Personal Data Protection Policy

Non-Entrepreneurial (Non-Commercial) Legal Entity - Rural Development Agency

Article 1. General Provisions

1.1 This Personal Data Protection Policy (hereinafter referred to as the "Policy") defines the principles, purposes, and rules for processing and using personal data at the Non-Entrepreneurial (Non-Commercial) Legal Entity - Rural Development Agency (hereinafter referred to as the "Agency").

1.2 The terms mentioned in this document have the meanings provided by the Law of Georgia on Personal Data Protection.

1.3 The Policy is mandatory for all employees of the Agency who process personal data. They are obliged to maintain the confidentiality of personal data and/or information.

 

Article 2. Purpose and Scope of the Policy

2.1 The purpose of the Policy is to provide interested parties with basic information on how personal data is processed by the Agency, how compliance with current legislation is ensured, and how the security of personal data is protected.

2.2 This document applies to all persons whose personal data is processed by the Agency, as well as to data recipients and authorized persons who process personal data on behalf of or for the Agency.

2.3 The Agency processes and protects personal data in accordance with the requirements of the legislation of Georgia on Personal Data Protection.

 

Article 3. Grounds and Principles for Processing Personal Data

3.1 The processing of personal data by the Agency is permissible if one of the following grounds exists:

3.1.1 The subject's consent (in the case of a person under 16 years old, through their parent or other legal representative);

3.1.2 Fulfillment of an obligation stipulated by a contract or for the purpose of concluding a contract at the request of the data subject;

3.1.3 Data processing is provided for by law;

3.1.4 The data is publicly available;

3.1.5 For the protection of vital and/or public interests;

3.1.6 For the performance of duties imposed on the Agency by the legislation of Georgia;

3.1.7 For the protection of significant legitimate interests.

3.2 The Agency processes personal data according to the following principles:

3.2.1 Legality, fairness, transparency for the data subject, protection of the dignity of the data subject - personal data must be processed openly, fairly, and lawfully, without compromising personal dignity.

3.2.2 Specific, clearly defined, and legitimate purpose - if data is processed for a specific purpose, it cannot be used for any other purpose incompatible with the original purpose.

3.2.3 Proportionality and adequacy - only the necessary amount of data should be processed to achieve the purpose.

3.2.4 Ensuring the accuracy, authenticity, and update of data as necessary - inaccurate data must be corrected, deleted, or destroyed without unjustified delay, considering the purposes of data processing.

3.2.5 Retention of personal data for a legitimate period - data can be stored for the period provided by law or only as long as necessary to achieve the specific purpose. After achieving the purpose, the data must be deleted, destroyed, or kept in a form that does not allow the identification of the person.

3.2.6 The existence of appropriate technical and organizational measures during the processing - full data security must be adequately ensured with appropriate technical means.

 

Article 4. Categories of Personal Data and Their Processing

4.1 The information processed by the Agency may include the following categories of data proportional to the purpose of processing:

4.1.1 Identification data - name, surname, gender, date of birth, personal number/passport number;

4.1.2 Contact information - phone number, email address, residential address (registration, factual);

4.1.3 Financial information - bank account details;

4.1.4 Documentary information - information indicated in submitted documents;

4.1.5 Contractual information - information provided in the contracts between the Agency and the subjects;

4.1.6 Technical information - information about the devices and technologies used during visits to the Agency's website;

4.1.7 Other types of information - all information shared by the subject with the Agency.

4.2 Processing of personal data involves the collection, recording, use, audio recording, video recording, organization, storage, alteration, deletion, or restoration of personal data using automatic, semi-automatic, or non-automatic means.

4.3 The consent of the subject for the processing of personal data can be expressed orally, in writing, through communication, or other means that allow for the determination of the subject's will and the creation of a corresponding record of the expressed will.

4.4 The Agency may process personal data with the help of a data processor, following the standards set by the Agency and in accordance with the legislation of Georgia.

 

Article 5. Sources of Obtaining Personal Data

5.1 The Agency receives personal data from the subject in the following cases:

5.1.1 When the subject contacts the Agency for employment or internship purposes, to participate in the Agency's projects/programs; when signing various types of contracts with the Agency;

5.1.2 During the use of the Agency's communication channels and on-site visits;

5.1.3 From electronic and material letters received by the Agency;

5.1.4 From publicly accessible sources.

 

Article 6. Processing of Personal Data of Employees, Interns, and Employment/Internship Candidates

6.1 The Agency processes the personal data of employees/interns for the purpose of entering into and performing its contractual obligations, specifically:

6.1.1 For the purpose of entering into, terminating, and performing the contract;

6.1.2 For the purpose of paying remuneration under the contract, administering payable pension contributions, taxes, and other payments, if applicable;

6.1.3 For the purpose of communicating with the employee/intern or candidate;

6.1.4 For the purpose of protecting the rights of the Agency, the employee/intern, and third parties;

6.1.5 For responding to complaints from employees/interns;

6.1.6 For any other similar legitimate purpose that complies with the Labor Code and the legislation of Georgia on Personal Data Protection.

6.2 The Agency may collect the following types of personal data from an employee/intern or candidate:

6.2.1 Identification data - employee's name and surname, date of birth;

6.2.2 Contact information - address, email address, and mobile phone number;

6.2.3 Employee's photo (identity card photo or photo shared by the employee);

6.2.4 Information about education, qualifications, and work experience (within the scope shared by the employee in the form of a resume);

6.2.5 Medical documentation - Form 100;

6.2.6 Certificate of narcological registration;

6.2.7 Certificate of criminal record;

6.2.8 Financial information - bank account details;

6.2.9 Information about the terms of the employment and internship contract, the performance or non-performance of duties.

6.3 Only authorized persons may have access to the personal data of employees/interns or candidates for the proper performance of their duties and only within the appropriate limits.

6.4 The Agency may transfer the personal data of an employee to the court, any regulatory or investigative body, only in cases directly provided by law, to protect the rights, property, or other interests of the employer, employee, and/or third parties.

 

Article 7. Audio and Video Monitoring

7.1 The purpose of video monitoring at the Agency (central office) is to protect security and property, prevent crime, detect it, protect the interests of the Agency and its beneficiaries (including incident management), manage risks that may threaten the interests of the Agency, beneficiaries, and any third party.

7.2 Video monitoring is conducted at the Agency (central office) 24/7, at the entrances and corridors of the building. There is an appropriate warning sign near the video monitoring cameras. It is technically possible to access video recordings in real time as well as to view them later. The recordings are stored for a maximum of 3 months. After this period, the recordings are deleted unless there is a legitimate interest and legal basis for longer retention.

7.3 The Agency operates a hotline 24/7, recording incoming and outgoing telephone calls, based on the prior informed consent of interested parties.

7.4 The purpose of audio monitoring is to protect the legitimate interests of beneficiaries, uphold ethical standards, review possible complaints from beneficiaries, protect the interests of the Agency, and comply with the requirements established by the Law of Georgia on Personal Data Protection.

Article 7.5. Agency’s Technical and Organizational Measures for the Security of Audio and Video Recordings

7.5. The agency has all necessary technical and organizational measures in place to ensure the security and protection against unauthorized use of audio and video recordings, specifically:

7.5.1. Access to the recordings is granted only to those agency employees whose direct job responsibilities entail the right and obligation to access the recordings;

7.5.2. The agency has implemented appropriate technical measures to prevent unauthorized disclosure, copying, deletion, modification, or other manipulation of video and audio recordings;

7.5.3. Video recordings are stored in a specially secured area accessible only to authorized personnel with special passes;

7.5.4. Audio recordings are stored on a secured server of the Ministry of Environmental Protection and Agriculture of Georgia;

7.5.5. Specific individuals responsible for audio and video recordings within the agency are designated, ensuring the security, authorized access, and destruction of recordings;

7.5.6. The agency logs each instance of access to video recordings.

 

Article 8. Transfer and Acquisition of Personal Data to/from Third Parties

8.1. The agency may transfer personal data of the data subject to third parties for the purpose of providing complete service to the subject, in cases defined by Georgian legislation, to fulfill obligations imposed by Georgian legislation on the agency, and to fulfill obligations under contracts signed by the agency.

8.2. Third parties may include physical or legal persons, state bodies, to whom the transfer of information is mandated by Georgian legislation or based on contractual relations.

8.3. The agency may obtain personal data of the data subject from third parties for the following purposes: to provide complete service to the data subject, in cases defined by Georgian legislation, to fulfill obligations imposed by Georgian legislation on the agency, and to fulfill obligations under contracts signed with organizations operating in the public sector or partner organizations.

 

Article 9. Data Security

9.1. The agency has adopted all necessary organizational and technical measures to ensure the processing of data in accordance with the Law of Georgia "On Personal Data Protection."

9.2. The organizational and technical measures adopted by the agency ensure the protection of personal data from accidental or illegal destruction, alteration, disclosure, access, unauthorized use, or loss.

9.3. Only employees who need to process the data to fulfill their duties have access to personal data stored in the agency.

 

Article 10. Rights of Data Subjects

10.1. Data subjects have the right to request information about the processing of their personal data and to receive copies of this data, specifically:

10.1.1. What data is being processed about them;

10.1.2. The purpose of data processing;

10.1.3. The legal basis for data processing;

10.1.4. The source from which their data was collected;

10.1.5. Whether their personal data has been transferred to third parties, information about the third party, and the basis and purpose of the data transfer;

10.1.6. To request the correction, blocking, updating, or addition of incorrect, inaccurate, or incomplete data;

10.1.7. To request the cessation of data processing, deletion, or destruction of data;

10.1.8. At any time, without any explanation, to withdraw their consent to the processing of their personal data and request the deletion of data processed based on that consent.

10.2. The agency will respond accordingly to the notification provided in the first paragraph of this article within the timeframes defined by the Law of Georgia "On Personal Data Protection," no later than 10 working days.

10.3. The rights of the data subject may be restricted as prescribed by Georgian legislation.

 

Article 11. Retention Periods of Personal Data

11.1. Considering the legitimate interests of data subjects (including for the review of possible statements or complaints), video recordings with a volume of up to 6 TB are retained for a maximum period of 3 months. After this period, the recordings are automatically deleted, except in cases where there is a legitimate interest and corresponding legal basis for longer retention.

11.2. Considering the legitimate interests of data subjects (including for the review of possible statements or complaints), audio recordings of the hotline are retained for 1 year. After this period, the recordings are deleted, except in cases where there is a legitimate interest and corresponding legal basis for longer retention.

11.3. To protect the interests of the agency and its employees, and to comply with safety norms, data from GPS devices installed on agency-owned vehicles is retained for 1 year according to the rules of the relevant platform.

11.4. Personal data in the agency is retained in accordance with the retention periods defined by the order N72 of March 31, 2010, of the Minister of Justice of Georgia "On the Approval of the List of Standard Management Documents Created in the Process of Activities of Institutions (with Indication of Their Retention Periods)," which is approved in the agency by the relevant document.

 

Article 12. Incident Management

12.1. An incident is a breach of data security that leads to the accidental or unlawful destruction, loss, unauthorized disclosure, destruction, alteration, access, collection, or other unauthorized processing of data.

12.2. In the event of an incident, the agency logs the incident, the result, and the measures taken within 72 hours of discovering the incident, and notifies the Personal Data Protection Service in writing or electronically, except when it is unlikely that the incident will cause significant harm or pose a significant threat to fundamental human rights and freedoms.

12.3. If the incident is likely to cause significant harm or pose a significant threat to fundamental human rights and freedoms, the agency notifies the data subject about the incident as soon as possible and without undue delay, providing the following information in simple and understandable language:

12.3.1. A general description of the incident and related circumstances;

12.3.2. Information about the potential or actual harm caused by the incident and the measures taken or planned to reduce or eliminate it;

12.3.3. Contact information of the personal data protection officer or other contact person.

 

Article 13. Right to Appeal

Data subjects have the right to appeal to the Personal Data Protection Service or the court in accordance with the procedures established by the Law of Georgia "On Personal Data Protection" in case of violation of their rights and established procedures.

 

Article 14. Personal Data Protection Officer

14.1. The personal data protection officer ensures:

14.1.1. Informing, consulting, and providing methodological assistance to the responsible person, authorized person, and their employees on data protection issues, including the adoption or amendment of regulatory legal norms;

14.1.2. Participation in the development of internal regulations and data protection impact assessment documents related to data processing, and monitoring the compliance of the responsible person or authorized person with Georgian legislation and internal organizational documents;

14.1.3. Analyzing complaints and applications received regarding data processing and providing appropriate recommendations;

14.1.4. Receiving consultations from the Personal Data Protection Service, representing the responsible person or authorized person in interactions with the Personal Data Protection Service, submitting information and documents upon their request, and coordinating and monitoring the implementation of their tasks and recommendations;

14.1.5. Providing information to the data subject about data processing processes and their rights upon request;

14.1.6. Performing other functions to raise data processing standards by the responsible person or authorized person.

14.2. Interested parties can contact the personal data protection officer regarding issues related to personal data at the email elene.surguladze@rda.gov.ge, through the agency's hotline 15 01, and online assistance on the website rda.gov.ge.