Personal Data Protection Policy
Preamble
LLC “Data Protection Officer” (hereinafter “the Organization”) is committed to respecting and safeguarding fundamental human rights and freedoms—particularly the right to privacy, family life, personal space, and the confidentiality of communications—when processing personal data.
This Policy sets out the principal measures through which the Organization ensures that all personal-data processing activities carried out within the DPO Care Card framework comply with the Law of Georgia on Personal Data Protection (hereinafter “the Law”), thereby achieving the above objectives.
Article 1. Scope
This Policy applies to all processes involving the processing of personal data (hereinafter “Data”) carried out by the Organization within the DPO Care Card framework—including those conducted jointly with data-processing partners and those performed by any authorized processors.
Article 2. Definitions
All terms used in this Policy shall have the meanings assigned to them by the Law.
Article 3. Principles of Data Processing
1. The Organization shall process personal data in accordance with the Law, on the basis of a legally permitted ground for processing, and in compliance with the following principles:
a) Lawfulness, fairness and transparency – Data shall be processed lawfully, fairly, and in a transparent manner, without harming the dignity of the data subject.
b) Purpose limitation – Data shall be collected only for specific, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes.
c) Data minimization – Processing shall be limited to the minimum extent necessary to achieve the relevant legitimate purposes.
d) Accuracy – Data shall be accurate and, where necessary, kept up to date.
e) Storage limitation – Data shall be retained only for as long as is necessary to fulfil the purposes for which it was collected.
f) Integrity and confidentiality – Appropriate technical and organizational measures shall be taken to protect data against unlawful processing and accidental loss, destruction or damage.
2. The Organization shall ensure that it can demonstrate compliance with the above principles at all times.
Article 4. Key Measures Ensuring Lawful Processing
In accordance with Article 3 of this Policy, for all processing activities the Organization shall:
a) Implement appropriate technical and organizational measures to ensure data security, including designating an owner for each information asset within the Organization and enforcing access controls over those assets;
b) Provide regular data-protection training to all employees of the Organization;
c) In the event of an incident, respond promptly to mitigate or eliminate any potential harm, and notify data subjects in accordance with the procedures set out by law;
d) In line with the principle of transparency, publish on the Organization’s website up-to-date information regarding its data-processing activities, and, where necessary, take additional steps to inform data subjects;
e) Make information about its processing activities readily available to employees whose data are processed by the Organization;
f) Respond to all requests submitted by data subjects in a timely and appropriate manner to ensure the exercise of their rights as provided by law;
g) Assess the likelihood that any processing activity may infringe on fundamental human rights and freedoms, and, if a high risk is identified, conduct a data-protection impact assessment;
h) Prioritize data protection by design and by default across all products, projects, and services;
i) Maintain records of all data-processing activities in accordance with the Law;
j) Process personal data via authorized processors only on the basis of a legal act and/or a written agreement that clearly specifies the legal grounds and purposes of processing, the categories of data involved, the duration of processing, and the responsibilities of each party;
k) Implement any other measures necessary to ensure compliant and secure personal-data processing.
Article 5. Enforcement
1. To ensure implementation of the measures set forth in Article 4 of this Policy, the Organization shall develop additional written documents and take any other appropriate actions.
2. To coordinate the identification of risks arising from data-processing activities under this Policy and the taking of necessary measures:
a) Data Protection Officer – shall monitor the Organization’s data-processing activities for compliance with applicable law and this Policy, and shall issue relevant recommendations;
b) Information Asset Owners – shall ensure that the information assets under their responsibility containing personal data comply with applicable law and this Policy.
Article 6. Review
This Policy shall be reviewed at least once a year and updated as necessary to incorporate any required changes.
© 2025. All rights reserved.