FREQUENTLY ASKED QUESTIONS

Information regarding the designation/appointment of a personal data protection officer may be provided to the Personal Data Protection Service of Georgia via the Service's website, electronic mail (office@pdps.ge), postal consignment, or in material form - by submitting it to the Personal Data Protection Service of Georgia.

The functions of the personal data protection officer are directly provided by the first paragraph of Article 33 of the law of Georgia “On Personal Data Protection”.

The functions of the personal data protection officer can be defined as follows:

• Providing consultation on data protection issues to the organization responsible for processing and its employees;
• Participation in the development of internal regulations relating to data processing;
• Monitoring the implementation of Georgian legislation and the internal organizational documents;
• Representation of the organization in its relationship with the Service;
• Receiving consultations from the Service;
• Submission of information and documents requested by the Service;
• Coordinating and monitoring the implementation of the Service’s tasks and recommendations;
• Informing the data subject regarding the data processing and his/her rights;
• Analysing applications, complaints relating to data processing, making appropriate recommendations.

The list of duties and responsibilities of the Personal Data Protection Officer is not exhaustive. The officer may perform other functions to enhance the standards of data processing within the organization.

For instance, organizing internal institutional training for staff on the protection of personal data.

Any message sent to request consent for data processing for direct marketing is itself considered a component of direct marketing, as its content is aimed at providing marketing services.

Yes.  Direct marketing is the direct and immediate delivery of information to a data subject by telephone, mail, email or other electronic means to generate, maintain, sell, or support interest in a product, idea, service, work and/or initiative, as well as image and social issues.

Yes, the given example is also considered to be processing of data for direct marketing purposes. The purpose of such content notifications is to support a service, work or image.

A communication that doesn't have the purpose of creating, maintaining, realising and/or supporting interests is not considered direct marketing. Rather, it is linked to informing the data subject of a specific legal relationship, as illustrated by the examples given in the question.

The law provides for two types of administrative sanctions for violations of the direct marketing rules - a warning or a fine.

In particular, the issuance of a warning to or the imposition of a fine of GEL 2 000 on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500 000. The issuance of a warning to or the imposition of a fine of GEL 3 000 on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500 000.

In case of an aggravating circumstance, only a fine is provided as the form of an administrative penalty, specifically:

The imposition of a fine of GEL 4 000 on a natural person, public institution, non-entrepreneurial (non-commercial) legal entity, as well as a legal person, a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover does not exceed GEL 500 000. The imposition of a fine of GEL 6 000 on a legal person (except for non-entrepreneurial (non-commercial) legal entities), a branch of a foreign enterprise, and an individual entrepreneur, whose annual turnover exceeds GEL 500 000.

The controller is the person who determines the purposes and means of processing personal data. The controller processes the data directly or through the processor.

The processor processes the data for or on behalf of the controller. The processor is not an employee of the controller.

Written consent of the data subject includes cases where the data subject has given consent in writing after receiving relevant information about data processing for a particular purpose. This includes consent given in electronic form.

Fingerprints are biometric data. The processing of biometric data is only allowed under the following conditions:

• Biometric data may be processed only if this is necessary for the purposes of carrying out activities, security, protection of property and prevention of the disclosure of secret information;
• Also, these purposes cannot be achieved by other means or involve disproportionate effort.

Accordingly, fingerprint processing for entry-exit registration is allowed only if the prerequisites as mentioned above are jointly present.