Georgia Law on Personal Data Protection (2012)
The Georgia Law on Personal Data Protection (Law of Georgia No. 5550-IS of 28 December 2011) is the national personal data protection law of the country of Georgia (not the US state). It was originally enacted on 28 December 2011 and entered into force on 1 May 2012. It was substantially amended and GDPR-aligned by Law No. 3144-RS of 2 June 2023 (effective 1 March 2024, with delayed elements on 1 May 2024 and 1 September 2024). Georgia has European Union accession candidate status, and the 2023 amendments significantly approximated the GDPR and the EU Council of Europe Convention 108+ (the updated CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
Key provisions:
(1) Scope and applicability: applies to natural-person and in-Georgia data processing, the extraterritorial offering of goods/services to Georgia residents, and monitoring of behaviour in Georgia (GDPR-aligned).
(2) Lawful basis for processing aligned with GDPR Article 6, special categories per Art. 9, and criminal data per Art. 10.
(3) Enhanced data subject rights: access, rectification, erasure, restriction, portability, objection, and automated-decision-making protections.
(4) Consent requirements: freely given, specific, informed, unambiguous and withdrawable; age of digital consent 16.
(5) Data controller and processor obligations: lawful, fair and transparent processing; purpose limitation; minimisation; accuracy; storage limitation; integrity; confidentiality; accountability.
(6) Cross-border transfers: adequacy, appropriate safeguards (SCCs and BCRs), and derogations.
(7) DPO mandatory for public authorities, large-scale and special-category processing.
(8) 72-hour breach notification to the PDPS, and without undue delay to high-risk data subjects.
(9) DPIA mandatory for high-risk processing.
(10) Specific regime for video surveillance.
(11) Personal Data Protection Service (PDPS): independent supervisory authority with inspection, sanctions and complaint-handling powers; administrative fines up to GEL 20,000; criminal sanctions for serious breaches.
(12) Appeal to the PDPS and Court.
Sectoral coordination: Constitution Article 15, the Criminal Code, the Law of Georgia on Information Security, the Law of Georgia on Cybersecurity, the Law of Georgia on Electronic Communications, and sector-specific laws (banking, healthcare, telecommunications, employment).
EU accession and CoE process: Georgia is an EU candidate country (granted candidate status December 2023), and the 2023 DPL amendments are part of the EU Acquis approximation; Georgia is a signatory to CoE Convention 108+, with ratification anticipated.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
Georgia DPL: Controller + Processor Obligations, DPO, RoPA, DPIA and Security
| Code | Title |
|---|---|
| GeDPL-Controller-Processor-DPO-RoPA-DPIA | Controller + Processor Obligations + DPO + RoPA + DPIA + Security |
Georgia DPL: Cross-Border Transfers, Breach Notification (72-Hour) and Special Provisions
| Code | Title |
|---|---|
| GeDPL-CrossBorder-Breach-Surveillance-Marketing | Cross-Border Transfers, 72-Hour Breach Notification, Video Surveillance and Marketing |
Georgia DPL: Data Subject Rights (Access, Rectification, Erasure, Portability, Objection, ADM)
| Code | Title |
|---|---|
| GeDPL-DataSubjectRights | Data Subject Rights (Access, Rectification, Erasure, Restriction, Portability, Objection, ADM) |
Georgia DPL: Lawful Basis, Consent, Special Categories and Children
| Code | Title |
|---|---|
| GeDPL-LawfulBasis-Consent-Sensitive-Children | Lawful Basis, Consent, Special Categories and Children (Age 16) |
Georgia DPL: Personal Data Protection Service (PDPS), Enforcement and Sanctions
| Code | Title |
|---|---|
| GeDPL-PDPS-Enforcement-Sanctions | Personal Data Protection Service (PDPS), Enforcement Powers and Sanctions |
Georgia DPL: Scope, Applicability, Definitions and 2023 GDPR-Alignment Amendments
| Code | Title |
|---|---|
| GeDPL-Scope-Defs-2023Amendments | Scope, Applicability, Definitions and 2023 GDPR-Alignment Amendments |
Georgia DPL: Sectoral Coordination, EU-Accession + CoE Convention 108+ and 2024-2025 Status
| Code | Title |
|---|---|
| GeDPL-Crosswalk-GDPR-CoE108-NIS2 | Crosswalk to GDPR, Council of Europe Convention 108+, EU AI Act and NIS2 |
| GeDPL-EU-CoE-Status-2024-2025 | EU-Accession Status, CoE Convention 108+ and 2024-2025 Pipeline |
| GeDPL-Implementation-Roadmap | Implementation Roadmap - Organizational Roles, Training and PDPS Coordination |
| GeDPL-Sectoral-Coordination | Sectoral Coordination - Cybersecurity, Banking, Healthcare, Employment and Telecommunications |
| GeDPL-Status-2024-2025 | Implementation Status, PDPS Enforcement and 2024-2025 Pipeline |
Your Compliance Coverage
If you comply with Georgia Law on Personal Data Protection (2012), you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| FDA 21 CFR Part 11 | 9% | 1 |
| Vermont Artificial Intelligence and Consumer Data Act (AICDA) | 9% | 1 |
| Russia Federal Law on Personal Data (152-FZ) | 9% | 1 |

Plus 17 more: Privacy Act 1988 (Australia) (9%), Law on Personal Data Protection (Official Gazette No. 42/2020) (9%).
Maps to 20 other frameworks.
Frequently Asked Questions
What is Georgia Law on Personal Data Protection (2012)?
Georgia Law on Personal Data Protection (2012) is a compliance framework from Georgia with 7 domains and 11 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Georgia Law on Personal Data Protection (2012) have?
Georgia Law on Personal Data Protection (2012) has 11 controls organised across 7 domains. The largest domains are Georgia DPL: Sectoral Coordination, EU-Accession + CoE Convention 108+ and 2024-2025 Status (5 controls), Georgia DPL: Controller + Processor Obligations, DPO, RoPA, DPIA and Security (1 control), Georgia DPL: Cross-Border Transfers, Breach Notification (72-Hour) and Special Provisions (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Georgia Law on Personal Data Protection (2012) map to?
Georgia Law on Personal Data Protection (2012) maps to 20 other compliance frameworks. The top mapping partners are FDA 21 CFR Part 11 (9% coverage), Vermont Artificial Intelligence and Consumer Data Act (AICDA) (9% coverage), Russia Federal Law on Personal Data (152-FZ) (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Georgia Law on Personal Data Protection (2012) compliance?
Start your Georgia Law on Personal Data Protection (2012) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Georgia Law on Personal Data Protection (2012) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.