ESTABLISHMENT OF PERSONAL DATA PROTECTION SERVICE OF GEORGIA

Actions taken:

1. ESTABLISHMENT OF PERSONAL DATA PROTECTION SERVICE OF GEORGIA

On March 1, 2022, the Personal Data Protection Service of Georgia (hereinafter PDPS or Service) was established as an institutionally independent personal data protection supervisory authority, which is accountable only to the Parliament of Georgia. In general, the control over the lawfulness of personal data processing in Georgia dates back to 2013. The main directions of the activities of the Service encompass control over the lawfulness of data processing and monitoring of covert investigative actions and of the activities carried out at the central databank of electronic communication identification data in Georgia. In addition, it implements preventive activities aimed at raising public awareness and establishing a culture of respect for privacy and data protection.

 

2. UP-TO-DATE REGULATIONS AND RAISED STANDARDS FOR DATA PROTECTION

  • Adoption of the new Law “On Personal Data Protection” and Measures Related to Its Implementation

To strengthen the standards and guarantees for the protection of personal data and privacy, a new law “On Personal Data Protection” was adopted by the Parliament of Georgia on 14th of June 2023, the main part of which entered into force on 1st of March this year. The new Law establishes internationally recognized standards for the protection of personal data, which is a significant stride towards harmonizing the national legal framework with European legislation.

Harmonization and consolidation of the legal basis for the protection of personal data are obligations assumed by Georgia under the Association Agreement with the European Union and the Association Agenda. It is extremely important to harmonize Georgian legislation on personal data protection with the EU legal framework and, accordingly, to implement new standards at the national level. The values and standards of the EU GDPR have been incorporated into the new Law, as a result of which the national legal framework for data protection is in line with the EU standards to ensure the effective protection of human rights and freedoms, including privacy.

  • Development of Strategic Action Plan for the Implementation of the New Law

In order to effectively manage the implementation process of the new Law, during the reporting period, the Service developed a strategy and action plan aimed at facilitating compliance by data controllers/processors with the new regulatory framework. As part of the action plan, the following activities and events were carried out to raise public awareness:

  • Information campaign on the new Law “On Personal Data Protection” – The implementation of information campaigns meant informing the target groups about the legislative novelties. The information campaign included both face-to-face meetings and various activities on social networks and media;
  • “Conversations regarding the new Law” – A cycle of meetings was launched to inform the public and target groups concerning the new Law;
  • A series of podcasts on the new Law – In order to provide interested parties with comprehensive information on the legislative changes, the Service recorded a series of podcasts;
  • Consultations on the new Law – The Service offered a new format of individual consultations every Friday at the Service’s office for those interested in the standards introduced by the new Law. Interested parties have the opportunity to receive consultations concerning the new Law “On Personal Data Protection” from the Service’s representatives in face-to-face meetings;
  • Online campaign “#NewLaw” – In order to inform the public about the changes introduced by the new Law, the Service launched an active campaign on social networks. In particular, information cards were prepared to inform interested parties about the changes in the Law in a language they could understand. Illustrated information cards with relevant explanations were gradually placed on the Facebook and LinkedIn pages. To allow free participation in the events, registration links for the events were actively published in the social networks of the Service;
  • Development of a Data Breach (Incident) Notification System for the Service – The Service has developed an Electronic Incident Notification System, through which the data controller will have the opportunity to provide information to the Service in case of a data breach. The mentioned system is available via the official website of the Service. It should be noted that the Service took into account the practice of the Latvian Data Protection Authority when developing the standards for notification of an incident;
  • Obligation to provide the Personal Data Protection Service of Georgia with information on the identity and contact details of a personal data protection officer, which is published on the official website of the Service – A controller and a processor are obliged to provide to the Personal Data Protection Service of Georgia information on the identity and contact details of a personal data protection officer. Simultaneously, the Personal Data Protection Service of Georgia publishes the submitted information on its official website.

  • Adoption of Normative Acts by the Personal Data Protection Service of Georgia

By March 1st, 2024, as part of the implementation of the new Law, the Service of Georgia has developed the following four normative acts, regarding:

  • The Criteria for Determining a Data Breach that constitutes a significant threat to Human Rights and Fundamental Freedoms, and the Procedure for Reporting an Incident to the Personal Data Protection Service of Georgia;
  • The list of persons who are not obliged to designate/appoint a Personal Data Protection Officer;
  • The criteria for determining the circumstances giving rise to the obligation to assess the impact on data protection and the assessment procedure;
  • The procedure for registration of a special representative by the Personal Data Protection Service of Georgia.

It should be noted that, within the framework of donor support, the normative acts have undergone legal assessment.

  • Development of Guidelines to Facilitate the Implementation of the New Law

In the scope of the Strategy and Action Plan on the new Law, within the reporting period, the PDPS developed the following recommendations/guidelines on:

  1. Implementation of Measures Related to the Data Breaches;
  2. Personal Data Protection Officer;
  3. Data Processing Using an Unmanned Aerial Vehicle System;
  4. Right to Data Portability;
  5. Principles of Personal Data Processing;
  6. Rights and Profiling Related to Automated Individual Decision-Making;
  7. Processing of Personal Data of Minors;
  8. Implementation of Video Monitoring and Audio Monitoring.

In addition to the above, a number of guidelines adopted by the European Data Protection Board (EDPB) were translated with donor support within the framework of the project of the Regional Fund of the Eastern Partnership of Public Administration of the German Corporation for International Cooperation (GIZ) and published on the website of the Service. The guidelines cover the following topics:

  1. Transparency;
  2. Consent;
  3. Processing of Personal Data under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects;
  4. Right to Data Portability;
  5. Data Protection by Design and by Default;
  6. Automated Decision-Making and Profiling;
  7. Processing of Personal Data through Video Devices;
  8. Targeting of Social Media Users;
  9. Virtual Voice Assistants.

 

3. NUMBER OF CONDUCTED INSPECTIONS

The Service inspects the legality of data processing by public and private institutions and law enforcement bodies through planned and unplanned inspections. According to order №ბ / 0046 – 2024, January 18, 2024, of the Head of the Personal Data Protection Service, “On the Approval of the 2024 Plan for the Planned Examinations (Inspection) of the legality of Personal Data Processing”, the planned examination (inspection) of the legality of data processing is carried out in line with the annual plan of inspections approved by the individual legal act of the Head of the Service. Unplanned examinations (inspections) of the legality of data processing, by contrast, are conducted by the Service on its own initiative or based on notifications received from interested persons.

From March 1st, 2022, to June 30th, 2024, the Personal Data Protection Service of Georgia carried out 434 examinations (inspections) in the scope of planned and unplanned inspections. Of these 434 examinations, 149 were conducted in 2022, 192 in 2023, and 93 from January 1st to June 30th, 2024.

4. CONSULTANCY ACTIVITIES OF THE SERVICE

The Service conducts consultancy activities on issues concerning personal data processing. For this purpose, the Service is contacted by representatives of the private and public sectors and law enforcement bodies, as well as by citizens. The consultations are provided both verbally (through telephone and face-to-face meetings) and in writing.

In total, during the reporting period, the Service conducted 19599 consultations on monitoring the legality of personal data protection and other legal issues. Specifically, 3292 consultations were conducted in 2022, 5106 in 2023, and 11201 from January 1st to June 30th, 2024.

5. PUBLIC AWARENESS RAISING, INFORMATIONAL MEETINGS AND TRAINING

The Service actively carries out educational activities on data processing and protection-related topics. In order to raise awareness about personal data protection, the Service systematically conducts public lectures, information meetings and training sessions for representatives of the private and public sectors and law enforcement agencies.

During the reporting period, the Service conducted 185 meetings with 9411 attendees, among them representatives of both data subjects and data controllers. Namely, the Service held 36 meetings with 1007 attendees in 2022, 62 meetings with 3158 attendees in 2023, and 87 meetings with 5246 attendees from January 1st to June 30th, 2024.

Implementation completion:

Yes

 
