8 Amendments That the New Law on Personal Data Protection Envisages
The Parliament of Georgia passed the bill on Personal Data Protection in three readings, initiated back in 2019. The discussion on the draft law resumed in the Parliament of the 10th Convocation in December 2022.
The law encompasses a multitude of cutting-edge advancements in line with the best international standards for personal data protection. Its execution will be carried out gradually.
1. Commercial text messages will not be sent without consent obtained beforehand
The processing of personal data for commercial text messages and the transmission of advertising messages (data processing for direct marketing purposes) is allowed only with the explicit consent of the individual whose data is being processed.
The individual whose data is being processed possesses the right to withdraw their consent at any time. Upon receiving such a request, the data processor is legally obliged to halt the processing of the individual's data within 7 working days.
The provision shall come into force from March 1, 2024.
2. All public institutions and certain private companies will be required to appoint a personal data protection officer
The institutions required to have a personal data protection officer (the designated employee responsible for overseeing personal data processing within the organization) include the following:
- Public institutions (except religious and political organizations)
- Insurance companies
- Commercial banks
- Microfinance organizations
- Credit bureaus
- Electronic communication companies
- Airlines
- Airports
- Medical institutions which provide services to at least 10,000 data subjects annually
- Organizations engaged in data processing for a substantial number of data[1] subjects or implementing systematic and extensive monitoring of their behavior.
The personal data protection officer has the right to perform other functions as long as this does not create a conflict of interest. The organization may conclude a service contract for a personal data protection officer.
The provision shall come into force from June 1, 2024.
3. The regulations and terms regarding audio recording (audio monitoring) in public or private spaces are established
Audio monitoring will be permissible under the following circumstances:
- with the consent of the data subject;
- for generating protocol records;
- during remote communication;
- for the purposes of personal safety and property protection, as well as protection of confidential information, if these cannot be achieved by other means;
- in other cases, expressly prescribed by law.
The data processor is obligated to inform the data subject beforehand or at the commencement of audio monitoring.
The provision shall come into force from March 1, 2024.
4. The regulations regarding video recording (video monitoring) through cameras installed in public or private spaces are further defined
- To carry out video surveillance, the data processor must document in writing the purpose and scope of video monitoring, the duration of surveillance, the timeframe for retaining recorded footage, the protocols for accessing video recordings, as well as the procedures for storage and disposal, mechanisms to ensure the protection of the data subject's rights (except in cases where video monitoring is performed by an individual within a residential building).
- Depending on their workplace, all employees are entitled to receive additional information concerning the objectives of the video surveillance.
- The data processor/authorized person is required to prominently display a notice indicating the presence of video surveillance. This notice must include the name and contact information of the data processor.
The provision shall come into force from March 1, 2024.
5. Legal guarantees for the protection of minors' personal data are established
- Data processing of a minor is permissible with the minor's consent if the minor has attained the age of 16. In the case of a minor below the age of 16, data processing is permitted with the consent of their parent or other legal representatives.
- When processing the data of a minor, it is obligatory to consider and safeguard the best interests of the minor. The consent to data processing given by a minor, his parent, or other legal representatives shall not be considered valid if data processing endangers or harms the minor's best interests.
The provision shall come into force from March 1, 2024.
6. The obligation to notify the inspector in case of data protection violation is established
Any organization or individual who processes personal data is required to record all incidents of data protection violations, the results, and the measures taken, and to report them to the Personal Data Protection Service no later than 72 hours after the discovery of the incident.
The provision shall come into force from March 1, 2024.
7. The grounds for data processing are enhanced
The following are added to the existing data processing grounds (any action performed on personal data, including their collection, obtainment, storage, use, blocking, erasure or destruction, data disclosure, etc.):
- When data processing is necessary to conclude a contract (or other agreement) or to fulfill the contractual obligations of the involved parties;
- Data processing is required for carrying out tasks falling under the realm of public interest as defined by legislation. This includes activities related to crime prevention, crime investigation, criminal prosecution, administration of justice, imprisonment, operative-investigative activities, public safety, and protection of law and order.
- When the processing of special categories of data (e.g. health condition, the status of accused, convicted, acquitted, or victim in criminal proceedings, etc.) is necessary to protect the important public interest; to fulfill the duty imposed by the legislation in the field of social security and social protection.
The provision shall come into force from March 1, 2024.
8. The rights of individuals whose data is processed are enhanced
The data subject (the person whose data is being processed) retains the right to request the termination, erasure, or destruction of data concerning them not only in cases of unlawful data processing but also in the following circumstances:
- If data processing is no longer necessary for the purpose for which it was processed;
- The data subject withdraws consent, which is the sole basis for data processing.
The data subject is also entitled to request the deletion of all internet links connecting to their personal data from any data processor.
The provision shall come into force from March 1, 2024.
[1] A substantial number of data refers to no less than 3% of the population of Georgia, as determined based on the latest findings from the general population census.