This "Madloba Limited" Personal Data Processing Policy (hereinafter - the Policy) has been developed in accordance with the Constitution of Georgia, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ETS No. 108 of 28.01.1981.
This Policy defines the procedure for processing and guarantees to ensure protection of the rights of subjects of personal data in the Limited Liability Company "Madloba" (hereinafter - Madloba and (or) the Operator) in order to protect the rights and freedoms of individuals and citizens during processing of their personal data.
.
DEFINITION OF TERMS
1.1 Basic concepts used in this Policy:
1.1.1. personal data - any information relating to a directly or indirectly identified or identifiable individual (personal data subject);
1.1.2. operator - a state body, municipal authority, legal entity or individual, individually or jointly with other persons, arranging and (or) carrying out processing of personal data, as well as determining the purposes of processing of personal data, composition of personal data to be processed, actions (operations) performed with personal data;
1.1.3. personal data processing - any action (operation) or set of actions (operations) performed with or without use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data
1.1.4. automated processing of personal data - processing of personal data by means of computer equipment;
1.1.5. dissemination of personal data - activities aimed at disclosure of personal data to an indefinite range of persons;
1.1.6. provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
1.1.7. blocking of personal data - temporary stopping of personal data processing (except cases when processing is necessary for clarification of personal data)
1.1.8. destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which tangible carriers of personal data are destroyed;
1.1.9. depersonalization of personal data - actions, as a result of which it becomes impossible, without the use of additional information, to determine the affiliation of personal data to a particular personal data subject;
1.1.10. personal data information system - a set of information technologies and technical means contained in personal data bases and ensuring personal data processing
PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
2.1 Principles of personal data processing.
2.1.1 Processing of personal data at the Operator is based on the following principles:
lawfulness and fair basis;
Restriction of personal data processing to achieving specific, predetermined and legitimate objectives;
Avoiding processing of personal data, incompatible with the purposes of personal data collection;
not to combine databases containing personal data, processing of which is carried out for purposes, incompatible with each other
Processing only those personal data that meet the purposes of its processing
Compliance of the content and volume of processed personal data with the stated processing purposes;
Inadmissibility of processing of personal data excessive in relation to the stated purposes of its processing
Ensuring accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing;
Destruction or depersonalization of personal data upon attainment of the objectives of personal data processing or in case of loss of necessity in attainment of such objectives, if the Operator is unable to eliminate violations of personal data, unless otherwise provided by the law.
2.2 Conditions for processing of personal data.
2.2.1 The operator processes personal data if at least one of the following conditions exists:
processing of personal data is carried out with the consent of the subject of personal data to the processing of his/her personal data;
Processing of personal data is necessary for execution of a contract or agreement, a party to which, or a beneficiary or guarantor under which, is the subject of personal data, as well as for conclusion of a contract or agreement on the initiative of the subject of personal data or a contract or agreement, under which the subject of personal data will be a beneficiary or guarantor;
Processing of personal data is necessary for exercise of the rights and legitimate interests of the Operator or third parties, or to achieve socially important objectives, provided that this does not violate the rights and freedoms of the personal data subject;
Other conditions stipulated by law.
2.3 Confidentiality of Personal Data.
2.3.1 The operator and other persons obtaining access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by law.
2.3.2 The operator is entitled to transfer personal data to bodies of inquiry and investigation, other authorized bodies on the grounds stipulated by applicable law.
2.4 Publicly accessible sources of personal data.
2.4.1 For the purpose of information provision, publicly accessible sources of personal data (including directories, address books) may be created. Surname, name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data provided by the subject of personal data may be included in publicly available sources of personal data with written consent of the subject of personal data.
2.4.2 Information about the subject of personal data shall at any time be excluded from publicly available sources of personal data at the request of the subject of personal data or by court decision or other authorized state bodies.
2.5 Special categories of personal data, as well as biometric personal data shall not be processed by the Operator.
2.6. entrusting the processing of personal data to a third (other) party.
2.6.1 The operator has the right to assign processing of personal data to another person, including one located outside the country (cross-border transfer of personal data), with the consent of the personal data subject, unless otherwise provided by law, on the basis of the contract concluded with this person. The person processing personal data on behalf of the operator must comply with the principles and rules of personal data processing prescribed by law. The Operator's order defines a list of actions (operations) with personal data to be performed by the person performing the processing of personal data and the processing purposes, establishes the obligation of such person to respect the confidentiality of personal data and ensure security of personal data during their processing, as well as specify requirements for the protection of processed personal data in accordance with Article 19 of the Act. The transborder transfer of personal data is carried out in order to fulfill the rights and obligations under the contracts or agreements, concluded with the subjects of personal data, as well as to ensure compliance with laws and other regulations.
2.6.2 A person processing personal data on behalf of the Operator is not required to obtain consent from the subject of personal data to process their personal data.
2.6.3 If the Operator instructs another person to process personal data, the Operator shall be liable to the subject of personal data for the actions of that person. The person who processes personal data on behalf of the Operator shall be liable to the Operator.
2.7 The purpose of personal data processing.
2.7.1 Processing of personal data may be carried out by the Operator solely for the purpose of executing rights and obligations under contracts and agreements entered into with personal data subjects, to ensure compliance with laws and other regulations, as well as to observe other legitimate interests of the Operator or personal data subjects.
2.7.2 Personal data shall be collected and used to the extent justified by the purpose of processing such personal data. The operator shall seek ways and methods to use exclusively anonymized personal data to the extent and to the extent justified by the purpose of personal data processing.
2.7.3 Achievement of personal data processing objectives may be a condition for termination of personal data processing.
2.8 Regardless of the existing judicial practice and explanations of authorized bodies, the Operator classifies the following information as personal data
questionnaire and biographical data;
Data that allows identifying the subject or his or her terminal equipment (cookies, web beacons, pixel tags, IP addresses, information about the browser or other program that accesses the display of advertising) and other digital marking technologies;
other personal information.
RIGHTS OF THE SUBJECT OF PERSONAL DATA
3.1 The consent of the subject of personal data to the processing of their personal data.
3.1.1 The subject of personal data decides to provide his/her personal data and consents to its processing freely, willingly and in his/her own interest. Consent to the processing of personal data must be specific, informed and conscientious. Consent to the processing of personal data may be given by the subject of personal data or his/her representative in any form allowing to confirm the fact of its receipt, unless otherwise provided by law. If consent to personal data processing is obtained from a representative of the subject of personal data, the authority of such representative to give consent on behalf of the subject of personal data shall be verified by the Operator.
3.1.2 Consent to processing of personal data may be withdrawn by the subject of personal data. If the subject of personal data withdraws their consent to the processing of personal data, the operator has the right to continue the processing of personal data without the consent of the subject of personal data, if the grounds specified in paragraphs 2 - 11 of Part 1 of Article 6, Part 2 of Article 10 of the Act.
3.1.3 The obligation to provide proof of the subject's consent to the processing of their personal data or proof of the existence of the grounds referred to in paragraphs 2 - 11 of Part 1 of Article 6, paragraph 2 of Article 10 of the Act shall be borne by the operator.
3.2 Rights of the subject of personal data.
3.2.1 The subject of personal data has the right to obtain from the Operator information relating to the processing of his personal data, unless such right is restricted in accordance with the laws.
3.2.2 The subject of personal data has the right to request the Operator to clarify his personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated processing purpose, as well as to take statutory measures to protect his rights.
3.2.3. The Operator shall immediately cease, on the request of the personal data subject, the processing of their personal data for the above purposes.
3.2.4 Based solely on automated personal data processing, it is prohibited to make decisions that produce legal consequences with respect to the personal data subject or otherwise affect his/her rights and legitimate interests, except in cases provided by law or with the consent in writing of the personal data subject.
3.2.5 If the subject of personal data believes that the Operator is processing his personal data in violation of the requirements of the Law or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal the actions or inaction of the Operator by sending a notice to the Operator in writing, as well as appeal to the competent authority for the protection of the rights of subjects of personal data.
ENSURING SECURITY OF PERSONAL DATA
4.1 Security of personal data, processed by the operator, is ensured by implementation of legal, organizational and technical measures, necessary to ensure the requirements of legislation in the field of protection of personal data.
4.2 To prevent unauthorized access to personal data, the operator applies the following organizational, technical and legal measures
limiting the composition of persons having access to personal data;
Familiarizing the subjects of personal data with the requirements of the legislation and this Policy of the Operator on processing and protection of personal data;
Organization of accounting, storage and circulation of data carriers;
Verification of readiness and efficiency of use of information protection means;
Delimitation of user access to information resources and software and hardware for information processing
registration and accounting of actions of users of personal data information systems;
Use of antivirus and recovery tools of personal data protection system;
application of firewall, intrusion detection, security analysis, and cryptographic protection of information where necessary.
FINAL PROVISIONS
5.1 Other rights and obligations of the Operator, as personal data operator, are defined by the legislation in the field of personal data.
5.2 The Operator's officials, who are guilty of violating the norms regulating the processing and protection of personal data, shall bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by the laws.
5.3 This Policy may be amended by the Operator subject to changing legal requirements and development of organizational and technical measures for personal data protection. The text of this Policy shall be amended by replacing the current version posted on the information and telecommunications network of the Internet with a new version or by publishing amendments to such Policy.