General Data Protection Regulation (GDPR) Guidance

The European Union General Data Protection Regulation (EU GDPR) is a new and more stringent regulation governing the use of personal data. It imposes new obligations on entities that control or process personal data about people who are located in the EU. The regulation applies to entities both inside and outside the EU, and it covers data about anyone in the EU, regardless of whether they are a citizen or permanent resident of an EU country. The regulation took effect on May 25, 2018.

EU GDPR applies to the control or processing of personal data, which is defined as:

Any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of identifiers include but are not limited to:

  • Name
  • Photo
  • Email address
  • Identification number
  • Physical address or other location data
  • IP address or other online identifier

GDPR applies only to the extent Georgia governmental entities have a physical location within Europe, monitor consumer behavior in Europe (such as through electronic data collection or analysis), or offer goods and services into Europe. In the rare case that a Georgia governmental entity conducts any of these activities, legal counsel should be consulted to evaluate whether the activities pose a genuine compliance concern and, if so, how best to explore compliance options.

For more guidance about how GDPR affects Georgia government entities, please send an email to cto@gta.ga.gov.