Introduction
On June 14, 2023, the Parliament of Georgia took a significant step toward safeguarding personal privacy by adopting a new Law “On Personal Data Protection”. Entering into force on March 1, 2024, the legislation marks a transformative shift in Georgia’s legal framework for data protection, aligning it more closely with the European Union’s (EU) General Data Protection Regulation (GDPR).
While the Georgian model strongly reflects the structure and spirit of the GDPR, it introduces its own nuances – making it both a reflection of and a departure from its EU counterpart. This development holds substantial implications not just for individuals and organizations in Georgia but also for data controllers and processors across Europe who interact with Georgian entities. Understanding the new rights, institutional reforms, and enforcement challenges is essential for all stakeholders navigating this new legal terrain.
The law introduces a comprehensive set of rights for data subjects, reflecting the influence of the GDPR. These include the right to access, correct, delete, and restrict the processing of personal data, as well as the right to data portability and to object to certain types of processing. Data subjects have to be informed at the point of data collection. Information must be provided in a clear and accessible format, ensuring that individuals are aware of how their data is being processed, for what purpose, and by whom.
These obligations are critical in promoting transparency and ensuring informed consent, key principles under both Georgian and EU data protection laws. However, rights on paper do not automatically translate into rights in practice. Their effective implementation requires robust compliance frameworks, transparent internal processes, and institutional readiness – areas where both Georgia and many EU member states continue to face challenges.
Institutional Reform and Impact
One of the most important features of the new law is the affirmation of the institutional independence of the Personal Data Protection Service (PDPS). As a state authority, the PDPS has been empowered to oversee compliance with the new law, investigate violations, issue fines, and ensure that individuals can exercise their rights effectively. The independence of data protection authorities is a cornerstone of the GDPR. It ensures that enforcement is free from political influence and that regulatory decisions are based purely on legal and technical grounds. Georgia’s move to formally establish and empower the PDPS in this way is a clear indication of its commitment to aligning with international best practices.
Interestingly, the introduction of the new legislation has already had a measurable impact on data protection activity. In 2024, the PDPS received 1,662 applications and notifications from data subjects – a significant increase compared to previous years. Of these, 52% (863) were applications and 48% (799) were notifications. Notably, 90% (1,486) concerned data processing by private organizations, while 8% (140) involved public institutions and 2% (36) were related to law enforcement agencies.
This upward trend marks a substantial increase from 2023, when the PDPS processed 526 total submissions, of which 83% (436) were applications and 17% (90) were notifications. The breakdown that year showed 66% (350) of submissions related to private entities, 23% (120) to public institutions, and 11% (56) to law enforcement bodies.
Looking back further, in 2022, the Service received 447 submissions, with 64% (287) being applications and 36% (160) notifications. The data processing sectors involved were similar: 62% (277) related to private institutions or individuals, 21% (93) to public institutions, and 17% (77) to law enforcement agencies.
These year-on-year increases in both the number and complexity of cases suggest growing public awareness of data rights, increased scrutiny of private sector practices, and an expanding role for the PDPS in regulatory oversight.
Capacity and Challenges
Yet institutional independence alone does not guarantee effectiveness. The real test lies in the PDPS’s operational capacity – including adequate funding, staff expertise, and technological infrastructure. While the rising volume of cases handled by the PDPS reflects growing engagement, it also raises questions about the authority’s ability to keep pace with demand.
Georgia’s experience mirrors trends across the EU, where Personal Data Protection Authorities have also faced mounting caseloads without proportional increases in resources. Without strong institutional support, enforcement risks becoming symbolic rather than substantive.
Convergence and Divergence from GDPR
The Georgian law is clearly inspired by the GDPR and the Law Enforcement Directive (LED). It incorporates core principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. By aligning Georgian regulations with European standards, these shared principles ensure that personal data can be transferred more smoothly across borders while maintaining high levels of protection, thereby strengthening both legal compatibility and public trust.
However, the Georgian legislation is not a carbon copy of the GDPR. The Law of Georgia “On Personal Data Protection” is closely harmonized with EU standards in terms of substantive rights and legal grounds for processing. Its most distinctive features are: shorter statutory deadlines for fulfilling data subject requests (10 working days versus the GDPR’s one month), additional notification and procedural duties (e.g., informing all recipients of rectification, linking blocking to specific data), broader grounds for refusing erasure and additional restriction grounds not explicitly listed in the GDPR.
These differences suggest that Georgia’s framework, while EU-aligned, is in some respects stricter and more procedurally prescriptive, reflecting a legislative preference for rapid compliance and detailed notification duties. However, the absence of certain GDPR-style transparency safeguards in restriction measures may represent an area for further alignment. For data controllers and processors operating cross-border, understanding these differences is essential. Misinterpreting obligations due to superficial similarities could result in non-compliance or delayed enforcement responses.
While the core rights are aligned, there are some variations in the way they are defined, applied and enforced.
Under both Georgian law and the GDPR, data subjects are entitled to confirmation from the controller regarding whether their personal data are being processed, information on the lawfulness of processing, and access to relevant details free of charge. The two regimes share the requirement that information must be transparent, clear, and accessible. However, Georgia imposes shorter response deadlines: 10 working days from receipt of the request, extendable once by up to 10 additional working days, with immediate notification to the requester. Under the GDPR, the deadline is one month, extendable by two additional months for complex or numerous requests. Fee provisions are similar, allowing charges when requests are repetitive, excessive, or require disproportionate resources.
Georgia adopts stricter deadlines for rectification: inaccuracies must be corrected, updated, or completed within 10 working days. Refusals must include the grounds and appeal procedures. Georgian law additionally obliges controllers to notify all relevant recipients of the rectification, a duty that is broader and more prescriptive than under the GDPR.
Both frameworks provide for exceptions where erasure is not required, such as for the exercise of freedom of expression and information, compliance with legal obligations, public health interests, archiving, research, or statistical purposes, and legal claims. Georgian law matches these grounds but adds a broader residual right for controllers to refuse erasure where processing is otherwise legally justified. The deadline for compliance is again shorter – 10 working days unless otherwise provided by law – compared to the GDPR’s one-month period.
The conditions for data blocking are largely consistent with the GDPR, but Georgian law adds additional grounds, specifies the maximum duration, requires linking the decision to specific data, and mandates notification to the data subject within three working days of the request or refusal.
The right to data portability is a new addition to Georgian law and is closely aligned with the GDPR’s provisions. The same limitations apply, including safeguarding the rights of others and restricting applicability where processing serves public-interest tasks.
Georgia’s approach to automated decision-making is fully compatible with the GDPR. Decisions with legal or significant effects cannot be based solely on automated processing. Special category data may be used only where strictly necessary and with safeguards. Georgia lists specific legal bases covering consent, law enforcement/public interest, and cybersecurity purposes.
Both regimes allow withdrawal of consent at any time. Georgian law prescribes that no justification is required, the withdrawal must be made in the same form as the original consent, data processing must cease and the data be deleted within 10 working days, and the data subject must be informed of the legal consequences.
The right to appeal to a supervisory authority, court, or higher administrative authority is protected under both Georgian and EU law.
Restrictions are permitted if lawful, necessary, proportionate, and in line with fundamental rights. While the grounds in Georgian law generally match those in the GDPR, Georgia also explicitly allows restrictions to protect state, commercial, professional, and other legally protected secrets. Georgia’s proportionality principle is explicit, and the burden of proof rests on the controller. Controllers must inform the data subject of restrictions unless this would undermine the purpose. Unlike the GDPR, Georgia does not mandate minimum transparency elements in restriction orders (e.g., purpose, scope, categories of data affected).
Toward a Culture of Data Protection
Laws alone cannot create a culture of data protection. Building such a culture requires active participation by businesses, civil society, and individuals. Organisations must move beyond mere compliance and adopt a privacy-by-design approach, embedding data protection principles into products and services from the outset. For this to happen, clear guidance must be provided by the Personal Data Protection Service (PDPS), training programmes must be implemented across both public and private sectors, and individuals must have access to tools and awareness campaigns to understand and exercise their rights. The GDPR experience shows that even the most comprehensive legal frameworks can falter if compliance is treated as a box-ticking exercise rather than a core business value. In this spirit, the PDPS actively conducts educational initiatives on data processing and protection. To raise public awareness, it regularly organises public lectures, information sessions, and training programmes for representatives of the private and public sectors, as well as law enforcement agencies. In 2024, the Service held 108 events attended by 6,522 participants, including both data subjects and data controllers/processors – a marked increase from 2023, when 62 events attracted 3,158 participants. These efforts reflect the Service’s commitment to fostering a proactive and informed data protection culture across the country.
Conclusion
Georgia’s alignment with the GDPR is not just a legal milestone; it also raises the question of whether the country’s framework might one day qualify for an EU adequacy decision, or whether current implementation gaps could risk undermining that trajectory. It’s a strategic move to foster trust, enhance digital governance, and potentially facilitate international data flows, especially with the EU. As digital trade and cross-border data transfers become increasingly important, adequate data protection laws serve as a gateway to economic and political partnerships.
Georgia’s journey is just beginning. The coming years will determine whether its legal reforms will translate into tangible protections for individuals and predictable frameworks for businesses. The country must navigate institutional learning, the practical implementation of data protection rights, the digital literacy gap among citizens, and the evolving global landscape, including AI governance and cross-border enforcement cooperation.
The new data protection law is a commendable step toward modernizing privacy protections and aligning with European standards. While it echoes the GDPR in structure and spirit, it brings its own challenges and context-specific nuances. The success of this legal framework will depend on how well it is enforced, how effectively institutions perform, and how committed society is to protecting personal data. As both Georgia and the EU continue to refine their approaches to data protection, collaboration and mutual learning between their Data Protection Authorities will be vital. Georgia has the opportunity not only to protect its citizens but also to serve as a model for emerging democracies navigating the complexities of digital governance.
This reform is more than just a GDPR echo – it’s a signal that digital rights are becoming a serious priority in emerging democracies. The real test now is turning paper rights into daily protections.