Senior management and organisation
Please identify the authority’s senior management.
The head of the Office of the Personal Data Protection Inspector is the personal data protection inspector. The inspector is mandated to control and supervise the implementation of personal data protection legislation, and the legitimacy of personal data processing. More specifically, the key tasks are to inspect data processing in public and private organisations; review citizens’ complaints; consult on data processing; and inform or raise awareness of data protection developments. The inspector is independent and is not subordinated to any public body or public official. Any influence on or interference with the activities of the Inspector is prohibited and punished by law.
Tamar Kaldani is the personal data protection inspector of Georgia (tel: +995322421000, e-mail: [email protected]).
As for the senior management, the deputy personal data protection inspector supervises the activities of the legal department and the inspections department. On the instruction of the inspector, or in his or her absence, the deputy leads the Office and represents the inspector at local and international levels. The management team of the Inspector’s Office includes the heads of departments (inspections department; legal department; international relations department; and IT department) and services.
When was the head of the authority appointed?
The inspector was appointed in 2013. In 2016 she was re-elected for a second term.
How long is their term of office?
The inspector serves for a three-year term.
What is the process for nominating the head of the authority?
The process of appointing the personal data protection inspector is provided for in the Law on Personal Data Protection.
The selection committee is assembled according to the orders of the prime minister. The selection committee consists of:
- a representative of the Georgian government;
- the chair of the human rights and civil integration committee of the Georgian parliament;
- the deputy chair of the Supreme Court of Georgia (appointed by the Court’s chair); and
- the public defender of Georgia, or his or her representative.
Through a vote, the selection committee nominates at least two but not more than five candidates from the applicants, and presents these to the prime minister. Within 10 days, the prime minister presents two candidates to the Georgian parliament. Within 14 days, the parliament elects the personal data protection inspector in accordance with the rules of procedure.
The Law on Personal Data Protection further sets out detailed criteria of the applicant’s eligibility. He or she must be a citizen of Georgia; have higher education in law, as well as at least five years of work experience in human rights; and have the relevant professional and personal ethics.
How many data protection/privacy-focused staff does the authority employ?
The Office has a staff of 43 employees.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
The Office of the Personal Data Protection Inspector of Georgia can be contacted via email at [email protected], or by telephone on +995 32 242 1000. The Office’s address is 7 Vachnadze str, Tbilisi, Georgia.
Legal and enforcement framework
What are your investigative powers?
The inspector is entitled to conduct inspections: to inspect data processing in public bodies and private organisations as to whether data processing is in line with the Law on Personal Data Protection.
Within the framework of the inspections, the inspector may request the documents and information (including classified ones) necessary for the purposes of the inspection. The inspector may also enter any institution and organisation, observe the data processing, and familiarise himself or herself with any document and information onsite, regardless of their content and form of storage.
Can you search premises or force the disclosure of information without having to approach the courts?
The inspector may access the information or documents related to personal data protection within the framework of inspections.
What fines can you impose on companies that breach data protection rules?
The fines imposed for the various kinds of breaches of data protection rules vary from 500 to 10,000 laris.
What other measures can you take against companies that breach data protection rules?
The inspector may impose administrative responsibility in the form of fines; insist companies restrict or block data processing in cases of illegitimate processing of data; and issue warnings or mandatory recommendations.
What measures other than fines can you impose on a company that is breaching data protection rules?
The inspector may issue warnings or mandatory recommendations requesting that companies remedy the breaches. The recommendation is mandatory and companies shall report to the inspector the measures they have taken to eradicate the breaches.
What emergency or interim measures can you take pending the full conclusion of your investigations?
Restrictions on the blocking of data processing.
Priorities and the future
What data protection/privacy-related guidelines have you issued to date?
The Inspector’s Office has issued the following guidelines:
- “Recommendation on the Processing of Personal Data in the Healthcare Sector”;
- “GDPR – What Should We Know About the EU’s new Data Protection Regulation?”;
- “Recommendation on Protection of Personal Data in Higher Education Institutions”;
- “Guidelines for Entrepreneurs”;
- “Recommendation on Protection of Personal Data at Schools” (for pupils and parents, and for schools); and
- “Recommendation for Users – What Rules Should We Protect While Shopping Online?”.
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
The Inspector’s Office is working on guidelines regarding personal data protection in the following sectors: banking; autonomous local government; and the police.
Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?
The Inspector’s Office is currently working on the draft amendments to the Law on Personal Data Protection, which will consider the entry into force of GDPR and the modernised Convention 108 of the Council of Europe.