Personal Data Protection

The Training and Consulting Center of the Georgian Institute of Public Affairs (GIPA) and Privacy Logic Group, a consulting company specializing in personal data protection, offer a professional certificate program in Personal Data Protection.

The goal of the program is for participants to gain foundational, practical knowledge and essential skills to establish and effectively manage personal data protection standards within their own organizations. Throughout the course, participants will:

Become familiar with current regulations and be able to implement their requirements in practice;
Learn to identify and properly document data processing processes and flows;
Be able to identify high-risk processes and determine appropriate countermeasures;
Work on developing relevant policies and rules;
Become acquainted with the key mechanisms for monitoring and ensuring compliance;
Gain knowledge of the rules, rights, and obligations regarding interaction with the supervisory authority;
Also become familiar with the GDPR as the international "gold standard" of personal data protection, which is highly relevant in the Georgian context.

The teaching process is interactive and involves active participation from participants. During the course, participants will work on real case-based examples, identify problems, and develop practical solutions. They will also prepare template documents and, at the end of the course, complete a final summary project.

The program is intended for individuals who are involved in the processing of personal data (representatives of legal, human resources, marketing, and other departments) or who are responsible persons for data protection / data protection officers.

Upon completing the program, participants will be able to work as Data Protection Officers (DPO), compliance specialists, legal or data protection consultants in various sectors, including financial, telecommunications, healthcare, technology, and international organizations.

Program Content

Module 1 - Fundamentals of Personal Data Protection

What constitutes personal data
Categories of personal data
What personal data processing means
Key terms in personal data protection
Overview of key international and Georgian legislation on personal data protection, Convention 108+, GDPR
Scope of data protection legislation

Module 2 - Identification and Documentation of Data Processing Processes

Identification of data flows
Mapping of processing processes
Records of Processing Activities (ROPA)
Defining responsibilities within the organization

Module 3 - Legal Bases and Compliance

General prerequisites for the lawful processing of personal data
Principles of data processing
Accountability and transparency
Determining the necessity of data processing and storage periods
Legal bases for data processing and their identification in practice
"Consent" in data protection legislation
Definition of legitimate interest and conducting the balancing test
Processing of data of minors

Module 4 - Special Cases of Data Processing

Rules for audio monitoring
Rules for video monitoring
Permissible cases for processing biometric data
Direct marketing
Data processing in employment relationships

Module 5 - Persons Involved in the Data Processing Process

Controller, joint controller
Processor
Identification of roles
Data processing agreement
Prior vetting of persons involved in processing and subsequent monitoring mechanisms

Module 6 - New Technologies

Cloud, Cookies, IoT
Use of AI tools
Profiling and automated decisions
Data Protection Impact Assessment (DPIA) and development of the assessment document

Module 7 - Data Security and Risk Management

Privacy by Design & Default – incorporating data protection principles when developing new products/services
Identification and assessment of security risks
Minimum technical and organizational requirements for data security
Pseudonymization, anonymization, access control
Security incident management and notification procedures

Module 8 - Rights of the Data Subject

Right of access, rectification, updating, completion, blocking, erasure, destruction, portability, right to receive a copy, right to lodge a complaint
Right to object to automated decision-making
Procedures for implementing mechanisms to exercise data subject rights
Response timelines and documentation obligations
Exercising rights in practice:
- How HR should handle employee access or rectification requests
- How CRM should handle erasure requests
- How PR should handle requests to remove images and videos
Permissible cases for restricting data subject rights

Module 9 - International Transfer of Data

Regulation of international transfers
Countries to which data transfer is permitted
Possible instruments for international transfer
Exceptional cases – procedure for obtaining permission from the supervisory authority for international data transfer

Module 10 - Data Protection Officer and Implementation of a Data Protection Program in an Organization

Role and functions of the Data Protection Officer and their place in the internal organizational structure
Internal compliance audit
Implementation and monitoring of data protection rules and policies
Communication and reporting of data protection matters to management
Role of other structural units in the data protection program
Raising awareness of personal data protection
Practical approaches to strengthening a data protection culture

Module 11 - Relations with the Supervisory Authority

Mandate and competence of the personal data protection supervisory authority
Rules, rights, and obligations regarding interaction with the supervisory authority
Sanctions for violations of the law and key issues of administrative proceeding

Upon completing the program, participants will develop a data protection program framework and various types of policy documents for companies across different profiles.

Technical Details

Duration: 2 months; lectures will be held twice a week, on Tuesdays and Thursdays, from 19:00 to 21:30.
Classes will begin on March 10, 2026. The registration deadline is March 4, 2026. After registration closes, an interview with the admissions committee will be held.
Language of instruction: Georgian; materials are available in both English and Georgian.

Certificate

Participants will receive a "Data Protection Specialist" certificate.

Prerequisites for obtaining the certificate:

Throughout the program, participants must complete all assignments.
At the end of the course, participants must present an individual project.

Ana Kapanadze - A professional certified by the International Association of Privacy Professionals (IAPP), Certified Information Privacy Professional (CIPP/E), and Certified Information Privacy Manager (CIPM).

Ana is the Director of Privacy Logic Group, a personal data protection consulting company, and has been working in the field of personal data protection since 2013, both in Georgia and abroad. Her work includes consulting and Data Protection Officer services for both private and public institutions. She has conducted general, segmented, and organization-specific thematic trainings tailored to the needs of particular organizations.

Ana holds Master's degrees in Public Law (Tbilisi State University) and Political Science (Central European University – CEU).

Salome Bakhsoliani – Salome has over 10 years of experience in the field of personal data protection. From 2014 to 2022, she held leading positions in Georgia's personal data protection supervisory authorities, including serving as Deputy State Inspector from 2020 to 2022, where she oversaw data processing practices of public, private, and law enforcement agencies, and was involved in the process of harmonizing Georgian legislation with the EU's GDPR.

Since 2022, Salome has been advising organizations on the development of data protection governance frameworks and the compliance of existing personal data processes and technological solutions. In parallel, she conducts academic work and delivers trainings on data protection issues.

Salome is the recipient of the prestigious American Fulbright and Edmund Muskie scholarships. Through these scholarships, she obtained a Master's degree and worked at a research organization in Washington, D.C., where she studied EU and global data protection and digital services regulatory frameworks.

Salome holds Master's degrees in Public Administration and Law from Georgian and American universities (Loyola University New Orleans, GIPA, Caucasus University). Salome is also an IAPP-certified professional (CIPP/E).

Program Fee: 1500 GEL

Payment Schedule: Payment is made in 2 installments:

1st installment – 1,000 GEL
2nd installment – 500 GEL

Discount System

The program includes individual and corporate discounts.

Individual Discounts:

For GIPA alumni – 10%
For family members enrolling in the same course simultaneously – 10%

Corporate Discounts:
If an organization covers its employees' development costs, the following discounts apply:

Two or three employees – 10%
Four employees – 15%
Five or more employees – 20%

A participant may take advantage of only one type of discount.

Payment:

Payment must be made to the organization's bank account. The personal ID number and program name must be indicated in the payment order.

Bank Details:

JSC TBC Bank
Bank Code (BIC): TBCBGE22
Beneficiary Name: Non-Entrepreneurial Legal Entity – Georgian Institute of Public Affairs (GIPA)
Account Number: GE84TB1100000110700419 / GEL

Persons interested in the certificate program must complete the registration form.

The registration deadline is September 20, 2026. After registration closes, an interview with the admissions committee will be held.

Classes will begin on October 5, 2026.

Selection Criteria:

Motivation
Communication skills
Work experience
Preferred: English at Intermediate Level and work experience

Ketevan Avaliani
Coordinator
Training and Consulting Center

Address: 2 Marie Brosset St., Tbilisi, 0108
Email: k.avaliani@gipa.ge
Mobile: (+995) 599 17 67 17