Privacy Policy

Privacy Policy

The Personal Data Protection Policy (hereinafter “the Policy”), which can be found on the official page of the Personal Data Protection Service (www.pdps.ge), describes the processing of personal data of users within the Personal Data Protection Service website (hereinafter "the Service").

The terms used in this Policy have the meanings defined by the Law of Georgia "On Personal Data Protection" and other normative acts.

Purposes and grounds for data processing

The Personal Data Protection Service is an active independent state body established and operating on the basis of the Law of Georgia "On Personal Data Protection" (hereinafter referred to as "the Law"). In carrying out its activity, the Personal Data Protection Service shall be guided by the Constitution of Georgia, international treaties of Georgia, generally recognised principles and norms of international law, laws and other relevant legal acts.

According to Article 49, the Personal Data Protection Service monitors the lawfulness of the processing of personal data in Georgia. In this regard, the main areas of activity of the Personal Data Protection Service are as follows:

• Providing consultations on matters related to data protection; (Article 49(a) of the law)
• reviewing applications related to data protection (Article 49(b) of the law);
• examining (inspecting) the lawfulness of data processing (Article 49(c) of the law);
• Informing the public on the data protection status in Georgia, and important events related thereto, and ensure the raising of awareness among the public (Article 49(d) of the law).

Pursuant to paragraph 2 of article 53, the Personal Data Protection Service carries out educational activities on issues related to data processing and data protection.

The Personal Data Protection Service processes the data of its website users for the following reasons:

• To monitor the lawfulness of personal data processing - when receiving applications and notifications on personal data protection;
• To carry out educational activities – during registrations on personal data protection trainings.
• To perform the obligation laid down in article 33 (8) – publicize information of the Personal Data Protection Officer that was appointed/designated by the controller and processor;
• To receive a notification regarding a data breach with the use of the Electronic control system for incident notification integrated within the website according to article 29.

Data received by the Personal Data Protection Service via the Website may be processed for statistical and/or analytical purposes.

Data processed via the website

The data processed through the website is provided by the users of the website themselves. The following information is collected through the Site:

While receiving an application/notification on personal data protection - name, surname, telephone number, e-mail address of the user, also, data provided through an application/notification and additional documents (if applicable). All fields of the application form are necessary, in case of a notification form, to protect user anonymity, only content of the notification is necessary;

While registering for a training on personal data protection – the user’s name, surname, telephone number, e-mail address, sector (private or public). All fields necessary;

While publishing information about the Personal Data Protection Officer – name, surname, telephone number and e-mail address of the Personal Data Protection Officer that was appointed/designated by a controller and a processor.

While being notified about data breach– name, surname, position and contact information (phone number, email address) of the that is person responsible for filling out an breach notification form; if applicable the name, surname and contact information (telephone number, e-mail address) of the personal data protection officer; if applicable, name, surname, position and contact information (telephone number, e-mail address) of another contact person.

Sharing user data

• In order to study the conditions set out in the request / notification and to determine the lawfulness of the data processing, to study in detail the alleged offence and to issue appropriate obligations and/or recommendations to public/private organisations/natural persons as a result of the discussion of the examination of the request, the Personal Data Protection Service may transmit the user's data (including information and documents provided by them at any time) to the public/private organisation or natural person against whom the request / notification is made. In addition, if necessary, during the examination of the case, the Personal Data Protection Service may request information about the user from a third party.
• The information collected when registering for a training course on the protection of personal data is processed in order to identify the participants and to communicate with them on topics related to the training course. This data may be used before and after the training to provide additional content to the participants, to study the quality of the training provided, to organise activities to test the knowledge acquired, to prepare and give certification, and to provide additional information on various training activities planned by the Service.

Processing of additional information through the website

In order to protect the legitimate interests of the Service, to detect a possible information about data breach, which is important to protect the integrity of the electronic system of the Service, the Service processes additional information through the website.

The Personal Data Protection Service server logs the date, time and method by which the user accesses the Website, the Internet Protocol address, the referral and other data indicating the activities carried out by the user on the Website.

Disclosure of data to third parties

• The personal data collected by the Personal Data Protection Service are confidential. The Personal Data Protection Service does not transfer personal data to third parties within its website, except in the following circumstances, which are established by law:
• For the Personal Data Protection Service to perform its statutory duties (look at data processed via the website);
• For court proceedings (to present evidence to the court in case of a complaint)
• For Data to be processed by the processor.

The data will be processed only for the purposes indicated by the Personal Data Protection Service in order to protect the principles and rules established by law. The Personal Data Protection Service processes the data independently and doesn't use the services of other (third party) controllers, but in case of additional requirements, processors may be disclosed to data/get permission to access data while they are working for the Personal Data Protection Service (for example, during the technical work of a website renewal). In such a case, the disclosure of data/permission to access it will only happen on the basis of a written agreement between the Service and the processor, the agreement will include the obligation of the processor to process the data only for the purposes outlined by the Service and following the principles and rules outlined by the law.

Transfer of data to another state and/or international organization

Data processed by the Personal Data Protection Service via the website will not be transferred to another state and/or international organization.

Data retention period and security

User data collected via the website when receiving a notification on an alleged offence of data processing is stored for a period of 3 years (In case of a complaint).[1] User data collected via the website on the website registration is stored for a period of 1 year. [2] User data collected through the website on user activity within the website is stored for a period of 1 year. [3] Data security is provided according to the information security policy of the Service. To ensure data security within the website the Service takes appropriate organizational-technical measures (for example, penetration tests).

1. In case a decision is appealed, the period will be counted from the date of entry of the final decision of the court.
2. The period will be counted from the end of a training.
3. The period will be counted from the last deletion of data/activity of the user. Level of access to data is assessed by taking into account the relevant job functions.

Rights of the website user

The website user has the right to request and receive the following information without a fee:

• Is data about them being processed, is the data processing justified; b) details on the processed data, as well as the ground and purpose of the processing of such data; c) the source of data collection/acquisition d) the period of data storage, and information on data criteria if a period is impossible to assess. e) Identity or category of the data receiver; and if the data is transferred to a third person provide information on the grounds and purpose of the data transfer;
• Get to know the user’s data within the Personal Data Protection Service and receive copies of such data without a fee, except in cases where fees exist for the access and issuing of copies as defined by Georgian Law;
• Request rectification, update, completion, blocking, termination of processing, erasure or destruction of their data in cases where data is incomplete, inaccurate, is not updated or was processed unlawfully;
• Withdraw consent – without further explanation at any time deny the consent they provided and request an end and/or destruction of the processed data (if other basis for data processing exist);
• Appeal – if the data subject suspects that the data processing by the Personal Data Protection Service violates the rules established by law, they have the right to appeal at the Tbilisi city court (address: Tbilisi Davit Aghmashenebeli Avenue №64).

Restricting rights of the website user

The website user’s rights can be restricted if it is directly accounted for by Georgian legislation, this does not violate fundamental human rights and freedoms, is an important and proportionate measure in a democratic society and exercising these rights may create danger to:

• National security, information security and cyber security and/or defense interests;
• Public safety interests;
• Crime prevention, investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, and the conduct of operative and investigative activities;
• Interests relating to financial or economic (including monetary, budgetary and taxation), public health and social protection issues of importance to the country;
• The detection of the data subject’s violations of professional ethical standards, including those of a regulated profession, and the imposition of liability on the data subject;
• The protection of the rights and freedoms, including freedom of expression, of the data subject and others;
• The protection of state, commercial, professional and other secrets provided for by law;
• The substantiation of a legal claim or a statement of defense.

A measure to restriction may be applied only to the extent necessary to achieve the purpose of the restriction.

If the grounds to restriction exist, the decision of the Personal Data Protection Service shall be notified to the data subject, in a manner in which the provision of the information would not jeopardize the purpose of the restriction of the right.

If you wish to have your personal data deleted from the website, please contact the Data Protection Department by email at office@pdps.ge.

Policy updates and additional information

This policy document will be updated as necessary.