From March 1st, revisions to the Law on Personal Data Protection have been in force. Under the changes, mobile operators and their SMS service providers are prohibited from using citizens’ personal data for direct marketing purposes without prior consent. Furthermore, it is now mandatory for both public institutions and some private companies to appoint a Personal Data Protection Officer.
Legal experts evaluate the revisions positively, although they acknowledge that companies may face certain challenges. To learn more, GEORGIA TODAY interviewed Gvantsa Zhorzholiani, a lawyer who serves as the executive director of CAPRINA’s Georgian office and is a member of the supervisory board.
Gvantsa, what changes have been made in the law on personal data protection?
Before I address your question directly, I’d like to highlight that at CAPRINA, the company I currently represent, we have already adapted to these changes and prioritize the protection of our employees’ personal data to a high standard. Hence, I commend our readiness to share the insights and experience gained through the implementation process in our company over the past six months. I am ready to consult with anyone, individuals or companies, who wishes to learn more and implement the same high-level practice concerning personal data protection as we implemented successfully at CAPRINA.
Under the newly enacted law, which took effect on March 1st, an important innovation is the institution of the Personal Data Protection Officer. This marks the emergence of a completely novel profession in the Georgian market.
Starting June 1, 2024, the appointment/designation of a Personal Data Protection Officer will become mandatory for a number of organizations. These include public institutions (excluding religious and political organizations); insurance companies; commercial banks; microfinance organizations; credit bureaus; electronic communication companies; airlines/airports; medical institutions that provide services to at least 10,000 data subjects annually; and organizations processing the data of a substantial number of individuals or conducting systematic and large-scale monitoring of their behavior.
The Personal Data Protection Officer is permitted to undertake additional responsibilities, provided that such duties do not create a conflict of interest. The law also allows companies to enter into service contracts with other companies to perform the functions of a Personal Data Protection Officer.
According to the new law, the Personal Data Protection Officer is required to possess substantial expertise in data protection. Drawing from EU standards, the Personal Data Protection Officer must be thoroughly familiar with the legislation governing personal data protection, best practices in the field of data protection, and ensure that the organization and its employees are informed, consulted and methodically assisted on a daily basis. It is crucial for the officer not only to have an in-depth knowledge of the legislation but also to possess a keen understanding of the organization’s values and grasp its IT infrastructure.
Organizations are mandated to provide the identity and contact details of the appointed or designated Personal Data Protection Officer to the Personal Data Protection Service within 10 working days of their appointment or replacement. Organizations are also required to publish the identity and contact information of the Personal Data Protection Officer on their website (if they have one) or by other accessible means. Our readers should take into account that violation of the legal obligation related to the appointment of an officer is an administrative offense.
Another important innovation is the prohibition on sending advertising messages to citizens without their consent. The revised law defines direct marketing as the direct provision of information to the data subject by phone, mail, e-mail or other electronic means in order to sell and/or promote goods, ideas, services or work, as well as societal and cultural topics. Any other data processing for direct marketing purposes will require the prior written consent of the data subject. Organizations found in violation may face fines of up to 3,000 GEL.
The third notable advancement is the establishment of the rules and conditions of audio recording or monitoring in public or private spaces. Audio monitoring will be permitted if the data subject is informed beforehand and declares consent. Additionally, audio monitoring is allowed in remote communications and for the purpose of safeguarding personal safety, property, and confidential information.
The data processor is obliged to warn the data subject about this in advance or at the beginning of the audio monitoring.
Furthermore, the updated legislation obliges companies to report data security breaches to the inspectorate. In particular, any organization or individual that processes personal data is obliged to record all incidents of data security violations, results, measures taken, and to notify the Personal Data Protection Service no later than 72 hours after the discovery of the incident.
Will this law apply to companies that are registered as a representative office of a company in another country, and not a company registered in Georgia?
Foreign enterprises and companies are afforded the opportunity to register a branch within the territory of Georgia. Registration serves various purposes, such as subjecting the entity to Georgian legislation, facilitating tax obligations, and fostering stability in civil transactions. However, it’s important to note that registration does not confer upon the branch the status of a separate legal entity, and thus does not govern its conduct as such.
When a foreign company registers its representation in Georgia in the form of a branch, this branch is considered a part of that company and does not represent an independent company. However, if this representation is registered, such as in the form of a Limited Liability Company (LLC) within Georgia it will be considered an independent legal entity, which will be registered in Georgia. Both companies registered in Georgia and foreign representative offices are subject to Georgian legislation, including the new provisions outlined in the Law on Personal Data Protection.
As a representative of an international company, how would you evaluate this change, and how easily will you be able to adapt the reality of your company to this law?
At the outset of my discussion, I highlighted that “Personal Data Protection Officer” is a completely new profession in Georgia. Within our company, CAPRINA, a subsidiary of the international holding FARAGOSTAR, with operations spanning various countries including Luxembourg and Canada, I swiftly arranged online consultation sessions with my colleagues in these offices. It was very interesting to hear practical advice from them and to learn the specifics of how various modern platforms operate. In our company, personal information protection has been a priority for over two years, facilitated through cutting-edge applications that constantly update and safeguard employee information. In practice, we did not have an appointed Personal Data Protection Officer, although we did carry out data protection. I think this is very important for a company in the Georgian market.
I believe that most companies lack the necessary information and experience in navigating the complexities of data protection. Providing practical examples and support can be immensely valuable in this regard.
As I mentioned above, I commend our readiness to share the insights and experience gained through the implementation process in our company over the past six months. Such knowledge-sharing initiatives are crucial in fostering a culture of compliance and effective data protection practices within the business community. And, as I said, I am ready to consult with both individuals and companies who are willing to learn more and implement the same high-level practice concerning personal data protection as we implemented successfully at CAPRINA.
As a representative of an international company, how often do you encounter problems related to the protection of personal data in your company?
From the moment the company was established, employee registration and regular updates of their personal information have been integral practices. I am the executive director of a development company in the field of construction. Depending on the specifics of the project, we mostly have temporary employees. Their personal information is constantly updated, and after the completion of their work and the expiration of the contract, their personal information is destroyed. Adhering to labor laws, we automatically delete the personal information of job seekers if no employment contract is finalized. The biggest problem and challenge we have is the instability of the banking situation of employed persons. We have cases when, for various reasons, the employee does not want to have their salary transferred to their card and prefers to receive their salary in cash, which involves the creation of documents. In this case, different departments work simultaneously to protect the employee’s personal and confidential information.
What are the basic principles that you, as a lawyer and the head of the company, adhere to in order to protect your employees’ data, and how far do you think the Georgian legislation is able to do the same?
The priority of the new law is to enhance the protection of individuals and their personal information, which of course creates a feeling of security and stability.
During the Covid pandemic, numerous regulations emerged, including the mandate for temperature checks, employee registration with temperature readings, and limits on office occupancy. With the construction process ongoing, as we had about 150 employees in the company, we decided to install a smart thermal video camera which would record people’s attendance at work, measure their temperatures and save complete information on the employee’s personal page. As a result, the occupational safety manager had constant information about the employees’ reporting to work and their temperatures. Our initiative marked the first implementation of such a system in Georgia. This underscores the importance not only of safeguarding personal information but also of creating conducive work environments that prioritize employee comfort and motivation.
According to your recommendation as a lawyer, what additional changes can be made in the mentioned law in the future?
It would indeed be beneficial if legislation offered more detailed guidance regarding the role of the Personal Data Protection Officer. For example, in the position of Labor Safety Manager, where normative acts are directly developed, it is defined what competence the person holding this position should have, what direct obligation they have during the performance of the service, etc. I hope that the status of Personal Data Protection Officer will improve over time, with additional supporting documents developed to provide further guidance.