Advancing Data Security: Georgia’s Response to GDPR Challenges

The General Data Protection Regulation (GDPR) has become a global benchmark for data protection legislation since its implementation in the European Union in 2018. Its comprehensive framework prioritizes the rights of individuals concerning their personal data and sets forth guidelines for organizations handling such information. The Republic of Georgia, in its pursuit to align its data protection standards with international norms, has taken significant steps towards implementing GDPR principles within its legal framework. 

Georgia’s Legal Framework

Georgia adopted the Law on Personal Data Protection, which drew inspiration from the GDPR. This legislation aims to regulate the processing of personal data and ensure the protection of individuals’ privacy rights. The law establishes principles similar to those outlined in the GDPR, such as data minimization, purpose limitation, and transparency. 

Key GDPR Principles

Consent: Similar to the GDPR, the Georgian law emphasizes the importance of obtaining individuals’ consent for data processing activities. It requires organizations to seek explicit consent and provide clear information regarding the purpose and scope of data processing. 

Data Subject Rights: The legislation grants individuals various rights over their personal data, including the right to access, rectify, and erase their information. This mirrors the rights guaranteed by the GDPR, empowering individuals to have greater control over their data. 

Data Security Measures: Organizations handling personal data are obligated to implement appropriate technical and organizational measures to ensure the security of data processing operations. This includes measures to prevent data breaches and unauthorized access, aligning with GDPR requirements for data security. 

Recent Developments in Georgia’s Data Protection Policy

Starting from March 1st, 2024, Georgia has activated several important amendments to its data protection policy. These amendments include various aspects, such as the consent for advertising messages. Under this amendment, advertising messages will no longer be sent without prior consent. Additionally, the policy now mandates the appointment of data protection officers. This requirement extends to both public institutions and select private companies, which will be obliged to have a personal data protection officer. Moreover, the regulations now provide clarity on audio and video monitoring. Specifically, the rules and conditions surrounding audio recording, known as audio monitoring, in public or private spaces are clearly defined. Furthermore, the policy specifies the rules regarding video monitoring, which involves recording through video cameras placed in public or private spaces. Another significant amendment involves the protection of minors’ data. Legal guarantees for the safeguarding of personal data of minors have been outlined. Lastly, the policy establishes an obligation for organizations to notify the relevant inspector in case of a data breach, ensuring swift action and response in such situations.

Challenges and the Path Forward

While Georgia has made significant strides in aligning its data protection laws with GDPR standards, challenges remain in achieving full compliance and enforcement. One major challenge is the need for robust enforcement mechanisms and regulatory oversight to ensure that organizations adhere to data protection regulations effectively. 

Georgia’s adoption of data protection legislation represents a significant milestone in its journey towards ensuring the privacy and security of personal data. While challenges persist, the country’s commitment to aligning its practices with international standards demonstrates its dedication to fostering a trustworthy digital environment.  

For further information please contact Ms. Irina Lopatina, Country Executive at Eurofast office in Georgia, Tbilisi, at

Ms. Irina Lopatina
Country Executive
Eurofast Tbilisi