Art. 31 of Law No. 3144 requires data controllers to conduct data protection impact assessments (DPIAs) in cases where there is a high probability of a threat to the violation of fundamental human rights and freedoms during data processing, taking into account new technologies, categories, the volume of data, and the purposes and means of data processing. In addition, a DPIA is mandatory if the data controller : (i) makes decisions in a fully automated manner, including on the basis of profiling, which may have legal, financial, or other significant consequences for a data subject; (ii) processes data of a special category of a large number of data subjects; or (iii) carries out systematic and large-scale monitoring of data subjects' behaviour in places of public gathering. In the case of a substantial change in data processing, the controller is obliged to update the DPIA report and keep it for the entire period of data processing and for at least one year after termination of processing.

Pursuant to Art. 33(1) of Law No. 3144, certain entities are required to appoint or designate a personal data protection officer (DPO). These include public institutions, insurance organisations, commercial banks, microfinance organisations, credit bureaus, electronic communications companies, airlines, airports, and medical institutions, as well as controllers or processors that process the data of a significant number of data subjects or conduct systematic and large-scale monitoring of individuals’ behaviour. Other controllers and processors may appoint a DPO on a voluntary basis.

Art. 8 of the Law on Electronic Communications stipulates that the Operational and Technical Agency (OTA) shall have the capability to obtain real-time communications and their identification data transmitted through the infrastructure of an electronic communication company by using stationary or semi-stationary technical means.
For this purpose, the OTA is empowered to: a) place or install a lawful interception management system and/or any hardware and software required for its function, if necessary; b) require the electronic communication company to maintain the technical capacity, via stationary means, to provide the OTA with real-time communication content and its identification data, in accordance with the architecture and interface specified by the stationary technical capacity for obtaining real-time communication. The OTA functions under the authority of the State Security Service, an organisation subject to the direct oversight of the Prime Minister of Georgia.
An electronic communications company is defined as an authorised entity whose activities or services involve the provision of telephone networks, internet networks, or related services. Electronic communication identification data is defined as user identification data, data required for tracing and identifying the source of a communication; data necessary for identifying the recipient of a communication; data required for determining the date, time, and duration of a communication; data necessary for identifying the type of communication; data required for identifying the user's communication equipment or potential equipment; and data necessary for determining the location of mobile communication equipment.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

Arts. 11–13 of Chapter V of the Law of Georgia on Electronic Commerce (No. 3110-XIms-Xmp) establish an intermediary liability framework covering the three core categories of intermediation services: mere conduit (transmission), caching, and hosting. Under Art. 11, transmission providers are exempt from liability for transmitted information where they do not initiate the transmission, select the recipient, or select or modify the content, and where any temporary storage is limited to what is technically necessary for transmission. Under Art. 12, caching providers are exempt where they do not modify the information, comply with conditions on access and updating, do not interfere with lawful usage-monitoring technologies, and remove or disable access to cached content expeditiously once they become aware that it has been removed at source or restricted by a court or competent authority. Under Art. 13, hosting providers are exempt where they lack actual knowledge of illegal activity or information, or, upon obtaining such knowledge, act expeditiously to remove or restrict access; this exemption does not apply where the recipient acts on the provider’s behalf or is under its control. Art. 2 clarifies that “actual knowledge” is linked to a court decision or a decision of a competent administrative or law-enforcement body.

According to Art. 5.1 of Resolution No. 3 of Georgian National Communications Commission on the Approval of the Regulations in respect to the Provision of Services and Protection of Consumer Rights in the Sphere of Electronic Communications, electronic-communication service providers must record and keep information concerning consumers, including the name and surname of the consumer. It is also reported that mobile network operators must collect and store a user's personal information and proof of identity for SIM card registration.

Pursuant to Art. 10.2(c) of Resolution No. 3 of the Georgian National Communications Commission approving the Regulations on the Provision of Services and Consumer Rights Protection in the Electronic Communications Sector, the owner of an internet site must examine any link made available on the site to ensure that the linked site or page does not contain offensive or otherwise inadmissible content. Where such content is identified, the site owner must take appropriate measures to eliminate it.
It is reported that individuals or entities who own a website are required to regularly monitor their web content to prevent the publication of inadmissible material. However, this monitoring is often inconsistent and is usually carried out only at the request of the Georgian National Communications Commission.

Georgia has a comprehensive framework regulating trade secrets, established by several laws. According to the General Administrative Code (Art. 27), a commercial secret is defined as information that, if disclosed, could harm the competitive position of an entity and is thus protected from such disclosure. The Civil Code (Art. 1105) grants entrepreneurs exclusive rights over technological, organisational, or commercial information, ensuring its confidentiality. The Criminal Code (Art. 202) imposes penalties for the illegal collection, disclosure, or use of commercial secrets. Additionally, the Constitution of Georgia (Art. 18) guarantees that public institutions protect commercial and professional secrets.

There is an obligation for passive infrastructure sharing in Georgia to deliver telecom services to end users. Art. 19 of Law No. 1514 stipulates that an authorised person may request a provider of a public electronic communication network to provide access and/or interconnection to the relevant elements of its network. Furthermore, Art. 34 mandates that an authorised person with significant market power who owns an electronic communication network shall ensure unrestricted, transparent and non-discriminatory access to the relevant elements, technical facilities of its network, and other types of electronic communication services.
In addition, in 2023, Georgia adopted the Law of Georgia on Sharing Telecommunication Infrastructure and Physical Infrastructure Applicable for Telecommunication Purposes, which establishes a mandatory infrastructure-sharing framework. Under this framework, infrastructure operators must provide authorised persons with access to passive physical infrastructure, including ducts, masts, manholes, buildings, towers, and poles, on fair, reasonable, and non-discriminatory terms. Art. 3(d) defines “physical infrastructure” as any non-active element of a network intended to host or install other network elements, and it enumerates typical passive assets, including pipes, masts, channels, inspection and maintenance manholes, booths, buildings and building entrances, interface points, antenna assemblies, towers, and poles.

Georgia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market. Art. 29 (c) of Law No. 1514 provides that the National Communications Commission of Georgia may, by decision, impose on an authorised entity with significant market power the obligation to maintain separate records of expenditure and income in accordance with the methodological rules approved by the Commission. Furthermore, Art. 34.8 stipulates that, by decision of the Commission, an electronic communications network operator must ensure the separation of the functional resources of the relevant elements of its network, upon a reasonable request by an interested authorised entity. Additionally, Art. 27.6 establishes that the Commission may require an operator with significant market power resulting from a merger to ensure functional separation, meaning the division of functionally separated structural units into separate legal entities.

Georgia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Georgia has two government bodies in the telecommunications sector: a governmental ministry responsible for policy formulation and an independent regulatory commission, the Georgian National Communications Commission. The Commission serves as the country's regulatory authority for broadcasting and electronic communications. It functions as an independent state agency, operating as a legal entity under public law, with a commission comprising five appointed members. Although the authority enjoys operational and budgetary autonomy and is reported to operate independently of the government in decision-making, it remains accountable to the President, the Government, and Parliament, which may compromise its independence.
The Department of Communications, Information and Modern Technologies, housed within the Ministry of Economy and Sustainable Development, is the policy-making entity responsible for formulating and implementing state policy regarding electronic communications, information technologies, and postal services.

Art. 37 of Law No. 3144 stipulates that the cross-border transfer of data is permissible if the data processing requirements outlined in the Law are met and adequate safeguards are in place in the destination jurisdiction to ensure the protection of data subjects' rights. In addition, the cross-border transfer of data is allowed under other circumstances, including when: (i) the data transfer is envisaged by an international treaty and agreements of Georgia; (ii) the data controller provides appropriate safeguards for data protection on the basis of an agreement concluded between the controller and the relevant state, the appropriate public institution of such state, a legal person or a natural person, or an international organisation; (iii) the data subject gives written consent after receiving information on the lack of proper safeguards for data protection in the relevant jurisdiction and on possible threats; (iv) the transfer of data is necessary to protect the vital interests of a data subject and the data subject is physically or legally incapable of consenting to such data processing; and (v) there is a lawful public interest, and the transfer of data is a necessary and proportionate measure in a democratic society.
Onward transfer is permitted only if such data transfer serves the initial purpose of data transfer, meets the requirements for the legal basis for data transfer, and ensures adequate safeguards for data protection.
Law No. 3144, signed in June 2023, superseded Act No. 5669 with effect starting from June 2024. Art. 41 of the now-repealed Act No. 5669 established conditions for cross-border data transfers that were similar to those outlined in Art. 37 of the new Law.

Georgia has not joined any agreement with binding commitments to open transfers of data across borders.

According to Art. 22(2) of Law No. 1791, any applicant lacking a residence or registered legal address within Georgia must appoint a Georgian patent attorney to represent before the National Intellectual Property Centre of Georgia (Sakpatenti) in the application process.