6 Key Provisions from the New Law on Personal Data Protection
The Parliament of Georgia has passed the Law of Georgia on Personal Data Protection that will be effective from March 1, 2024.
Before the date, entities responsible for processing personal data should be aware of the following key amendments to ensure compliance with the new law:
1. Data Processing
Processing of personal data for direct marketing purposes will now necessitate explicit consent from the data subject. Furthermore, beyond the details like name, surname, address, telephone number, and email address, written consent will be mandatory for processing additional data for direct marketing purposes.
Prior to obtaining consent and during direct marketing communication, the responsible entity must articulate, in clear and understandable terms, the data subject’s right to withdraw consent at any time and the procedural mechanism for exercising this right.
The law also stipulates that data processing must cease within a reasonable timeframe after receiving the data subject’s withdrawal request, but not exceeding 7 working days.
2. Personal Data Protection Officer
Under the new Law, entities, including commercial banks, and companies dealing with personal information on a large scale (the definition of large scale will be specified in a regulatory decree, which is expected to be made public before the law takes effect) are obligated to appoint a personal data protection officer. This officer is tasked with ensuring compliance with the Law in personal information processing, maintaining communication with the Personal Data Protection Service (the national regulatory authority), and implementing measures to enhance processing standards.
The mentioned entities are required to notify the Personal Data Protection Service about the officer’s identity and contact information within 10 days and publish this information on the respective website. Importantly, the officer can be any qualified individual, including an employee of the company, and may operate under a service agreement.
3. Data Portability
In cases where personal data is processed by automated means based on consent or at the request of the data subject for a transaction, the individual has the right, if technically feasible, to receive their data in a structured, publicly usable, and machine-readable format from the responsible entity. They may also request the transfer of this data to another party.
While enhancing convenience for data subjects, the right to data transfer imposes a higher standard on data processors, necessitating increased security measures and the implementation of suitable technologies.
4. Impact Assessment
When processing data, especially with the incorporation of new technologies, data categories, scope, purposes, and means of processing, entities are now obligated, under the new law, to conduct a preliminary impact assessment on data protection if there is a high probability of a threat to basic human rights and freedoms.
Following the assessment, if a high risk of human rights violation is identified, the responsible entity must take all necessary measures to mitigate the risk. If substantial risk reduction is not feasible through additional organizational and technical measures, data processing should be terminated.
5. Access to Court Rulings
In light of amendments to the Law, related provisions in other Georgian legislation have been revised. The revisions stipulate that the complete content of court rulings shall be deemed public information as soon as the final ruling takes legal effect.
This serves as further evidence reinforcing the overarching intent of the new law, which is to elevate the standard of transparency.
6. Responsibility
It’s imperative to note that with the implementation of the new law, violations of the principles and conditions outlined in the legislation see a substantial increase in severity, with some cases potentially incurring double the consequences.
In conclusion, the outlined amendments highlight Georgia’s ongoing commitment to align its legal framework with European Union standards, and the recent adoption of the Law marks a significant step toward achieving this alignment.