Privacy and Security
Personal Data Protection Policy
of
Discounter LTD
Shop of Household Appliances DISCOUNTER
1. Explanation of the Terms
1.1 Data processor – Discounter LTD (hereinafter referred to as “the Company”);
1.2 Personal data (hereinafter referred to as “the data”) – any information related to an identified or identifiable physical person. A person is identifiable when he/she can be identified directly or indirectly, namely, by the identification number or the physical, physiological, psychological, economical, cultural or social properties characteristic to the person;
1.3 Data processing – any action carried out in relation with the data by using automatic, semi-automatic or non-automatic means, namely, collecting, recording, organizing, preserving, modifying, restoring, requiring, using or disclosing by means of
delivery, distribution of the data or making the data otherwise available, classifying or combining, blocking, deleting or destroying;
1.4 Automatic data processing – processing the data by using information technologies;
1.5 Semi-automatic data processing - processing the data by using information technologies and non-automatic means;
1.6 Data subject – any physical person in relation to whom the data are being processed;
1.7 Consent – the voluntary consent – with which the data subject’s will can be clearly determined- expressed orally or by telecommunication or other relevant means by the data subject with regard to processing the data about him/her with the specified purpose after receiving the corresponding information;
1.8 Data subject’s written consent - the voluntary consent expressed by the data subject with regard to processing the data about him/her with the specified purpose after receiving the corresponding information, and signed by the data subject or
otherwise done in written or other relevant form;
1.9 Authorized person – any physical or legal person that processes the data for or in the name of the Company;
1.10 Third person - any physical or legal person, public institution except of the data subject, State Inspector’s Service, the data processor and the authorized person;
1.11 Blocking the data– temporary suspension of data processing;
1.12 Data depersonalization –modification of the data in such a way that it is impossible to connect them with the data subject or such connection requires a great effort, charges and time;
1.13 Identification number – personal identification number;
1.14 State Inspector – an officer envisaged by Law of Georgia “On State Inspector’s Service” who is responsible for supervision of performing the data protection regulatory legislation;
1.15 Direct marketing – offering goods, service, employment or occasional
employment by mail, telephone calls, electronic mail or other telecommunication means.
2. Personal Data Processing Policy and Goal
2.1 The present policy (hereinafter referred to as “the Policy”) relates to all the physical
entities (such as the Company’s customers, employees, contractors, etc. - hereinafter
referred to as “the Data Subject”) in connection with which the Company processes the
personal data (hereinafter referred to as “the Data”).
3. Rule of Processing the Personal Data
3.1 With the purpose of providing the service to the customer, the Company processes the data subject’s following personal data:
3.1.1 First name and last name;
3.1.2 Personal number;
3.1.3 Unique characteristics of the ID card, passport, the same electronic document or/and the copy;
3.1.4 Personal electronic mail address;
3.1.5 Telephone number;
3.1.6 Legal/actual address;
3.1.7 Other information or/and data processing of which is not prohibited by legislation of Georgian, which enable to carry out personal identification of the person and are required for the purposes of concluding a contract with the Company.
3.2 Data processing is any action carried out in relation with the data by using automatic, semi-automatic or non-automatic means, namely, collecting, recording, organizing, preserving, modifying, restoring, requiring, using or disclosing by means of
delivery, distribution of the data or making the data otherwise available, classifying or combining, blocking, deleting or destroying.
3.3 Consent is expressed by the data subject orally, in written, by telecommunication or any other relevant means with which it is possible to define the data subject’s will.
3.4 The Company may process the data as the result of the needs of the service.
4. Principles of Data Processing
4.1 The requirements specified by the legislation and the present policy must be
concerned when processing the data in the Company.
4.2 The following principles are performed in the Company when processing the data:
4.2.1 The data are processed impartially and legally, protecting the right of the
data subject and without his/her humiliation;
4.2.2 The data are kept within the period which is necessary for reaching the goal
of processing the data;
4.2.3 The data are processed for concrete, clearly defined, legal purposes;
4.2.4 Data processing is adequate and proportional to the purpose;
4.2.5 The data are processed only to the extent that is necessary for reaching the
proper legal purpose;
4.2.6 The data are true and exact, and if necessary, are subject to renewal.
4.3 It is prohibited to further process the data for other purpose incompatible with the
initial purpose. The data incompatible with the initial purpose, gathered without any legal
ground must be blocked, deleted or destroyed.
4.4 After reaching the goal for which the data are being processed, they must be blocked, deleted or destroyed or kept in the form which excludes the person’s identification unless otherwise set by the legislation.
5. Collecting and Recording the Data
5.1 The data are mainly collected:
5.1.1 When communicating with the Company’s employees/contractors personally or by different means of communication;
5.1.2 When using the Internet and other electronic applications and means, and carrying out the relevant transactions or actions at this time;
5.1.3 When interacting by different means of communication with the purpose of establishing employment relations;
5.1.4 When trying to make a transaction with the Company;
5.1.5 When delivering the data to the Company by the data subject through all other means.
5.2 In case if the data subject delivers the Company the information on the third persons, the data subject confirms that he/she has obtained the full permission and takes responsibility for processing the mentioned data by the Company.
5.3 The data can be recorded manually or by other electronic means.
5.4 The data delivered must include the complete and true information; otherwise the service to be provided by the Company may be suspended or not be rendered.
6. Grounds of Processing the Data
6.1 Processing the data is permitted if:
6.2 There exists the voluntary consent expressed orally, by telecommunication or other relevant means by the data subject, with which consent it is possible to determine clearly the data subject’s will, or the data subject’s written consent, the form of which is defined in compliance with Annex N1 (Data Subject’s Written Consent on Processing the Personal Data);
6.2.1 Processing the data is envisaged by law;
6.2.2 Processing the data is necessary for the Company to fulfill the obligations imposed by the legislation;
6.2.3 Processing the data is necessary to protect the data subject’s vital interests;
6.2.4 Processing the data is necessary to protect the Company’s or the third person’s legal interests, except of the case when there exists the exceeded interest of protecting the data subject’s rights and liberties;
6.2.5 According to law, the data are publicly available or the data subject has made them available;
6.2.6 Processing the data is necessary according to law to protect an important public interest.
7. Data Preservation
7.1 The data are preserved in the Company only within the period necessary for reaching the goal of processing the data unless otherwise established by law.
7.2 During the period of data preservation, the data will be available only for the Company’s authorized employees for professional and business purposes.
7.3 Data preservation is mainly carried out within the right to object the limitation period as well as envisaging the grounds of protecting the Company’s goals and interests.
8. Data Usage or Disclosure
8.1 Data are used or disclosed only under the contract made with the data subject or in
compliance with the consent(s) expressed when using the proper products or/and
services and under the rule envisaged by the legislation.
9. Using the Data for Marketing or Information Purposes
9.1 The data obtained from publicly available sources can be processed for direct marketing purposes.
9.2 In spite of the purpose of data collection, the following data can be processed for direct marketing purposes: name (names), address, telephone number, e-mail address, fax number.
9.3 On the basis of the written consent given by the data subject under the rule set by the present law, any data can be processed for direct marketing purposes.
9.4 The data subject is entitled to demand the Company at any time to stop using the data on him/her for direct marketing purposes.
9.5 The Company is obliged to stop processing the data for direct marketing purposes or/and provide to stop processing the data for direct marketing purposes by the authorized person within maximum 10 workdays since receiving the data subject’s
request.
9.6 When processing the data for direct marketing purposes, the Company is obliged to notify the data subject about the right specified in Paragraph 9.4 and ensure that the data subject has the opportunity of demanding to stop processing the data for direct marketing purposes in the same form in which direct marketing is carried out, or/and define the available and adequate way for demanding to stop processing the data for direct marketing purposes.
10. Data Modification and Request
10.1 The data subject shall inform the Company on making modifications to the data, the notification about which is the obligation within the contractual relationship made with the Company.
10.2 The data are modified in case when the information on the data subject provided to the Company are not true or complete or the personal data are changed by the data subject.
10.3 The data subject is entitled to demand:
10.3.1 Modification/restoration of the data on him/her in case if the trustworthy ground exists and the appropriate document is provided;
10.3.2 Delivery of the information about the data subject kept in the Company;
10.3.3 The Company may establish service charge for delivering the information except of the case when the obligation of providing the information free of charge is defined by the legislation.
11. Data Correction, Renewal, Addition, Blocking, Deletion and Destruction
11.1 The data subject is entitled to receive the information about the data processed about the data subject, demand its correction, renewal, addition, blocking, deletion or destruction considering the circumstances that the Company will be able to render service to the data subject pursuant to the legislation or/and under the contract or/and comply and fulfill the legislative requirements.
11.2 Data correction, renewal, addition, blocking, deletion or destruction is carried out only if necessary when the information about the data subject kept in the Company is not true, complete, is changed or the data subject presenting the proper ground demands to carry out the mentioned actions considering the active legislation and the present policy.
11.3 Data correction, renewal, addition, blocking, deletion or destruction is carried out within the period and under the rule established by the legislation.
12. Delivery of the Data to other State and International Organization
12.1 The data can be delivered to other state and international organization in case if there exist the grounds of processing the data envisaged by the present law and if the proper state or international organization provides the appropriate guarantees of data protection.
12.2 Besides, the data can be delivered to other country and international organization in case if:
12.2.1 Data delivery is considered under the international contract and agreement of Georgia;
12.2.2 The data processor provides the proper guarantees of data protection and protection of the data subject’s main rights on the basis of the agreement entered into between the data processor and the proper state, such state’s legal or physical person or an international organization. In such case the data can be delivered only after obtaining a permit from State Inspector’s Service.
13. Data Safety
13.1 In accordance with the rule and procedures defined by the legislation of Georgia, the Company takes adequate measures to avoid accidental or illegal destruction, modification, disclosure, obtaining, illegal use in any other form and accidental or illegal loss of the data preserved.
14. Data Subject’s Rights
14.1 The data subject is entitled to demand from the Company the information about processing the data on the data subject. The Company shall provide the data subject with the following information:
14.1.1 Which data are being processed about him/her;
14.1.2 Purpose of data processing;
14.1.3 Legal basis of data processing;
14.1.4 How the data have been collected;
14.1.5 Who the data on him/her have been delivered to, the ground and purpose of data delivery;
14.1.6 Providing the data subject with the information specified in Paragraphs
14.1.1-14.1.5 is not obligatory if, pursuant to law, the data are public;
14.1.7 The data subject shall be provided with the information demanded instantly, shortly after the request or not later than 10 days since the request if the reply to the request on providing the information needs to obtain and process the documents of great volume which are not connected to each other;
14.1.8 The data subject is entitled, at any time, without any explanation, to deny the consent given by the data subject and demand to stop data processing or/and destroy the processed data. In such case the Company shall be obliged to stop data processing or/and destroy the processed data as per the data subject’s request within the period of 5 days since the submission of the notice if there is no any other ground of processing the data. This paragraph does not cover the information processed by the data subject’s own consent on fulfilling pecuniary liabilities by him/her.
14.1.9 If the data subject deems that the Company violates the rights established by Law of Georgia on Personal Data, he/she has the right to go to State Inspector’s Service or court under the rule set by law.
15. Final Provisions
15.1 The policy becomes valid since the moment of its approval by the Director.
Any additions and amendments to the present document are made under the same rule
which is established for its approval.
Annex N1: Data Subject’s Written Consent on Processing the Personal Data
Pursuant to Law of Georgia “on Personal Data”, I confirm that I have given my consent
on processing my personal data such as: the first and last names, the personal number,
the unique characteristics or/and the copy of the ID card, the passport, the same
electronic document, the address of my personal electronic mail, the telephone number,
the legal/actual address, any other information or/and data processing of which is not
prohibited by the legislation of Georgia, enable my personal identification and are
necessary for the purposes of entering into an agreement with the Company. Besides, I
agree that my personal data can be collected, recorded, organized, preserved,
modified, restored, demanded, used, blocked, deleted or destroyed.
The present consent has been given by me independently, at my free will and serves
my interest; it is specific, informative and understood by me.
I have read, agree and put my signature -----------------------------------------------