THE OFFICE OF THE PERSONAL DATA PROTECTION INSPECTOR, GEORGIA
- The Legal grounds for the protection of the personal data
- The legal position of the personal data protection authority
- The legal rights of the personal data protection inspector and its office
- Limitations of the personal data protection authority
1. The Legal grounds for the protection of the personal data
On October 28, 2005 Georgian Parliament ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and thereby took international obligation to implement data protection standards in the domestic legislation. On July 27, 2013 Additional Protocol to the Convention 108 regarding Supervisory Authorities and Trans-Border Data Flows was also ratified.
The 1995 Constitution of Georgia provides for the individuals' right to privacy, as well as access to official public documentation.
Article 20 of the Georgian Constitution
"Everyone's private life, place of personal activity, personal records, correspondence, communication by telephone or other technical means, as well as messages received through technical means shall be inviolable."
Article 41 of the Georgian Constitution
"1. Every citizen of Georgia shall have the right to become acquainted, in accordance with a procedure prescribed by law, with the information about him/her stored in state institutions as well as official documents existing there unless they contain state, professional or commercial secret.
2. The information existing on official papers pertaining to individual's health, his/her finances or other private matters, shall not be accessible to anyone without the consent of the individual in question except in the cases determined by law, when it is necessary for ensuring the state security or public safety, for the protection of health, rights and freedoms of others."
Special Law on Personal Data Protection (hereinafter "The PDP Law") was adopted on December 28, 2011. The PDP Law lays down fundamental principles and guarantees of data protection, being in compliance with international and European standards. The Georgian Law on Personal Data Protection applies to the "processing of the data by automatic or semi-automatic means and to the processing by non-automatic means of personal data which form part of a filing system or are intended to form part of a filing system, as well as to the automatic processing of data for the purposes of the crime prevention, investigation, operative-investigational activities and protection of the public order regarded as state secret" (Article 3, Paragraph 1, PDP Law).
The Law foresees basic principles that shall be followed while processing the personal data and lays down the specific grounds for the legitimacy of data processing. There are separate grounds for the processing of general personal data and sensitive data. In addition, the Law provides for specific regulations on biometric data, video surveillance and direct marketing. A separate Chapter of the PDP Law deals with the obligations of data processor including, inter alia, obligation to provide information to the data subject, ensure data security, report to the Data Protection Inspector and maintain filing system catalogues. The rights of the data subject are also provided in a specific Chapter of the Law. Under the current regulations the data subject has a right to request information or request to supplement, correct, block, destroy, delete or erase personal data; lodge an objection or an appeal.
Special provision of the Criminal Code of Georgia criminalizes violation of data protection rules and provides criminal sanctions for illegal and unlawful collection, disclosure, dissemination or other type of processing of personal data causing significant damage (Article 157, Criminal Code of Georgia).
2. The legal position of the personal data protection authority
The Data Protection Supervisory Authority - the Personal Data Protection Inspector is elected by the Parliament of Georgia. The Inspector is independent in exercising his/her powers and is not subordinated to any other public official or body. Any influence on the Inspector or interference in his/her activities is prohibited and punished by the Law (Article 31, paragraph 1, PDP Law). The Inspector enjoys guarantees and immunities.
The Inspector performs its functions and exercises its obligations through its Office.
3. The legal rights of the personal data protection inspector and its office
The main functions of the Personal Data Protection Inspector and its Office include:
- Provide consultations to public and private institutions, and individuals. The office of the Inspector is open for consultations in order to establish correct practice of the personal data protection and to assist data controllers and data processors to follow the appropriate regulations. The Office also assists citizens to protect their rights.
- Consider applications of the citizens. Every person who thinks that his/her rights are violated in the field of the personal data protection has right to apply to the Inspector's Office and ask to stop or block illegal processing, to assess the lawfulness of the processing, etc.
- Inspect (examine) the lawfulness of data processing in public and private institutions. The Inspector is empowered to inspect data controllers and data processors on the basis of the citizens' applications and by its own initiative. The Inspector is authorized to get familiar with and request any information from the data controllers, including information regarded as the state, commercial and professional secret.
- Use sanctions. Personal Data Protection Inspector of Georgia is empowered to use sanctions, including fines in case the data protection violation is revealed.
- To raise the public awareness and inform the public about the situation concerning data protection in Georgia. The Inspector is obliged to publish Annual Report on the state of personal data protection in the country. The office of the Inspector is oriented to raise public awareness among society through its web-page, social media, PSAs and other informational resources.
- Represent Georgia on international level and participate in the activities of the international organizations working on the personal data protection.
- Provide trainings and educational activities. The Office of the Inspector regularly provides trainings on the personal data protection issues for the representatives of public and private bodies. Memorandums of Understanding were signed with several training centers of the public agencies and within the scope of the MOUs the personal data protection issues are included in the curriculum of the different training programs.
- Elaborate and Issue Guidelines and Recommendations. The Office of the Inspector prepares thematic and sector specific guidelines and recommendations for data controllers and data processors to assist in the process of the implementation of the provisions of the PDP Law in practice.
4. Limitations of the personal data protection authority
The Law on Personal Data Protection applies to the public as well as to the private sector. The scope of the PDP law and the mandate of the Inspector cover all types of data processing with the following exceptions: (i) data processing for personal purposes, (ii) data processing for the purposes of court proceedings, as far as it may damage the proceeding itself; (iii) processing of data for the purposes of state security (including economic security), defense, Intelligence and counterintelligence activities, (iv) processing of the personal information regarded as the state secret except the information processed for the crime prevention, crime investigation, operative-investigational purposes and for the protection of the public order.
The Office of the Personal Data Protection Inspector
15 Apakidze str.; 0171; Tbilisi, Georgia
Phone: (+995 32) 242 1000
Homepage: www.personaldata.ge; www.pdp.ge