The New Law of Georgia on the 'Protection of Personal Data'
Aug 19, 2025
The protection of personal data faces constant challenges, driven above all by the relentless pace of technological change. Wherever a fundamental human right needs protection, appropriate legislative guarantees are essential, and the right to personal data protection is no exception.
In Georgia, the first law on the protection of personal data was adopted at the end of 2011 and remained in force until March 1, 2024. This period can be seen as the first steps taken by the state and by society in this field; it also laid the foundations of a personal data protection culture in Georgia in the broad sense.
In the 21st century, however, a little over a decade is more than enough time for the field of personal data protection to change substantially. The development of technology, including artificial intelligence, has opened new horizons for the processing of personal data. For all their benefits, these technologies have also introduced additional challenges and risks for data protection.
In response to these challenges, the European Union, for instance, adopted an entirely new and quite effective instrument, the General Data Protection Regulation (GDPR), which became applicable in 2018 and is discussed in our blog (https://www.dpt.ge/blog/gdpr-key-points). In Georgia, the main legislative requirements governing data protection were updated in 2023, when the country's second law on the protection of personal data was adopted. It entered into force on March 1, 2024, repealing the law adopted in 2011. This blog post discusses the new law, which was adopted to ensure the effective protection of the right to personal data protection in Georgia and to fulfill the obligations Georgia has undertaken towards the European Union.
What are the key innovations offered by the law? This question can be answered in three directions:
1. Increased transparency for data subjects;
2. Establishment of detailed and effective obligations for organizations; and
3. Improved sanctioning model, including increased fines as a preventive measure.
Let's begin analyzing them:
1. Increased transparency for data subjects.
Transparency is one of the fundamental principles of the law. It means that data subjects must proactively be given clear, precise, and easily understandable information about who is processing their data, why, and how. Providing information alone is not sufficient, however: the information must be easily accessible, comprehensible, and substantively complete, so that individuals can make informed decisions. To this end, the law obliges controllers (the persons responsible for processing) to provide data subjects with clear and complete information. Such a notification should include:
The name/identity and contact information of the person responsible for processing and the Data Protection Officer (DPO);
The purpose and legal basis of processing;
The categories of data being processed;
Recipients and third parties with whom the data is shared, including in cases of international transfer;
Retention periods;
Data subject's rights (including rights of access, correction, deletion, and objection);
The source of data if not obtained directly from the subject;
Information about automated decision-making, including profiling.
This information must be conveyed in plain language and in an accessible format.
2. Establishment of detailed and effective obligations for organizations.
Under the law, organizations are required to be able to demonstrate their compliance with it and with its principles. In practice this means preparing the documents the law makes mandatory, for example before implementing video or audio monitoring.
It is important that organizations, when implementing the rules established by law, put effective control mechanisms in place both before processing starts and while it is under way. For instance, if a controller (the person responsible for processing) engages a processor (an authorized person) in the processing, it must select one that guarantees compliance with the standards established by law, and the two must conclude a data processing agreement.
Furthermore, every processing operation must be documented in a record of processing activities in which the individual processes are set out distinctly and in detail. This record contains information about the processing such as its purpose, the types and categories of data, the recipients, the retention periods, and the technical and organizational security measures planned for the entire processing lifecycle.
3. Improved sanctioning model, including increased fines as a preventive measure.
The fines for violations established by the law have been increased. For example, where the previous minimum fine was 100 GEL, the current law raises this threshold to 1,000 GEL. This does not mean, however, that the fines for all violations have been increased tenfold.
In addition, where several violations are present, the current law replaces the previous absorption principle with an aggregation principle. This means that for qualitatively different violations identified by the Personal Data Protection Service in the course of an inspection, the fines imposed are added together and charged to the violator cumulatively, which strengthens the law's preventive effect.
It should also be noted that, in determining the amount of a fine, the law takes a differentiated approach and provides for certain exceptions. Specifically, the fine applicable to an organization depends on its annual turnover. For instance, if a company's annual turnover does not exceed 500,000 GEL and it is found to have violated the direct marketing rules, the fine provided by the law is 2,000 GEL, whereas for a company with an annual turnover exceeding 500,000 GEL it is 3,000 GEL.