
Data Protection in Georgia

An international company expanding into the South Caucasus sets up operations in Tbilisi and begins collecting customer data from users across Georgia, Russia, and the EU. Within weeks, a local employee raises a complaint about internal HR records. A regulatory inquiry follows. The company discovers that its standard GDPR-based privacy policy does not satisfy Georgian law – and that the applicable consent mechanism, notification obligations, and enforcement powers differ in ways its compliance team never anticipated.

Data protection in Georgia is governed by a dedicated personal data protection law administered by the Personal Data Protection Service, the national supervisory authority known in Georgian as the Samokalako Monacemebis Dacvis Samsakhuri (Personal Data Protection Service of Georgia). Businesses that collect, store, or transfer personal data in Georgia must register as a data controller or data processor, implement documented processing grounds, and notify the authority of high-risk processing activities. The authority holds inspection, sanction, and corrective-order powers that can result in mandatory remediation within defined deadlines.

This page covers the Georgian data protection regime in full: the applicable legislative regime, key compliance instruments, common cross-border pitfalls, the EU and Russia-facing dimensions, and a practical self-assessment checklist for international operators.

Georgia's personal data protection regime: legislative foundations and regulatory scope

Georgia's personal data protection rules derive from a standalone body of privacy legislation that was substantially modernised to align with European standards. The law draws on GDPR compliance principles while adapting them to Georgia's civil law tradition and administrative structure. This alignment is not accidental. Georgia's EU Association Agreement created a legal convergence obligation, and the domestic legislative regime reflects that trajectory.

The Personal Data Protection Service – the Georgian DPA – operates as an independent supervisory authority with a mandate covering both public and private sector processing. It issues binding guidelines, conducts inspections, and imposes administrative sanctions. Its decisions are subject to judicial review before the administrative courts.

Under Georgian privacy legislation, the concepts of data controller and data processor closely mirror their EU counterparts. A data controller determines the purposes and means of personal data processing. A data processor processes data on behalf of a controller under a documented processing agreement. Both categories carry distinct obligations. Controllers bear primary responsibility for lawfulness, transparency, and data subject rights. Processors must act only on documented instructions and implement adequate technical and organisational security measures.

The law covers all natural persons whose data is processed on Georgian territory, regardless of the nationality or residency of the data subject. It applies to foreign companies that process Georgian residents' data through a local establishment or – critically – by targeting Georgian residents from abroad. This extraterritorial element is frequently overlooked by international operators who assume Georgian law only applies once a local entity is incorporated.

Processing grounds under Georgian law include consent, contractual necessity, legitimate interest, legal obligation, and vital interests of the data subject. Each ground carries specific documentary requirements. Consent must be freely given, specific, informed, and demonstrable. The consent mechanism used must be capable of evidencing affirmative action – pre-ticked boxes and silence are insufficient. For sensitive personal data categories – including health, biometric, religious, and political data – the threshold for lawful processing is higher, and most processing grounds that apply to ordinary data are unavailable.

Organisations subject to the law must also appoint a responsible person for data protection matters when the volume or sensitivity of processing meets specified thresholds. This role functions analogously to a Data Protection Officer under EU law, though the formal designation requirements differ. Practitioners in Georgia note that the practical expectation from the DPA is that larger organisations and those processing sensitive data will have a named contact point accountable for compliance.

Registration, notification, and key compliance instruments

One of the most common compliance gaps for foreign businesses entering Georgia is the failure to register with the Personal Data Protection Service before beginning data processing operations. Georgian privacy legislation requires controllers engaged in processing that meets defined risk thresholds to notify the DPA in advance. This obligation applies even where the business has no Georgian legal entity – if data of Georgian residents is processed through Georgian-based systems or infrastructure, notification may be required.

The registration procedure requires submission of prescribed information about the controller's identity, the categories of data processed, processing purposes, the legal basis for each processing activity, data retention periods, and security measures in place. Processing activities classified as high-risk, including large-scale profiling, systematic monitoring of public spaces, and processing of special categories of data, are subject to enhanced prior notification obligations and, in some cases, mandatory prior consultation with the DPA.

Once registered, the controller must maintain an internal record of processing activities. This record must be kept current and made available to the DPA upon request. A common mistake by international companies is treating this record as a one-time filing rather than a living document. When business activities change – for example, when a new HR system is deployed, a new marketing analytics platform is integrated, or a new product category is launched – the processing record must be updated. Failure to do so does not merely create a documentation gap. It can constitute a separate compliance violation if the DPA identifies processing activities that are not reflected in the record.

Data subject rights under Georgian law include the right of access, rectification, erasure, restriction of processing, and objection. Response timelines are set by legislation. Controllers must acknowledge data subject requests and provide substantive responses within the prescribed period. For access requests, the practical challenge is often assembling data held across multiple systems. Organisations without a unified data mapping exercise in place routinely fail to provide complete responses on time – an outcome that triggers regulatory scrutiny even where the underlying processing is lawful.

Data breach notification obligations apply where a security incident results in accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. Controllers must notify the Personal Data Protection Service within the timeframe stipulated by the legislation. Where the breach creates a high risk of harm to data subjects, direct notification to those individuals is also required. The notification must identify the nature of the breach, the categories of data affected, the likely consequences, and the remedial measures taken or planned.

For international businesses operating platforms that connect to users in Georgia through AI-driven systems or automated decision tools, Georgian privacy legislation intersects with emerging technology regulation. For clients assessing how those obligations interact with data protection duties, our analysis of AI law in Georgia covers the relevant regulatory considerations.

To receive an expert assessment of your data protection compliance obligations in Georgia, contact us at info@ferrazwhitmore.com.

Practical pitfalls for international operators in Georgia

Georgia occupies a distinctive position in the data protection landscape. It is a country that has actively aligned its privacy rules with European standards while maintaining its own regulatory identity, enforcement culture, and procedural norms. International operators who assume that GDPR compliance is a substitute for Georgian compliance encounter problems quickly.

The first and most significant pitfall is the assumption of equivalence. GDPR compliance does not equal Georgian law compliance. The two regimes share a conceptual vocabulary – data controller, data processor, consent mechanism, lawful basis – but differ in registration thresholds, notification timelines, enforcement procedures, and the specific content required in privacy notices. A privacy policy drafted for an EU audience will often fail to satisfy Georgian mandatory disclosure requirements, particularly around the identity and contact details of the responsible person, the basis for data transfer outside Georgia, and the mechanism for exercising data subject rights under Georgian law.

The second common problem relates to cross-border data transfers. Georgia's legislation imposes restrictions on transferring personal data to third countries. Transfers to countries that do not offer an adequate level of protection require a legal basis – typically contractual safeguards, binding corporate rules, or explicit consent. Many international operators transfer data to cloud infrastructure, CRM platforms, or analytics tools hosted outside Georgia without considering whether those transfers meet the legislative requirements. The DPA has indicated enforcement interest in this area. When a regulatory inquiry begins, the burden of demonstrating a valid transfer basis falls on the controller.

A third area of difficulty involves employment data. Georgian labour practice intersects with data protection in ways that surprise international HR teams. Processing employee data for performance monitoring, location tracking, or communications surveillance requires a lawful basis beyond general employment consent. The courts and the DPA have emphasised that consent from employees is structurally compromised by the power imbalance of the employment relationship. Legitimate interest or contractual necessity is typically the more defensible basis for employment data processing – but it must be documented and proportionate.

Subcontractor chains also create exposure. Where a Georgian business uses international SaaS tools, payment processors, or IT service providers, each tool that accesses personal data constitutes data processor engagement. Each such engagement requires a written data processing agreement that meets Georgian legislative requirements. Many companies sign standard vendor terms without considering whether those terms satisfy Georgian processor agreement obligations. When the DPA investigates, absent or deficient processor agreements are among the first findings.

Cross-border strategy: EU and Russia-facing dimensions

Georgia sits at an intersection of regulatory influence that is legally significant for international operators. On one side, the EU Association Agreement and the approximation trajectory of Georgian law create strong alignment with European data protection principles. On the other side, a significant share of businesses operating in Georgia maintain data flows to and from Russia, creating a separate and more complex regulatory exposure.

For EU-facing businesses, Georgian data protection law increasingly provides a recognisable compliance environment. Controllers who maintain EU GDPR compliance programmes can, with targeted adaptations, satisfy Georgian requirements. The gaps to address are specific: Georgian registration and notification requirements, the precise content of local privacy notices, data subject response procedures under Georgian procedural rules, and the basis for international data transfers. A well-designed dual-compliance programme can cover both regimes without duplicating effort.

The Russia-facing dimension requires careful analysis. Russia's personal data localisation rules require that personal data of Russian citizens be stored on servers physically located in Russia. A Georgian business that processes data about Russian nationals, including in the context of e-commerce, HR, or financial services, may need to maintain parallel infrastructure to satisfy Russian localisation requirements while also complying with Georgian data protection law. These obligations do not simply coexist. They can conflict when Georgian law requires that data be transferred to a Georgian processor or when EU GDPR imposes restrictions on transfers to Russian infrastructure. Managing this triangular compliance position is one of the more technically demanding aspects of operating between the two systems. Our analysis of data protection in Russia addresses the localisation regime and its interaction with cross-border business models.

For businesses with EU investors, EU customers, or EU data processors, there is also a question of whether EU GDPR applies extraterritorially to Georgian operations. Where a Georgian entity offers goods or services to EU residents or monitors their behaviour, EU GDPR may apply concurrently with Georgian law. This is not a hypothetical concern for technology companies, e-commerce platforms, or financial services operators serving a pan-regional market from a Georgian base. Managing concurrent obligations requires a documented compliance position that identifies which regime governs which processing activity and where the rules align or diverge.

For businesses considering the Georgian market as part of a broader regional structure, our guide to company formation in Georgia provides the corporate foundation on which a compliant data processing structure can be built.

To discuss a tailored strategy for managing data protection obligations across Georgia and connected jurisdictions, reach out to info@ferrazwhitmore.com.

Self-assessment checklist for data protection in Georgia

Georgian data protection law applies to your business if one or more of the following conditions are met:

  • You have a legal entity, branch, or representative office established in Georgia.
  • You process personal data of Georgian residents from abroad by targeting them with goods, services, or content.
  • You use Georgian-based infrastructure, servers, or local employees to process personal data.
  • You operate an employment relationship subject to Georgian labour law and process HR data.
  • You are a data processor acting on behalf of a Georgian data controller.

Before initiating or continuing data processing operations in Georgia, verify the following:

  • Is your organisation registered with the Personal Data Protection Service where registration is required by your processing risk profile?
  • Does your internal record of processing activities accurately reflect all current processing operations, including cloud tools, analytics platforms, and subcontracted services?
  • Is the consent mechanism used for user-facing data collection compliant with Georgian law – affirmative, specific, and documented?
  • Do you have written data processing agreements in place with all third-party processors accessing Georgian personal data?
  • Is the basis for any cross-border data transfer to non-adequate countries identified and documented?
  • Can you respond to data subject access, rectification, and erasure requests within the prescribed statutory period?
  • Does your data breach response procedure identify the notification timeline and content requirements under Georgian legislation?
  • If you process data about Russian nationals or EU residents from a Georgian base, have you mapped the concurrent localisation and transfer obligations?

If the answer to any of the above is unclear or negative, the compliance gap should be addressed before the DPA initiates a review. Regulatory inquiries in Georgia move quickly once triggered. The cost of remediation under inquiry conditions – including mandatory corrective orders, potential sanctions, and reputational consequences – consistently exceeds the cost of proactive compliance.

Frequently asked questions

Q: Does a foreign company with no Georgian entity need to comply with Georgian data protection law?

A: Potentially, yes. Georgian privacy legislation can apply to foreign companies that target Georgian residents with goods or services, or that process their data through Georgian-based systems, even without a local legal entity. Engaging a lawyer in Georgia with cross-border data protection experience is the appropriate first step to assess the specific territorial nexus and determine whether registration or notification obligations apply.

Q: How long does it take to complete DPA registration in Georgia, and what is the process?

A: The registration process with the Personal Data Protection Service typically involves submission of a prescribed notification covering processing purposes, data categories, legal bases, retention periods, and security measures. Processing by the authority generally takes a matter of weeks from receipt of a complete submission. The timeline can extend if supplementary information is requested. Delays most commonly arise from incomplete mapping of processing activities prior to submission – a problem that a structured pre-registration data audit addresses directly.

Q: Is Georgian data protection law essentially the same as GDPR?

A: Georgian law is aligned with GDPR principles but is not identical to it. The two regimes share key concepts – data controller, data processor, consent, lawful basis – but differ in registration requirements, notification procedures, privacy notice content, and enforcement mechanisms. A common misconception among international clients is that maintaining GDPR compliance is sufficient for Georgian operations. In practice, separate Georgian-specific compliance steps are required, particularly around DPA registration, local privacy notice content, and the documented basis for cross-border data transfers.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions on data protection, technology regulation, and cross-border compliance. Our team works with international entrepreneurs, institutional investors, and in-house legal teams navigating personal data protection obligations across civil law and common law systems. In Georgia and the wider CIS region, we advise on DPA registration, consent mechanism design, cross-border data transfer structuring, processor agreement frameworks, and regulatory inquiry response. The firm's data protection practice covers jurisdictions across Europe, the South Caucasus, Central Asia, and the Middle East, supported by a network of local counsel. Our attorneys have advised on data protection compliance matters across both the GDPR-aligned European environment and jurisdictions with distinct national legislative regimes, including localisation requirements and concurrent multi-jurisdictional obligations. As an international law firm advising clients on data protection in Georgia and connected markets, Ferraz & Whitmore combines analytical depth with practical experience before national data supervisory authorities. To discuss your data protection position in Georgia, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.