
Harmonization of personal data protection legislation is one of the obligations assumed by Georgia under the Association Agreement with the European Union. According to the first annex of the Association Agreement, Georgia is obliged to bring its personal data protection legislation into compliance with European Union Directive No. 95/46/EC, Convention 108 of the Council of Europe and its Additional Protocol, as well as with the European Union Framework Decision 2008/977/JHA of November 27, 2008, and the Ministerial Decision of the Council of Europe with the recommendation of the Committee of November 15, 1987, No. R (87)15. This harmonization is also one of the important directions set out in the “Road Map of Georgia’s Integration into the European Union (RoadMap2EU)”.
The new Law of Georgia “On Personal Data Protection” is fully based on the General Data Protection Regulation (GDPR) of the European Union.
The GDPR was adopted by the European Parliament and the Council on April 27, 2016, and has been effective since May 25, 2018. The aforementioned regulation established new standards for personal data protection, and introduced new important concepts and institutions in the field of personal data protection, taking into account modern technological progress.
The GDPR applies not only to a company registered in the European Union, but also to a company registered in any other country that provides products or services in the territory of the European Union and, for this purpose, processes the personal data of persons in the territory of the European Union. Accordingly, the GDPR may also apply to legal entities registered in Georgia.
High fines are established for violation of the rules defined by the GDPR. In particular, there are two categories of fines, with maximum amounts of 10 million euros or 2% of global turnover (whichever is higher) and 20 million euros or 4% of global turnover (whichever is higher), respectively. The data subject can also request compensation for the damage caused.
Based on the above, even if your company is registered in, for example, Georgia, you may be subject to the GDPR and obliged to comply with it, depending on the nature of your activities.
Contact us for additional information and we will provide you with detailed information about your obligations.