FREQUENTLY ASKED QUESTIONS

If, in the course of data processing, there is a high likelihood of posing a risk to an individual’s fundamental rights and freedoms - taking into account the use of new technologies, the categories and volume of data, as well as the purposes and means of the data processing - the company is obligated to carry out a Data Protection Impact Assessment (DPIA) in advance, before commencing data processing operations.

Additionally, this obligation applies if the organization carries out any of the following activities:

  • Makes decisions that have legal, financial, or similarly significant effects on a data subject and the decisions are made entirely through automated processing, including profiling (in such cases, the organization must have full knowledge of the mechanisms used for automated individual decision-making or profiling, which can be achieved through an impact assessment);
  • Processes special categories of personal data of at least 3% of the population of Georgia, as calculated based on the most recent population census;
  • Conducts systematic and large-scale monitoring of individuals’ behavior in publicly accessible areas.

The company must carry out a separate Data Protection Impact Assessment for each data processing activity.

The organization is obliged to ensure the recording of all actions performed on data in electronic form (including incidents, data collection, modification, access, disclosure (transfer), linking and deletion) through the same electronic system through which the data is processed.

Achieving this objective is not possible if actions carried out within the electronic system are recorded in a separate file and/or in physical (paper-based) form.

Accordingly, the electronic system used for data processing must include an electronic journal (also known as logging) to record actions performed on the data.

 

The right to data portability enables the data subject to obtain and reuse their personal data from a data controller for their own purposes and across different services. This right facilitates the ability of the data subject to easily transfer personal data and its copies from one information technology environment to another without hindrance.

To exercise the right to data portability, the personal data must be processed by automated means (excluding physical or paper-based files) and based either on the data subject’s consent or on a contract to which the data subject is a party.

Under this right, the data subject is entitled to receive the personal data they have provided to the data controller in a structured, commonly used, and machine-readable format. However, the right of access and the data subject to receive information on the processing of data and to obtain its copy is a general right that is not subject to specific conditions and can be exercised independently.

 

In cases where the electronic system used for processing personal data

“Cookies” are small text files that a platform stores on a data subject’s device (such as a smartphone, computer, etc.) when the user visits a website. One of the main purposes of using cookies is to analyze user activity and provide personalized content.

Cookies can be categorized as either essential or non-essential.

Essential cookies are necessary for the basic functionality of the website. Therefore, the data controller is required to inform the data subject about the use of such cookies upon their visit to the website. Non-essential cookies, on the other hand, allow the platform to process additional data that is not strictly necessary for the website’s operation - such as third-party cookies or advertising cookies used to deliver personalized advertising content to the user. If the use of non-essential cookies involves the processing of the visitor’s personal data, the data subject’s consent must be obtained prior to their use.

The processing of biometric data is permissible only under the following conditions:

  • The processing of biometric data is necessary for the performance of activities, ensuring security, protecting property, or preventing the disclosure of confidential information;
  • Furthermore, these objectives cannot be achieved by other means, or doing so would require a disproportionately high effort.

In addition to the above, Article 9 of the Law of Georgia “On Personal Data Protection” explicitly sets out the cases in which the processing of biometric data is permitted by law.

Thus, the data subject’s written consent cannot serve as a legal ground for the processing of biometric data.

Artificial Intelligence systems may often require the processing of personal data of various individuals during their development, deployment, and application (including collection, storage, and other operations).

Accordingly, the Law of Georgia “On Personal Data Protection” applies both to the processing of personal data within the lifecycle of the AI systems, as well as to the processing of third-party personal data by individuals or entities using such technologies.

According to the established practice, the transfer of personal data internationally based on the data subject’s consent constitutes an exception to the general principle governing international transfers of personal data.

If the data importer State to does not ensure adequate safeguards for data protection, it is essential that the data controller first establish such safeguards through a contract concluded with the relevant public authority of that State, a legal entity, a natural person, or an international organization.

Based on the contract mentioned above, such transfer of personal data may only take place upon obtaining a prior permit from the Personal Data Protection Service of Georgia, the procedure for the transfer in these circumstances is determined by a normative act issued by the President of the Service.

The data subject has the right to withdraw their consent at any time, without the need for any explanation or justification. In such cases, the processing of personal data must be terminated and/or the processed data must be deleted or destroyed within no more than 10 working days from the date of the request, unless there is another legal grounds for data processing.

If the data subject withdraws their consent and the data controller continues data processing based on another legal ground, the data subject shall be promptly informed thereof.

The Law of Georgia “On Personal Data Protection” establishes the obligation to define matters related to video and audio monitoring in writing. However, it does not preclude the data controller from developing a unified personal data protection policy document that outlines various aspects of data processing.

If an organization uses the personal data protection policy as the basis for informing data subjects about the use of their personal data, the information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Considering this, it is advisable to define video or audio monitoring issues in a separate written document.

The obligation to create a privacy policy derives from Article 4(1) of the Law of Georgia “On Personal Data Protection”, which establishes the requirement for transparent processing of personal data. It also stems from the Articles 24 and 25 of the mentioned law, which stipulate that the data controller must provide the data subject with comprehensive information regarding the processing of their personal data.