Are you concerned about your personal data being misused or falling into the wrong hands? Georgia’s New Data Protection Law is designed to safeguard your information. You can read the full text of the law here.

This article explores the legal protections this law offers and how we can help ensure your data privacy.

Why Your Personal Data Matters

As technology and social media evolve, the importance of protecting personal data has become increasingly significant. However, there are often misconceptions about what constitutes personal data and why it is valuable.

Georgia’s New Data Protection Law defines personal data as any information linked to an identified or identifiable natural person. This broad definition means that if any information can lead to the identification of a specific individual, it is considered personal data. Specifically, examples include names, personal ID numbers, physical traits, geolocation data, income details, and more. Various subsets of personal data, such as health and biometric data, receive general legislative protections.

Personal data represents our digital identity, encompassing details about our lives, preferences, and interactions. Thus, protecting this information is crucial for maintaining privacy, security, and trust. In our interconnected world, responsible data handling is essential to prevent misuse, identity theft, and unauthorized access.

How Can Personal Data Be Used (or Misused)?

Corporations and government entities frequently request personal data for legitimate purposes, such as opening a bank account or registering property. However, issues arise when this information is used for illegitimate purposes.

Unfortunately, there have been numerous cases where trusted corporations have transferred data to third parties without consent. For instance, SMS marketing firms and scammers often obtain phone numbers through unauthorized data transfers. A notable example of data misuse is the Facebook scandal of the 2010s, where the company was fined $5 billion for sharing user data with a consulting firm to influence elections. This highlights the significant impact personal data can have beyond individual concerns.

Principles Data Processors Must Follow

Under Georgian law, data processors must adhere to strict principles when handling personal data. Specifically, the use of data must be lawful, respect human dignity, and have a legitimate purpose. Furthermore, it is prohibited to collect or use personal data without valid cause, and only necessary information should be processed. For example, a bank should not request health records when opening an account, as it exceeds their service scope.

Accuracy is also vital; incorrect government records, such as birth dates, violate data protection laws. In today’s digital age, data security is paramount. Making medical histories publicly accessible on platforms like Google Drive or WeTransfer is strictly prohibited. Third parties must not have unauthorized access to personal data.

Your Data, Your Choice

Some corporations act as if your personal data belongs to them, which is a clear violation. Your data is yours, and you have the right to control its use.

Is Your Data Being Processed?

If you suspect your personal data is being processed, you have the right to verify. Specifically, Article 13 of the new Data Protection Law allows you to request information from any entity regarding:

  1. Whether your data is being processed
  2. What types of data are processed
  3. The valid reason behind the processing
  4. How your data was acquired
  5. Whether your data was shared with third parties

There are exceptions, such as inquiries involving Georgian Security Services or the Police, or if the information is publicly accessible. Otherwise, entities must respond within 10 days.

Restricting Data Processing

Your personal data is exclusively yours, and you have the right to grant or withhold consent for its use. Most contracts include clauses allowing entities to use your data, often accepted without thorough reading. Therefore, we advise carefully reviewing any contract to understand what data you are consenting to share.

The Georgian Data Protection Law allows you to request that any entity stop processing and erase your data. Following your request, entities have five days to comply. However, verifying compliance relies on the entity’s internal decisions and the oversight of the Data Protection Service.

Seeking Assistance

If you suspect your personal data is being misused, you can request the responsible party to cease such activities and seek help from professionals. The Georgian Data Protection Service, the official government body, investigates and takes action against data protection violations. Their website is accessible in English, making it easy to file a complaint.

For specialized support and legal guidance, ExpatHub Legal and Tax is here to help. Our team of experts in Personal Data Protection Law will ensure your activities are compliant and advocate for your rights in case of any infringement. Reach out if you require our assistance.




Gaga Mamuchishvili

Head of Legal at @ExpatHub.GE. Specialized in general commercial and corporate law, with a master's in Comparative Private and International Law, Gaga leads every legal process of the company, including real estate, immigration, contract law, and various other transactions.