
Data Protection & Privacy in Georgia

Georgia has enacted a dedicated personal data protection law that draws heavily on European principles, creating a compliance environment that international businesses cannot afford to ignore. The Law of Georgia on Personal Data Protection establishes obligations around consent, data subject rights, cross-border transfers, and breach notification that apply to any entity processing Georgian residents' data. For foreign companies operating in or entering the Georgian market, the framework presents both manageable compliance tasks and genuine legal risk if ignored. This article covers the legal architecture, key obligations, enforcement mechanisms, cross-border transfer rules, and practical strategies for structuring a defensible privacy programme in Georgia.

The legal framework governing data protection in Georgia

Georgia's primary instrument is the Law of Georgia on Personal Data Protection (hereinafter the Data Protection Law), which was substantially amended to bring it closer to the General Data Protection Regulation (GDPR) model. The law defines personal data broadly as any information relating to an identified or identifiable natural person, a definition that mirrors Article 4 of the GDPR. Special categories of sensitive data - including health information, biometric data, racial or ethnic origin, religious beliefs, and data on criminal convictions - attract a higher standard of protection under the same law.

The supervisory authority responsible for enforcement is the Personal Data Protection Service (PDPS), an independent state body established under the Data Protection Law. The PDPS has powers to conduct inspections, issue binding instructions, impose administrative sanctions, and publish findings. Its jurisdiction extends to both public bodies and private entities, including foreign companies that process data of Georgian residents regardless of where the processing takes place.

The ordinary courts retain jurisdiction over disputes between data subjects and controllers where the PDPS route has been exhausted or where civil damages are sought; the Constitutional Court of Georgia does not hear such disputes, but may review the constitutionality of the Data Protection Law itself or of the acts adopted under it. The Civil Code of Georgia provides a supplementary basis for compensation claims where unlawful processing causes harm to a data subject's dignity, reputation, or financial interests.

Secondary legislation and PDPS guidelines flesh out the practical requirements. The PDPS has issued guidance on consent mechanisms, data security standards, and the appointment of data protection officers. These guidelines do not carry the force of statute but are treated as authoritative interpretations by courts and the PDPS itself in enforcement proceedings.

A non-obvious risk for international clients is the territorial scope. The Data Protection Law applies not only to controllers established in Georgia but also to those established outside Georgia when they process data of persons residing in Georgia, particularly where the processing relates to offering goods or services to those persons or monitoring their behaviour. This extraterritorial reach is analogous to Article 3 of the GDPR and means that a company with no Georgian office can still face PDPS scrutiny.

Lawful bases for processing and consent requirements in Georgia

Under the Data Protection Law, processing of personal data is lawful only when it rests on one of the recognised legal bases. These bases include the data subject's consent, performance of a contract to which the data subject is a party, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and the legitimate interests of the controller or a third party, provided those interests are not overridden by the data subject's rights.

Consent in Georgia must be freely given, specific, informed, and unambiguous. The Data Protection Law requires that consent be expressed through a clear affirmative action - a pre-ticked box or silence does not satisfy the standard. Controllers must be able to demonstrate that consent was obtained, which in practice means maintaining records of when, how, and for what purpose consent was collected. Withdrawal of consent must be as easy as giving it, and withdrawal does not affect the lawfulness of processing carried out before withdrawal.

For special categories of data, the bar is higher. Processing sensitive data requires explicit consent or one of the narrowly defined exceptions set out in the Data Protection Law, such as processing necessary for employment law obligations, protection of vital interests where the data subject is incapable of giving consent, or processing by a not-for-profit body in the context of its legitimate activities. Controllers relying on exceptions rather than consent bear the burden of documenting the applicable exception clearly.

A common mistake made by international clients is importing consent language drafted for GDPR compliance without adapting it to Georgian procedural requirements. While the substantive standard is similar, the PDPS expects consent records to be maintained in a format accessible to Georgian-language inspectors, and consent forms that reference only EU law or EU supervisory authorities may be treated as non-compliant during an inspection.

In practice, the legitimate interests basis, while available, is not a default fallback. The Data Protection Law requires a genuine balancing exercise, and the PDPS has signalled in its guidance that controllers must document this balancing in writing. Relying on legitimate interests without a documented assessment leaves the controller exposed: a data subject complaint will typically prompt the PDPS to ask for the assessment, and an absent or after-the-fact document is itself evidence that no balancing took place.

To receive a checklist on lawful bases and consent documentation for Georgia, send a request to info@vlo.com.

Data subject rights and controller obligations

The Data Protection Law grants Georgian residents a set of rights that closely track those in the GDPR. Data subjects may request access to their personal data, rectification of inaccurate data, erasure in defined circumstances, restriction of processing, and portability of data provided in a structured, commonly used, machine-readable format. They also have the right to object to processing based on legitimate interests or carried out for direct marketing purposes.

Controllers must respond to access requests within 10 calendar days of receipt. Where the request is complex or numerous, this period may be extended by a further 20 days, but the controller must notify the data subject of the extension and the reasons within the initial 10-day window. Failure to respond within the statutory period is itself a ground for a PDPS complaint and can trigger an inspection.

The right to erasure - sometimes called the right to be forgotten - applies where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn and there is no other lawful basis, or where the data has been processed unlawfully. Controllers must assess erasure requests carefully because the right is not absolute: it does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.

Controllers are required to maintain records of processing activities. The Data Protection Law, read alongside PDPS guidance, requires these records to include the identity and contact details of the controller, the purposes of processing, a description of categories of data subjects and personal data, recipients of the data, and, where applicable, details of transfers to third countries. Small organisations processing only occasional, low-risk data may qualify for a lighter record-keeping obligation, but the threshold is interpreted narrowly.

Privacy notices must be provided to data subjects at the time of collection. The notice must cover the identity of the controller, the purposes and legal basis for processing, the recipients or categories of recipients, the retention period, and the data subject's rights including the right to lodge a complaint with the PDPS. A non-obvious risk is that notices drafted in English only may be considered insufficient where the data subjects are Georgian residents who primarily use Georgian. The PDPS has not issued a blanket rule requiring Georgian-language notices, but in enforcement proceedings, language accessibility has been raised as a factor.

Cross-border data transfers from Georgia

Cross-border transfer of personal data is one of the most practically significant issues for international businesses operating in Georgia. The Data Protection Law permits transfers to countries that the PDPS has recognised as providing an adequate level of protection. The EU member states and countries with EU adequacy decisions are generally treated as adequate destinations, but controllers should verify the current PDPS list rather than assuming equivalence.

Where the destination country is not on the adequate list, transfers are permitted only on the basis of appropriate safeguards. These safeguards include standard contractual clauses approved or recognised by the PDPS, binding corporate rules for intra-group transfers, or specific derogations such as the data subject's explicit consent to the transfer after being informed of the risks, or the transfer being necessary for the performance of a contract with the data subject.

Standard contractual clauses used in Georgia should ideally be adapted from the PDPS-recognised templates rather than imported directly from EU Commission decisions, although in practice the PDPS has accepted EU-model clauses where the parties have documented their applicability to Georgian law. Controllers relying on binding corporate rules must submit them to the PDPS for approval before relying on them as a transfer mechanism, a process that can take several months.

A common mistake is treating data transfers to cloud service providers as routine operational matters rather than cross-border transfers requiring a legal basis. What matters is where the data is actually stored and processed, not where the provider is headquartered: where a Georgian company stores personal data on servers located outside Georgia, the transfer rules apply even if the provider is a Georgian company. Controllers must identify the server locations (including backup and support locations) of all major processors and document the transfer mechanism for each.

The derogation for explicit consent to transfers is available but should not be used as a primary mechanism for routine transfers. The PDPS guidance indicates that consent-based transfers are appropriate for occasional, one-off situations rather than systematic processing. Relying on consent for all cross-border transfers creates a compliance fragility: if consent is withdrawn, the transfer must stop immediately, which can disrupt business operations.

To receive a checklist on cross-border data transfer compliance for Georgia, send a request to info@vlo.com.

Data breach notification and security obligations

The Data Protection Law imposes mandatory breach notification obligations on controllers. Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify the PDPS without undue delay and, where feasible, within 72 hours of becoming aware of the breach. This 72-hour window mirrors the GDPR standard and is treated strictly by the PDPS.

The notification to the PDPS must include a description of the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address it. Where the notification cannot be made within 72 hours, the controller must provide the reasons for the delay alongside the notification.

Where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the controller must also notify the data subjects directly without undue delay. The notification must describe the nature of the breach in plain language and provide the contact details of the data protection officer or other contact point, the likely consequences, and the measures taken to address the breach and mitigate its effects.

Controllers must implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The Data Protection Law does not prescribe specific technical standards, but the PDPS guidance references encryption, pseudonymisation, access controls, and regular security testing as baseline expectations. The adequacy of security measures is assessed relative to the nature, scope, context, and purposes of processing and the risks to data subjects.

A practical scenario illustrating the stakes: a Georgian fintech company suffers a breach affecting payment card data of several thousand customers. The company's incident response plan was drafted for EU operations and does not reference the PDPS. The 72-hour window passes before the PDPS is notified because internal escalation procedures were unclear. The PDPS opens an investigation and treats the inadequate security measures that allowed the breach and the delayed notification as two separate violations, then issues a binding instruction requiring a full security audit at the company's expense alongside an administrative fine. The cost of the audit and remediation significantly exceeds what a properly structured incident response programme, with the PDPS named as a notification recipient and a clear escalation path, would have cost.

Processors - entities that process data on behalf of a controller - must notify the controller of a breach without undue delay after becoming aware of it, to allow the controller to meet its 72-hour obligation. Contracts between controllers and processors must address this obligation explicitly. A non-obvious risk is that many standard processor agreements used in international transactions do not contain breach notification timelines aligned with Georgian law, leaving the controller exposed.

Appointment and role of the data protection officer in Georgia

The Data Protection Law requires certain categories of controllers and processors to appoint a data protection officer (DPO). The obligation applies where the core activities of the controller or processor consist of processing operations that, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of processing special categories of data or data relating to criminal convictions on a large scale.

The DPO must have expert knowledge of data protection law and practice. The Data Protection Law does not specify a formal qualification requirement, but the PDPS expects the DPO to be capable of advising on compliance, monitoring adherence to the law, cooperating with the PDPS, and acting as a contact point for data subjects. The DPO may be an employee or an external service provider. Where a group of companies is involved, a single DPO may be appointed for the group provided the DPO is easily accessible from each entity.

Controllers and processors must publish the contact details of the DPO and communicate them to the PDPS. The DPO must be involved in all matters relating to the protection of personal data and must not receive instructions regarding the exercise of their tasks. The controller must ensure that the DPO does not suffer any penalty for performing their tasks, a protection that mirrors Article 38 of the GDPR.

Many international businesses operating in Georgia underappreciate the DPO requirement. A company that processes health data of Georgian employees, or that operates a platform monitoring the online behaviour of Georgian users at scale, is likely required to appoint a DPO regardless of whether it has a Georgian legal entity. Failure to appoint a DPO where required is a standalone violation that the PDPS can cite independently of any other compliance failure.

The DPO role can be outsourced to an external law firm or specialist provider, which is often the most cost-effective solution for companies without a large Georgian operation. The outsourced DPO must still have genuine access to the controller's processing activities and must be able to fulfil the statutory functions independently. A nominal appointment without substantive involvement does not satisfy the requirement and creates additional risk if the PDPS investigates.

Enforcement, sanctions, and practical risk management

The PDPS has authority to conduct both planned and unannounced inspections of controllers and processors. Inspections may be triggered by a data subject complaint, a reported breach, media coverage, or the PDPS's own risk-based selection criteria. During an inspection, the PDPS may require access to processing systems, records of processing activities, consent documentation, data transfer agreements, and security assessments.

Administrative sanctions under the Data Protection Law are tiered by severity. Minor violations - such as failure to maintain adequate records or failure to appoint a DPO - attract lower-tier fines. Serious violations - such as unlawful processing of special categories of data, failure to notify a breach, or unlawful cross-border transfers - attract higher-tier sanctions. The PDPS may also issue binding instructions requiring the controller to bring processing into compliance within a specified period, suspend processing, or delete unlawfully processed data.

Beyond administrative sanctions, data subjects may bring civil claims for damages caused by unlawful processing. Georgian courts have jurisdiction over such claims, and the Civil Code of Georgia provides a basis for both material and non-material damages. The risk of civil litigation is lower than in some EU jurisdictions but is increasing as awareness of data rights grows among Georgian consumers and employees.

Three practical scenarios illustrate the range of enforcement risk:

  • A foreign e-commerce company sells goods to Georgian customers and collects their personal data without a Georgian-law-compliant privacy notice. A customer complains to the PDPS. The PDPS issues a binding instruction and a fine. The company must also retroactively notify all affected customers, which triggers further reputational cost.
  • A Georgian bank transfers employee data to its parent company in a non-adequate country without standard contractual clauses. The PDPS discovers the transfer during a routine inspection. The bank is required to suspend the transfer, negotiate and execute appropriate clauses, and submit them to the PDPS within 30 days. The legal and operational cost of emergency remediation is several times higher than proactive structuring would have been.
  • A technology startup processes biometric data of users for identity verification without explicit consent and without a DPO. A competitor files a complaint with the PDPS. The PDPS finds three concurrent violations: unlawful processing of special categories, absence of a DPO, and inadequate security measures. The cumulative sanctions and mandatory remediation programme effectively delay the company's product launch by several months.

The cost of non-specialist mistakes in this jurisdiction is particularly high because the PDPS treats concurrent violations as separate grounds for sanction rather than aggregating them into a single finding. A company that has multiple compliance gaps faces multiple parallel enforcement tracks.

We can help build a compliance strategy tailored to your operations in Georgia. Contact info@vlo.com to discuss your specific situation.

FAQ

What is the most significant practical risk for a foreign company processing Georgian residents' data without a local presence?

The extraterritorial scope of the Data Protection Law means the PDPS can investigate and sanction a foreign company even without a Georgian office or legal entity. The most immediate practical risk is a PDPS investigation triggered by a data subject complaint, which can result in binding instructions, fines, and mandatory suspension of processing. Foreign companies often underestimate this exposure because they assume Georgian law applies only to locally registered entities. Engaging Georgian legal counsel before entering the market is the most effective way to assess and manage this risk.

How long does a PDPS investigation typically take, and what are the financial consequences of non-compliance?

A PDPS investigation following a complaint or breach notification typically proceeds over several weeks to a few months, depending on the complexity of the case and the controller's cooperation. The financial consequences include administrative fines, which vary by severity of violation, plus the cost of mandatory remediation measures such as security audits, system changes, and retroactive data subject notifications. Legal fees for responding to a PDPS investigation generally start from the low thousands of USD. The total cost of a contested enforcement proceeding, including appeals against the PDPS decision through the courts, can reach the mid-to-high tens of thousands of USD, making proactive compliance significantly more economical.

When should a company appoint an external DPO rather than an internal one, and what are the key differences?

An external DPO is generally preferable for companies with a limited Georgian operation, where the volume of processing does not justify a full-time internal hire, or where the company needs the DPO to be visibly independent from management. The key practical difference is that an external DPO brings specialist knowledge and can be engaged on a retainer basis, reducing fixed costs. The limitation is that an external DPO must have genuine access to processing activities and cannot be a purely nominal appointment. Companies should ensure the DPO engagement agreement specifies the scope of access, reporting lines, and the DPO's right to act independently, to satisfy PDPS requirements.

Conclusion

Georgia's data protection framework is substantive, actively enforced, and increasingly aligned with EU standards. International businesses must treat it as a genuine compliance obligation rather than a formality. The key action areas are establishing lawful bases for all processing, implementing GDPR-equivalent consent mechanisms adapted to Georgian requirements, structuring cross-border transfers on documented legal grounds, building a 72-hour breach response capability, and appointing a DPO where required. Proactive compliance is materially cheaper than reactive remediation after a PDPS investigation.

Our law firm Vetrov & Partners has experience supporting clients in Georgia on data protection and privacy matters. We can assist with compliance audits, DPO services, cross-border transfer structuring, breach response, and PDPS investigation defence. To receive a consultation, contact: info@vlo.com.

To receive a checklist on building a complete data protection compliance programme for Georgia, send a request to info@vlo.com.