Business Center "Mosaic"


Amendments to the Law

From March 1, 2024, the main provisions of the new law of Georgia "On Personal Data Protection" come into force. The changes concern the following issues:

Video/audio monitoring

The person responsible for processing in the case of video/audio monitoring (the person who processes the data directly or through a person authorized for processing) is obliged to define in writing, in accordance with the principles established by law, the purpose and scope of the video/audio monitoring, its duration, the storage period of the recording, access to the recording, the manner and conditions of its storage and destruction, and the mechanisms for protecting the rights of the data subject.

The video/audio monitoring system and recordings must be protected from unauthorized access and use. The person responsible for processing must ensure that records are kept of each instance of access, including the time of access and the user name that allows the identification of the person making the access.

Additional requirements have been established regarding the information to be included on the warning sign. In particular, the sign should contain an appropriate inscription, an easy-to-understand image indicating that video/audio monitoring is in progress, and the name and contact information of the person responsible for processing. In addition, the person responsible for processing/the person authorized for processing (the person who processes the data for or on behalf of the person responsible for processing) is exempted from this obligation under the new law with respect to warning signs posted before March 1, 2024.

Video monitoring of the work process/workspace of an employed person is permitted only in exceptional cases, if the objectives specified for the video monitoring cannot be achieved by other means or would require a disproportionately large effort. In this case, the employed person must be warned in writing about the specific purpose(s) of the video monitoring.

Audio monitoring is allowed with the consent of the data subject, for the production of minutes, to protect an important legitimate interest of the person responsible for processing (provided that appropriate and specific measures are determined to protect the rights and interests of the data subject), and in other cases directly provided for by the legislation of Georgia. In addition, the person responsible for processing is obliged to warn the data subject about the audio monitoring in advance or at its beginning and to explain his/her right to refuse (if any).

The law prohibits the implementation of video monitoring in changing rooms, areas designated for hygiene or in such a space where the subject has a reasonable expectation of privacy and/or the implementation of video monitoring is contrary to generally recognized moral norms.


Data processing for direct marketing purposes

Direct marketing is defined as the direct provision of information to the data subject by telephone, mail, e-mail or other electronic means in order to generate interest in an individual and/or legal entity, goods, idea, service, work and/or initiative, as well as in image and social issues, for maintenance, marketing and/or support purposes.

Regardless of the basis on which the data were collected/retrieved and regardless of their availability, data may be processed for direct marketing purposes only with the consent of the data subject. Moreover, for the processing of any data other than the name, surname, address, telephone number and e-mail address of the data subject for direct marketing purposes, the written consent of the data subject is required.

Before obtaining the consent of the data subject and during the implementation of direct marketing, the person responsible for processing/the person authorized for processing must explain to the data subject, in clear, simple and understandable language, his/her right to withdraw consent at any time and the mechanism/rule for exercising this right. In addition, the time and fact of consent to data processing and of withdrawal of consent must be recorded and stored for the duration of the direct marketing and for 1 year after its termination.

The processing of personal data for direct marketing purposes must be terminated within a reasonable time after receiving the relevant request from the data subject, but no later than 7 working days. In addition, the data subject must be able to request the termination of data processing for direct marketing purposes in the same manner in which the direct marketing is carried out, or another available and adequate means of requesting termination must be determined.

It is not allowed to impose any fees or other restrictions on the exercise of the data subject's right to withdraw consent.


Data security and information accounting

The person responsible for processing is obliged to take appropriate technical and organizational measures to ensure that data are processed in accordance with the law and to be able to demonstrate that compliance. In addition, the effectiveness of the technical and organizational measures taken to ensure data security must be evaluated periodically and, if necessary, adequate data security measures must be taken and/or updated.

The person responsible for processing and the person authorized for processing are obliged to implement data pseudonymization, data access accounting, information security mechanisms (confidentiality, integrity, availability) and other measures that protect data against loss and against illegal processing, including destruction, deletion, modification, disclosure or use. When fulfilling these obligations, the data categories, volume, purpose of processing, form and means of processing, and the possible threats to the rights of the data subject must be taken into account.

The scope of data access of every employee of the person responsible for processing and of the person authorized for processing must be determined, and adequate measures must be taken to prevent and detect illegal data processing by employees. This includes informing employees about data security issues so that an employee does not exceed the authority granted to him/her, and obliging employees to protect data secrecy and confidentiality, including after termination of employment.

The person responsible for processing and the person authorized for processing are obliged to ensure that all actions performed on data in electronic form are recorded: data collection, modification, access, disclosure (transfer), linking and deletion, as well as incidents (breaches of data security that lead to improper or accidental damage to or loss of data, or to unauthorized disclosure, destruction, modification, access, collection/retrieval or other unauthorized processing). When processing data in non-electronic form, they are obliged to record all actions (including information about incidents) related to data disclosure and/or modification.

The person responsible for processing is obliged to record the incident, its consequences and the measures taken, and to notify the Personal Data Protection Service about it in writing or electronically no later than 72 hours after the discovery of the incident, and, in the cases provided for by law, also to notify the data subject.

The person responsible for processing is obliged to record, in writing or electronically, and upon request to provide to the Personal Data Protection Service immediately, but no later than within 3 working days, the following information related to data processing:

the identity/title and contact information of the person responsible for processing, the special representative, the personal data protection officer and the person authorized for processing;

the purposes of data processing;

the data subjects and data categories;

the categories of data recipients (including recipients in another state or international organization);

the transfer of data to another state or international organization and the appropriate data protection guarantees, including the permission of the Personal Data Protection Service (if any);

the data storage periods and, if a specific period cannot be determined, the criteria for determining the storage period;

a general description of the organizational and technical measures adopted for data security;

incidents (if any).

The law can be read in full at the following link: https://shorturl.at/fhsz7