Processing of personal data can be conducted by public institutions as well as legal or natural persons (sometimes referred to as "processors") who work with user data based on entrepreneurial or professional activities, rather than for personal purposes (this applies, for instance, to auditors, lawyers, and other experts).
Data can be processed either independently or through an authorized person — which can also be any individual or legal entity acting on behalf of the processor. For instance, if you decide to inform clients about a new service using SMS messages and hire a contractor for this purpose, they will act as your authorized person. The data they process will be based on a legal act or a written contract concluded with you, outlining the scope of data transferred and processed, and distributing responsibility.
The authorized person (e.g., contractor) and the processing entity (organization, business, sole proprietor) must create file system catalogs, which are registered in the
personal data protection registry. Before establishing or making changes to the system, the authorized person and processor are obliged to provide information to the Personal Data Protection Service — this body oversees the legality of data processing within Georgia.