Law of Georgia On Personal Data Protection
N5668-RS
Adopted 28.12.2011
Enacted 01.05.2012
As amended 12.06.2012
Adopted by: Parliament
Scope of application: miscellaneous
Promulgation source: The Matsne web-portal 176.01.2012

Chapter 1. General Provisions

Article 1. Goal of the Law
The goal of this Law is to ensure the protection of human rights and freedoms, including privacy in processing personal data.

Article 2. Definition of Terms
The terms used in this Law shall have the following meanings:
a) Personal data (hereinafter – data) – any information that is related to an identified or identifiable individual. An individual is identifiable when he can be identified directly or indirectly, namely by an identification number or physical, physiological, psychological, economic, cultural or social characteristics of the individual;
b) Special category data – the data related to an individual’s racial or ethnic belonging, political opinions, religious or philosophical creed, membership to a professional association, health condition, sexual life or criminal record as well as biometric data enabling the identification of the individual by the signs aforesaid;
c) Biometric data – any physical, mental or behavioral characteristic which is unique and permanent for each particular individual and by which such individual can be identified (fingerprints, iris, retina (retina image), facial features, and DNA code);
d) Data processing – any act performed in respect of data by using automatic or non-automatic means, namely collection, recording, photographing, audio- and video-recording, organization, retention, modification, restoration, requisition, application or disclosure by data transfer, dissemination or otherwise making it accessible, grouping or combination, blocking, deletion or destruction;
e) Automatic data processing – processing data by application of information technologies;
f) Data subject – any individual, in respect of whom data is processed;
g) Consent – a voluntary permission, enabling to clearly establish the will of the data subject, expressed verbally, by means of a telecommunication or other relevant facility by the data subject to process data about him for a particular purpose after the relevant information has been obtained;
h) Written consent of the data subject – a voluntary permission expressed by the data subject to process data about him for a particular purpose after the relevant information has been obtained, which the data subject has signed or otherwise indicated in writing or in any form equated thereto;
i) Data processor – a public agency, an individual or a legal entity determining, individually or jointly with others, data processing goals and means;
j) Authorized person – any individual or legal entity processing data for or on behalf of the data processor;
k) Data recipient – a private or public agency, an individual or legal entity, a private or public sector employee who has been provided with the data other than a personal data protection inspector;
l) Third person – any individual or legal entity, public agency other than a data subject or a personal data protection inspector;
m) Filing system – a structured set of data, in which they are arranged and available by particular criteria;
n) Filing system catalogue – a detailed description of the filing system structure and content;
o) Register of Filing System Catalogues – a register ensuring a detailed filing of the existing filing systems;
p) Data blocking – a temporary suspension of data processing;
q) Depersonalization of data – modifying data so as to prevent their connection to the data subject or so as for the establishment of such connection to require disproportionately huge efforts, costs and time;
r) Identification number – a personal identification number or any other identification number provided by law and related to an individual, through which data can be generated or disclosed from the filing system (where the identification number has also been processed);
s) Personal Data Protection Inspector – an official responsible for monitoring the observance of data protection laws;
t) Direct marketing – offering goods, services, employment or temporary work by mail, telephone calls, e-mail or any other communication facility.

Article 3. Scope of Application
1. This Law applies in the territory of Georgia to data processing by automatic or semi-automatic means as well as to manual processing of the data, which are a part of a filing system or are processed to be entered to the filing system;
2. This Law also applies to:
a) Data processing by Georgian diplomatic representations and consular establishments abroad;
b) The activity of the data processor who, although not registered in the territory of Georgia, uses technical facilities available in Georgia to process data except where such technical facilities are used solely for data transit. In such case, the data processor must appoint/designate a representative registered in Georgia.
3. This Law does not apply to:
a) An individual’s processing of data manifestly for private purposes where such processing is not related to any entrepreneurial or professional activities of such individual;
b) Data processing for proceedings of a court;
c) Processing information classified as state secret;
d) Data processing for public safety and national security (including economic security), defense, detective and crime investigation purposes.
4. This Law (except Article 17) does not apply to data processing by the media for public information purposes or data processing for art and literary purposes.
5.
Articles 19 and 20 of this Law do not apply to the processing of data on their members by political parties, trade and other unions and religious organizations.

Article 4. Data Processing Principles
The following principles must be observed when processing data:
a) Data must be processed fairly and lawfully, without degrading the data subject;
b) Data may be processed only for clearly defined legitimate purposes;
c) Data may be processed only to the extent necessary to achieve the relevant legitimate goal. Data must be adequate and proportionate to the goal, for the achievement of which they are processed;
d) Data must be true and accurate. Wrong and inaccurate data must be corrected and any data collected without a lawful basis or inadequate to the processing goal must be blocked, deleted or destroyed;
e) Data may be retained only as long as is necessary to achieve the data processing goal. After the goal, for which data are processed, has been achieved, they must be blocked, deleted or destroyed or retained in a form preventing the identification of a person, unless otherwise provided by law.

Chapter 2. Data Processing Rules

Article 5. Grounds for Data Processing
Data may be processed if:
a) There is a permission of the data subject;
b) Data processing is provided by law;
c) Data processing is necessary for the data processor to discharge his legal duties;
d) Data processing is necessary to safeguard the data subject’s vital interests;
e) Data processing is necessary to safeguard the data processor’s or data subject’s legitimate interests except where there is an overriding interest to protect the data subject’s rights and freedoms;
f) By law, data are in the public domain or have been made accessible by the data subject;
g) Data processing is necessary to safeguard a public interest material by law;
h) Data processing is necessary to review the application of the data subject (to provide service to the data subject).

Article 6. Special Category Data Processing
It shall be prohibited to process special category data except where:
a) The data subject has expressed a written consent to process special category data;
b) Data are processed to safeguard any public interest material by law;
c) The data subject has made public the data about him without prohibiting the use of such data;
d) Data are processed by a healthcare facility (employee) for the purpose of protecting the public or individual’s health or if it is necessary for the management of operation of the healthcare system.

Article 7. Protection of Data on a Deceased Individual
1. Except on the grounds provided by Articles 5 and 6 of this Law, the data on the data subject after he has passed away may be processed by consent of the data subject’s parent, child, grandchild or spouse or if 30 years have elapsed since the death of the data subject.
2. The data on the data subject after he has passed away may also be processed if doing so is necessary for exercising hereditary rights.
3. Data may be processed on the grounds referred to in Paragraphs 1 and 2 of this article, if the data subject has expressed in writing his wish to prohibit the processing of data about him after his death except where the data are processed on the grounds stipulated by Articles 5 and 6 of this Law.
4. The processing of the deceased individual’s name, sex, birth and death dates shall not require the existence of the data processing ground stipulated by this Law.
5. Data on the deceased individual may be disclosed for historical, statistical and research purposes except where the deceased individual prohibited their disclosure in writing.

Article 8. Data Processing for Direct Marketing Purposes
1. Data obtained from public sources may be processed for direct marketing purposes.
2. Notwithstanding the purpose of data collection, the following data may be processed for direct marketing purposes: name (names), address, telephone number, e-mail address, fax number.
3. Any data may be processed for direct marketing purposes based on the consent granted by the data subject in the manner provided by this Law.
4. The data subject may at any time request in writing that the data processor stop using his data for direct marketing purposes.
5. The data processor shall stop processing the data for direct marketing purposes within no later than 10 business days after receipt of the data subject’s request.
6. In processing data for direct marketing purposes, the data processor shall give the data subject a notice of the right contemplated by Paragraph 4 of this article.

Article 9. Biometric Data Processing by Public Agency
1. A public agency may process biometric data strictly for the purpose of protecting an individual’s safety and property as well as for avoiding the disclosure of secret information if such purposes cannot otherwise be achieved or if their achievement requires disproportionately huge efforts.
2.
Notwithstanding the provisions of Paragraph 1 of this article, biometric data may be processed to identify any individual crossing the national frontier of Georgia.

Article 10. Biometric Data Processing by Private Person
A private person may process biometric data only if doing so is necessary to perform an activity, protect the safety and property of an individual or avoid the disclosure of secret information, if such goals cannot otherwise be achieved or if their achievement requires disproportionately huge efforts.
Unless otherwise provided by law, before using biometric data, the data processor must provide the Personal Data Protection Inspector detailed information on processing the biometric data, including the information that is provided to the data subject, the reason for data processing, and data protection guarantees.

Article 11. Street Video Surveillance
1. Street video surveillance is permitted only to prevent crime as well as to protect an individual’s safety and property, public order and a minor from harmful influence.
2. In installing a video surveillance system, public and private agencies shall put up the relevant warning sign at a conspicuous place. In such case, the data subject shall be deemed informed of the processing of the data about him.
3. The video surveillance system and video records must be protected against illegal encroachment and use.

Article 12. Video Surveillance of the Buildings of Public and Private Agencies
1. To conduct appropriate monitoring, public and private agencies can provide video surveillance of their buildings if doing so is necessary to protect an individual’s safety and property, a minor from harmful influence, and any secret information.
2. A video surveillance system can monitor only the external perimeter and entrance of a building.
3. A video surveillance system may be installed at a workplace only in exceptional cases if doing so is necessary to protect an individual’s safety and property or any secret information and if such goals cannot otherwise be achieved.
4. Video surveillance is prohibited in locker rooms and at hygienic places.
5. All those employed in the relevant public or private agency must be informed in writing on video surveillance and their rights.
6. The data processor shall create a filing system for saving video records. In addition to such records (pictures/voice), the system must contain information on the data saving date, place and time.

Article 13. Video Surveillance of Residential Buildings
1. The installation of a video surveillance system requires a written consent of more than 50% of the owners of the building.
2. A video surveillance system may be installed in a residential building only for the safety of an individual and property.
3. The video surveillance system installed in a residential building may monitor only the entrance and common space. The apartments of the owners cannot be monitored.
4. The entrance of an apartment may be monitored by means of a video surveillance system only by decision or written consent of the apartment owner.

Article 14. Data Processing to Check in and Check out of the Buildings of Public and Private Agencies
1. For check-in and check-out purposes, public and private agencies can collect the following data: name, identification document number and type, address, check-in and check-out dates and times, as well as the check-in and check-out causes.
2. The term for retention of the data indicated in Paragraph 1 of this article shall not exceed three years from the date of their entry, unless otherwise provided by law. After expiry of the three-year term, they must be deleted or destroyed.

Chapter 3.
Rights and Duties of the Data Processor and Authorized Person

Article 15. Providing Information to Data Subject
1. Data are collected directly from the data subject. The data processor or authorized person shall provide the data subject with the following information:
a) Identity and registered address of the data processor and authorized person (if any);
b) Data processing goal;
c) Whether data provision is mandatory or voluntary; if mandatory – legal consequences of refusal to do so;
d) The right of the data subject to obtain information on the data processed about him, and request their correction, updating, addition, blocking, deletion and destruction.
2. It is not mandatory to provide the information referred to in Paragraph 1 of this article if the data subject already has it.
3. If data are not collected directly from the data subject, the data processor or authorized person shall provide the data subject with the information referred to in Paragraph 1 of this article if the data subject so requests.
4. When collecting information for statistical, research and historical purposes, it is not mandatory to provide it if the provision of information to the data subject is related to disproportionately huge efforts.

Article 16. Data Processing by Authorized Person
1. The authorized person may process data based on a legal act or a written agreement with the data processor – such contract must meet the requirements set by this Law and other normative acts and provide for the rules and prohibitions contemplated by this Law.
2. The authorized person must process data to the extent provided by the relevant normative act or contract. The authorized person may in no event further process data for any other purpose. The authorized person may in no event assign the data processing right to any other person without the consent of the data processor.
3. The data processing contract may not be signed if there is a risk that the data may be processed for any other purpose, considering the activities or/and goals of the authorized person.
4. The data processor must make sure that the authorized person takes adequate organizational and technical measures to protect data. The data processor shall monitor the data processing by the authorized person.
5. If a dispute arises between the authorized person and the data processor, the authorized person shall release the data at his disposal to the data processor upon request.
6. If the authorized person terminates his activity, the data shall be immediately provided to the data processor.
7. The contract with the authorized person shall provide for the obligation to take data security actions.

Article 17. Data Security
1. The data processor shall take the organizational and technical measures ensuring the protection of data against accidental or illegal destruction, modification, disclosure, access, any other form of illegal use and accidental or illegal loss.
2. The data processor shall record all the acts performed in respect of data held in electronic form. When processing data held in paper form, the data processor shall ensure the recording of all the acts related to data disclosure or/and modification.
3. The measures taken for data security shall be adequate to risks related to data processing.
4. Any employee of the data processor or of the authorized person who is involved in the data processing shall not go beyond the scope of the powers granted to him. However, such employee shall be bound to protect the data secrecy, including after termination of his official duty.
5. Data security measures shall be determined by the laws of Georgia.

Article 18.
Duties of the Data Processor and Authorized Person as Regards Data Disclosure
In disclosing data, the data processor and the authorized person shall file the following information: which data were disclosed, to whom, when and on what legal basis. The information must be held together with the data on the data subject throughout their retention term.

Article 19. Filing System Catalogue
1. In respect of each filing system, the data processor shall maintain a filing system catalogue and file the following information:
a) Name of the filing system;
b) Names and addresses of the data processor and authorized person;
c) Legal basis for data processing;
d) Category of the data subject;
e) Data category in the filing system;
f) Data processing goal;
g) Data retention term;
h) The fact of and basis for restriction of the right of the data subject;
i) Recipient of the data held in the filing system and their categories;
j) Information on the transfer of data to any other state and international organization and the legal basis for such transfer;
k) General description of the data security procedure.
2. The data processor shall ensure regular updating of the information contemplated by Paragraph 1 of this article.

Article 20. Duty to Report to Personal Data Protection Inspector
1. Before creating a filing system and entering any new category data into it, the data processor shall give the Personal Data Protection Inspector a written or electronic notice of the information under Article 19 of this Law.
2. The data processor shall give the Personal Data Protection Inspector a notice of a change in the information under Article 19 of this Law within no later than 30 days after making such change.
3. The data processor, the quantity of whose employees exceeds 20, shall be released from the duty under Paragraph 1 of this article.

Chapter 4. Rights of the Data Subject

1. The data subject may request from the data processor information on the data processed in respect of him. The data processor shall provide the following information to the data subject:
a) The data being processed in respect of him;
b) The data processing goal;
c) Legal basis for the data processing;
d) The way, in which the data have been collected;
e) To whom the data about him have been released, the basis for and goal of release of such data.
2. It is not mandatory to provide the data subject with the information set out in Subparagraph e) of Paragraph 1 of this article, if the data are public by law.
3. The data subject must be provided with the information under Paragraph 1 of this article within no later than 10 days after request.
4. The form of provision of the information under Paragraph 1 of this article shall be chosen by the data subject.

Article 22. Right of the Data Subject to Request Correction, Updating, Addition, Blocking, Deletion and Destruction of Data
1. If the data subject so requests, the data processor shall correct, update, add, block, delete or destroy data, if they are incomplete, incorrect, outdated or if they have been collected or processed illegally.
2. The data processor shall inform all the data recipients as regards the data correction, updating, addition, blocking, deletion and destruction except where such information cannot be provided due to the multitude of the data recipients and disproportionately large costs. The Personal Data Protection Inspector must be informed of these circumstances.
3. In receiving information under Paragraph 2 of this article, the recipient of such information shall accordingly correct, update, add, block, delete or destroy the data.

Article 23. Procedure for Correction, Updating, Addition, Blocking, Deletion and Destruction of Data
1. The request under Paragraph 1 of Article 22 of this Law can be submitted in writing, verbally or by means of an electronic facility.
2. Within 15 days from the receipt of the data subject’s request, the data processor shall correct, update, add, block or destroy the data or inform the data subject of the basis for refusing to do so.
3. If the data processor finds on his own, without the data subject’s request, that the data held by him are incomplete, incorrect or outdated, he shall correct or update such data accordingly and inform the data subject about it.
4. Following the data subject’s submission of the request indicated in Paragraph 1 of Article 22 of this Law, the data processor may block the data based on the applicant’s request.
5. The decision on blocking the data is made within 3 days after submission of the relevant request and shall be valid until the data processor makes a decision on the correction, updating, addition, blocking, deletion and destruction of the data.
6. The decision on blocking the data shall be appended to the relevant data throughout the lack of the cause for such blocking.

Article 24. Restriction of the Rights of the Data Subject
1. The data subject’s rights under Articles 15, 21 and 22 of this Law may be restricted by the laws of Georgia if the exercise of these rights may jeopardize:
a) National security or defense interests of the country;
b) Public safety interests;
c) Crime detection, investigation and prevention;
d) Material financial or economic (including, monetary, budgetary and fiscal) interests of the country;
e) Rights and freedoms of the data subject and others.
2. The measure indicated in Paragraph 1 of this article may be administered only to the extent necessary for achievement of the goal of restriction.
3.
In the existence of the grounds contemplated by Paragraph 1 of this article, the decision of the data processor or Personal Data Protection Inspector shall be informed to the data subject so as not to harm the goal of restriction of the right.

Article 25. Withdrawal of Consent
1. The data subject may at any time, with no explanation whatsoever, withdraw the consent granted by him and request termination of the data processing or/and destruction of the data processed.
2. Pursuant to the data subject’s request, the data processor shall terminate data processing or/and destroy the data processed within 5 days after the submission of the application, unless there is any other basis for processing the data.
3. This article shall not apply to the information on the fulfillment of monetary obligations by the data subject processed by consent of the data subject.

Article 26. Right to Appeal
1. Where there has been a violation of the rights under this Law, the data subject may duly apply to the Personal Data Protection Inspector or judge but if the data processor is a public agency, the appeal may be lodged with the supervisor administrative authority as well.
2. The data subject may request that the authority of hearing block the data pending the delivery of the decision.
3. The data subject may duly appeal the decision of the supervisor administrative authority or Personal Data Protection Inspector with the court.

Chapter 5. Personal Data Protection Inspector

Article 27. Main Objectives of the Activity of the Personal Data Protection Inspector
1. Control over the legality of data processing in Georgia shall be provided by the Personal Data Protection Inspector (hereinafter – the Inspector), the main objectives of whose activity shall be as follows:
a) Providing consultation to public and private agencies (individuals) on data protection issues;
b) Reviewing data protection related applications and appeals;
c) Inspecting the legality of data processing in public and private agencies;
d) Informing the society on the condition of data protection in Georgia as well as on the important developments in respect thereof.
2. The procedure for the Inspector to perform his activities and exercise his rights shall be provided in the regulation approved by the Government of Georgia.

Article 28. Appointment of the Inspector and Termination of His Authority
1. The Inspector is appointed to office by open competition.
2. The Inspector Selection Commission is approved by the Prime Minister of Georgia. The Commission is composed of the representatives of the Government of Georgia, Parliament of Georgia, judiciary, Staff of the Public Defender of Georgia as well as of non-governmental sector.
3. The Inspector can be a person who has appropriate education and professional experience and can discharge the Inspector’s functions with his business and moral characteristics.
4. The Inspector Selection Commission shall select the candidate for the Inspector by a majority of votes and nominate him to the Prime Minister of Georgia for approval.
5. The Prime Minister shall appoint the Inspector within 10 days or reopen a competition.
6. The Inspector is appointed for the term of 3 years. The Inspector may be reappointed to office only twice in a row.
7. The Inspector must be selected not earlier than 60 days prior to and not later than 30 days after the expiry of the tenure of the Inspector in office.
8. The authority of the newly appointed Inspector shall commence from the month following the month, in which the tenure of the Inspector in office expires, if he was appointed prior to the expiry of such term, and from the day following the appointment day, if he was appointed after the expiry of such term or if the authority of the preceding Inspector terminated earlier than due.
9. The Inspector’s authority terminates upon expiry of 3 years from appointment or upon early termination of his authority.
10. The Inspector shall have the Deputy who is appointed to office by the Inspector.

Article 29. Inspector’s Incompatibility to Office
1. The office of the Inspector shall be incompatible with a membership to the public authorities of Georgia and representative authorities of local self-government, any office or paid activity in public service, other than research, teaching and art activities. The Inspector cannot be a member of a political party or engaged in political activity.
2. Within one month after being selected, the Inspector shall discontinue any activity incompatible with his office. If within such term the Inspector does not meet this requirement, his authority shall terminate and the Inspector Selection Commission shall nominate the new candidate to the Prime Minister of Georgia.

Article 30. Early Termination of the Inspector’s Authority
1. The Inspector’s authority shall terminate if:
a) He has forfeited Georgian citizenship;
b) He has failed to discharge his duty for four months in a row;
c) A final judgment of conviction has been delivered against him;
d) The Court has found him incapable, lost without trace or dead;
e) He has accepted or holds any office or engages in any activity incompatible with that of the Inspector;
f) He has resigned voluntarily;
g) He has passed away.
2.
In cases provided by Paragraph 1 of this article, the Inspector’s authority shall be deemed terminated upon establishment of such condition, in respect of which the Prime Minister of Georgia shall be informed immediately.
3. In cases provided by Subparagraphs b) and e) of Paragraph 1 of this article, the Inspector’s authority terminates by decision of the Prime Minister of Georgia.
4. In the event of early termination of the Inspector’s authority, pending the selection of the new Inspector by the Inspector Selection Commission his duties shall be discharged by the Deputy Inspector who shall enjoy the rights and legal remedies vested in the Inspector.

Article 31. Independence of the Inspector
1. In discharging his duties, the Inspector shall be independent, not subordinated to any other official or authority. The Inspector acts in accordance with the Constitution of Georgia, international agreements, this Law, other normative acts and the regulation. Any pressure upon or interference with the activities of the Inspector shall be prohibited and punishable by law.
2. To ensure the independence of the Inspector, the state shall create adequate conditions of work.
3. The Inspector may not testify due to the facts, which have been disclosed to him as the Inspector. This right of the Inspector shall survive the termination of his authority.

Article 32. Financial and Organizational Support to the Inspector’s Activity
1. The Inspector shall exercise his rights and discharge his duties with the assistance of the Inspector’s Staff (hereinafter – the Staff).
2. The Staff structure and the procedure for activity and distribution of duties among the staff members shall be determined by the Inspector in the Staff Regulation.
3. The Staff shall be headed directly by the Inspector or by his instruction – the Deputy Inspector.
4. The activities of the Inspector and Staff shall be financed from the state budget. The draft cost estimate shall be duly submitted by the Inspector. The appropriations needed for the activities of the Inspector and Staff shall be provided with a separate code of the State Budget of Georgia.
5. To exercise his rights and discharge his duties under this Law, the Inspector may obtain grants and accept donations in the manner provided by the laws of Georgia.

Article 33. Inspector Providing Consultation and Performing Educational Activity
1. If so asked, the Inspector shall provide consultation to Georgian public authorities and local self-government authorities, other public agencies, legal entities under private law, and individuals on any matter related to data processing and protection.
2. The Inspector shall perform educational activity on the matters related to data processing and protection.

Article 34. Inspector’s Reviewing the Data Subject’s Application
1. The Inspector shall review the data subject’s application for data processing and take the measures contemplated by this Law.
2. Within 10 days after receipt of the data subject’s application, the Inspector shall make a decision on the measures to be taken, with a notice to the applicant thereon.
3. The Inspector may conduct inspection in order to examine and investigate into the circumstances related to the data subject’s application. If so requested by the Inspector, the data processor and the authorized person shall provide the relevant information and document to the Inspector.
4. The term for the Inspector to review the data subject’s application shall not exceed 2 months. By the Inspector’s substantiated decision, the term for reviewing the application may be prolonged by maximum 1 month.
5.
The Inspector may make a decision on blocking the data pending the completion of the review of the data subject’s application. Irrespective of such blocking of the data, the data processing may be continued if doing so is necessary for the protection of the vital interests of the data subject or third person as well as for national security and defense purposes. 6. After reviewing the data subject’s application, the Inspector makes a decision on the application of one of the measures contemplated by Article 39 of this Law, with an immediate notice to the data subject and the data processor thereon. (This article shall apply to the private sector from 1 January 2016) Article 35. Conducting Inspection by the Inspector 1. Whether on his own initiative or based on the application from a concerned person, the Inspector may conduct inspection of any data processor and authorized person. 2. The conducting of the inspection by the Inspector shall involve: a) Establishing the observance of data processing principles and legal grounds for data processing; b) Inspection of the compliance of the procedures and organizational and technical measures taken for data protection with the requirements set by this Law; c) Inspection of the observance of the requirements set by this Law as regards a filing system catalogue, register of filing system catalogues and data release filing; d) Inspection of the legality of the transfer of data to other states and international organizations; e) Inspection of the observance of the data protection rules set by this Law and other normative acts. 3. In the course of inspection, the Inspector may requisition from any agency, individual or legal entity the documents and information necessary for conducting the inspection to the extent provided by Paragraph 2 of this article. 4. The data processor and the authorized person shall immediately provide the Inspector with any information and document. 
If this cannot be done for physical or legal reasons, they can provide the Inspector with such information or document within no later than 15 days after request. 5. For the purpose of conducting inspection, the Inspector may enter any agency or organization and become conversant with any document and information regardless of its content and retention form except as provided by Paragraph 6 of this article. 6. An at least 3 days prior notice of any planned inspection and scope of such inspection shall be given by the Inspector to the agency, the activities of which are related to national security and defense or which performs detective activities. 7. Depending on the findings of the inspection, the Inspector may take the measures contemplated by Article 39 of this Law. 8. The Inspector, the Deputy Inspector and the Staff shall not permit the disclosure of the information or otherwise allow its unlawful processing, which became known to them in the course of inspection or as a result of any type of official activity. (This article shall apply to the private sector from 1 January 2016) Article 36. Inspector’s Participation in the Lawmaking Process The Inspector may on his own initiative submit to the Parliament of Georgia or other public agencies proposals towards refinement of law and formulate opinions on the laws and normative acts related to data processing. Article 37. Inspector’s Cooperation with Other Organizations and Agencies The Inspector may cooperate with other agencies, international organizations and competent authorities of foreign states on any matter related to data processing. Article 38. Inspector’s Annual Report 1. Once a year the Inspector shall present to the Government of Georgia a report on the condition of data protection in the country. 2. 
The Inspector’s report shall contain general assessments, conclusions and recommendations as regards the condition of data protection in the country as well as information on the material violations identified and measures taken throughout the year. Article 39. Measures Taken by the Inspector to Enforce Law 1. If the Inspector detects any violation of this Law or any other data processing regulation, he may: a) Request remedial of the violation and data processing defects in the form and within the term indicated by him; b) Request temporary or permanent termination of data processing, if the measures and procedures implemented by the data processor or authorized person do not comply with the legal requirements; c) Request termination of data processing, data blocking, deletion, destruction or depersonalization, if he finds that the data are processed contrary to the law; d) Request termination of the transfer of data to other states and international organizations, if such data are transferred in violation of the requirements of this Law; e) Issue written advice and recommendations to the data processor and authorized person as regards their minor violations of data processing rules. 2. The data processor and the authorized person shall fulfill the Inspector’s requests within the term fixed by the latter and give the Inspector a notice thereon. 3. If data processor or the authorized person does not fulfill the Inspector’s requirements, the Inspector may apply to the court. 4. If the Inspector finds any administrative violation, he may draw up an administrative offence report and accordingly impose administrative liability upon data processor or the authorized person in the manner provided by law. 5. If in the course of his activity the Inspector finds that there are some signs of a crime, he shall duly report the matter to the competent authority. 6. 
The Inspector’s decision shall be binding and can be appealed only in court, in the manner provided by law. (This article shall apply to the private sector from 1 January 2016) Article 40. Register of Filing System Catalogues 1. The Inspector shall maintain a Register of Filing System Catalogues, recording therein the information contemplated by Paragraph 1 of Article 19 of this Law. 2. The information recorded in the Register of Filing System Catalogues shall be public and the Inspector shall make sure it is duly published. Chapter 6. Transfer of Data to Other States and International Organizations Article 41. Transfer of Data to Other States and International Organizations 1. Data may be transferred to any other state and international organization if there are the data processing grounds provided by this Law and if the relevant state or international organization provides adequate data protection guarantees. 2. In addition to Paragraph 1 of this article, data may also be transferred to any other state and international organization if: a) Data transfer is provided under the international agreement or covenant of Georgia; b) The data processor provides adequate data protection guarantees and protection of the data subject’s main rights under the contract between the data processor and the relevant state, a legal entity or individual of such state or the international organization. 3. Data may be processed on the basis referred to in Subparagraph b) of Paragraph 2 of this article only after the Inspector’s permission. Article 42. Establishing Adequate Data Protection Guarantees The availability of adequate data protection guarantees in any other state and international organization shall be assessed and decided upon by the Inspector by analyzing the data processing laws and practice. Chapter 7. Administrative Liability for Violation of the Law Article 43. 
Data Processing without the Bases Provided by the Law 1. Data processing without the bases provided by this Law shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for the one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 44. Violation of Data Processing Principles 1. Violation of the data processing principles provided by this Law shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 45. Special Category Data Processing without the Bases Provided by the Law 1. Special category data processing without the bases provided by this Law shall result in a warning or a fine of 1000 GEL. 2. The same act committed by the person who came under administrative liability for the one year for the violation provided by Paragraph 1 of this article shall result in the fine of 5000 GEL. Article 46. Non-compliance with Data Security Requirements 1. Non-compliance with the data security requirements set by this Law shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 47. Using Data for Direct Marketing in Violation of the Rules 1. Using data for direct marketing in violation of the rules provided by this Law shall result in a warning or a fine of 3000 GEL. 2. The same act committed by the person who came under administrative liability for the one year for the violation provided by Paragraph 1 of this article shall result in the fine of 10000 GEL. Article 48. 
Violation of Video Surveillance Rules 1. Violation of the video surveillance rules provided by this Law shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 49. Violation of the Rules for Entry to and Exit from Public and Private Agency Buildings 1. Violation of the rules provided by this Law for entry to and exit from public and private agency buildings shall result in a warning or a fine of 100 GEL. Article 50. Violation of the Rules for the Data Processor to Inform Data Subject 1. Violation of the rules provided by this Law for the data processor to inform data subject shall result in a warning or a fine of 100 GEL. 2. The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 500 GEL. Article 51. Data Processor’s Giving the Data Processing Instruction to the Authorized Person in Violation of the Rules 1. The data processor’s giving the data processing instruction to the authorized person in violation of the rules provided by this Law shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for the one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 52. Authorized Person’s Violation of the Rules under Article 15 of this Law 1. Violation by the authorized person of the rules provided by Article 16 of this Law shall result in a warning or a fine of 1000 GEL. 2. 
The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 3000 GEL. Article 53. Non-compliance with the Inspector’s Requirements 1. Violation by the data processor or authorized person of the rules to provide information and document to the Inspector or to any authorized person designated by the Inspector shall result in a warning or a fine of 500 GEL. 2. The same act committed by the person who came under administrative liability for one year for the violation provided by Paragraph 1 of this article shall result in the fine of 2000 GEL. Article 54. Violation of Other Data Processing Rules 1. Violation of the rules provided by this Law other than the acts covered by Articles 43-53 of this Law shall result in a warning or a fine of 100 GEL. Article 55. Hearing a Case of Administrative Offence 1. The right to hear the cases involving the administrative offences under Articles 43-54 of this Law is vested in the Inspector. 2. The Administrative Offence Report shall be executed by the Inspector. 3. The person authorized by the Inspector shall execute the Administrative Offence Report and hear the case in the manner provided by the Georgian Code of Administrative Offences. Chapter 8. Final Provisions Article 56. Enactment of the Law 1. This Law other than Articles 43-55 shall be enacted from 1 May 2012; 2. Articles 43-55 of this Law shall be enacted from 1 January 2013; 3. Articles 34, 35 and 39 of this Law shall be enacted from 1 January 2016. President of Georgia M. 
Saakashvili 28 December 2011 N5669-RS Filed with the Ministry of Justice of Georgia Filing number: 010.100.000.05.001.016.606