Georgia has two government bodies in the telecommunications sector: a governmental ministry responsible for policy formulation and an independent regulatory commission, the Georgian National Communications Commission. The Commission serves as the country's regulatory authority for broadcasting and electronic communications. It functions as an independent state agency, operating as a legal entity under public law, with a commission comprising five appointed members. Although the authority enjoys operational and budgetary autonomy and is reported to operate independently of the government in decision-making, it remains accountable to the President, the Government, and Parliament, which may compromise its independence.
The Department of Communications, Information and Modern Technologies, housed within the Ministry of Economy and Sustainable Development, is the policy-making entity responsible for formulating and implementing state policy regarding electronic communications, information technologies, and postal services.

Art. 37 of Law No. 3144 stipulates that the cross-border transfer of data is permissible if the data processing requirements outlined in the Law are met and adequate safeguards are in place in the destination jurisdiction to ensure the protection of data subjects' rights. In addition, the cross-border transfer of data is allowed under other circumstances, including when: (i) the data transfer is envisaged by an international treaty and agreements of Georgia; (ii) the data controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organisation; (iii) the data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant jurisdiction and on possible threats; (iv) the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable of consenting to such data processing; and (v) there is a lawful public interest, and the transfer of data is a necessary and proportionate measure in a democratic society.
Onward transfer is permitted only if such data transfer serves the initial purpose of data transfer, meets the requirements for the legal basis for data transfer, and ensures adequate safeguards for data protection.
Law No. 3144, signed in June 2023, superseded Act No. 5669 with effect starting from June 2024. Art. 41 of the now-repealed Act No. 5669 established conditions for cross-border data transfers that were similar to those outlined in Art. 37 of the new Law.

Georgia has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 3144 provides a comprehensive regime of data protection in Georgia. The Law aims to bring Georgian legislation on personal data protection into closer alignment with the EU General Data Protection Regulation (GDPR) by establishing obligations such as the appointment of a data protection officer (DPO) and the conducting of a data protection impact assessment (DPIA), as well as requirements regarding data breach notifications, data subject rights, and international data transfers. Law No. 3144 superseded the Data Protection Act of 2011 (No. 5669), with effect starting from June 2024.

Art. 7 of Resolution No. 3 of the Georgian National Communications Commission "Regulations on the Rules of Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications" addresses the information that the service provider retains about the user. The service provider must safeguard the following categories of user information for a period of four years: (a) the user's identification and contact details; (b) data related to the equipment or devices transferred to or used by the subscriber; (c) agreements or transactions related to service delivery; (d) payment information; (e) details of services received or provided, including a comprehensive record of incoming and outgoing telephone communications. Art. 3 defines a service provider as an operator of an electronic communications network or an authorised person who has access to the relevant elements or resources thereof and intends to, or is engaged in, provide electronic communication services through the elements or resources of the said network.
An article concerning the information service providers retain about consumers has been included in the Regulations since its initial version. However, it was originally listed as Art. 5, and there were some variations in the specific data categories and the duration of data retention.

Art. 31 of Law No. 3144 requires data controllers to conduct data protection impact assessments (DPIAs) in cases where there is a high probability of a threat to the violation of fundamental human rights and freedoms during data processing, taking into account new technologies, categories, the volume of data, and the purposes and means of data processing. In addition, a DPIA is mandatory if the data controller : (i) makes decisions in a fully automated manner, including on the basis of profiling, which may have legal, financial, or other significant consequences for a data subject; (ii) processes data of a special category of a large number of data subjects; or (iii) carries out systematic and large-scale monitoring of data subjects' behaviour in places of public gathering. In the case of a substantial change in data processing, the controller is obliged to update the DPIA report and keep it for the entire period of data processing and for at least one year after termination of processing.

Pursuant to Art. 33(1) of Law No. 3144, certain entities are required to appoint or designate a personal data protection officer (DPO). These include public institutions, insurance organisations, commercial banks, microfinance organisations, credit bureaus, electronic communications companies, airlines, airports, and medical institutions, as well as controllers or processors that process the data of a significant number of data subjects or conduct systematic and large-scale monitoring of individuals’ behaviour. Other controllers and processors may appoint a DPO on a voluntary basis.

Art. 8 of the Law on Electronic Communications stipulates that the Operational and Technical Agency (OTA) shall have the capability to obtain real-time communications and their identification data transmitted through the infrastructure of an electronic communication company by using stationary or semi-stationary technical means.
For this purpose, the OTA is empowered to: a) place or install a lawful interception management system and/or any hardware and software required for its function, if necessary; b) require the electronic communication company to maintain the technical capacity, via stationary means, to provide the OTA with real-time communication content and its identification data, in accordance with the architecture and interface specified by the stationary technical capacity for obtaining real-time communication. The OTA functions under the authority of the State Security Service, an organisation subject to the direct oversight of the Prime Minister of Georgia.
An electronic communications company is defined as an authorised entity whose activities or services involve the provision of telephone networks, internet networks, or related services. Electronic communication identification data is defined as user identification data, data required for tracing and identifying the source of a communication; data necessary for identifying the recipient of a communication; data required for determining the date, time, and duration of a communication; data necessary for identifying the type of communication; data required for identifying the user's communication equipment or potential equipment; and data necessary for determining the location of mobile communication equipment.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

According to Art. 5.1 of Resolution No. 3 of Georgian National Communications Commission on the Approval of the Regulations in respect to the Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications, electronic-communication service providers must record and keep information concerning consumers, including the name and surname of the consumer. It is also reported that mobile network operators must collect and store a user's personal information and proof of identity for SIM card registration.

Under Art. 37 of the General Administrative Code, as amended by Art. 1 of the Law of Georgia No. 2542 (On Adding Amendments to the General Administrative Code), public institutions are required to share personal data or commercial secrets with another public institution upon a written request, if necessary to resolve a specific issue. In such cases, the requesting institution must obtain and provide written consent from the individual whose personal data or commercial secrets are being disclosed.
Additionally, under Art. 99, an interested party in administrative proceedings is entitled to access case materials, except for intra-agency documents related to the preparation of an individual administrative act. If the interest in accessing these materials outweighs confidentiality concerns, documents containing commercial secrets may be disclosed, provided such access is authorised by law or a court decision. Copies of these materials may only be provided under similar legal or judicial authorisation.
Although the law does not explicitly mention algorithms or source codes, Art. 27.1 provides a broad definition of commercial secrets. This includes any information about a plan, formula, process, or means of commercial value, or any other information used for manufacturing, preparation, or processing of goods, rendering of services, and/or information that represents a novelty or significant technical achievement, and other information that may prejudice the competitiveness of a person if disclosed.

Georgia has a comprehensive framework regulating trade secrets, established by several laws. According to the General Administrative Code (Art. 27), a commercial secret is defined as information that, if disclosed, could harm the competitive position of an entity and is thus protected from such disclosure. The Civil Code (Art. 1105) grants entrepreneurs exclusive rights over technological, organisational, or commercial information, ensuring its confidentiality. The Criminal Code (Art. 202) imposes penalties for the illegal collection, disclosure, or use of commercial secrets. Additionally, the Constitution of Georgia (Art. 18) guarantees that public institutions protect commercial and professional secrets.

There is an obligation for passive infrastructure sharing in Georgia to deliver telecom services to end users. Art. 19 of Law No. 1514 stipulates that an authorised person may request a provider of a public electronic communication network to provide access and/or interconnection to the relevant elements of its network. Furthermore, Art. 34 mandates that an authorised person with significant market power who owns an electronic communication network shall ensure unrestricted, transparent and non-discriminatory access to the relevant elements, technical facilities of its network, and other types of electronic communication services.
In addition, in 2023, Georgia adopted the Law of Georgia on Sharing Telecommunication Infrastructure and Physical Infrastructure Applicable for Telecommunication Purposes, which establishes a mandatory infrastructure-sharing framework. Under this framework, infrastructure operators must provide authorised persons with access to passive physical infrastructure, including ducts, masts, manholes, buildings, towers, and poles, on fair, reasonable, and non-discriminatory terms. Art. 3(d) defines “physical infrastructure” as any non-active element of a network intended to host or install other network elements, and it enumerates typical passive assets, including pipes, masts, channels, inspection and maintenance manholes, booths, buildings and building entrances, interface points, antenna assemblies, towers, and poles.

Georgia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market. Art. 29 (c) of Law No. 1514 provides that the National Communications Commission of Georgia may, by decision, impose on an authorised entity with significant market power the obligation to maintain separate records of expenditure and income in accordance with the methodological rules approved by the Commission. Furthermore, Art. 34.8 stipulates that, by decision of the Commission, an electronic communications network operator must ensure the separation of the functional resources of the relevant elements of its network, upon a reasonable request by an interested authorised entity. Additionally, Art. 27.6 establishes that the Commission may require an operator with significant market power resulting from a merger to ensure functional separation, meaning the division of functionally separated structural units into separate legal entities.