Search
Login
GE

Personal Data Protection Policy

LEPL - Rural Development Agency


Article 1. General Provisions

1.1 The Personal Data Protection Policy (hereinafter referred to as "the Policy") defines the principles, objectives, and rules for processing and using personal data in the LEPL - Rural Development Agency (hereinafter referred to as "the Agency").

1.2 The terms used in this document have the meanings provided by the Law of Georgia "On Personal Data Protection."

1.3 This Policy is mandatory for all employees of the Agency who process personal data. They are obligated to maintain the confidentiality of personal data and/or information.

Article 2. Purpose and Scope of the Policy

2.1 The purpose of the Policy is to provide interested parties with basic information on how the Agency processes personal data, how compliance with the applicable legislation is ensured, and how personal data security is guaranteed.

2.2 This document applies to all persons whose personal data are processed by the Agency, as well as to data recipients and authorized persons who process personal data on behalf of or for the Agency.

2.3 The Agency processes and protects personal data in accordance with the requirements of Georgian legislation on personal data.

Article 3. Grounds and Principles for Processing Personal Data

3.1 Personal data processing by the Agency is permissible if one of the following grounds exists:

3.1.1 The subject’s consent (for individuals under 16 years old, through a parent or other legal representative); 3.1.2 Fulfillment of contractual obligations or at the data subject's request for contract conclusion; 3.1.3 Data processing is prescribed by law; 3.1.4 The data is publicly available; 3.1.5 For the protection of vital and/or public interests; 3.1.6 To fulfill obligations assigned to the Agency under Georgian legislation; 3.1.7 To protect significant legitimate interests.

3.2 The Agency processes personal data based on the following principles:

3.2.1 Legality, fairness, transparency, and respect for the dignity of the data subject - personal data must be processed openly, fairly, and lawfully without infringing upon the dignity of individuals.

3.2.2 The existence of a specific, clearly defined, and legitimate purpose - if the data is processed for a specific purpose, it cannot be processed for reasons incompatible with the initial purpose.

3.2.3 Proportionality and necessity - only the data necessary to achieve the purpose should be processed, and only to the extent required.

3.2.4 Ensuring the accuracy, truthfulness, and, if necessary, updating of the data - inaccurate data should be corrected, deleted, or destroyed without unjustified delay, considering the purposes of the processing.

3.2.5 Legitimate retention of personal data - data can only be retained for the period specified by law or for as long as necessary to achieve the purpose. Once the purpose is fulfilled, the data should be deleted, destroyed, or stored in a form that does not allow the identification of individuals.

3.2.6 Appropriate technical and organizational measures must be in place during the processing - the security of the data must be fully ensured with appropriate technical means.

Article 4. Categories of Personal Data and Their Processing

4.1 Information processed by the Agency may include the following categories of data proportional to the purpose of processing:

4.1.1 Identification data - name, surname, gender, date of birth, personal identification number/passport number; 4.1.2 Contact information - phone number, email address, residential address (registration, factual); 4.1.3 Financial information - bank account details; 4.1.4 Documentary information - information indicated in the submitted documentation; 4.1.5 Contractual information - information stipulated in contracts between the Agency and subjects; 4.1.6 Technical information - data on devices and technologies used when visiting the Agency's website; 4.1.7 Other types of information - any information the subject shares with the Agency.

4.2 The processing of personal data means the collection, recording, use, audio recording, video recording, organization, storage, alteration, deletion, or restoration of personal data using automatic, semi-automatic, or non-automatic means.

4.3 The subject's consent to the processing of personal data may be expressed orally, in writing, through communication channels, or by other means that allow determining the subject's will and making a corresponding record to confirm the expression of will.

4.4 If necessary, the Agency may process personal data with the assistance of a data processor, in accordance with the standards set by the Agency and the Georgian legislation.

Article 5. Sources of Personal Data Collection

5.1 The Agency collects personal data from subjects in the following cases:

5.1.1 When the data subject applies for employment or internship at the Agency, to participate in the Agency's projects/programs, or to enter into various types of contracts with the Agency; 5.1.2 Through the use of the Agency's communication channels or during on-site visits; 5.1.3 From electronic and physical letters received by the Agency; 5.1.4 From publicly available sources.

Article 6. Processing of Personal Data of Employees, Interns, and Employment/Internship Candidates

6.1 The Agency processes employees’/interns' personal data for the purpose of entering into contractual relationships and fulfilling its obligations. Specifically:

6.1.1 For the purpose of contract conclusion, termination, and execution; 6.1.2 For the payment of remuneration under the contract, administration of pension contributions, taxes, and, if applicable, other payments; 6.1.3 For communication with the employee/intern or candidate; 6.1.4 To protect the rights of the Agency, employees/interns, and third parties; 6.1.5 To respond to employee/intern complaints; 6.1.6 For any other legitimate purpose consistent with the Labor Code and Georgian personal data protection laws.

6.2 The Agency may collect the following types of personal data from employees/interns or candidates:

6.2.1 Identification data - name and surname, year, month, and date of birth; 6.2.2 Contact information - address, email, and mobile phone number; 6.2.3 Photograph of the employee (from an ID card photo or provided by the employee); 6.2.4 Information on education, qualifications, and work experience (as provided by the employee in the form of a resume); 6.2.5 Medical documentation - Form 100; 6.2.6 Certificate of drug registry status; 6.2.7 Certificate of criminal record; 6.2.8 Financial information - bank account details; 6.2.9 Information about the conditions of employment and internship contracts, performance or non-performance of duties.

6.3 Only authorized persons may access personal data of employees/interns or candidates, solely for the proper execution of their duties.

6.4 The Agency may transfer the personal data of employees to courts, regulatory, or investigative authorities in cases directly stipulated by law, to protect the rights, property, or other interests of the employer, employee, or third parties.

Article 7. Audio and Video Monitoring

7.1 The purpose of video monitoring at the agency's central office is to ensure security and property protection, prevent and detect crime, protect the interests of the agency and its beneficiaries (including incident management), and manage risks that could endanger the agency, its beneficiaries, or any third party's interests.

7.2 Video monitoring at the agency’s central office is conducted 24/7, monitoring entryways and corridors. Appropriate warning signs are placed near the cameras. Video footage can be accessed both in real-time and reviewed later. Recordings are stored for up to 3 months, after which they are deleted unless there is a legitimate reason or legal basis to store them longer.

7.3 A 24/7 hotline operates at the agency, recording incoming and outgoing phone calls with prior informed consent from interested parties.

7.4 The purpose of audio monitoring is to protect beneficiaries' legitimate interests, uphold ethical standards, address possible claims by beneficiaries, protect the agency’s interests, and comply with Georgia's law on personal data protection.

7.5 The agency has all the necessary technical and organizational measures to ensure the security and protection against improper use of audio and video recordings, specifically:

7.5.1 Access to the recordings is restricted to agency employees whose job functions directly require access.

7.5.2 Technical measures are in place to prevent illegal disclosure, copying, deletion, alteration, or any other interference with the recordings.

7.5.3 Video recordings are stored in a secure space, with access restricted to authorized persons with special permission.

7.5.4 Audio recordings are stored on a protected server at the Ministry of Environmental Protection and Agriculture of Georgia.

7.5.5 Designated agency personnel are responsible for managing audio and video recordings, including their storage, granting authorized access, and their destruction.

7.5.6 The agency logs each instance of access to video recordings.

Article 8. Transfer and Acquisition of Personal Data from Third Parties

8.1 The agency may transfer personal data to third parties to provide complete services to the data subject, in cases defined by Georgian legislation, to fulfill the agency’s obligations under Georgian law, or to fulfill contractual obligations.

8.2 Third parties may include individuals or legal entities, state bodies to whom the information is transferred based on Georgian law or contractual relationships.

8.3 The agency may acquire personal data from third parties for the following purposes: providing complete services to the data subject, fulfilling obligations under Georgian law, or fulfilling contractual obligations with third parties, including state organizations and partner organizations.

Article 9. Data Security

9.1 The agency has taken all necessary organizational and technical measures to ensure data processing in compliance with Georgia's Law on Personal Data Protection.

9.2 These measures ensure the protection of personal data from accidental or unlawful destruction, alteration, disclosure, unauthorized access, or loss.

9.3 Only employees who need the data to fulfill their duties have access to personal data stored by the agency.

Article 10. Data Subject’s Rights

10.1 A data subject has the right to request information about the processing of their personal data and to obtain copies, including information on:

10.1.1 What data is being processed;

10.1.2 For what purpose the data is being processed;

10.1.3 The legal basis for data processing;

10.1.4 The source from which the data was collected;

10.1.5 Whether their data has been transferred to third parties, and details about those third parties, the grounds, and purpose for the transfer;

10.1.6 The right to request correction, blocking, updating, or supplementation of incorrect, inaccurate, or incomplete data;

10.1.7 The right to request the cessation, deletion, or destruction of data processing;

10.1.8 The right to withdraw consent for data processing at any time and request the deletion of data processed based on that consent.

10.2 The agency will respond within the timeframes established by Georgia’s Law on Personal Data Protection, but no later than 10 working days.

10.3 The rights of the data subject may be restricted in accordance with Georgian law.

Article 11. Data Retention Periods

11.1 Considering the legitimate interests of data subjects (including handling possible complaints), video recordings have a maximum storage capacity of 6 TB and are stored for up to 3 months. After this period, recordings are automatically deleted unless there is a legitimate reason or legal basis for extended storage.

11.2 For the legitimate interests of data subjects (including handling possible complaints), hotline audio recordings are stored for 1 year. After this period, they are deleted unless there is a legitimate reason or legal basis for extended storage.

11.3 For the protection of the agency and its employees, as well as to ensure security standards, GPS data from vehicles owned by the agency is stored for 1 year per platform regulations.

11.4 Personal data stored by the agency is retained in accordance with the retention periods set forth in the March 31, 2010, N72 Order of the Minister of Justice of Georgia.

Article 12. Incident Management

12.1 An incident is a breach of data security that results in the unauthorized or accidental destruction, loss, disclosure, alteration, access, collection, or other unlawful processing of data.

12.2 In case of an incident, the agency records it, documents the outcome, and the measures taken, notifying the Personal Data Protection Service within 72 hours, unless the incident is unlikely to result in significant harm or a major threat to fundamental human rights.

12.3 If the incident is likely to cause significant harm or threaten fundamental rights, the agency will notify the data subject as soon as possible and provide the following information:

12.3.1 A general description of the incident and its circumstances;

12.3.2 Information on the potential or actual harm caused by the incident, as well as any measures taken or planned to mitigate or eliminate the harm;

12.3.3 Contact information for the personal data protection officer or another contact person.

Article 13. Right to Appeal

If the data subject’s rights are violated, they have the right to appeal to the Personal Data Protection Service or a court according to the procedures established by Georgia's Law on Personal Data Protection.

Article 14. Personal Data Protection Officer

14.1 The personal data protection officer ensures:

14.1.1 That responsible individuals are informed and consulted on data protection issues, including new regulatory norms;

14.1.2 Participation in the development of internal regulations on data processing and monitoring the agency's compliance with Georgian legislation and internal documents;

14.1.3 Analysis of received statements and complaints and issuing appropriate recommendations;

14.1.4 Receiving consultations from the Personal Data Protection Service and coordinating and monitoring the agency’s compliance with its requests and recommendations;

14.1.5 Providing information to data subjects on data processing and their rights.

14.2 For data-related inquiries, interested parties can contact the Personal Data Protection Officer via email at dpo@rda.gov.ge or reach the agency’s hotline at 15 01 or online help at rda.gov.ge.