERPA (in education), etc.
●     Fines. Penalties vary widely. In California, CCPA/CPRA enforcement can result in multimillion-dollar penalties, and the statute's private right of action for data breaches makes class actions a major source of exposure.
●     Data Protection Officer institution. Not provided at the federal level, but large corporations implement the role of CPO (Chief Privacy Officer) based on best practices and state-specific requirements.
●     Data breach notifications. A strong emphasis is placed on the obligation to notify about incidents (data breach notification); failure to do so can lead to significantly higher fines.

3.3. Russia (Federal Law "On Personal Data" and Recent Amendments)
Main law: Federal Law No. 152-FZ "On Personal Data" (adopted in 2006, amended multiple times).
Key features:
●     Mandatory “Responsible for Personal Data Processing.” Similar to the DPO, but the requirements for independence and authority are less detailed than in the GDPR.
●     Fines. Previously low, but recent amendments (2025) have significantly increased them. For unlawful transfer of information on 1,000–10,000 people, fines can reach 400,000 rubles for officials (state agencies and NGOs) and up to 5,000,000 rubles for individual entrepreneurs and companies. The fine for unlawful dissemination of special categories of data can reach 15,000,000 rubles. Large penalties have also been introduced for failing to notify Roskomnadzor of data breaches.
●     Registration of operators. All organizations processing personal data are required to notify Roskomnadzor unless exempted.
Thus, Russia is moving toward stricter regulation by increasing fines and tightening control over personal data processing, especially regarding special categories of data and leaks.
A further Georgian requirement concerns file catalogs: catalogs must be created, and the information in them sorted, in the Georgian language. The processor determines the composition of information in the files and its categorization. For example, employee data may be loaded into one file and contracts into another, or they can be combined and differ only in their titles.

4. Practical Cases: Data Leaks in Georgia

4.1. Large-Scale Data Leak in January 2025
In January 2025, a large unsecured database was discovered on a server of a German cloud provider. It contained over 5 million records of personal data, including more than 7.2 million phone numbers and information on 1.45 million car owners. For a country with a population of around 4 million, these numbers exceed the population itself, which indicates that the data set combines outdated databases with new data.

4.2. 2020 Leak: Database Merger
In 2020, the database of the Central Election Commission of Georgia (about 5 million records) was leaked. The January 2025 leak appears to be a "consolidation": the 2020 data supplemented with new records on car owners, insurance numbers, and other data.

4.3. Risks and Consequences
  1. Financial fraud, identity theft (loan applications, document forgery).
  2. Social engineering (criminals use real data to deceive citizens).
  3. Political manipulation (especially in the context of tense geopolitical situations).
  4. Reputational damage for companies and government agencies involved in the leak or insufficiently protecting their databases.

5. Inspection Plan of the Personal Data Protection Service for 2025

At the beginning of the year, the Service published its Inspection Plan, an official document setting out the main directions of scheduled inspections and the regulator's specific areas of focus. Beyond the scheduled events, unscheduled inspections remain possible at any time and may be triggered by citizen complaints or major incidents.

5.1. General Directions and Areas of Inspections
According to the plan, the target groups for 2025 include minors, youth, migrants, women, elderly people, socially vulnerable citizens, people with disabilities, and accused/convicted individuals.
The sectors of greatest interest to the Service are labor relations, remote services, modern technologies, medical services, and covert investigative actions.
The inspection topics cover:
●     Volume and security of data processing;
●     Working with special category data;
●     Rights of data subjects (access, deletion, correction, etc.);
●     Disclosure and cross-border data transfer;
●     Appointment and activities of the Data Protection Officer (DPO).

5.2. Main Categories of Inspected Organizations
The recently published 2025 Inspection Plan names:
●     State bodies, including the Ministry of Economy, Ministry of Finance, Ministry of Health, and Ministry of Education;
●     Municipal bodies (the mayor's offices of five municipalities);
●     Law enforcement agencies, including the Ministry of Internal Affairs, the Prosecutor General's Office, and the Ministry of Defense;
●     Commercial organizations and business sectors, including companies with websites and applications, medical institutions, fitness centers and pharmacies, hotels and restaurants, educational institutions, and other private companies.

5.3. Risks of Unscheduled Inspections and Key Conclusions
The regulator does not limit itself to just the pre-published list. Any organization can be subject to an unscheduled inspection if:
●     A complaint is received from a data subject;
●     A leak or other incident becomes public knowledge;
●     There are signals of non-compliance with the law (e.g., absence of DPO in organizations that are required to appoint one).
Thus, all companies must maintain an adequate level of data protection and be ready for a visit from the Service.

6. Recommendations for Georgian Businesses

  1. Conduct an internal audit. Determine whether data processing practices comply with the main principles of the law and check for gaps in security.
  2. Appoint a DPO if your organization is required to do so (government agencies, banks, insurance companies, large data holders, etc.). Ensure that the specialist has the necessary knowledge, time, and authority to perform the duties.
  3. Document confidentiality/data protection policies. Clearly define the processes for obtaining consent, handling deletion or correction requests, data storage periods, etc.
  4. Organize staff training. Employees must understand not only the letter of the law but also practical risks (social engineering, phishing).
  5. Consider the specifics of scheduled inspections. If you belong to the sectors mentioned in the Service’s plan, prepare documents confirming compliance: contracts, regulations, audit results, complaint logs, etc.
  6. Be prepared for unscheduled inspections. Keep data processing logs, track access actions, update information in a timely manner, and have all evidence of compliance with the law ready.

7. Role of Legal Support and Consultants

In today's environment, companies increasingly turn to professional help to minimize the risk of fines and reputational damage. Legal specialists in personal data protection provide the following services:
●     Audit and development of internal documentation (policies, instructions, agreements);
●     Assistance in appointing and training DPOs;
●     Consulting on cross-border data transfer and interaction with foreign regulators (especially in relation to GDPR);
●     Preparation for scheduled and unscheduled inspections of the Service (building clear procedures, maintaining registries);
●     Risk assessment and cybersecurity strategy development in line with best global practices.

8. Conclusion

In 2025, Georgian personal data protection legislation still rests on the amendments that came into effect in 2024, but their application has become stricter, and the Service has the right to impose fines at the first detected violation. Major leaks in recent years (including the January 2025 leak) have sharpened the regulator's vigilance and public attention to security issues. Comparison with the EU, the USA, and Russia shows that the global trend toward stricter data processing requirements continues to gain momentum. Appointing a Data Protection Officer (DPO) is becoming mandatory for a wide range of organizations and can significantly reduce legal risk. The Service's inspection plan for 2025 clearly indicates which government agencies and sectors are under scrutiny, but any company can become the subject of an unscheduled inspection following a complaint or an incident, so it is essential to align all processes with the law in advance.

Timely legal support and proper implementation of data protection standards not only minimize the likelihood of fines and reputational loss but also increase consumer trust. Proper handling of confidential information is one of the key factors for business stability in the digital age.
