As of March 1, 2024, the new law “On Personal Data Protection” (hereinafter the “Law”) has been enacted. Certain provisions of this Law will take effect on June 1, 2024, while others will be implemented on January 1, 2025.
The primary objective of the new Law is to enhance the standards and guarantees of personal data protection while reinforcing effective mechanisms aimed at safeguarding human rights.
The amendments to the Law primarily affect video monitoring, introduce legal norms for audio monitoring, and define the basis for their implementation. Other important innovations include the regulation of data processing for direct marketing purposes, the establishment of the institution of the personal data protection officer, and a substantial increase in sanctions for violations.
This article addresses the crucial topics and business requirements arising from the legislative changes.
1. The introduction of a new standard for video monitoring implementation
To conduct video monitoring, the data processor is obligated to specify the purpose and scope of video surveillance, the duration of surveillance and recording storage, access protocols for video recordings, procedures for storage and deletion, and mechanisms for safeguarding the rights of data subjects, all in accordance with the principles of data processing.
The data processor or authorized person must prominently display a warning sign indicating ongoing video surveillance, which should include the identity and contact details of the data processor.
2. The procedure for audio monitoring
Audio monitoring is permissible with the consent of the data subject, for protocol recording, during remote communication, for personal safety and property protection purposes, as well as for safeguarding confidential information when alternative measures are not feasible, and in other cases expressly authorized by legislation.
The data processor is required to establish in writing the purpose and extent of audio monitoring, its duration, access rules, storage and disposal procedures for audio recordings, mechanisms for protecting the rights of data subjects, and to notify the data subject in advance or promptly after the commencement of audio monitoring.
3. Data processing for the purpose of direct marketing
Data processing for direct marketing involves the processing of personal data for the purpose of sending advertising messages. It is permissible by Law only with the explicit consent of the individual whose data is being processed (data subject).
The data subject must be informed clearly, simply, and understandably that they have the right to withdraw their consent to the processing of their data at any time. Upon receiving such a request, the data processor is obligated to cease processing the individual's data within 7 working days.
4. Personal Data Protection Officer (DPO)
The Law establishes the institution of the Personal Data Protection Officer (DPO), which stands as one of the most significant innovations. The rights and duties of the DPO include informing the data controller/processor and their staff about data protection issues, providing consultation and methodological assistance, contributing to the development of internal regulations and impact assessment documents on data protection, analyzing data processing activities, handling statements and complaints, and issuing appropriate recommendations.
The Law specifies the entities responsible for appointing a Data Protection Officer:
Public institutions
Insurance organizations
Commercial banks
Micro-finance organizations
Credit Bureaus
Electronic communication companies
Airlines
Airports
Medical institutions
Data controllers that process personal data of at least 3 percent of the population of Georgia or conduct systematic and large-scale monitoring of individuals' behavior.
The role of a Data Protection Officer can be fulfilled by either an employee or an external individual or entity under a service agreement.
5. Strengthened sanctions for violation of the Law
The penalties for breaching the regulations set by the new Law have been significantly strengthened. Fines are determined based on the type of offense and typically range from 1,000 to 6,000 GEL. The precise amount of the fine is determined by the individual's annual income and the presence of aggravating circumstances.
Note: All of the changes discussed in this article came into force on March 1, 2024, except for the obligation to appoint a Personal Data Protection Officer, which will come into force on June 1, 2024.
The Law establishes a high standard of personal data protection and introduces changes and additions concerning issues such as the mandatory procedure for obtaining the data subject's consent and the information required to be provided to them. Companies will be required to implement additional measures to ensure their processes comply with the standards set by the new Law.