Georgia's data protection regulator – the Sazogadoebrivi Informaciis Datsvis Inspeqtori (Personal Data Protection Inspector, or Inspector's Office) – has significantly increased its enforcement activity. International companies operating in or targeting Georgian residents now face a changed compliance environment. Inaction carries direct financial and reputational consequences.
Georgia's data protection legislation, enforced by the Inspector's Office, applies to any data controller or data processor handling personal data of Georgian residents – including businesses based outside the country. Enforcement actions issued in 2025 introduced stricter expectations around consent mechanisms, cross-border data transfer documentation, and breach notification timelines. Companies operating in Georgia without a current compliance review face exposure to administrative sanctions effective immediately upon investigation.
This alert outlines what has changed, which businesses are affected, and the immediate steps required to reduce regulatory risk in Georgia.
What changed and when it took effect
The Inspector's Office has adopted a more active enforcement posture under Georgia's personal data protection legislation. Several developments define this shift.
First, the Inspector's Office has clarified its position on consent mechanisms. Pre-ticked boxes and bundled consents are no longer treated as valid. Each processing purpose requires a separate, specific, and freely given consent. This applies to both online and offline data collection.
Second, the regulator has tightened scrutiny of data transfer arrangements. Transfers of personal data to third countries – including EU member states – must now be supported by documented safeguards. Standard contractual clauses or equivalent instruments must be in place before transfer occurs, not retrospectively.
Third, the Inspector's Office has shortened its practical expectations for breach notification. While the legislation sets a general notification obligation, recent enforcement guidance indicates that the regulator expects notification within 72 hours of a confirmed breach. aligning Georgian practice with GDPR compliance standards familiar to international operators.
These clarifications took effect through enforcement decisions issued throughout 2025 and are applied immediately to all ongoing and new investigations. There is no transitional grace period for businesses already operating in Georgia.
Who is affected and the threshold criteria
The Inspector's Office has broad jurisdiction. Any entity that processes personal data in connection with Georgian residents is subject to oversight. This includes foreign companies with no physical presence in Georgia, provided they offer goods or services to Georgian residents or monitor their behaviour.
Businesses most immediately at risk include:
- E-commerce platforms and digital service providers with Georgian user bases
- Financial institutions processing Georgian resident data for KYC or credit assessment
- Healthcare providers, clinics, and telehealth platforms handling sensitive personal data
- HR technology companies and employers with Georgian staff on Georgian payroll systems
- Technology companies transferring Georgian user data to servers outside the country
There is no minimum-size exemption. A small international operator processing Georgian resident data is subject to the same obligations as a large financial institution. The distinction the Inspector's Office draws is between entities that have documented their processing activities and those that have not. Undocumented processing – even if technically lawful – invites investigation.
For companies with existing EU GDPR compliance programmes, Georgian requirements will feel familiar in structure. However, there are differences in how the Sazogadoebrivi Informaciis Datsvis Inspeqtori (Inspector's Office) interprets consent and how it handles cross-border data transfer documentation. Assuming full equivalence between Georgian data protection legislation and GDPR is a common and costly error. Our data protection advisory practice in Georgia regularly identifies gaps in GDPR-aligned programmes that do not meet Georgian-specific requirements.
To explore how Georgia's enforcement posture intersects with AI-driven data processing in your business, see our analysis of AI and technology law in Georgia.
To receive an expert assessment of your data protection exposure in Georgia, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Companies processing Georgian resident data should treat the following steps as urgent. The Inspector's Office has demonstrated willingness to open investigations on the basis of complaints and its own monitoring activity.
- Audit your consent mechanisms. Review every data collection point touching Georgian residents. Confirm that consent is specific, informed, and separately obtained for each processing purpose. Remove bundled or implied consent structures immediately.
- Document your data transfer arrangements. Identify all outbound transfers of Georgian resident data. Confirm that appropriate safeguards – such as standard contractual clauses or an equivalent instrument – are in place and executed before the next transfer occurs.
- Establish a breach response protocol. Designate a responsible person for breach identification and notification. Ensure your internal escalation process can deliver a regulator notification within 72 hours of a confirmed incident.
- Map your processing activities. Maintain a record of processing activities that identifies each processing purpose, the legal basis, retention periods, and data categories. The Inspector's Office may request this documentation at the outset of any investigation.
- Review third-party processor contracts. Confirm that agreements with data processors operating on your behalf contain the obligations required under Georgian data protection legislation. Processors without adequate contractual coverage expose the controller to direct liability.
For international businesses with exposure across the CIS region, enforcement patterns in Georgia often signal broader regional regulatory shifts. A comparable analysis of enforcement developments in a neighbouring jurisdiction is available in our alert on data protection enforcement in Russia.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our team combines Portuguese civil law expertise with English common law tradition to deliver cross-border legal solutions in data protection compliance, regulatory investigations, and cross-border data transfer structuring. Working with a lawyer in Georgia through our network, and as a law firm in Georgia-facing matters, we support international companies in mapping their obligations under local data protection legislation and building defensible compliance programmes. Our data protection practice spans 15 practice areas and includes practitioners with experience before data protection authorities across CIS and European jurisdictions. The firm's Lisbon base provides direct access to EU regulatory standards, while our cross-border expertise supports enforcement and compliance strategies in high-growth markets including Georgia. For a preliminary review of your data protection exposure in Georgia, email info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.