Law of Georgia on Personal Data Protection

Law of Georgia on Personal Data Protection
Document number 5669-რს
Document issuer Parliament of Georgia
Date of issuing 28/12/2011
Document type Law of Georgia
Source and date of publishing Website, 16/01/2012
Expiration Date 01/03/2024
Registration code 010100000.05.001.016606
Consolidated publications
5669-რს
28/12/2011
Website, 16/01/2012
010100000.05.001.016606
Law of Georgia on Personal Data Protection
Parliament of Georgia
Attention! You are not reading the final edition. In order to read the final edition, please, choose the respective consolidated version.

Consolidated versions (08/05/2019 - 07/06/2019)

 

LAW OF GEORGIA

ON PERSONAL DATA PROTECTION

 

Chapter I – General Provisions

 

Article 1 – Purpose of this Law

This Law is intended to ensure protection of human rights and freedoms, including the right to privacy, in the course of personal data processing.

                  

Article 2 – Definition of terms

The terms used in this Law have the following meanings:

a) personal data (‘the data’) – any information connected to an identified or identifiable natural person. A person shall be identifiable when he/she may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological, economic, cultural or social features specific to this person;

b) special categories of data – data connected to a person’s racial or ethnic origin, political views, religious or philosophical beliefs, membership of professional organisations, state of health, sexual life, criminal history, administrative detention, putting a person under restraint, plea bargains, abatement, recognition as a victim of crime or as a person affected, also biometric and genetic data that allow to identify a natural person by the above features;

c) biometric data – any physical, mental or behavioural feature which is unique and constant for each natural person and which can be used to identify this person (fingerprints, foot prints, iris, retina (retinal image), facial features);

c1) genetic datum – a unique and constant datum of a data subject on genetic inheritance and/or DNA code that makes it possible to identify this person;

d) data processing – any operation performed in relation to the data by automated, semi-automatic or non-automatic means, in particular collection, recording, photographing, audio recording, video recording, organisation, storage, alteration, restoration, request for access to, use or disclosure by way of data transmission, dissemination or otherwise making them available, grouping or combination, locking, deletion, or destruction;

e) automated data processing – data processing by means of information technologies;

e1) semi-automatic data processing – data processing by means of information technologies and non-automatic means;

f) data subject – any natural person whose data is being processed;

g) consent – a voluntary consent of a data subject, after receipt of the respective information, on his/her personal data processing for specific purposes expressed orally, through telecommunication or other appropriate means, which enables clearly establishing the will of the data subject;

h) written consent of the data subject – a voluntary consent expressed by a data subject, after receipt of the respective information on his/her personal data processing for specific purposes, which was signed or otherwise acknowledged by the data subject in writing or in any other equivalent form;

i) data controller – a public agency, a natural or legal person who individually or in collaboration with others determines purposes and means of personal data processing and who, directly or through a data processor, processes personal data;

j) data processor – any natural or legal person who processes personal data for or on behalf of the data controller;

k) data recipient – a private or public agency, a natural or legal person, an employee of the private or public sector to whom the data were transferred, except for the State Inspector Service;

l) third party – any natural or legal person, a public agency, except for a data subject, the State Inspector Service, a data controller, and a data processor;

m) filing system – a structured set of data where they are arranged and available according to specific criteria;

n) filing system catalogue – a detailed description of structure and contents of the filing system;

o) registry of filing system catalogues – a registry providing a detailed record of the existing filing systems;

p) blocking of data – temporary suspension of data processing;

q) data depersonalisation – data modification in a way to make it impossible to link the data to the data subject or to require disproportionately great effort, expense and time to establish such a link;

r) identification number – a personal identification number or any other identification number defined by law, which is connected to a natural person and may be used to retrieve data from the filing system (where the identification number is also processed) or to disclose them;

s) State Inspector – a public official provided for by the Law of Georgia on the State Inspector Service responsible for the supervision of the execution of personal data protection legislation;

t) direct marketing – offering goods, services, employment or temporary jobs by mail, telephone calls, e-mail or other means of telecommunication;

u) (deleted);

v) (deleted);

w) (deleted);

x) (deleted);

y) (deleted);

z) (deleted);

Law of Georgia No 6325 of 25 May 2012 - website, 12.6.2012

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 2869 of 30 November 2014 – website, 30.11.2014

Law of Georgia No 479 of 22 March 2017 – website, 27.3.2017

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 3300 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 3 – Scope of the Law

1. This Law shall apply to the processing of data through automatic or semi-automatic means, and to the processing of data through non-automatic means within the territory of Georgia, which data form part of the filing system or are intended to form part of the filing system. This Law shall also apply to automatic processing of data defined as a state secret for the crime prevention and investigation, operational-investigative activities and protection of the rule of law, except as provided in this article.

11. Non-automatic data processing shall be inadmissible if it is intended to avoid performance of the requirements of this Law.

2. This Law shall also apply to:

a) data processing by diplomatic representations and consular offices of Georgia abroad;

b) activities of a data processor who is not registered in the territory of Georgia but employs technical means existing in Georgia for data processing, except when these technical means are used only for data transfer. In this case, the data controller must appoint/designate a registered representative in Georgia.

3. This Law shall not apply to:

a) data processing by a natural person clearly for personal purposes when the data processing is not related to his/her entrepreneurial or professional activity;

b) data processing for court proceedings as far as it may prejudice the proceedings before the final decision of the court;

c) processing of the data defined as a state secret for the purposes of state security (including economic security), defence, intelligence and counter-intelligence activities;

d) processing of information defined as a state secret (except for the data specified in paragraph 1 of this article).

4. This Law (except for Article 17) shall not apply to processing of data by media for public information, also to processing of data in the fields of art and literature.

5. Articles 19 and 20 of this Law shall not apply to processing of data by political parties, professional and other unions, and religious organisations with respect to their members.

6. Article 6 of this Law shall not apply to data processing for public safety, operational and investigative activities and criminal investigations if the issue is directly and specifically regulated under the Criminal Procedure Code of Georgia or the Law of Georgia on Operational and Investigative Activities or other special laws.

7. Article 6 of this Law shall not apply to data processing for the national population census under the Law of Georgia on Official Statistics.

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

         

Article 31 – Issues related to the purpose of the execution of this Law by the State Inspector and the State Inspector Service, also the issues related to the monitoring of the covert investigative actions and activities carried out in the electronic data identification central bank

 

Issues related to the purpose of the execution of this Law by the State Inspector and the State Inspector Service, also the issues related to the monitoring of the covert investigative actions and activities carried out in the electronic data identification central bank shall be defined by the Law of Georgia on State Inspector.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 4 – Principles of data processing

The following principles must be observed during data processing:

a) data must be processed fairly and lawfully, without impinging on the dignity of a data subject;

b) data may be processed only for specific, clearly defined and legitimate purposes. Further processing of data for purposes that are incompatible with the original purpose shall be inadmissible;

c) data may be processed only to the extent necessary to achieve the respective legitimate purpose. The data must be adequate and proportionate to the purpose for which they are processed;

d) data must be valid and accurate, and must be updated, if necessary. Data that are collected without legal grounds and irrelevant to the processing purpose must be blocked, deleted or destroyed;

e) data may be kept only for the period necessary to achieve the purpose of data processing. After the purpose of data processing is achieved, the data must be locked, deleted or destroyed, or stored in a form that excludes identification of a person, unless otherwise determined by Law.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

         

Chapter II – Rules for Data Processing

                  

Article 5 – Grounds for data processing

Data processing shall be admissible if:

a) there is a data subject’s consent;

b) data processing is provided for by Law;

c) data processing is necessary for a data controller to perform his/her statutory duties;

d) data processing is necessary to protect vital interests of a data subject;

e) data processing is necessary to protect legitimate interests of a data controller or a third person, except when there is a prevalent interest to protect the rights and freedoms of the data subject;

f) according to the Law, data are publicly available or a data subject has made them publicly available;

g) data processing is necessary to protect a significant public interest under the Law;

h) data processing is necessary to deal with the application of a data subject (to provide services to him/her).

                  

Article 6 – Processing of special category data

1. Special category data processing shall be prohibited.

2. Processing of data under paragraph 1 of this article shall be possible with written consent of a data subject or when:

a) processing of the data related to previous convictions and state of health is necessary for labour obligations and labour relations, including making a decision regarding employment;

b) data processing is necessary to protect the vital interests of a data subject or a third person and when the data subject is physically or legally unable to give his/her consent to data processing;

c) the data are processed for public health protection, health care or protection of health of a natural person by an institution (employee), and if it is necessary to manage or operate the health care system;

d) a data subject has made his/her data publicly available without an explicit prohibition of their use;

e) data are processed by a political, philosophical, religious or professional union or a non-commercial organisation when implementing legitimate activities; In this case, the data processing may only be connected with the members of this union/organisation or persons who have regular contacts with this union/organisation;

f) data are processed to consider the issues related to the maintenance of personal files and registers of the accused/convicted persons; to the individual planning for a convicted person to serve his/her sentence, and/or the release of a convicted person on parole and the change of an unserved term of his/her sentence with a lighter punishment;

g) data are processed for the purpose of enforcing legal acts under Article 2 of the Law of Georgia on Enforcement Procedure of Non-custodial Sentences and Probation;

h) data are processed in the cases directly provided for by the Law of Georgia on International Protection;

i) data are processed for the functioning of the integrated analytical system of migration data;

j) data are processed for the purpose of the realisation of the right of the education of the persons with special educational needs.

3. When data are processed under paragraph 2 of this article, it shall be prohibited to make the data publicly available and to disclose the data to a third party without the consent of the data subject.

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3534 of 1 May 2015 – website, 18.5.2015

Law of Georgia No 5017 of 27 April 2016 – website, 13.5.2016

Law of Georgia No 54 of 1 December 2016 – website, 15.12.2016

Law of Georgia No 669 of 21 April 2017 – website, 3.5.2017

Law of Georgia No 3451 of 20 September 2018 – website, 9.10.2018

         

Article 7 – Protection of personal data of a deceased person

1. After a data subject dies, processing of his/her data, except for the grounds specified in Articles 5 and 6 of this Law, shall be permissible with the consent of a parent, child, grandchild or spouse of the data subject, or when 30 years have passed since the death of the data subject.

2. Data processing of a data subject after his/her death shall also be permissible if it is necessary to realise inheritance rights.

3. Data processing under the grounds defined in paragraphs 1 and 2 of this article shall be inadmissible if a data subject, before he/she died, had prohibited in writing having his/her data processed after death, except when data are processed on the grounds specified in Articles 5 and 6 of this Law.

4. To process the name, gender or birth and death dates of a deceased person, existence of grounds under this Law for data processing shall not be necessary.

5. The data of a deceased person may be disclosed for historical, statistical and research purposes, except when the deceased person had prohibited in writing disclosure of his/her data.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

                  

Article 8 – Data processing for direct marketing purposes

1. Data obtained from publicly available sources may be processed for direct marketing purposes.

2. Regardless of the purpose of data collection, the following data may be processed for direct marketing purposes: name (names), address, telephone number, e-mail address, fax number.

3. Any data may be processed for direct marketing purposes on the basis of a written consent given by a data subject as determined by this Law.

4. A data subject shall have the right to require at any time that a data controller stop to use of his/her data for direct marketing purposes.

5. A data controller shall be obliged to stop data processing for direct marketing purposes and/or ensure that a data processor stop data processing for direct marketing purposes not later than 10 working days after the request of a data subject is received.

6. When data are processed for direct marketing purposes a data controller shall be obliged to notify a data subject of the right under paragraph 4 of this article and to ensure the possibility to stop data processing for direct marketing purposes in the same form as the direct marketing is conducted, and/or to determine the available and adequate means to require discontinuation of data processing for direct marketing purposes.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

                  

Article 9 – Biometric data processing by public agencies

1. A public agency may process biometric data only for human security and property protection purposes, also to prevent disclosure of secret information if these goals may not be reached by other means or require disproportionately great efforts.

2. Regardless of the conditions under paragraph 1 of this article, biometric data may be processed to issue an identity document under procedures established by Law, or to identify a person crossing the state border, as well as in other cases directly provided for by a legislative act of Georgia.

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 54 of 1 December 2016 – website, 15.12.2016

         

Article 10 – Biometric data processing by legal entities under private law and natural persons

A legal entity under private law and a natural person may only process biometric data if it is necessary to perform activities, provide human safety and property protection, also to prevent disclosure of secret information, if these goals may not be reached by other means or require unjustifiably great efforts. Unless otherwise determined by law, before using biometric data, a data processor shall provide the State Inspector Service with the same information that is provided to the data subject, in particular on the purpose of data processing and the security measures taken to protect the data.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Article 11 – Video surveillance in the streets and public transport

1. Video surveillance in streets (including in parks, public gardens, near playgrounds, public transport stops and other public gathering places) and in public transport shall only be permissible to prevent crime, also for human safety reasons, protection of property and public order, or to prevent minors from harmful influence.

2. If a video surveillance system is installed, public and private institutions shall be obliged to put up an appropriate warning sign in a visible place. In this case, it shall be considered that a data subject has been informed about the processing of his/her data.

3. The video surveillance system and video recordings must be protected from unlawful trespass and use.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

         

Article 12 – Video surveillance of buildings of public and private institutions

1. For monitoring purposes, public and private institutions may implement video surveillance of their buildings if it is necessary for human security and property protection, and also to prevent minors from harmful influences, protect secret information and for examination/testing purposes.

2. A video surveillance system may only be used to monitor outside perimeters and entrances of buildings. A data processor shall be obliged to put up an appropriate warning sign in a visible place. In this case, it shall be considered that a data subject is informed about processing of his/her data.

3. A video surveillance system may be installed at a workplace only in exceptional cases if it is necessary for human security and property protection, for the protection of secret information and for examination/testing purposes, and if these goals may not be reached by other means.

4. Video surveillance shall be inadmissible in cloak rooms and hygiene facilities.

5. When using a video surveillance system at the workplace under paragraph 3 of this article, all persons working in their respective private or public institutions must be informed in writing about the video surveillance and their rights.

6. A data processor shall be obliged to create a filing system to store video recordings. In addition to the recordings (images/voice), the system must include information about the date, place and time of data processing.

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 4145 of 26 December 2018 – website, 10.1.2019

                  

Article 13 – Video surveillance of residential buildings

1. To install a video surveillance system within a residential building, a written consent of more than a half of the building owners shall be necessary. Residents of the building must be notified of the video surveillance system installation.

2. Installation of a video surveillance system within residential buildings shall only be permissible for human security and property protection.

3. A video surveillance system installed within a residential building may only monitor the entrance and common spaces. Monitoring of owners’ apartments shall not be allowed.

4. Monitoring of the hallway of an apartment by a video surveillance system shall be allowed only by the apartment owner's decision or based on his/her written consent.

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

                  

Article 14 – Data processing for registration of entry into and exit from buildings of public and private institutions

1. Public and private institutions may collect the following data for registration of entry into and exit from buildings: name, number and type of the identity document, address, date and time of entry and exit, and reasons for entry into and exit from the building.

2. The storage period for the data under paragraph 1 of this article must not exceed three years after they were recorded unless otherwise provided by law. The data must be deleted or destroyed after three years.

         

Chapter III – Rights and Obligations of Data Controllers and Data Processors

         

Article 15 – Provision of data subjects with data

1. If data are collected directly from a data subject, a data controller or a data processor shall be obliged to provide the data subject with the following information:

a) identities and registered addresses of the data controller and the data processor (if applicable);

b) purpose of data processing;

c) whether provision of data is mandatory or voluntary; if mandatory – the legal consequences of refusal to submit them;

d) the right of the data subject to obtain information on his/her personal data processed, request their correction, updating, addition, blocking, deletion and destruction.

2. Provision of the information mentioned in paragraph 1 of this article shall not be mandatory if the data subject already has it.

3. If the data are not collected directly from a data subject, a data controller or a data processor shall be obliged to provide the data subject with the information in paragraph 1 of this article upon request.

4. When collecting data for statistic, scientific and historic purposes, provision of information shall not be mandatory if this requires disproportionately great efforts.

                  

Article 16 – Processing of data by data processors

1. A data processor may process data on the basis of a legal act or a written contract concluded with a data controller, which must comply with the requirements established by this Law and other normative acts and must take account of the rules and restrictions established by this Law.

2. A data processor must process data within the scope determined by a respective normative act or an agreement. Any further data processing by a data processor for any other purposes shall be inadmissible. A data processor may not transfer the right to process data to any other person without the consent of a data controller.

3. Conclusion of an agreement for data processing shall be inadmissible if, due to the activities and/or aims of a data processor, there is a risk of inappropriate data processing.

4. A data controller must be assured that a data processor applies appropriate organisational and technical measures to protect data. It shall be obliged to monitor data processing by a data processor.

5. In case of a dispute between a data processor and a data controller, the data processor shall be obliged to transfer all available data to the data controller upon request.

6. In the case of cancellation by a data processor of the grounds mentioned in paragraph 1 of this article or termination of activities, the data processing must be stopped and the data that were processed before cancellation of these grounds or termination of the activities shall be immediately transferred to the data controller.

7. The agreement with a data processor must include the obligation to apply measures for data security.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

                  

Article 17 – Data security

1. A data controller shall be obliged to take appropriate organisational and technical measures to ensure protection of data against accidental or unlawful destruction, alteration, disclosure, collection or any other form of unlawful use, and accidental or unlawful loss.

2. A data controller shall be obliged to ensure registration of all operations performed in relation to electronic data. When processing non-electronic data, a data controller shall be obliged to register all operations with respect to disclosure and/or alteration of data.

3. Measures taken to ensure data security must be adequate to the risks related to processing of data.

4. Any employee of a data controller and of a data processor, who is involved in processing of data, shall be obliged to stay within the scope of powers granted to him/her. In addition, he/she shall be obliged to protect data secrecy, including after his/her term of office terminates.

5. The data security measures shall be defined by the legislation of Georgia.

         

Article 18 – Obligations of data controllers and data processors for the disclosure of data

When disclosing data, a data controller and a data processor shall be obliged to ensure registration of the following information: the data that were disclosed, to whom, when and on what legal grounds they were disclosed. This information must be stored together with the data on a data subject for the entire storage period.

                  

Article 19 – Filing system catalogue

1. A data controller shall be obliged to keep a filing system catalogue for each filing system and to register the following information:

a) the name of a filing system

b) the names and addresses of a data controller and a data processor, place of storing and/or processing of data

c) the legal grounds for data processing

d) the category of a data subject

e) the category of data in a filing system

f) the purpose of data processing

g) the period for data storage

h) the fact and grounds for the restriction of a right of a data subject

i) the recipient of data stored in a filing system, and their categories

j) the information on the transborder flows of data and transmission of data to international organisation, and the legal grounds for the transfer

k) the general description of the procedure established to ensure data security.

11. The State Inspector Service shall be obliged to maintain the register of filing system catalogues. This register shall include the information provided for by paragraph 1 of this article. The information entered into the register of filing system catalogues is public. The State Inspector Service shall ensure the publication of this information in accordance with the procedure established by the State Inspector.

2. A data controller shall be obliged to ensure that the information under paragraph 1 of this article is regularly updated.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

                  

Article 20 – Obligation to notify the State Inspector Service

1. A data controller shall be obliged, before creation of a filing system and entry of a new category of data therein, to notify the State Inspector Service, in writing or electronically, of the information required under Article 19 of this Law.

2. A data controller shall be obliged to notify the State Inspector Service of any alteration made to the information under Article 19 of this Law not later than 30 days after the alteration.

3. One copy of a court ruling on issuance of a permit or refusal to issue a permit to conduct a covert investigative action requested by a law enforcement body, which contains only the details and the resolution part, as well as one copy of a court ruling on recognition as lawful or unlawful of a covert investigative action conducted by a law enforcement body without court permission, which contains only the details and the resolution part, shall be submitted to the State Inspector Service in accordance with the procedure established by the Criminal Procedure Code of Georgia.

4. An electronic communications company shall notify the State Inspector Service of the transfer to a law enforcement body of identification data of electronic communication in accordance with the procedure established by Article 136 of the Criminal Procedure Code of Georgia within 24 hours after the transfer.

5. In the case of urgent necessity the prosecutor’s decree on conducting covert investigative action which contains only the details and the resolution part shall be submitted to the State Inspector Service no later than 12 hours (indicated in the ordinance) after the beginning of the covert investigative action by the prosecutor or the investigator on behalf of the prosecutor as a tangible document.

6. The electronic copy of a court ruling on issuance of a permit for conducting covert investigative action provided for by Article 1431(1)(a) of the Criminal Procedure Code of Georgia which contains only the details and the resolution part, also the electronic copy of the prosecutor’s decree on conducting covert investigative action which contains only the details and the resolution part shall be submitted to the State Inspector Service directly after receiving by the Agency.

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 479 of 22 March 2017 – website, 27.3.2017

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Chapter IV – Rights of Data Subjects

         

Article 21 – Right of data subjects to request information

1. A data subject shall have the right to request information from a data processor on processing of his/her data. The data processor must provide the data subject with the following information:

a) which personal data are being processed;

b) the purpose of data processing;

c) the legal grounds for data processing;

d) the ways in which the data were collected;

e) to whom his/her personal data were disclosed, and the grounds and purpose of the disclosure.

2. Provision of the data specified in paragraph 1(e) of this article, to a data subject shall not be mandatory if the data are public under law.

3. A data subject must be provided with the information under paragraph 1 of this article upon request immediately or not later than 10 days after the request if for responding to the information request it is required to:

a) retrieve and process the information at another institution or structural unit or consult with either one;

b) retrieve and process voluminous documents not linked to each other;

c) consult with its structural unit located in another populated place, or with other public agency.

4. A data subject shall opt for the way in which the information under paragraph 1 of this article is provided to him/her.

5. A person shall have the right to review his/her personal data kept at a public institution and obtain copies of the data for free, except for information when payment of a fee is required under the legislation of Georgia to issue it.

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

         

Article 22 – The right of data subjects to request for correction, update, addition, blocking, deletion and destruction of data

1. When requested by a data subject, a data controller shall be obliged to correct, update, add, block, delete, or destroy data if the data are incomplete, inaccurate, not updated, or were illegally collected and processed.

2. A data controller must inform all data recipients of correction, update, addition, blocking, deletion, and destruction of the data, except when provision of this information is impossible due to large number of data recipients or disproportionately high costs. The State Inspector Service shall be notified of the latter circumstance.

3. If information is received in accordance with paragraph 2 of this article, the recipient party shall be obliged to correct, update, add, block, delete, or destroy the data, respectively.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Article 23 – Procedure for correction, update, addition, blocking, deletion and destruction of data

1. A request under Article 22(1) of this Law shall be submitted either in writing, orally or by electronic means.

2. Within 15 days after the request of a data subject is received, a data processor shall be obliged to correct, update, add, block, delete or destroy the data or inform the data subject of the grounds for refusal.

3. If a data processor, without a request from a data subject, considers on its own that the data at his/her disposal are incomplete, inaccurate, or not updated, the data processor shall correct or update the data accordingly and inform the data subject.

4. After a data subject submits a request under Article 22(1) of this Law, a data processor shall have the right to block the data based on the applicant's request.

5. A decision to block data shall be made within three days after an appropriate request is submitted and shall be valid until a data controller decides to correct, update, add, delete or destroy the data.

6. The decision to block data shall be attached to the relevant data for as long as the reason of blocking the data exists.

         

Article 24 – Limitation of rights of data subjects

1. The rights of a data subject under Articles 15, 21 and 22 of this Law may be limited by the legislation of Georgia if the exercise of these rights endangers:

a) the interests of State security and defence

b) the interests of public security

c) crime detection, investigation and prevention

d) significant financial and economic interests of the country (including those related to monetary, budgetary and taxation issues)

e) the rights and freedoms of a data subject and others.

2. A measure under paragraph 1 of this article may be applied only to the extent necessary to achieve the intent of the limitation.

3. If the grounds in paragraph 1 of this article exist, the decision of a data controller or the State Inspector Service must be provided to a data subject without prejudice to the intent of the limitation of a right.

Law of Georgia No 2765 of 29 June 2018 – website, 19.7.2018

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Article 25 – Withdrawal of consent

1. A data subject shall have the right to, at any time and without explanation, withdraw his/her consent given and to request that the data processing be stopped and/or the processed data be destroyed.

2. A data controller shall be obliged to stop the data processing and/or destroy the processed data according to the request of a data subject within five days after the application is submitted, unless there are other grounds to process data.

3. This Article shall not apply to information that is related to fulfilment of a data subject’s financial obligations and processed with his/her consent.

         

Article 26 – Right to appeal

1. If the rights under this Law are violated, a data subject shall have the right to apply to the State Inspector Service or to the court under procedures determined by law, and if a data controller is a public institution, he/she may also submit an appeal to the same or senior administrative body. The State Inspector shall review the application of the data subject in accordance with the procedure established by this Law, the Law of Georgia on the State Inspector Service and normative acts issued by the State Inspector.

2. A data subject shall have the right to require from a body considering the case to block data until a decision is made.

3. A data subject shall have right to appeal the decision of a higher administrative body or the Personal Data Protection Inspector to the court under procedures determined by law.

3. A data subject shall have right to appeal the decision of a higher administrative body or the State Inspector Service to the court under procedures determined by law.

4. In case of a dispute with respect to the existence of a data subject’s consent to process data, a data processor shall carry the burden of proof for the existence of the data subject's consent.
Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Article 261 – (deleted)

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 479 of 22 March 2017 – website, 27.3.2017

         

Chapter V – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 27 – (Deleted)

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 28 – (Deleted)

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 29 – (Deleted)

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Article 30 – (Deleted)

Law of Georgia No 6325 of 25 May 2012 – website, 12.6.2012

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3350 of 20 March 2015 – website, 31.3.2015

Law of Georgia No 3879 of 6 December 2018 – website, 14.12.2018

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 31 – (Deleted)

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 32 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 33 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 34 – (Deleted)

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 35 – (Deleted)

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 351 – (Deleted)

Law of Georgia No 2869 of 30 November 2014 – website, 30.11.2014

Law of Georgia No 3940 of 8 July 2015 – website, 15.7.2015

Law of Georgia No 479 of 22 March 2017 – website, 27.3.2017

Law of Georgia No 3300 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 36 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 37 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 38 – (Deleted)

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 39 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 2636 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Article 40 – (Deleted)

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

                  

Chapter VI – Transfer of Data to Other States and International Organisations

                  

Article 41 – Data transfer to other states and international organisations

1. Data may be transferred to other states and international organisations if there are grounds for data processing under this Law and if appropriate data protection guarantees are provided by the respective state or international organisation.

2. Data may also be transferred to other states and international organisations, except for paragraph 1 of this article, if:

a) the data transfer is part of a treaty or an international agreement of Georgia;

b) a data processor provides appropriate guarantees for protection of data and of fundamental rights of a data subject on the basis of an agreement between a data processor and the respective state, a natural or legal person of this state or an international organisation.

3. Data may be transferred under paragraph 2(b) of this article only with permission of the State Inspector Service.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

                  

Article 42 – Establishing appropriate guarantees for data protection

The State Inspector Service shall assess the presence of appropriate guarantees for data protection in other states and/or international organisations, and make a decision on the basis of analysis of the legislation regulating data processing and the practice.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

         

Chapter VII – Administrative Liability for Violation of this Law

 

Article 43 – Data processing without the grounds under this Law

1. Data processing without the grounds under this Law shall result in a warning or a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

         

Article 44 – Violation of principles of data processing

1. Violation of principles of data processing under this Law shall result in a warning or a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

 

Article 45 – Processing of special category data without the grounds under this Law

1. Processing of special category data without the grounds under this Law shall result in a fine of GEL 1 000.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 5 000.

 

                  

Article 46 – Failure to comply with data protection requirements

1. Failure to comply with data protection requirements established by this Law shall result in a warning or a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for the violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

                  

Article 47 – Using data for direct marketing purposes in violation of the rules under this Law

1. Using data for direct marketing purposes in violation of the rules under this Law shall result in a fine of GEL 3 000.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 10 000.

                  

Article 48 – Violation of video surveillance rules

1. Violation of video surveillance rules under this Law shall result in a warning or a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

 

Article 49 – Violation of rules for processing the building entry/exit data of public and private institutions

Violation of rules under this Law for processing of the building entry/exit data of public and private institutions shall result in a warning or a fine of GEL 100.

                  

Article 50 – Violation of rules for notification of the data subject by the data processor

1. Violation of rules under this Law for notification of a data subject by a data controller shall result in a warning or a fine of GEL 100.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 500.

                  

Article 51 – Assignment of data processing to the data processor by the data controller in violation of rules

1. Assignment of data processing to a data processor by a data controller in violation of rules under this Law shall result in a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

                  

Article 52 – Violation of rules under Article 16 of this Law by the data processor

1. Violation of rules under Article 16 of this Law by a data processor shall result in a fine of GEL 1 000.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 3 000.

         

Article 521 – Violation of rules for data transfer to another state and international organisation

1. Transfer of data in violation of rules established under Article 41 of this Law shall result in a fine of GEL 1 000.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 3 000.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

 

Article 53 – Failure to fulfil requirements of the State Inspector Service

1. Violation of the rule for submitting information and documents to the State Inspector Service by a data controller or a data processor, including the failure to provide the information under Article 10 of this Law and to fulfil the notification obligation under Article 20 of this Law shall result in a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

                  

Article 54 – Violation of other rules related to data processing

1. Violation of the rule under Article 3(11) of this Law shall result in a fine of GEL 500.

2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for a violation under paragraph 1 of this article shall result in a fine of GEL 2 000.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

         

Article 55 – Consideration of administrative proceedings

1. The State Inspector Service shall have the right to consider administrative proceedings under Articles 43-54 of this Law and to impose administrative penalties.

2. A person authorised for this purpose by the State Inspector Service shall draw up an administrative offence report.

3. A person authorised by the State Inspector Service shall draw up an administrative offence report and review a case of an administrative offence in accordance with the procedures established by the Administrative Offences Code of Georgia, by the Law of Georgia on the State Inspector Service and the normative acts issued by the State Inspector.

Law of Georgia No 3274 of 21 July 2018 – website, 9.8.2018

Law of Georgia No 4253 of 27 December 2018 – website, 29.12.2018

Law of Georgia No 4597 of 8 May 2019 – website, 8.5.2019

 

Chapter VII1 – Transitional Provisions

Law of Georgia No 2869 of 30 November 2014 – website, 30.11.2014


Article 551 – Transitional provisions

The Ministry of Internal Affairs of Georgia shall, before 31 March 2015, ensure the implementation of technical and organisational measures necessary for the operation of a special data bank electronic control system and the development of appropriate software.

Law of Georgia No 2869 of 30 November 2014 – website, 30.11.2014

 

Chapter VIII – Final Provisions

                  

Article 56 – Entry of the Law into force

1. This Law, except for Articles 43–55 of this Law, shall enter into force from 1 May 2012.

2. Articles 43–55 of this Law shall enter into force from 1 January 2013.

3. Articles 34, 35 and 39 of this Law shall become valid for private sector from 1 November 2014.

Law of Georgia No 2639 of 1 August 2014 – website, 18.8.2014

 

 

President of Georgia                                                                     M. Saakashvili

 

Tbilisi

28 December 2011

No 5669 - რს

33. 30/11/2023 - Law of Georgia - 3819-XIIIმს-Xმპ - Website, 19/12/2023 32. 30/11/2023 - Law of Georgia - 3818-XIIIმს-Xმპ - Website, 19/12/2023 31. 21/09/2023 - Law of Georgia - 3527-XIIIმს-Xმპ - Website, 12/10/2023 30. 14/06/2023 - Law of Georgia - 3144-XIმს-Xმპ - Website, 03/07/2023 29. 13/06/2023 - Law of Georgia - 3130-XIმს-Xმპ - Website, 27/06/2023 28. 13/06/2023 - Law of Georgia - 3121-XIმს-Xმპ - Website, 27/06/2023 27. 31/05/2023 - Law of Georgia - 2996-XIმს-Xმპ - Website, 13/06/2023 26. 17/05/2023 - Law of Georgia - 2925-XIმს-Xმპ - Website, 25/05/2023 25. 09/02/2023 - Law of Georgia - 2558-XIმს-Xმპ - Website, 27/02/2023 24. 30/11/2022 - Law of Georgia - 2199-IXმს-Xმპ - Website, 15/12/2022 23. 30/12/2021 - Law of Georgia - 1313-VIIრს-Xმპ - Website, 13/01/2022 22. 29/11/2019 - Law of Georgia - 5403-Iს - Website, 10/12/2019 21. 20/09/2019 - Law of Georgia - 5031-Iს - Website, 01/10/2019 20. 07/06/2019 - Decision of the Constitutional Court - 1/4/693,857 - Website, 12/06/2019 19. 08/05/2019 - Law of Georgia - 4597-რს - Website, 08/05/2019 18. 26/12/2018 - Law of Georgia - 4145-რს - Website, 10/01/2019 17. 27/12/2018 - Law of Georgia - 4253-რს - Website, 29/12/2018 16. 06/12/2018 - Law of Georgia - 3879-რს - Website, 14/12/2018 15. 20/09/2018 - Law of Georgia - 3451-Iს - Website, 09/10/2018 14. 21/07/2018 - Law of Georgia - 3300-რს - Website, 09/08/2018 13. 21/07/2018 - Law of Georgia - 3274-რს - Website, 09/08/2018 12. 29/06/2018 - Law of Georgia - 2765-IIს - Website, 19/07/2018 11. 21/04/2017 - Law of Georgia - 669-IIს - Website, 03/05/2017 10. 22/03/2017 - Law of Georgia - 479-IIს - Website, 27/03/2017 - Amendment contains transitional provision 9. 01/12/2016 - Law of Georgia - 54-Iს - Website, 15/12/2016 8. 27/04/2016 - Law of Georgia - 5017-IIს - Website, 13/05/2016 7. 08/07/2015 - Law of Georgia - 3940-რს - Website, 15/07/2015 6. 01/05/2015 - Law of Georgia - 3534-IIს - Website, 18/05/2015 5. 20/03/2015 - Law of Georgia - 3350-IIს - Website, 31/03/2015 4. 30/11/2014 - Law of Georgia - 2869-Iს - Website, 30/11/2014 3. 01/08/2014 - Law of Georgia - 2639-რს - Website, 18/08/2014 2. 01/08/2014 - Law of Georgia - 2636-რს - Website, 18/08/2014 1. 25/05/2012 - Law of Georgia - 6325-Iს - Website, 12/06/2012