Personal Data Protection: Your Rights and Obligations

In the modern digital era, when personal data is rapidly transmitted both within the country and across borders, the protection of such data is particularly important. The Law of Georgia on Personal Data Protection establishes standards that must be observed by both private companies and state agencies when processing personal information.

What Data Is Considered Personal and What Is the Purpose of Personal Data Protection?

Personal data is any information related to an identified or identifiable natural person. This can be a name, personal identification number, address, email, phone number, and more.

The definition of personal data includes special categories of personal data, such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious, philosophical, or other beliefs
  • Trade union membership
  • Health condition
  • Sexual life
  • Status as accused, convicted, acquitted, or victim
  • Conviction, criminal record, diversion, imprisonment
  • Biometric and genetic data

The purpose of personal data protection is to ensure the protection of the fundamental rights and freedoms of individuals, including the rights to privacy and family life, personal space, and inviolability of communications.

What Is Personal Data Processing and Who Are Personal Data Processors?

Personal data processing includes any operation performed on data, including:

  • Collection
  • Recording
  • Organization
  • Storage
  • Adaptation or modification
  • Retrieval
  • Consultation
  • Use
  • Disclosure
  • Grouping or combination
  • Restriction
  • Erasure or destruction

Personal data processors are both private companies and public institutions that determine the purposes and means of data processing. They must comply with the requirements and principles established by law when processing personal information.

What Security Measures Are Used to Protect Your Personal Data?

Organizations that process personal data are obliged to implement both technical and organizational measures to ensure data security.

Technical measures may include:

  • Encryption
  • Access control
  • Backup systems
  • Firewalls and antivirus programs
  • Secure networks

Organizational measures typically include:

  • Development and implementation of data protection policies and procedures
  • Raising employee awareness and training
  • Clear data protection roles and responsibilities
  • Regular security assessments
  • Data breach notification procedures
  • Appointment of a data protection officer (in certain cases)
  • Data protection impact assessment (in certain cases)

What Rights Does the Data Subject Have?

The law establishes the following rights of the data subject:

  • Right to receive information about data processing
  • Right to access data and receive copies
  • Right to correct, update, or complete data
  • Right to terminate processing, delete, or destroy data
  • Right to block data
  • Right to data portability
  • Right to withdraw consent
  • Right to appeal

These rights give individuals the ability to maintain control over their personal information and ensure transparency about how their data is used.

What Right Do Organizations Have to Process Personal Data as Employers?

Employers can process employees’ personal data on several legal grounds:

  • Fulfillment of contractual obligations
  • Compliance with legal requirements
  • Legitimate interests of the employer
  • Employee consent

However, employers must adhere to the principle of data minimization, which means processing only the data necessary for clearly defined legitimate purposes. The processed data must be proportionate to these purposes.

Is Video Recording at the Workplace by an Employer Without Your Consent for the Purpose of Checking the Quality of Work Considered a Violation of the Right to Personal Data Protection?

Video monitoring in the workplace for performance assessment purposes, without employee consent, may be considered a violation of personal data protection rights. According to data protection principles, processing must be lawful, fair, and transparent.

Although employers may have legitimate interests in ensuring work quality, they must balance these interests with employees’ privacy rights. Generally, employers should:

  • Inform employees about monitoring
  • Explain the purpose and scope
  • Implement appropriate security measures
  • Restrict access to recordings
  • Establish retention periods

In most cases, a legitimate interest assessment should be conducted, and employees should be properly informed about such monitoring practices.

Why Is Personal Data Protection Particularly Important in IT Organizations?

IT organizations process large volumes of personal data, often including sensitive information. Several factors make data protection particularly important in the IT sector:

  • Data volume: IT companies typically process large amounts of personal data
  • Technical capabilities: They have advanced tools for large-scale data analysis
  • Global operations: Many IT organizations transfer data across borders
  • Complex processing: They often use sophisticated algorithms and automated processing
  • Security risks: They face increased cybersecurity threats
  • Innovation tension: There is often tension between innovation and privacy protection

Proper data protection practices not only ensure compliance with the law but also increase customer trust and strengthen the company’s reputation in the competitive IT landscape.

Does Video Recording at Public Events Violate Your Right to Personal Data Protection?

Video recording at public events is generally not considered a violation of the right to privacy, as individuals at such events have a reasonable expectation that they may appear in photos or videos. However, this does not mean that data protection legislation does not apply—it still extends to these cases as well.

Several factors should be considered:

  • The nature and location of the event
  • How clearly attendees are informed about recording
  • The purpose of recording
  • How the material will be used and distributed

If video recording is planned at a public event, organizers should provide appropriate notification to attendees and give them the opportunity to avoid being recorded.

What Should Be Done If Your Personal Data Is Processed Without Legal Grounds and Purposes?

If you believe that your personal data is being processed illegally, you can take the following steps:

  • Contact the data processing organization directly and request:
      • Information about what data is being processed and for what purpose
      • Termination of processing if there is no legal basis
      • Deletion or destruction of data
  • If the organization does not respond or refuses the request, you can contact the Personal Data Protection Service.
  • You can also go to court to protect your rights.
  • In any case, it is important to collect evidence and documentation about the illegal processing.

Who Can You Contact for Advice, Which State Body Implements Personal Data Protection in Georgia?

In Georgia, the Personal Data Protection Service supervises personal data protection. This is an independent legal entity under public law, whose main functions are:

  • Control of the legality of personal data processing
  • Providing consultations on data protection issues
  • Reviewing citizen complaints
  • Raising awareness on data protection issues
  • Imposing appropriate sanctions in case of law violations

If you have questions or want to file a complaint, you can contact the Personal Data Protection Service.

What Responsibility Is Provided for Violation of the Law on “Personal Data Protection”?

The Law of Georgia on Personal Data Protection provides for various sanctions for violations of the requirements and rules established by law:

  • Administrative responsibility – The Personal Data Protection Service may impose administrative responsibility.
  • Financial penalties – Financial sanctions may be imposed for violations of the law, the amount of which depends on the severity and nature of the violation.
  • Restriction or suspension of data processing – In cases of serious violations, the Personal Data Protection Service may require restriction or temporary suspension of data processing.
  • Criminal liability – In certain cases, illegal acquisition, storage, use, or distribution of personal data may result in criminal liability.

Compliance with the law is not only a legal obligation but also good business practice that increases the reliability and reputation of the organization. Therefore, it is important that all organizations pay due attention to personal data protection issues and ensure that their activities comply with legislation.

Contact our team to get custom-tailored and professional advice on your case!
