
Georgia - Data Protection Overview

May 2024

1. Governing Texts

The processing of personal data in Georgia is regulated under the Law of Georgia on Personal Data Protection of 14 June 2023 No. 3144 (the 2023 Law). The 2023 Law replaced the Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669 (only available in Georgian here) (the Data Protection Act) and, compared to its predecessor, is more harmonized with European standards, creating a more effective legal framework for the protection of personal data. The 2023 Law introduced concepts such as the data protection officer (DPO) and the Data Protection Impact Assessment (DPIA). The requirements under the 2023 Law are complemented by the orders and recommendations of the Personal Data Protection Service (PDPS). The recommendations are not mandatory in nature but are heavily relied upon by the PDPS when verifying that data controllers and processors comply with their statutory requirements.

1.1. Key acts, regulations, directives, bills

The governing legislative act in this sector is the 2023 Law. The main requirements and regulations under the 2023 Law are similar to the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

1.2. Guidelines

The PDPS issues orders which are binding on data controllers and processors. In addition, the PDPS issues guidelines and recommendations in various areas relevant to the processing of personal data. These are not binding by nature and are intended to provide clarifications and guidance to data controllers and processors on processing personal data in compliance with the 2023 Law.

1.3. Case law

The case law in the area of the protection of personal data is not very extensive. In 2023, there was a notable case involving a video report (story) prepared by a journalist. The video featured a photo that the plaintiff's father himself had posted on social media. However, the photo also included the plaintiff's minor son. The court ordered the defendant (journalist) to blur the image of the minor son in the story and pay GEL 5,000 (approx. $1,862) for moral damages. According to the court, simply because a photo of a minor is publicly available on social media does not grant permission for its unrestricted use. The court defined the journalist's responsibility: 'Before identifying a minor in a video report, journalists are obligated to assess the potential harm that could result from doing so. If the minor's participation in a video report could negatively impact their well-being and best interests, the child's image should be obscured and their identity protected.'

The Court of Cassation emphasized that 'even though the minor's father published the photo on social media, it doesn't automatically allow its use to identify the child. The court distinguishes between the purpose of sharing on social media and television broadcasts. Additionally, the court highlighted the importance of stricter protection for a minor's personal data and prioritizing the child's best interests.' (Case №AS-488-2023, September 21, 2023)

2. Scope of Application

2.1. Personal scope

The 2023 Law protects the personal data of identified or identifiable natural persons, as well as deceased individuals. The requirements established under the 2023 Law are mandatory for data controllers and processors of any type and category - natural persons, legal entities, and public authorities.

2.2. Territorial scope

Apart from data controllers and processors engaged in data processing on the territory of Georgia, the 2023 Law also extends its coverage over the activities of data controllers that are not registered in Georgia, but use technical facilities (e.g. servers) located in Georgia for data processing (except when such facilities are used for transit of data only). In such cases, foreign data processors are obligated to appoint a registered local representative.

2.3. Material scope

The 2023 Law applies to the processing of personal data fully or partially by automated means within the territory of Georgia, to the processing other than by automated means of data that form part of a filing system or are processed to form part of a filing system, as well as to the processing of data by a controller not established in Georgia, using technical facilities available in Georgia, except where the technical means are used solely for the transit of data.

The 2023 Law establishes requirements for the processing of personal data, personal data of special categories, personal data of minors, personal data of deceased persons, video/audio recordings, and processing of data for direct marketing. The 2023 Law also describes in detail various rights of data subjects with respect to the processing of their personal data, as well as the obligations of data controllers and data processors in relation to such data.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator for data protection in Georgia is the PDPS.

3.2. Main powers, duties and responsibilities

The PDPS is an independent state body. In its activities, the PDPS is guided by the Constitution of Georgia, the international treaties of Georgia, generally recognized principles and norms of international law, the 2023 Law, and other relevant legal acts. The PDPS is obligated to abide by the following principles:

  • legality;
  • protection of human rights and freedoms;
  • independence and political neutrality;
  • objectivity and impartiality;
  • professionalism; and
  • secrecy and confidentiality.

The duties of the PDPS include monitoring the lawfulness of data processing in Georgia. The main fields of activities of the PDPS in the field of data protection are the following:

  • provide consultations on matters related to data protection;
  • review applications related to data protection;
  • examine (inspect) the lawfulness of data processing;
  • inform the public on the data protection status in Georgia, and important events related thereto; and
  • ensure the raising of awareness among the public.

4. Key Definitions

Data controller: A natural person, a legal person, or a public institution, who individually or in collaboration with others determines the purposes and means of the processing of data, and who directly or through a processor processes data (Article 3(n) of the 2023 Law).

Data processor: A natural person, a legal person, or a public institution, which processes data for or on behalf of the data controller. A natural person who is in labor relations with the controller shall not be considered a processor (Article 3(p) of the 2023 Law).

Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his/her name, surname, identification number, location data, and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics (Article 3(a) of the 2023 Law).

Sensitive data: Data connected to a person's racial or ethnic origin, political views, religious, philosophical, or other beliefs, membership of professional unions, health, sexual life, the status of an accused, convicted or acquitted person, or a victim in criminal proceedings, conviction, criminal record, diversion, recognition as a victim of human trafficking or of a crime under the Law of Georgia on the Elimination of Violence against Women and/or Domestic Violence, and the Protection and Support of Victims of Such Violence, detention, and enforcement of his/her sentence, or his/her biometric and genetic data that are processed to allow for the unique identification of a natural person (Article 3(b) of the 2023 Law).

Health data: Data related to the physical or mental health of a data subject, including the provision of health care services, which reveal information about his/her physical or mental health (Article 3(c) of the 2023 Law).

Biometric data: Data processed using technical means and related to the physical, physiological, or behavioral characteristics of a data subject (such as facial images, voice characteristics, or dactyloscopy data), which allow the unique identification or confirmation of the identity of that data subject (Article 3(d) of the 2023 Law).

Pseudonymization: Processing of data in such a manner that the data cannot be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and, by virtue of technical and organizational measures, the data are not attributed to an identified or identifiable natural person (Article 3(z) of the 2023 Law).

5. Legal Bases

5.1. Consent

The data subject has consented to the processing of his/her personal data for a specific purpose. The consent must be in writing where the law expressly requires it.

5.2. Contract with the data subject

One of the legal grounds of personal data processing is the necessity to process personal data for the purposes of performance of a contract with the data subject, or entering into the contract at the request of the data subject.

5.3. Legal obligations

Data processing is necessary for a data controller to perform its statutory duties, such as processing of employee personal data by the employer for the purposes of performance of its tax obligations.

5.4. Interests of the data subject

Data processing is necessary to protect the vital interests of a data subject or a third party, including monitoring epidemics and/or preventing their spread, or managing humanitarian crises and natural and man-made disasters.

5.5. Public interest

Data processing is required for the protection of substantial public interest.

5.6. Legitimate interests of the data controller

Data processing is necessary to protect the legitimate interests of a data controller or a third person, except when there is a prevailing interest to protect the rights and freedoms of the data subject.

5.7. Legal bases in other instances

Other legal grounds for the processing of personal data include the following:

  • processing of personal data is required/allowed under the effective laws;
  • the data are publicly available by virtue of the law, or the data subject has made them publicly available;
  • processing of personal data is necessary to perform tasks falling within the scope of public interest as defined by the legislation of Georgia, including for the purposes of crime prevention, investigation, prosecution, administration of justice, enforcement of detention and imprisonment, execution of non-custodial sentences and probation, conduct of operative and investigative activities, safeguarding of public safety and/or protection of the rule of law, including information security and cyber security; and
  • data processing is necessary to process the application of the data subject (to provide services to them).

6. Principles

The 2023 Law lists the following principles of personal data processing:

  • data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency);
  • data shall be collected/obtained for specified, explicit, and legitimate purposes. The further processing of data for other purposes that are incompatible with the initial purposes shall be prohibited;
  • data shall be processed only to the extent necessary to achieve the respective legitimate purpose. The data shall be proportionate to the purpose for which they are processed;
  • data shall be valid and accurate and, where necessary, kept up to date. With regards to the purposes of data processing, inaccurate data must be rectified, erased, or destroyed without undue delay;
  • data may be stored only for a period that is necessary for achieving the legitimate purpose for which the data are processed. Once the purpose for which the data was processed has been achieved, the data must be erased, destroyed, or stored in a depersonalized form, unless the processing of data is required by law and/or a subordinate normative legal act issued in accordance with law, and the storing of data is a necessary and proportionate measure in a democratic society to safeguard overriding interests; and
  • to ensure the security of data, technical and organizational measures must be taken during the processing of data to ensure appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, and/or damage.

7. Controller and Processor Obligations

7.1. Data processing notification

The 2023 Law does not contain an obligation for the data controller to register with and/or notify the Regulator before the commencement of data processing.

7.2. Data transfers

Cross-border transfer of data is permitted if the requirements for data processing are provided under the 2023 Law and appropriate safeguards in the relevant jurisdiction are in place for ensuring data protection and the protection of data subjects' rights (Article 37 of the 2023 Law).

In addition, the cross-border transfer of data is allowed in the following cases:

  • the data transfer is envisaged by an international treaty and agreements of Georgia;
  • the data controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organization (data transfers, in this case, are subject to an additional consent from the PDPS);
  • the transfer of data is required/allowed under legislation of Georgia applicable to criminal investigations, status of aliens, or other law enforcement procedures;
  • the data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant jurisdiction and on possible threats;
  • the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable of consenting to such data processing; or
  • there is a lawful public interest (including for the purposes of crime prevention, investigation, identification and criminal prosecution, execution of a sentence, and carrying out operative and investigation actions) and the transfer of data is a necessary and proportionate measure in a democratic society.

Onward transfer is permitted only if such data transfer serves the initial purpose of data transfer, meets the requirements for the legal basis for data transfer, and ensures adequate safeguards for data protection.

7.3. Data processing records

Article 28 of the 2023 Law obligates data controllers and a special representative of a foreign data controller (if any) to ensure, in writing or electronically, registration of the following information:

  • identity/name and contact details of the data controller, special representative, personal DPO, joint controller, and the processor;
  • purpose of data processing;
  • data subjects and data categories;
  • categories of data recipients (including categories of data recipients from another state or international organization);
  • cross-border transfer of data, as well as appropriate guarantees of data protection, including a permit from the PDPS (if applicable);
  • data retention periods, and where such periods cannot be specified, the criteria for determining periods of retention;
  • general description of the organizational and technical measures taken for ensuring data security; and
  • information on incidents (if any).

The data processor and any other person involved in data processing are obligated to ensure the registration of the following information:

  • name and contact details of the data processor, personal DPO, controller, joint controller, and special representative;
  • types of data processing carried out for or on behalf of the data controller;
  • information on cross-border transfer of data;
  • general description of the organizational and technical measures taken for ensuring data security; and
  • information on incidents (if any).

7.4. Data protection impact assessment

Article 31 of the 2023 Law obligates data controllers to conduct Data Protection Impact Assessments (DPIAs) in cases where taking into account the new technologies, categories and the volume of data, and the purposes and means of data processing, there is a high probability of threat of violation of fundamental human rights and freedoms during data processing.

In addition, a DPIA is mandatory if the data controller:

  • makes decisions, in a fully automated manner, including on the basis of profiling, which may have legal, financial, or other significant consequences for a data subject;
  • processes data of a special category of a large number of data subjects (not less than 3% of the population of Georgia, which is calculated in accordance with the results of the latest population census); or
  • carries out systematic and large-scale monitoring of data subjects' behavior in places of public gathering.

DPIAs must be concluded by a written report containing, inter alia, an assessment of possible threats of violation of fundamental human rights and freedoms of data subjects, as well as a description of organizational and technical measures taken for data security.

In the case of a substantial change in data processing, the controller is obliged to update the DPIA report and keep it for the entire period of data processing (as well as for at least one year after termination of processing).

If the DPIA reveals a high risk of violation of fundamental human rights and freedoms, the controller is obliged to take all necessary measures to mitigate the risk substantially, and where necessary, address the PDPS for consultation. Where the threat of violation of fundamental human rights and freedoms cannot be mitigated, data processing may not be carried out.

The rules for conducting the DPIA are outlined in the Order of the PDPS.

7.5. Data protection officer appointment

Article 33 of the 2023 Law mandates the following categories of organizations to appoint a personal DPO: public institutions, insurance companies, commercial banks, micro-finance organizations, credit bureaus, electronic communication companies, airlines, airports, and medical institutions, as well as controllers/processors processing the data of a significant number of data subjects or carrying out systematic and large-scale monitoring of their behavior.

Other data controllers are not required but are encouraged to appoint a DPO.

The duties of the DPO include the following:

  • informing a controller, a processor, and their employees on matters related to data protection, and providing them with consultation and assistance;
  • participating in the development of internal regulations related to data processing and the DPIA document, and monitoring compliance with them;
  • analyzing received applications and grievances regarding data processing and making appropriate recommendations;
  • receiving consultations from the PDPS, representing a controller and a processor in the relationship with the PDPS, submitting information and documents at its request, and coordinating and monitoring the implementation of its tasks and recommendations;
  • in the event of an application by a data subject, providing him/her with information on data processing and his/her rights; and
  • performing other functions to ensure the improvement of standards of data processing by a controller and a processor.

The function of a DPO may be performed by an employee of a controller or a processor or by another person(s) on the basis of a service contract. A DPO must have appropriate knowledge in the field of data protection. A DPO shall be accountable to the highest governance structure, taking into account the specific organizational structure of the company. The identity and contact details of the DPO must be notified to the PDPS and shall be made public. The data controller and processor are obliged to publish the identity and contact details of the DPO on a website (if any) in a proactive manner, or through other available means.

By the Order of the PDPS, data controllers/processors are exempted from the obligation to appoint a DPO if they satisfy all of the following conditions (Article 3):

  • the organization is not a public institution, insurance company, commercial bank, microcredit organization, credit bureau, electronic communication company, airline, airport, or medical institution;
  • the data processed concern under 3% of the population of Georgia based on the last census (1% in the case of sensitive data); and
  • the organization is not engaged in systematic and large-scale monitoring of data subject behavior.

7.6. Data breach notification

Articles 29-30 of the 2023 Law obligate the data controller to notify a data breach to the PDPS and to data subjects. In case of a breach the data controller is obligated to register an incident, its resulting outcome, and the measures taken, and to notify the PDPS, no later than 72 hours after identification of the incident, in writing or electronically, except when it is unlikely that the incident would cause significant damage and/or pose a significant threat to fundamental human rights and freedoms. On its part, the data processor is obligated to notify the breach to the data controller.

Among other information regarding the incident, the data controller is obligated to notify the PDPS whether or not, and within what time frames, the controller plans to notify a data subject(s) about the incident. If the data controller is not planning to notify the data subjects, the PDPS may make public the available information on the incident considering the circumstances of the incident, the possible damages, and/or the number of affected data subjects (subject to state security, crime prevention, and public interest considerations).

The obligation to inform the data subject applies in identical circumstances (the incident is likely to cause significant damage and/or pose a significant threat to fundamental human rights and freedoms). The data controller is obligated to inform the data subject immediately, or without unreasonable delay after identification of the incident. The notification must be made in simple and understandable language and contain the following information:

  • a general description of the incident and related circumstances;
  • possible/resulting damage caused by the incident, and measures taken or planned in order to mitigate or eliminate the damage; and
  • the contact details of the personal DPO or other persons.

If notifying data subjects requires disproportionally great efforts, expenses, and time, a controller is obliged to make public the information on the incident or disseminate it in another form that ensures the possibility of the data subject receiving the information.

Various security and public considerations (protection of state secrets, state security, cybersecurity, investigation, criminal prosecution, etc.) are considered exceptional circumstances when the notification obligation does not arise. If a controller has taken appropriate security measures that have resulted in the prevention of a significant risk of violation of fundamental human rights and freedoms, the obligation to notify the data subjects shall not apply.

The criteria for identifying an incident posing a significant threat to fundamental human rights and freedoms and PDPS notification procedures are established by the Order of the PDPS.

7.7. Data retention

Under Article 4(e) of the 2023 Law, personal data may be stored only for a period which is necessary for achieving the legitimate purpose for which the data are processed. Once the purpose for which the data was processed has been achieved, the data must be erased, destroyed, or stored in a depersonalized form, unless the processing of data is required by law and/or a subordinate normative legal act issued in accordance with the law, and the storing of data is a necessary and proportionate measure in a democratic society to safeguard overriding interests.

7.8. Children's data

As opposed to the 2011 Law, Article 7 of the 2023 Law contains specific requirements for the processing of the personal data of minors. Such processing is permitted on the basis of the minor's own consent if the minor has attained the age of 16. Processing of the data of a minor under the age of 16 is permitted with the consent of their parent or another legal representative, except in cases expressly provided for by law, including where the consent of both a minor between the ages of 16 and 18 and their parent or other legal representative is required for the processing of data. When processing the data of a minor, the controller is obliged to take into account and protect the best interests of the minor.

The controller is required to take reasonable and adequate measures to confirm the existence of the consent of the parent or other legal representative of a minor under the age of 16.

Processing of special categories of data of a minor is permitted only on the basis of the written consent of the minor's parent or other legal representative, except in cases expressly provided for by law.

7.9. Special categories of personal data

Article 6 of the 2023 Law allows the processing of special categories of data only if the data controller provides safeguards for the rights and interests of data subjects and if one of the statutory grounds exists, including where:

  • the data subject has given consent to the processing of the special category data for one or more specified purposes;
  • processing is expressly and specifically regulated by law, and their processing is a necessary and proportionate measure in a democratic society;
  • processing is necessary to protect the vital interests of the data subject or another person and the data subject is physically or legally incapable of giving consent to the processing of special categories of data;
  • processing is necessary in the area of health care for the purposes of preventive, prophylactic, diagnostic, therapeutic, rehabilitative and palliative care, and for the management of services, medical equipment, and the quality and safety of products, public health, and the health care system, in accordance with the legislation of Georgia or a contract with a health professional (if these data are processed by a person who has an obligation to protect professional secrets);
  • processing is necessary for the purposes of performing statutory duties of the controller or exercising specific rights of the data subject in the field of social security and social protection, including for the management of social security system and services;
  • processing is necessary for the purposes of crime prevention, investigation, prosecution, administration of justice, ensuring public and fire safety, public safety, and/or the rule of law, and the processing of such data is required by law or other sub-normative acts;
  • special categories of data are processed to ensure information security and cyber security;
  • processing is necessary because of the nature of labor obligations and relations, including for making decisions on employment and assessing the working capacity of the employee;
  • the data subject has made their data publicly available without an explicit prohibition of their use;
  • processing is necessary to protect substantial public interests;
  • special categories of data are processed by political or professional associations, and organizations with religious or non-religious philosophical aims, for their legitimate activities;
  • processing is necessary for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or for statistical purposes if the law provides for the implementation of appropriate and specific measures to protect the rights and interests of the data subject;
  • the data is being processed for the purpose of the functioning of the Unified Migration Analytical System;
  • the data is being processed for the purposes of exercising the right to education of persons with disabilities and persons with special educational needs;
  • the data is being processed for the purposes of reviewing the issue under Article 11(2) of the Law of Georgia on the Elimination of Violence against Women and/or Domestic Violence, and the Protection and Support of Victims of Such Violence;
  • the data is being processed for the purpose of the re-socialization and rehabilitation of convicted persons and former prisoners, and for the coordination of the process of the referral of minors;
  • data is being processed for the purposes of issuing and publishing as public information, in accordance with the Organic Law of Georgia on General Courts, a judicial act adopted as a result of open court hearings;
  • the data is being processed in cases expressly provided for by the Law of Georgia on Public Procurement; or
  • the data is being processed for the functioning of the institutional inter-agency coordination mechanism.

The burden of proving appropriate legal grounds for the processing of special categories of personal data lies with the data controller.

7.10. Controller and processor contracts

Article 36 of the 2023 Law permits the processing of personal data by the data processor only on the basis of a legal act or a written agreement concluded with a controller, which shall specify the grounds and purposes of the data processing, the categories of data to be processed, the term of data processing, and the rights and obligations of a controller and a processor.

The written agreement must include the following obligations of a processor:

  • carry out data processing only in accordance with the written instructions or guidelines of a controller;
  • ensure that a natural person who directly participates in data processing has an obligation to maintain confidentiality;
  • ensure data security in accordance with the 2023 Law;
  • delete or transfer data to a controller in the case of the cancellation or termination of the agreement, and delete their copies, unless an obligation to keep them is established by the legislation of Georgia; and
  • provide appropriate information to the data controller in order to ensure compliance with the statutory obligations and the monitoring of data processing by the controller.

A data processor may not carry out further data processing for purposes other than those determined by an agreement or a legal act. An agreement on data processing may not be concluded if, due to the activities and/or purposes of the processor, there is a high risk of inappropriate data processing or the risk of violation of the rights of data subjects.

Unless otherwise provided for by the legislation of Georgia, a processor may not assign his/her rights and duties, fully or partially, to another person without the prior written consent of a controller. The consent of the controller shall not relieve the processor from the relevant obligations and responsibilities.

In the event of termination of a written agreement on data processing, data processing must be terminated, and the processed data must be immediately fully transferred to a controller.

8. Data Subject Rights

8.1. Right to be informed

Article 13 of the 2023 Law grants the data subject the right to receive from the data controller confirmation as to whether or not his/her data are being processed and, if requested, the following detailed information:

  • categories of processed data, grounds, and purpose of processing;
  • source from which the data were collected/obtained;
  • retention period and, if no specific period can be determined, the criteria used to determine that period;
  • description of rights of the data subject as provided under the 2023 Law;
  • legal basis and purposes of data transfer, as well as the appropriate data protection safeguards if the data are subject to cross-border transfer;
  • identity of recipients or categories of recipients, including information on the ground for and purpose of the transfer, if the data are transferred to a third party; and
  • decision made as a result of automated processing, including profiling, and the logic involved in decision-making, impact on the processing and the expected results of processing.

The above information must be provided free of charge, not later than 10 business days after the request. In special cases and upon appropriate justification, the response period may be extended by no more than 10 business days and the data subject must be notified immediately.

Unless otherwise provided by the legislation of Georgia, the data subject may choose the form of provision of information. If the data subject does not specify the form, the information shall be provided in the same form in which it was requested.

8.2. Right to access

Article 14 of the 2023 Law grants data subjects the right to access their personal data and obtain copies of such data from the controller free of charge, except in cases where in order to access and/or issue the copies of data:

  • a fee is required under the legislation of Georgia; or
  • a reasonable fee is established by the controller because of the resources spent on issuing the copies in a form other than that in which the data are stored, and/or because of frequent requests.

The request of the data subject must be complied with not later than 10 business days unless different time limits are set by the laws of Georgia. In special cases and with proper justification, the response period may be extended by no more than 10 business days and the data subject must be notified immediately.

The data subject may access the data and/or obtain copies in a form in which they are kept by the controller and/or processor. It is possible to obtain copies of data in another form, subject to payment of a reasonable fee established by the controller and where technically feasible.

8.3. Right to rectification

Article 15 of the 2023 Law grants the data subject the right to request rectification, update, and completion of data. The request for rectification, update, and completion of data must be complied with within 10 business days (unless different time limits are set by the laws of Georgia). Otherwise, the data controller must notify the data subject of the reasons for the refusal of the request and the procedure for appealing such refusal.

If the controller, independently of the data subject, discovers that the data are erroneous, inaccurate, or incomplete, the controller is obligated to rectify, update, or complete the data within a reasonable time and inform the data subject within 10 business days, unless such rectification, update, or completion is related to the correction or removal of a technical error. The same information must be provided to all recipients of data unless prevented due to a large number of controllers/processors or recipients, and/or disproportionately high costs. All recipients of data must rectify, update, and complete the data within reasonable timeframes, upon receipt of respective information.

8.4. Right to erasure

Article 16 of the 2023 Law grants data subjects the right to request termination of the processing of data (including profiling), erasure, or destruction of their personal data.

The request for data erasure must be complied with within 10 business days (unless different time limits are set by the laws of Georgia) and processing of the data must be terminated. Otherwise, the data controller must notify the data subject of the reasons for the refusal of the request and the procedure for appealing such refusal.

The controller may refuse to comply with the request for erasure in the following cases:

  • the data controller has other legal grounds for the processing of data;
  • the data are processed for the purposes of substantiating a legal claim or a statement of defense;
  • the processing of data is necessary for the exercise of the right of freedom of expression or information; or
  • the data are processed for archiving purposes in the public interest as provided for by law, for scientific or historical research purposes or statistical purposes, and the exercise of the right to the termination of the processing, erasure, or destruction of the data would render impossible or substantially impair the achievement of the purposes of the processing.

The data controller is obligated to notify the data subject of the termination of processing, erasure, or destruction of the data once the respective action has been taken, without delay and at the latest within 10 business days.

The data subject may, where the data are processed in a publicly available form, also request the controller to restrict access to the data and/or erase copies of or any internet links to the data.

The controller must inform all recipients of data regarding termination of the processing, erasure, or destruction of the data unless this information cannot be provided due to a large number of controllers/processors or recipients, and/or disproportionately high costs. Upon receipt of such notification, all recipients must terminate processing and erase or destroy the data.

8.5. Right to object/opt-out

Article 17 of the 2023 Law grants data subjects the right to request from the controller to block data if any of the following circumstances exist:

  • the authenticity or accuracy of the data is contested by the data subject;
  • the processing of the data is unlawful, although the data subject opposes the erasure of the data and requests their blocking;
  • the data are no longer needed for the purposes of processing, but they are required by the data subject to lodge a complaint/claim;
  • the data subject requests termination of the processing, erasure or destruction of the data and this request is being considered; or
  • there is a need to retain data for use as evidence.

The controller must block the data if one of the above grounds exists unless blocking the data could jeopardize one of the following:

  • the fulfillment by the controller of its statutory duties;
  • the performance of tasks falling within the scope of public interest in accordance with law and the exercise by the controller of the powers conferred on him/her under the laws of Georgia;
  • legitimate interests of the controller or a third party, unless there is an overriding interest in protecting the rights of a data subject, in particular a minor; or
  • the protection of interests of the data subject or a third party within the frames of an inquiry/investigation by the PDPS.

After the decision to block data has been made, the controller may unblock the data if any of the grounds provided above exists.

The data shall be blocked for the period of existence of the grounds of blocking, and during such period, if technically feasible, the decision to block the data must be attached to the relevant data.

The data subject has the right to be informed of a decision to block the data or of the grounds of refusal once the decision has been made, without delay and at the latest within three business days after the request.

Where data are blocked in accordance with Article 17 of the 2023 Law, the data may be processed otherwise than by storage in the following cases:

  • with the consent of the data subject;
  • to substantiate a legal claim or a statement of defense;
  • to protect the interests of the controller or a third party; or
  • to protect public interests in accordance with the law.

8.6. Right to data portability

In the case of the automated processing of data in accordance with the requirements of the 2023 Law, Article 18 of the 2023 Law grants data subjects the right, if technically feasible, to receive from the controller their personal data which they have provided to the controller in a structured, commonly used and machine-readable format, or to require that the data be transmitted to another controller.

8.7. Right not to be subject to automated decision-making

Article 19 of the 2023 Law grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similarly significant effects concerning them, except where a decision based on profiling is:

  • based on the data subject's explicit consent;
  • necessary for entering into, or performing, a contract between the data subject and a controller; or
  • provided for by applicable law.

Where a respective request has been made by the data subject, the controller must take appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests, including by involving human resources in the decision-making, and by giving the right to the data subject to express his/her point of view and to contest the decision.

The use of special categories of data in the decision-making shall be permitted only in exceptional cases, including the consent of the data subject, provided that appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

8.8. Other rights

Article 20 of the 2023 Law grants data subjects the right to withdraw their consent on data processing at any time and without explanation. In such case, the processing of the data must be terminated, and/or the processed data must be erased or destroyed within no later than 10 business days after the request, provided that no other ground for the processing exists.

Before withdrawing the consent, the data subject may request and receive from the controller information on the possible consequences of withdrawing the consent.

9. Penalties

Under Article 52 of the 2023 Law, the PDPS may apply one, or simultaneously more than one, of the following measures:

  • require the remedy of any violations and shortcomings related to data processing in the manner and within the period specified by it;
  • require suspension or termination of data processing, if the measures and procedures implemented by a controller or a processor for ensuring data security do not comply with the requirements of the legislation of Georgia;
  • require termination of data processing, the blocking, erasure, destruction, or depersonalization of the data, if it believes that the data are being processed in violation of the legislation of Georgia;
  • require termination of data transfer to another state and international organization, if the data transfer is being carried out in violation of the legislation of Georgia;
  • provide written advice and recommendations to a controller and/or a processor in case of a minor violation of the procedures related to data processing; or
  • impose administrative liability on an offender.

The 2023 Law has increased the amounts of administrative penalties and has tied them to the annual turnover of the breaching entity. The penalties range from GEL 1,000 (approx. $370) to GEL 10,000 (approx. $3,730). To illustrate, below we have listed administrative penalties for some of the violations provided under the 2023 Law.

Processing data without the grounds provided for by the 2023 Law (Article 67):

  • issuance of a warning to or imposition of a fine of GEL 1,000 (approx. $370) on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500,000 (approx. $187,000);
  • issuance of a warning to or imposition of a fine of GEL 2,000 (approx. $746) on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500,000 (approx. $187,000); or
  • in case of aggravating circumstances, the penalty increases to GEL 2,000 (approx. $746) (with annual turnover not exceeding GEL 500,000 (approx. $187,000)) or GEL 4,000 (approx. $1,493) (with annual turnover exceeding GEL 500,000 (approx. $187,000)).

Processing of special category data without the grounds provided for by the 2023 Law (Article 68):

  • issuance of a warning to or imposition of a fine of GEL 2,000 (approx. $746) on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500,000 (approx. $187,000);
  • issuance of a warning to or imposition of a fine of GEL 3,000 (approx. $1,120) on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500,000 (approx. $187,000); or
  • in case of aggravating circumstances, the penalty increases to GEL 3,000 (approx. $1,120) (with annual turnover not exceeding GEL 500,000 (approx. $187,000)) or GEL 5,000 (approx. $1,866) (with annual turnover exceeding GEL 500,000 (approx. $187,000)).

Processing data for the purposes of direct marketing in violation of the rules established under the 2023 Law (Article 71):

  • issuance of a warning to or imposition of a fine of GEL 2,000 (approx. $746) on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500,000 (approx. $187,000);
  • issuance of a warning to or imposition of a fine of GEL 4,000 (approx. $1,493) on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500,000 (approx. $187,000); or
  • in case of aggravating circumstances, the penalty increases to GEL 6,000 (approx. $2,239) (with annual turnover not exceeding GEL 500,000 (approx. $187,000)) or GEL 5,000 (approx. $1,866) (with annual turnover exceeding GEL 500,000 (approx. $187,000)).

Failure to comply with the obligation to inform the data subject (Article 74):

  • issuance of a warning to or imposition of a fine of GEL 1,000 (approx. $370) on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500,000 (approx. $187,000);
  • issuance of a warning to or imposition of a fine of GEL 1,500 (approx. $556) on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500,000 (approx. $187,000); or
  • in case of aggravating circumstances, the penalty increases to GEL 2,000 (approx. $746) (with annual turnover not exceeding GEL 500,000 (approx. $187,000)) or GEL 3,000 (approx. $1,120) (with annual turnover exceeding GEL 500,000 (approx. $187,000)).

9.1. Enforcement decisions

Not applicable.