Consent to the Processing of Personal Data and Privacy Policy

This consent regulates the legal relations arising in connection with personal data processing between the parties, where one party provides its data to the other for processing.

The law sets out the rules, principles, grounds, and security measures that must be followed when processing personal data of individuals.

To determine whether the law has been violated, each case should be approached individually on the basis of legal regulations. However, there are two basic conditions that are always necessary for lawful data processing: the existence of a legal basis and the established legal grounds for processing data.

Legal grounds are what make data processing permissible. Data processing is permissible if:

a) There is consent from the data subject — a voluntary, informed, and explicit consent to processing their personal data; for example, acceptance of a privacy policy posted on a website, or signing an agreement that clarifies what data will be collected, for what purpose, etc.;

b) Data processing is provided by law;

c) Data processing is necessary for the data processor to fulfill its obligations under the law;

d) Data processing is necessary to protect the vital interests of the data subject;

e) Data processing is necessary for the protection of the data processor's or third-party interests, except where there is an overriding interest of protecting the rights and freedoms of the data subject;

f) According to the law, the data is publicly available or the data subject has made it publicly available, for example, any statement posted by you on social media;

g) Data processing is necessary to protect important public interests in accordance with the law;

h) Data processing is necessary to consider the data subject's request or provide them with services.

When it comes to processing special categories of data, the law sets higher standards and provides different grounds for processing such data.

Processing of special categories of data is permissible only with the written consent of a data subject or when:

a) Processing data related to criminal convictions or health status is necessary for employment relations and based on the nature of the relationship, including, without limitation, for hiring decision-making;

b) Data processing is necessary to protect the vital interests of the data subject or a third party and the data subject is physically or legally unable to give consent to data processing;

c) Data is processed by a public health institution, healthcare facility or worker for the purposes of protection of an individual's health, or where it is necessary for managing or functioning of a healthcare system;

d) The data subject has made their personal data publicly available without explicit prohibition on its use;

e) Data is processed by a political, philosophical, religious, or professional association or a non-profit organization for legitimate purposes. In such cases, data processing can only relate to members of the association/organization or those having a continuous relationship with them;

f) Data processing is carried out for the purpose of maintaining a register of personal files and a register of accused/convicted persons, individual planning of sentence execution, and/or parole release of a convicted person from an unserved sentence and substituting a lesser sentenced for their unserved part of the original one;

g) Data is processed to enforce court rulings as provided in Article 2 of the Law of Georgia "On the Procedure of Execution of Non-custodial Sentences and Probation";

h) Data processing is carried out in cases expressly provided by the Law of Georgia "On the Procedure of Execution of Non-custodial Sentences and Probation";

i) Data is processed for the purposes of operation of a unified migration data analysis system;

j) Data is processed to implement the right to education for individuals with special educational needs.

In order to avoid violating the law during data processing, there must be at least one legal ground.

For lawful data processing, it is not enough to have a legal ground. Data processing must be carried out according to specific principles. Like the grounds, the principles are prescribed by law.

Fairness and Lawfulness – Personal data must be processed fairly and lawfully, without infringing the dignity of the individual.

Specific Legal Purpose – There must be a clear, defined purpose for processing the data. Using data for any other purpose is prohibited.

Proportionality and Adequacy – Data should be processed to the minimum extent necessary to achieve the specific purpose of processing and must be appropriate for the stated purpose.

Authenticity and Accuracy – Data must be accurate and authentic, and if necessary, updated. Data collected without legal grounds and irrelevant to the processing purpose should be blocked, deleted, or destroyed.

Storage Duration – Personal data must be stored for the period prescribed by law or for as long as necessary to achieve the purpose. After achieving the purpose, data must be deleted or stored in a form that prevents identification of the individual, unless otherwise prescribed by law.

To ensure that data processing does not violate the law, all the five principles defined therein must be adhered to.

Personal data may only be disclosed in cases provided by the legislation of Georgia. This includes instances where a third party requires disclosure in accordance with statutory requirements, such as disclosure of personal forensic information or for the protection of your or others' vital interests, such as in case of an emergency or an imminent threat to life.

We will store and process your personal data for the purposes outlined in this document, for the duration necessary to perform the activities mentioned herein, or for a period otherwise communicated to you, or for the period permitted by applicable law. For example, we may store your personal data if required for legal obligations, legal requirements, disputes, or judicial/arbitration/mediation processes.

Unless otherwise prescribed by applicable law, the maximum retention period for personal data is 3 (three) years from the date of receipt and initial processing. After the expiration of this three-year period, such personal data will be deleted or otherwise destroyed.

Please note that you have the right to withdraw your consent to the processing of personal data at any time by sending a written notice. In such a case, the company will cease processing the personal data for which you have withdrawn your consent.

This document shall be governed and interpreted under the current legislation of Georgia, including the Law of Georgia on the Protection of Personal Data.

By acknowledging this Policy, you recognize that this Personal Data Processing Policy is part of our Terms and Conditions, and by providing your consent, you unconditionally agree that by registering through the application or on the website and becoming a user, you agree to the data processing policy applicable to your personal information.