FREQUENTLY ASKED QUESTIONS
Applying to the Service does not involve any kind of fee and is completely free of charge.
Biometric data is a data processed using technical means and related to the physical, physiological or behavioural characteristics of a data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirmation the identity of that data subject.
A photograph or video image is not considered biometric data until it undergoes processing using technical means, such as a facial recognition system, and uniquely identifies a person.
The Law of Georgia “On Personal Data Protection” does not specify a term related to data storage. Personal data may only be stored for the period necessary to achieve the legitimate purpose of data processing.
After achieving this interest, the data must be deleted/destroyed/stored in a depersonalised form reserved.
Exceptions are made when data processing is directly defined by law/subordinate normative act and data retention is a necessary and proportionate measure to protect the best interests in a democratic society.
Video monitoring of the common entrance/space of the residential building is allowed with the written consent of more than half of the owners.
The video monitoring of an entrance to an individual property in a residential building is permitted only by a decision of the owner/possessor or with his/her written consent, provided it does not harm the legitimate interests of others.
If the video monitoring system includes public/common spaces or another person's residential building, a warning sign about the monitoring must be displayed.
Conflict of interest occurs when the personal data protection officer in an organization holds other functions and duties that enable them to determine the purpose and means of data processing.
The personal data protection officer should not be directly involved in the process of personal data processing or perform functions conflicting with compliance with data protection legislation.
Examples include positions such as director, head of human resources or information technology department, or roles involving public information provision within a public institution and any other position/function within the framework of which he/she may be directly involved in the process of personal data processing.
The Law of Georgia “On Personal Data Protection” directly defines in what cases where audio and video monitoring are permissible.
Video monitoring is permitted for the purposes of crime prevention/detection, public safety, the protection of personal safety and property, the protection of minors, the protection of secret information, examination/testing, and for the other legitimate interests. provided that the video monitoring must be adequate and proportionate to the purpose of data processing.
While, Audio monitoring shall be permitted, with the consent of the data subject, to make a record, to protect important legitimate interests pursued by the controller, provided that appropriate and specific measures are in place to protect the rights and interests of the data subject, in other cases expressly provided by the legislation of Georgia.
However, data shall be processed only to the extent necessary to achieve the respective legitimate purpose.
Accordingly, in each case, it should be assessed individually, on the one hand, to what extent there are grounds for the implementation of audio and video monitoring, and on the other hand, how proportionate is the processing of this volume of data.
The Law of Georgia “On Personal Data Protection” does not provide for the definition of “workspace”. Accordingly, “work space” must be define individually in each case and can be considered as the space intended for the performance of basic official functions, where the persons employed in the institution directly exercise their official authority (example, work room, procedure room, cash box).
It should be noted, that video monitoring of an employee's workspace will be allowed only in cases where the achievement of his legitimate interests (example: protection of property, personal safety and etc.) is impossible by other means or requires disproportionate effort.
The Law of Georgia “On Personal Data Protection” does not provide for consent as the basis for video monitoring of an employee's work space.
Video monitoring is permitted only in exceptional cases where other means cannot achieve the purposes under Article 10 paragraph 1 of Law of Georgia “On Personal Data protection” or involve disproportionate effort.
If this basis exists, it is obligatory that the employee must be warned in writing about the specific purpose/purposes of video monitoring.
An incident is a breach of security of data leading to the unlawful or accidental:
- damage;
- loss of data;
- unauthorised disclosure;
- destruction;
- alteration;
- access to data;
- the collection/obtaining of data;
- other unauthorised processing.
Types of incidents are violation of confidentiality, integrity, accessibility.
Controller/Processor for processing must develop security measures, which will enable effective prevention of incidents, and in case of occurrence - detection and prevention. For this, it is recommended to have an internal procedure for incident assessment and response and to have specific persons responsible for the process.
- Processing of data relating to a minor under the age of 16 shall be permitted with the consent of his/her parent or other legal representative.
- If a minor has attained the age of 16, processing of data about him/her shall be permitted on the basis of his/her consent.
- The processing of special categories of data relating to a minor shall be permitted only on the basis of the written consent of the minor’s parent/legal representative.
The consent of a minor, his/her parent/legal representative to the processing of data shall not be considered valid if the processing of the data jeopardises or harms the best interests of the minor.