The Parliament of Georgia recently adopted the new Law of Georgia on Personal Data Protection (the New PDP Law or the New Law). The New PDP Law contributes to Georgia’s fulfillment of its international obligations and brings the existing legislation in the field of personal data protection closer to European standards. The New Law entered into force on 1 March 2024.
The New PDP Law introduces several novel amendments that controllers and/or data processors (the Controller and/or Processor) should consider. The Personal Data Protection Service (the Service), an independent state authority, is responsible for monitoring compliance with the New PDP Law.
Novel Grounds of Data Processing
The New Law introduces additional legal grounds for permissible data processing, such as contractual necessity, protection of important public interests, or investigative purposes. Based on these novel grounds, data processing is considered permissible when it is necessary for the performance or conclusion of an agreement with the data subject, or is carried out at the explicit request of the data subject. According to the New Law, data processing is also permissible when necessary to perform tasks falling within the scope of the public interest as defined by Georgian legislation. These include activities related to crime prevention, investigation, prosecution, administration of justice, detention and imprisonment, non-custodial sentences and probation, operative and investigative activities, safeguarding public safety, and protection of the rule of law, including information security and cyber security.
New Rules Related to Consent of the Data Subject
The New Law sets out specific requirements for obtaining the consent of the data subject. If the Processor plans to obtain the consent of the data subject through a document that also covers other issues, the Processor is obliged to separate the written consent form from the other parts of the document and to formulate it in clear, simple, and comprehensible language. Also, if consent is given within the scope of an agreement, it should be evaluated whether this consent is a necessary condition of the agreement and whether it is possible to receive the relevant service without it. As for the processing of special category data (such as data on, or connected to, a person’s racial or ethnic origin, political views, religious or philosophical beliefs, membership of professional organizations, state of health, sexual life, criminal history and others), such data may be processed on the basis of the written consent of the data subject or on the other enumerated grounds for processing special categories of data set out in the New PDP Law.
Technical and Organizational Measures to Ensure Data Security
The Processor is obliged to take appropriate technical and organizational measures to ensure that data is processed in accordance with the New PDP Law. Such measures should adequately protect the data, including against unauthorized or illegal processing, accidental loss, destruction and/or damage. The Processor must ensure that technical and organizational measures are in place so that, by default, only the amount of data necessary for the specific purpose of the processing is processed automatically. These measures should be applied in such a way that, unless a permitted alternative approach is chosen, an indefinite number of persons is automatically granted access to no more than the minimum amount of data. Furthermore, the technical and organizational measures should be periodically updated according to the categories, volume, purpose, form and means of data processing and the possible threats of violation of the data subject’s rights.
New Rules related to Direct Marketing
Under the New Law, where personal data is processed for direct marketing purposes, obtaining the written consent of the data subject is mandatory. The Controller/Processor should explain to the data subject, in a clear and comprehensible form, their right to withdraw their consent at any time, together with a simple mechanism/procedure for exercising this right. The Controller/Processor should also ensure that the data subject can request the termination of data processing for direct marketing purposes in the same manner in which the direct marketing is carried out.
Regulations regarding Video Monitoring
Video monitoring of the working process and workspace is permitted only in exceptional cases, where the purposes of video monitoring cannot be achieved by other means or such means would require a disproportionately large effort. In the case of video monitoring of the working process and workspace, the Controller/Processor is obliged to inform the employee in writing of the purpose of the video monitoring. Further, in the case of video monitoring, the Controller is obliged to define in writing the purpose, scope, duration and storage period of the video monitoring, the manner and conditions of access to the video recordings, their storage and destruction, and the mechanisms for protecting the rights of the data subject in accordance with the principles of data processing. A crucial novelty related to video monitoring is that a warning sign must be installed in a visible place and must contain an appropriate inscription, an easily perceptible image indicating that video monitoring is carried out, and the name and contact data of the Controller.
Mandatory Reporting of Incidents
The New PDP Law imposes an obligation to notify the Service of data security breaches that have occurred. Specifically, the Controller is required to maintain a register of incidents describing each incident, its outcome and the measures taken. Every incident that may cause significant harm and/or pose a significant threat to fundamental human rights shall be reported to the Service in writing no later than 72 (seventy-two) hours after the discovery of the incident. As required under the New Law, the Service adopted an order setting out the rules of reporting and the criteria for determining whether a specific incident poses harm and/or a threat to fundamental human rights. According to the rules published by the Service, information about an incident shall be submitted to the Service electronically through the official webpage of the Service.
Mandatory Appointment of the Personal Data Protection Officer
Another notable aspect of the New PDP Law is the introduction of the position of personal data protection officer (the Officer), which comes into effect from 1 June 2024. Appointment of the Officer is mandatory in various sectors such as public institutions, insurance organizations, commercial banks, microfinance organizations, credit bureaus, electronic communication companies, airlines, airports, and medical institutions, and this obligation also extends to entities processing substantial volumes of data or engaging in systematic and large-scale monitoring, regardless of specific mention. As required under the New Law, the Service adopted an order on the list of persons who are not obliged to appoint or designate the Officer. According to this order, there is no obligation to appoint an Officer if the Processor: (i) processes the personal data of less than 3 percent of the population of Georgia; (ii) processes the special category data of less than 1 percent of the population of Georgia; or (iii) does not engage in systematic and large-scale monitoring of data subject behavior. For the purpose of counting the persons whose data is being processed, the employees of the Processor are not counted, regardless of their number. A Processor that is obliged to appoint the Officer may meet this requirement in one of three ways: (i) appointing the Officer; (ii) adding the functions of the Officer to the duties of an existing employee; or (iii) outsourcing. The Processor is obliged to publish the identity and contact information of the Officer on its website or through other accessible channels.
Rules related to Data Protection Impact Assessment
The New Law introduces rules on data protection impact assessment, which enter into force from 1 June 2024. If, taking into account new technologies and the categories, volume and purposes of processing, a risk of undermining fundamental human rights and freedoms is highly likely, the Controller is obliged to assess the impact on data protection in advance. Such an assessment entails adopting a document describing the categories, process, purposes of and grounds for the data processing, as well as the organizational and technical measures provided for the purpose of data security. The data protection impact assessment is mandatory if the Controller makes decisions in a fully automated manner (including on the basis of profiling), processes the special category data of a large number of data subjects, or implements systematic and large-scale monitoring of the behavior of data subjects in public gathering places.
Sanctions for Breach of the New PDP Law
The New PDP Law increases the penalties for breach. Depending on the nature of the breach, the organizational form and the annual turnover of the offender, as well as the existence of aggravating and mitigating circumstances, administrative liability may range from a warning to a penalty in the amount of GEL 1,000 (one thousand) to GEL 20,000 (twenty thousand).
Practical Effect of the New Law
Considering the novelties set out in the New PDP Law, Processors of personal data should review their internal processes, technical and organizational measures and internal documents to ensure compliance with the New Law. Specifically, each Processor/Controller shall: (i) review its internal data protection policies and the consent form it uses to obtain consent; (ii) update these documents as necessary; (iii) create a register of incidents and procedures for notifying the Service; (iv) determine whether it is obliged to appoint the Officer and, if applicable, appoint the Officer no later than 1 June 2024; and (v) determine whether it is obliged to adopt a data protection impact assessment and, if applicable, adopt that document no later than 1 June 2024.