Data Protection in Georgia

Collection and processing in Georgia

Under Georgian law, when personal data is collected directly from the data subject, the controller must provide, before or at the time of collection, information about the controller’s identity, contact details, purposes and legal basis of processing, whether data provision is mandatory and the consequences of refusal, significant legitimate interests, recipients or categories of recipients, planned transfers including safeguards, retention period or criteria, and the data subject’s rights. This obligation does not apply if the data subject already has the information or special legislation provides otherwise. Information must be provided in a clear and understandable manner, particularly to minors, and may be delivered orally, in writing, or electronically unless written delivery is requested.¹

When data is collected indirectly, the same information must be provided, including which data are processed and the source. Information should be given within a reasonable timeframe, at the first communication if data will be linked to the subject, and no later than 10 working days from collection unless legal restrictions apply.²

Data must be processed lawfully, fairly, transparently, and without harming the dignity of the data subject. Processing should be limited to specific, explicit, and legitimate purposes, and only necessary data should be collected. Data must be accurate, updated, and corrected or erased without undue delay if inaccurate. Storage should be limited to the necessary period, with secure deletion or anonymization afterward, except when prolonged retention is necessary by law or subordinate acts with appropriate safeguards.³

Processing is permitted only with a legal basis, such as consent, necessity for a contract, legal obligation, protection of vital interests, legitimate public interest, legitimate interests of the controller or third party, or data made publicly available by the subject.

Processing of special categories of data is allowed only with safeguards and a specific legal basis, including explicit consent, legal requirements, vital interests, healthcare or social protection, public safety, employment purposes, public disclosure, or archival, scientific, historical, or statistical purposes.

For minors, processing requires consent from the minor if aged 16 or above, or from a parent/guardian if younger, with explicit consent needed for special categories of data. Controllers must ensure the processing respects the minor’s best interests, and consent is invalid if it threatens those interests.
