THE OFFICE OF THE PERSONAL DATA PROTECTION INSPECTOR, GEORGIA
- Legal grounds for the protection of personal data in the national legislation
- The status and the legal position of national DPA
- The legal rights and the limitations of the national DPA
- Contact information
1) legal grounds for the protection of personal data in the national legislation:
On October 28, 2005 Georgian Parliament ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and thereby, undertook international obligation to implement data protection standards in its domestic legislation. On July 27, 2013 Georgia has also ratified the Additional Protocol to the Convention 108 regarding Supervisory Authorities and Trans-Border Data Flows.
The 1995 Constitution of Georgia provides for the individuals' right to personal and family privacy and privacy of communication, as well as access to the information about individuals processed by public institutions. In particular:
Article 15 of the Georgian Constitution
„Personal and family life shall be inviolable. This right may be restricted only in accordance with law for ensuring national security or public safety, or for protecting the rights of others, insofar as is necessary in a democratic society.
Personal space and communication shall be inviolable…“
Article 18 of the Georgian Constitution
„...Everyone has the right to be familiarised with information about him/her, or other information, or an official document that exists in public institutions in accordance with the procedures established by law, unless this information or document contains commercial or professional secrets, or is acknowledged as a state secret by law or in accordance with the procedures established by law as necessary in a democratic society to ensure national security or public safety or to protect the interests of legal proceedings.
The information contained in official records pertaining to an individual’s health, finances or other personal matters shall not be made available to anyone without the consent of the individual, except as provided for by law and as is necessary to ensure national security or public safety, or to protect public interests and health or the rights of others...“
The Law of Georgia on Personal Data Protection (hereinafter "The PDP Law") was adopted on December 28, 2011. The PDP Law lays down fundamental principles and guarantees of data protection, being in compliance with international and European standards. The Georgian Law on Personal Data Protection applies to the "processing of the data by automatic or semi-automatic means and to the processing by non-automatic means of personal data which form part of a filing system or are intended to form part of a filing system, as well as to the automatic processing of data for the purposes of the crime prevention, investigation, operative-investigational activities and protection of the rule of law regarded as state secret" (Article 3, Paragraph 1, PDP Law).
The PDP Law provides for basic principles that shall be followed while processing the personal data, as well as the specific grounds for the legitimacy of data processing. Separate grounds for processing of general personal data and sensitive data are envisaged by the mentioned Law. In addition, the PDP Law sets out specific regulations on biometric data, video surveillance and direct marketing. A separate Chapter deals with the obligations of data controller including, inter alia, obligation to provide information to the data subject, ensure data security, maintain filing system catalogues, etc. The rights of the data subject are also provided in a specific Chapter of the PDP Law. Under the current regulations the data subject has a right to request information or request to supplement, correct, block, destroy, delete or erase personal data; lodge an objection or an appeal.
Special provision of the Criminal Code of Georgia criminalizes violation of data protection rules and provides criminal sanctions for illegal and unlawful collection, disclosure, dissemination or other type of processing of personal data causing significant damage (Article 157, paragraph 1, Criminal Code of Georgia).
2) The status and the legal position of national DPA:
The Georgian Data Protection Authority - the Personal Data Protection Inspector is elected by the Parliament of Georgia. The Inspector is independent in exercising his/her powers and is not subordinated to any other public official or body. Any influence on the Inspector or interference in his/her activities is prohibited and punished by law (Article 31, paragraph 1, PDP Law). The Inspector enjoys guarantees and immunities.
The Inspector performs its functions and exercises its obligations through its Office.
3) The legal rights and the limitations of the national DPA:
The main functions of the Inspector and its Office include:
Limitations of the personal data protection authority
- Provision of consultations to public and private institutions, and individuals. The Office of the Inspector is open for consultations to assist any interested party in exercise of its rights and obligations under the PDP Law.
- Examination of the citizens’ applications. Citizens may challenge the lawfulness of processing operations before the Inspector by submitting a written application. On the basis of such application the Inspector shall launch the process of examination of the lawfulness of the processing operations challenged in the application.
- Inspection (examination) of the lawfulness of data processing in public and private institutions. The Inspector is empowered to conduct inspections on the basis of either citizens' applications or upon its own decision. The Inspector has access to and is authorized to request any information from data controllers, including information regarded as the state, commercial and professional secret.
- Imposition of sanctions. The Inspector is empowered to impose sanctions, including fines when data protection violation is revealed. Furthermore, the Inspector is authorized to give specific instructions to data controllers and data processors in order for them to bring data processing operations in compliance with the acting law.
- Raising public awareness and informing the public about the situation concerning data protection in Georgia. The Inspector is obliged to publish Annual Report on the state of personal data protection in the country. The Office of the Inspector actively works to raise public awareness among society through its web-page, social media, PSAs and other informational resources.
- Representation of Georgia on international level and participation in the activities of the international organizations working on the personal data protection.
- Conducting trainings and educational activities. The Office regularly provides trainings on the personal data protection issues for the public and private entities, as well as monthly trainings for any interested individual.
- Elaboration of guidelines and recommendations. The Office of the Inspector prepares thematic and sector specific guidelines and recommendations for data controllers and data processors to assist them in the process of the implementation of the provisions of the PDP Law in practice.
The Law on Personal Data Protection applies to the public as well as the private sector. The scope of the PDP Law and the mandate of the Inspector cover all types of data processing with the following exceptions: (i) data processing for personal purposes, (ii) data processing for the purposes of court proceedings, as far as it may damage the proceeding itself; (iii) processing of data for the purposes of state security (including economic security), defense, Intelligence and counterintelligence activities, (iv) processing of the personal information regarded as the state secret except the information processed for the crime prevention, crime investigation, operative-investigational purposes and for the protection of the public order.
4 ) Contact information:
The Office of the Personal Data Protection Inspector
7 Nato Vachnadze str.; 0105; Tbilisi, Georgia
Phone: (+995 32) 242 1000
Homepage: www.personaldata.ge; www.pdp.ge