On Determining the Category of Controllers and Processors Who Are Not Obliged to Appoint or Designate a Personal Data Protection Officer | |
---|---|
Document number | 22 |
Document issuer | Head of the Personal Data Protection Service |
Date of issuing | 28/02/2024 |
Document type | Order of the Head of the Personal Data Protection Service |
Source and date of publishing | Website, 28/02/2024 |
Activating Date | 01/06/2024 |
Registration code | 010100000.78.091.016023 |
Order No 22
of 28 February 2024
of the Head of the Personal Data Protection Service
Tbilisi
On Determining the Category of Controllers and Processors Who Are Not Obliged to Appoint or Designate a Personal Data Protection Officer
In accordance with Article 33, Article 88(4)(c) and Article 90(3) of the Law of Georgia on Personal Data Protection, I hereby order:
Article 1
The annexed category of controllers and processors who are not obliged to appoint or designate a personal data protection officer shall be approved.
Article 2
This Order shall enter into force on 1 June 2024.
Head of the Personal Data Protection Service Lela Janashvili
Category of Controllers and Processors Who Are Not Obliged to Appoint or Designate a Personal Data Protection Officer
Article 1 – General Provisions
1. This Act aims at determining the category of controllers and processors who are not obliged to appoint or designate a personal data protection officer.
2. When determining the category provided for by paragraph 1 of this article, the head of the Personal Data Protection Service shall take into consideration the criteria established by Article 33(1) of the Law of Georgia on Personal Data Protection.
Article 2 – Terms
The terms used in this Act shall have the meanings as provided for by the Law of Georgia on Personal Data Protection.
Article 3 – Category of persons who are not obliged to appoint or designate a personal data protection officer
1. The appointment/designation of a personal data protection officer shall not be the responsibility of controllers/processors who meet the following conditions simultaneously:
a) they are not a public institution, insurance organisation, commercial bank, microfinance organisation, credit bureau, electronic communication company, airline, airport, medical institution;
b) they process personal data of the following amount of data subjects:
b.a) not more than 3% of the population of Georgia, which shall be calculated according to the latest results of the general census of population;
b.b) the personal data of a special category of not more than 1% of the population of Georgia, which shall be calculated according to the latest results of the general census of population;
c) they do not carry out systematic and large-scale monitoring of the behaviour of data subjects.
2. An institution carrying out activities as provided for by Article 2(2)(b) of the Law of Georgia on Personal Data Protection shall not be obliged to appoint/designate a data protection officer where he/she processes data in the context of the activities under the same subparagraph.
3. For the purposes of this article, employees of controllers/processors, regardless of their number, shall not be considered as data subjects.
Article 4 – Systematic and large-scale monitoring of the behaviour of data subjects
1. For the purposes of this Act, the following activities shall be considered as systematic and large-scale monitoring of the behaviour of data subjects:
a) the surveillance of online activity (so-called ‘tracking’ where the data subject will be registered in advance (creation/activation of a user));
b) profiling or scoring for the purpose of risk assessment;
c) the monitoring of the behaviour of children, pupils, vocational students/trainees and students by an early education and/or pre-school education institution, a general education institution, a vocational educational institution, a legal entity authorised to carry out vocational training/vocational retraining, a higher educational institution;
d) behavioural advertising based on personal data.
2. In addition to the list provided for by paragraph 1 of this article, systematic and large-scale monitoring of the behaviour of data subjects may be carried out by other activities as well, in the process of the assessment of systematic and large-scale nature of which the controller/processor shall be guided by the criteria listed in paragraphs 3 and 4 of this article.
3. When assessing the systematic nature of monitoring, the following shall be considered:
a) the frequency of data processing, its continuity and periodically repetitive nature;
b) the premeditated and organised nature of data processing and its consistency;
c) whether or not data processing is a part of the main activities of a controller/processor.
4. For the purposes of this Act, the following shall be considered when assessing the extent of the monitoring of the behaviour of data subjects:
a) the quantity of data subjects;
b) the amount of the processed data and/or the types of the processed data;
c) the duration of the process of data processing;
d) the geographical coverage of the process of data processing.
5. For the purposes of this article, data processing within the context of the video monitoring of an administrative area/workplace or an auxiliary infrastructure of a controller/processor shall not be considered as a systematic and large-scale monitoring of data subjects, except for data processing by means of so-called ‘smart cameras’.
Article 5 – Voluntary appointment of a personal data protection officer
A controller/processor who is not obliged to appoint/designate a personal data protection officer but appoints/designates a personal data protection officer voluntarily shall undertake all the responsibilities related to the appointment/designation of a personal data protection officer provided for by the Law of Georgia on Personal Data Protection.