Last modified 13 March 2026

Data Protection in Georgia

Breach notification in Georgia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Georgia

The primary legal framework governing the protection of personal data in Georgia is the Law of Georgia on Personal Data Protection, adopted on 14 June 2023. This law replaced the previous Law on Personal Data Protection of 2011 and represents a significant reform of the national data protection regime. The main provisions of the new law entered into force on 1 March 2024.

The 2023 law aims to align Georgian data protection legislation with internationally recognised standards and the principles of the EU General Data Protection Regulation (GDPR). In particular, it introduces a number of modern data protection concepts, including enhanced safeguards for data processing, strengthened rights of data subjects, and the requirement for controllers to implement appropriate technical and organisational measures to ensure data protection, including principles similar to “data protection by design and by default”.

The reform of the Georgian data protection framework is part of the country’s broader commitment to harmonise its legislation with EU standards under the EU–Georgia Association Agreement. The adoption of the 2023 law represents an important step in the approximation of Georgian legislation with European data protection standards and aims to ensure a high level of protection of individuals’ rights and freedoms, including the right to privacy, in relation to the processing of personal data.

Footnotes

[1] See Law of Georgia on personal data protection

Related resources

Definitions

Definitions in Georgia

The Law of Georgia on Personal Data Protection provides a comprehensive set of definitions that largely correspond to internationally recognised data protection terminology and are broadly aligned with the concepts used in the GDPR.

Under the law, personal data is defined as any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified directly or indirectly, including by reference to identifiers such as name, identification number, geolocation data, electronic communication identifiers, or factors specific to the physical, physiological, psychological, genetic, economic, cultural, or social identity of that person.

The law also defines special categories of personal data, which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, data concerning a person’s sex life, as well as genetic and biometric data processed for the purpose of uniquely identifying an individual. Certain information related to criminal proceedings, convictions, and victim status is also treated as a special category of data.

Processing of personal data is broadly defined as any operation performed on personal data, whether or not by automated means. This includes collection, recording, organisation, storage, alteration, retrieval, use, disclosure (including transfer or publication), restriction, erasure, or destruction of data. The law further distinguishes between automated, non-automated, and partially automated processing.

Similar to the GDPR framework, the law recognises the roles of data controller, joint controllers, and data processor. A controller is the natural or legal person, or public authority, that determines the purposes and means of processing personal data, while a processor processes personal data on behalf of the controller.

Additional key concepts defined by the law include data subject, consent of the data subject, recipient, third party, data protection officer, and special representative (designated by controllers or processors established outside Georgia). The legislation also introduces definitions for specific processing activities such as video monitoring, audio monitoring, profiling, pseudonymisation, depersonalisation, direct marketing, and data security incident (data breach).

These definitions establish the conceptual framework for the application and interpretation of the Georgian data protection regime.

Footnotes

[1] See Article 3 of the Law of Georgia on Personal Data Protection

Related resources

Authority

National data protection authority in Georgia

The supervisory authority responsible for overseeing the protection of personal data in Georgia is the State Audit Office of Georgia. Pursuant to legislative amendments adopted in December 2025, the functions previously exercised by the Personal Data Protection Service were transferred to the State Audit Office, which assumed these responsibilities as of 2 March 2026.¹

When exercising its powers in the field of data protection, the State Audit Office acts in accordance with the Constitution of Georgia, international treaties of Georgia, generally recognised principles and norms of international law, the Law of Georgia on Personal Data Protection, and other relevant legal acts. Its activities are guided by principles including legality, protection of human rights and freedoms, independence and political neutrality, objectivity and impartiality, professionalism, and the protection of confidentiality and secrecy.²

The State Audit Office is responsible for supervising the lawfulness of personal data processing in Georgia. Its main functions include providing consultations on data protection matters, reviewing complaints submitted by data subjects, conducting inspections of controllers and processors, and increasing public awareness regarding data protection and privacy issues.³

The authority is empowered to review complaints from data subjects concerning the processing of their personal data and to adopt appropriate measures where violations are identified. As part of its supervisory role, the State Audit Office may request documents and information from controllers and processors, carry out inspections, and assess compliance with data protection principles, security requirements, and the legal grounds for processing personal data.⁴

Where breaches of data protection legislation are identified, the State Audit Office may impose a range of corrective measures, including ordering the rectification of violations, requiring the suspension or termination of unlawful processing activities, ordering the blocking, erasure, destruction or depersonalisation of personal data, suspending unlawful international data transfers, issuing recommendations, or imposing administrative sanctions.⁵

The General Auditor may also issue subordinate normative acts and individual administrative acts within the scope of the authority’s competence in the field of data protection. In addition, the State Audit Office is required to submit an annual report to the Parliament of Georgia on the state of personal data protection in the country and on its supervisory activities.⁶

Footnotes

[1] See Law of Georgia on Personal Data Protection, amendments of 17 December 2025; transfer of supervisory powers to the State Audit Office effective from 2 March 2026.
[2] Article 39 of the Law of Georgia on Personal Data Protection.
[3] Article 49 of the Law of Georgia on Personal Data Protection.
[4] Articles 50-51 of the Law of Georgia on Personal Data Protection.
[5] Article 52 of the Law of Georgia on Personal Data Protection.
[6] Articles 40 and 48 of the Law of Georgia on Personal Data Protection.

Related resources

Registration

Registration in Georgia

The Law of Georgia on Personal Data Protection does not establish a general obligation for controllers or processors to register their personal data processing activities with the supervisory authority. Instead, the law follows an accountability-based approach, under which controllers and processors are responsible for ensuring compliance with the applicable data protection requirements.¹

However, the legislation provides for a specific registration requirement in certain circumstances. In particular, where a controller or processor registered outside Georgia processes personal data using technical means located in Georgia, it is required to appoint a special representative in Georgia prior to commencing such processing activities.²

The appointed special representative must be registered with the State Audit Office of Georgia in accordance with the procedure established by a normative act issued by the supervisory authority. In such cases, the controller or processor is permitted to process personal data using technical means located in Georgia only after the registration of the special representative.³

The obligation to appoint and register a special representative does not apply to controllers or processors established in Member States of the European Union or in countries recognised by the European Union as providing an adequate level of data protection.⁴

Footnotes

[1] See Law of Georgia on Personal Data Protection (2023).
[2] See Article 34(1) of the Law of Georgia on Personal Data Protection.
[3] See Article 34(1)–(2) of the Law of Georgia on Personal Data Protection.
[4] See Article 34(6)–(7) of the Law of Georgia on Personal Data Protection.

Related resources

Data protection officers

Data protection officers in Georgia

Under the Law of Georgia on Personal Data Protection, the appointment of a Data Protection Officer (DPO) is mandatory for controllers and processors that fall within certain categories, including public authorities, insurance organizations, banks, microfinance institutions, credit bureaus, electronic communications companies, airlines, airports, medical institutions, or any controller/processor that processes large volumes of personal data or systematically monitors the behavior of data subjects.¹

The DPO is responsible for advising and informing the controller or processor and their employees on compliance with data protection requirements and regulatory developments. They participate in drafting internal policies, procedures, and Data Protection Impact Assessments, and monitor their implementation. The DPO also analyses and provides recommendations on data subject requests and complaints, represents the controller or processor in communications with the State Audit Office of Georgia, and coordinates the provision of information and documentation requested by the authority. Furthermore, the DPO informs data subjects about the processing of their personal data and their rights and may perform other functions aimed at enhancing data protection standards within the organization.²

The DPO may be an internal employee or an external service provider, provided there is no conflict of interest. Controllers and processors may appoint a single DPO jointly for multiple entities if this ensures the effective performance of the DPO's functions.³

DPOs must possess adequate knowledge in the field of data protection. They report to the highest management level appropriate to their organization and must be provided with sufficient resources and independence to fulfil their duties.⁴

The identity and contact details of the DPO must be communicated to the State Audit Office of Georgia within 10 working days of appointment, designation, or replacement, and should be proactively published on the controller's or processor's website (if available) or otherwise made publicly accessible. Temporary absences or termination of the DPO must be immediately addressed by appointing another qualified person.⁵

The General Auditor determines the scope of controllers and processors that are not required to appoint a DPO through a normative act.⁶

Footnotes

[1] See Article 33(1) Law of Georgia on Personal Data Protection.
[2] See Articles 33(1)–(2) Law of Georgia on Personal Data Protection.
[3] See Article 33(4) Law of Georgia on Personal Data Protection.
[4] See Articles 33(5)–(7) Law of Georgia on Personal Data Protection.
[5] See Articles 33(8)–(9) Law of Georgia on Personal Data Protection.
[6] See Article 33(10) Law of Georgia on Personal Data Protection.

Related resources

Collection and processing

Collection and processing in Georgia

Under Georgian law, when personal data is collected directly from the data subject, the controller must provide, before or at the time of collection, information about their identity, contact details, purposes and legal basis of processing, whether data provision is mandatory and the consequences of refusal, significant legitimate interests, recipients or categories of recipients, planned transfers including safeguards, retention period or criteria, and the data subject’s rights. This obligation is not required if the data subject already has the information or special legislation provides otherwise. Information must be provided in a clear and understandable manner, particularly to minors, and may be delivered orally, in writing, or electronically unless written delivery is requested.¹

When data is collected indirectly, the same information must be provided, including which data are processed and the source. Information should be given within a reasonable timeframe, at the first communication if data will be linked to the subject, and no later than 10 working days from collection unless legal restrictions apply.²

Data must be processed lawfully, fairly, transparently, and without harming the dignity of the data subject. Processing should be limited to specific, explicit, and legitimate purposes, and only necessary data should be collected. Data must be accurate, updated, and corrected or erased without undue delay if inaccurate. Storage should be limited to the necessary period, with secure deletion or anonymization afterward, except when prolonged retention is necessary by law or subordinate acts with appropriate safeguards.³

Processing is permitted only with a legal basis, such as consent, necessity for a contract, legal obligation, protection of vital interests, legitimate public interest, legitimate interests of the controller or third party, or data made publicly available by the subject.⁴

Processing of special categories of data is allowed only with safeguards and a specific legal basis, including explicit consent, legal requirements, vital interests, healthcare or social protection, public safety, employment purposes, public disclosure, or archival, scientific, historical, or statistical purposes.⁵

For minors, processing requires consent from the minor if aged 16 or above, or from a parent/guardian if younger, with explicit consent needed for special categories of data. Controllers must ensure the processing respects the minor’s best interests, and consent is invalid if it threatens those interests.⁶

Footnotes

[1] See Article 24 Law of Georgia on Personal Data Protection.
[2] See Article 25 Law of Georgia on Personal Data Protection.
[3] See Article 4 Law of Georgia on Personal Data Protection.
[4] See Article 5 Law of Georgia on Personal Data Protection.
[5] See Article 6 Law of Georgia on Personal Data Protection.
[6] See Article 7 Law of Georgia on Personal Data Protection.

Related resources

Transfer of personal data

Transfer of personal data in Georgia

Under Georgian law, the transfer of personal data to another country or international organization is allowed only if specific conditions are met. Transfers are permissible when they comply with the requirements established by the law and adequate safeguards for data protection and the rights of the data subject are ensured in the recipient country or organization.¹

Transfers are also permitted if:

the transfer is provided for under an international treaty or agreement to which Georgia is a party;
the data controller ensures adequate safeguards through a contract with the recipient state, legal entity, individual, or international organization;
the transfer is required under applicable laws, including the Criminal Procedure Code, the Law on Legal Status of Aliens and Stateless Persons, the Law on International Cooperation in the Field of Criminal Law, the Organic Law on the National Bank of Georgia, or the Law on the Prevention of Money Laundering and Terrorism Financing;
the data subject provides written consent after being informed of the absence of adequate safeguards;
the transfer is necessary to protect the vital interests of the data subject who cannot provide consent; or
the transfer is necessary and proportionate to safeguard a significant public interest.²

When transferring data under these legal grounds, the controller must implement appropriate organizational and technical measures to ensure secure transfers. Transfers based on contractual safeguards require enforceable terms. Subsequent transfers to a third party are allowed only if compatible with the original purposes and in accordance with the law and safeguards.³

The existence of adequate safeguards in a recipient state or international organization is assessed by the State Audit Office based on international obligations, data subject rights and freedoms, applicable regulatory requirements, the rules for further international transfers, and the presence and powers of an independent supervisory authority. Lists of states and organizations with adequate safeguards are determined and updated by normative acts of the State Audit Office.⁴

Footnotes

[1] See Article 37 Law of Georgia on Personal Data Protection.
[2] See Article 37, paras. 1–2(a–f) Law of Georgia on Personal Data Protection.
[3] See Article 37, para. 2(f) and Article 38 Law of Georgia on Personal Data Protection.
[4] See Article 38 Law of Georgia on Personal Data Protection.

Related resources

Security

Security in Georgia

Under Georgian law, the data controller is obliged to implement appropriate organizational and technical measures to ensure that personal data is processed in accordance with the law and to demonstrate compliance with these requirements.¹

The controller and the processor must take measures to address potential and incidental risks associated with data processing, including pseudonymization, access logging, and information security mechanisms (confidentiality, integrity, availability), to protect data against loss, unlawful processing, destruction, alteration, disclosure, or misuse.²

When determining the necessary organizational and technical measures, the controller and processor must consider the categories and volume of data, processing purposes, form and means of processing, and potential risks to the data subject’s rights. They must periodically assess the effectiveness of the measures and update or implement additional safeguards if necessary.³

The controller and processor are required to maintain records of all actions performed on electronically stored data, including incidents, collection, modification, access, disclosure (transfer), linking, and deletion. For non-electronic data, records must be kept for all disclosures or alterations, including incident reports.⁴

All personnel involved in processing or with access to data must act within their assigned authority, maintain confidentiality, and protect data, including after the termination of their employment.⁵

The controller and processor must define employee access rights according to their role and implement adequate measures to prevent, detect, and stop unauthorized processing by staff, including raising awareness on data security obligations.⁶

Footnotes

[1] See Article 27, para. 1, Law of Georgia on Personal Data Protection.
[2] See Article 27, para. 2, Law of Georgia on Personal Data Protection.
[3] See Article 27, para. 3, Law of Georgia on Personal Data Protection.
[4] See Article 27, para. 4, Law of Georgia on Personal Data Protection.
[5] See Article 27, para. 5, Law of Georgia on Personal Data Protection.
[6] See Article 27, para. 6, Law of Georgia on Personal Data Protection.

Related resources

Breach notification

Breach notification in Georgia

Under Georgian law, the data controller is required to record any data incident, its consequences, and the measures taken, and must notify the State Audit Office in writing or electronically no later than 72 hours after becoming aware of the incident, except when it is unlikely that the incident will cause significant harm or pose a substantial risk to the rights and freedoms of individuals.¹

The processor must immediately inform the data controller of any incident.²

The notification must include:

the circumstances, nature, and timing of the incident;
the categories and approximate number of personal data affected, as well as the categories and approximate number of data subjects potentially impacted;
the likely consequences of the incident and measures taken or planned to mitigate or eliminate its effects;
whether the data controller intends to notify the data subject(s) under Article 30 and within what timeframe; and
contact details of the Data Protection Officer or other relevant contact person.³

If it is not possible to provide all the information at once, the controller may provide the information in stages within a reasonable period, in agreement with the State Audit Office.⁴

If the data controller fails or is unable to inform the data subject(s), the State Audit Office may publicize information about the incident based on the circumstances, potential harm, or number of affected data subjects, except where specific conditions in Article 30(3) apply.⁵

This rule does not apply if the notification includes a statement from a public or private entity that public disclosure of the incident would endanger:

state security, information or cyber security, or defense interests;
public safety;
crime prevention, investigation, prosecution, enforcement of imprisonment or other sanctions, or operational-search activities; or
significant financial, economic, public health, or social protection interests of the country.⁶

The State Audit Office may refrain from publicizing information even if the notification does not include the above statement.⁷

Entities required to provide notification must specify relevant circumstances in accordance with their competence or scope of activity. Critical information systems must indicate information and cyber security grounds in coordination with the competent authorities.⁸

Footnotes

Related resources

Enforcement

Enforcement in Georgia

Under Georgian law, the data subject has the right to file a complaint with the State Audit Office, a court, or a superior administrative authority if their rights or the procedures established under the law are violated.¹

The data subject may request the State Audit Office to issue a decision to block the processing of personal data pending the completion of the review of their application.²

The data subject has the right to challenge the decision of the State Audit Office in court in accordance with the conditions and timeframes established by Georgian legislation.³

Footnotes

[1] See Article 22, para. 1, Law of Georgia on Personal Data Protection.
[2] See Article 22, para. 2, Law of Georgia on Personal Data Protection.
[3] See Article 22, para. 3, Law of Georgia on Personal Data Protection.

Related resources

Electronic marketing

Electronic marketing in Georgia

Under Georgian law, the processing of personal data for direct marketing purposes is generally only permitted with the data subject’s explicit consent.¹ Consent must be obtained prior to processing, and data subjects must be informed clearly and understandably of their right to withdraw consent at any time, as well as the mechanism to exercise this right.²

Controllers and processors must promptly stop direct marketing upon a data subject’s withdrawal of consent, generally within 7 working days, and ensure that the withdrawal can be exercised using the same means as the marketing communication or other accessible method.³ The process must be simple, free of charge, and accompanied by clear instructions. Controllers or processors bear the burden of demonstrating that consent was obtained and that withdrawal mechanisms are adequate, and they must keep records of consent and withdrawal for the duration of marketing activities and one year thereafter.⁴

Footnotes

[1] See Article 12, Law of Georgia on Personal Data Protection.
[2] See Article 12, paras. 1-3, Law of Georgia on Personal Data Protection.
[3] See Article 12, paras. 4-6, Law of Georgia on Personal Data Protection.
[4] See Article 12, paras. 7-9, Law of Georgia on Personal Data Protection.

Related resources

Online privacy

Online privacy in Georgia

Under Georgian law, cookies, location data, and traffic data are treated as personal data. Their collection and processing must comply with the general principles of lawfulness, transparency, and data minimization under the Law of Georgia on Personal Data Protection. Clear information must be provided to users, consent obtained when required, and adequate technical and organizational safeguards implemented.

Footnote

[1] See Law of Georgia on Personal Data Protection.

Related resources

Key contacts

Data protection lawyers in Georgia

Rusa Tchkuaseli

Partner

BLC Law Office

Tbilisi

Email Full bio

Ketti Kvartskhava

Managing Partner

BLC Law Office

Tbilisi

Email Full bio

The processor must immediately inform the data controller of any incident.²

The notification must include:

the circumstances, nature, and timing of the incident;
the categories and approximate number of personal data affected, as well as the categories and approximate number of data subjects potentially impacted;
the likely consequences of the incident and measures taken or planned to mitigate or eliminate its effects;
whether the data controller intends to notify the data subject(s) under Article 30 and within what timeframe; and
contact details of the Data Protection Officer or other relevant contact person.³

If it is not possible to provide all the information at once, the controller may provide the information in stages within a reasonable period, in agreement with the State Audit Office.⁴

This rule does not apply if the notification includes a statement from a public or private entity that public disclosure of the incident would endanger:

state security, information or cyber security, or defense interests;
public safety;
crime prevention, investigation, prosecution, enforcement of imprisonment or other sanctions, or operational-search activities; or
significant financial, economic, public health, or social protection interests of the country.⁶

The State Audit Office may refrain from publicizing information even if the notification does not include the above statement.⁷

Quick links

Data Protection in Georgia

Breach notification in Georgia

Footnotes

Continue reading