Personal data in Georgia: consent and DPO under new rules

Since March 1, 2024, Georgia has adopted a new law, "On Personal Data Protection," which brings the country closer to GDPR-level standards. For businesses, this means two things: properly formalizing consent for personal data processing and understanding whether a data protection officer (DPO) is needed. Below, we'll explain how to establish both, and what deadlines need to be met.
When consent is needed and when it is not
Consent is only one basis for processing. Sometimes it's more appropriate to rely on contractual performance, a legal obligation, or another legitimate basis. Avoid making consent the default basis: if processing is still necessary for the contract, separate consent may only confuse and weaken your position.
How to formalize consent correctly
If you rely on consent, it must be free, specific, and informed, and the data subject must be able to revoke it as easily as they gave it. In practice, this means:
clear text without “hidden” checkboxes and pre-selected consents;
separate consent for specific purposes (especially for direct marketing);
recording when and how consent was obtained;
a simple revocation mechanism.
Review response times
After a valid request to revoke consent, processing must cease within the timeframe established by law (usually seven business days). Therefore, a clear process for accepting and fulfilling such requests is needed to ensure they don't become "stuck."
Who needs a data protection officer (DPO)
The law introduced the position of a data protection officer. For some organizations, the appointment of a DPO is mandatory: they monitor compliance, advise the business, and act as a point of contact. Check whether your activities meet the criteria, and if so, formalize the appointment, defining the officer's functions and independence.
Direct marketing: special attention
The law has tightened the rules for processing data for direct marketing purposes. Review your newsletters and advertising scripts: on what basis are you contacting clients, how did you obtain their contact information, and how can they opt out?
Business Checklist
the grounds for processing for each purpose are defined;
the texts of the consents have been put in order;
the mechanism for revocation and its timely execution is in place;
the need for a DPO was assessed and an appointment was made, if necessary;
direct marketing practices have been reviewed;
there are records confirming compliance.
Frequently asked questions
Is consent required for every operation?
No. Consent is not always required—sometimes processing is based on a contract or other basis.
Is a DPO mandatory for small businesses?
It depends not on the size, but on the nature of the processing and the legal criteria. Assess your activities and document your findings.
Is this the same as GDPR?
The law is similar in logic, but it is a separate national act; do not consider the wording to be identical.
A targeted audit will help verify your processing grounds, consent texts, and the need for a DPO. This article is for general informational purposes only and is SEO/legal information, not legal advice; responsibilities depend on your processing and applicable law. — Legal.GE NewsMaker