Law on Personal Data Protection No. 3144/2023 Georgia

Overview

Law on Personal Data Protection No. 3144/2023 of Georgia regulates the processing of personal data to safeguard fundamental human rights, such as the right to privacy, inviolability of family life, and confidentiality of communication. It applies to entities within Georgia and those processing Georgian citizens' data using technical means within the country and sets clear principles, responsibilities, and rights for data controllers, processors, and data subjects, along with requirements for transparency, security, and breach notification.


Regulation Summary

Timeline
  • June 14, 2023: Law adopted.
  • March 1, 2024: Most provisions come into effect.
  • June 1, 2024: Specific provisions on impact assessments and data protection officers take effect.
  • January 1, 2025 - January 1, 2027: Additional provisions phased in.
What Businesses Are Affected
  • All organizations processing personal data in Georgia, including public and private entities.
  • Foreign businesses processing data of Georgian residents or using infrastructure in Georgia.
  • Entities handling sensitive data such as biometric, health, or financial information.
Exemptions
  • Personal data processing for exclusively personal or household purposes.
  • Processing for national security, defense, or criminal investigations.
  • Media, journalistic, artistic, or academic research under ethical guidelines.
Responsibilities for Businesses
  • Lawful Processing: Data must be collected with consent or another legal basis.
  • Purpose Limitation: Data must only be used for its specified purpose.
  • Data Security: Businesses must implement measures to prevent unauthorized access, loss, or alteration.
  • Accountability: Organizations must document their data processing activities and designate responsible officers.
Specific Responsibilities for Website Owners
  • Cookie Consent: Websites must obtain user consent for non-essential cookies.
  • Privacy Notice: A clear privacy policy must be accessible to users.
  • User Rights Portal: Websites should provide an interface for individuals to exercise their data rights.
  • Secure Data Transmission: Personal data collected online must be encrypted.
Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the receiving country ensures an adequate level of protection or appropriate safeguards.
  • Data Protection Officer (DPO): Mandatory for large-scale or sensitive data processing organizations.
  • Impact Assessments: Required for high-risk data processing activities, including profiling and automated decision-making.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under specific conditions.
  • Portability: Right to obtain and transfer personal data.
  • Objection: Right to refuse data processing for marketing or other purposes.
  • Restriction: Right to limit processing under certain circumstances.
Enforcement
  • Regulatory Body: The Personal Data Protection Service (PDPS) oversees enforcement.
  • Fines: Penalties range from GEL 1,000 to GEL 10,000 (~$370 to $3,700 USD) depending on the severity of the violation.
  • Sanctions: Businesses may face suspension of data processing activities, and responsible individuals may be subject to criminal penalties, including imprisonment in severe cases.