Data protection & privacy laws in Georgia (2026)

Law No. 3144/2023, adopted 14 June 2023, establishes data-protection principles (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity) closely mirroring the EU GDPR. It replaced the 2011 Personal Data Protection Law.

Core provisions took effect 1 March 2024; Data Protection Impact Assessment and DPO obligations from 1 June 2024; further provisions being phased in from January 2025 through January 2027.

Individuals hold rights of access, rectification, erasure, data portability, restriction of processing, and objection to direct marketing, mirroring GDPR Chapter III rights.

Appointing a Data Protection Officer is mandatory for government bodies, commercial banks, insurance firms, microfinance organisations, electronic communications companies, healthcare institutions, airlines/airports, credit bureaux, and entities processing data on more than 3% of Georgia's population or more than 1% of special-category data.

The Personal Data Protection Service (PDPS) is an independent state authority empowered to conduct scheduled and unscheduled inspections, investigate complaints, and impose fines. In 2024 it conducted 265 inspections and received 1,662 data-subject applications. Fines range from GEL 1,000 to a maximum of GEL 20,000 per single inspection.

The reform was driven in part by Georgia's EU Association Agreement and candidate-country aspirations; the law was developed with EU4Digital support and is explicitly modelled on the GDPR framework to harmonise Georgian data-protection standards with EU requirements.