Personal Data Policy
of LLC "Auto Import Georgia"

LLC "Auto Import Georgia" ID: 406203120

Address: Tbilisi, Ts. Dadiani 123/125

Director Guram Rostiashvili

Approved - 25.03.2025

Table of Contents

  1. Policy Purpose

  2. Personal Data Processing Principles

  3. Grounds for Personal Data Processing

  4. Term Definitions

  5. Individual Data Categories, Processing Purposes, Grounds

  6. Direct Marketing

  7. Processing Minors' Personal Data

  8. Processing Data of Deceased Persons

  9. Data Subject Rights

  10. Obligations of Persons Responsible for Data Processing, Authorized for Data Processing, and Co-Processors

  11. Measures Taken for Personal Data Security in the Organization

  12. Incident Response Procedure

  13. Personal Data Retention Period

  14. Video/Audio Monitoring Procedure

  15. Concluding Provisions

  Contact Information

  Company Guarantees

 

1. Policy Purpose

For LLC "Auto Import Georgia", as a responsible company, it is important to ensure high-quality protection and security of personal data, as well as compliance of the data processing process with requirements defined by Georgian legislation and international acts.

The purpose of this document is to describe the personal data processing process within the company.

2. Personal Data Processing Principles

2.1 Personal data processing is carried out in accordance with the Constitution of Georgia, the Law of Georgia "On Personal Data Protection", other relevant national legislative or by-law acts, and international standards/acts.

2.2 When processing personal data, the company adheres to the following principles:

a) Data is processed legally, fairly, transparently, and without violating the dignity of the data subject;

b) Data collection occurs only for specific, clearly defined, and legitimate purposes;

c) Data processing is done only to the extent necessary to achieve the corresponding legitimate purpose;

d) Data processed by the company is valid, accurate, and, when necessary, updated. Inaccurate data is corrected, deleted, or destroyed without unreasonable delay;

e) Data is stored only for the period necessary to achieve the corresponding legitimate purpose of data processing. After achieving the purpose for which the data is processed, it is deleted, destroyed, or stored in a depersonalized form, except in cases established by law;

f) To protect data security, appropriate technical and organizational measures are taken during data processing, which properly ensure the protection of personal data.

3. Grounds for Personal Data Processing

3.1 The company processes personal data only in the following cases:

a) Based on permission directly given by the data subject;

b) Data processing is necessary to fulfill an obligation under a contract with the data subject or to conclude a contract at the request;

c) Data processing is provided for by law;

d) Data processing is necessary to fulfill obligations imposed on the company by Georgian legislation;

e) According to the law, the data is publicly accessible or has been made publicly accessible by the subject;

f) Data processing is necessary to protect the company's or a third party's significant legitimate interests, except in cases where there is a superior interest in protecting the subject's (including a minor's) rights;

g) Data processing is necessary to review an application (to provide service);

h) In other cases established by the "Personal Data Protection" law and Georgian legislation.

4. Term Definitions

4.1 Terms used in this document are descriptive and defined based on the company's work specifics. Definitions are in accordance with the Law of Georgia "On Personal Data Protection", and their interpretation contrary to the law is inadmissible;

4.1.2 Personal data (hereinafter - data) - any information related to an identified or identifiable natural person and used for the company's activity purposes;

4.1.3 Special category data - data related to an identified or identifiable natural person, used for the company's activity purposes, and revealing the physical person's health condition, information about criminal record, biometric information, in other cases directly specified by law;

4.1.4 Data subject - any natural person whose data is used by the company based on its own purposes. A natural person may be identified or identifiable;

4.1.5 Company - data processor, which determines the purposes and means of data processing, methods, forms, organizational and technical security measures, as well as ways to realize the data subject's rights;

4.1.6 Authorized person - a person involved in the data processing by the company, based on law or contract, who processes data on behalf of the company or/and based on its purposes;

4.1.7 Data recipient - any person to whom personal data has been transferred based on the company's activity purposes, including an authorized person, administration employee, intern;

4.1.8 Data processing - any active or passive action performed regarding personal data, including video and audio control. Processing can also be carried out using fully automatic means, semi-automatic or fully mechanical means.

4.1.9 Ready Records (so-called cookies) - cookies are collected when the company's website is used. They are used to personalize, improve, and secure the subject's experience on the website: specifically, to simplify navigation, offer information in a preferred format, improve search parameters, provide secure user authorization, support marketing, optimize website design, and better adapt the website to the user. Information obtained through ready records includes the operating system version, device model and other unique device identifiers, time spent on web pages, information about opened pages, online navigation history, browser information, information about actions performed on the company's website, and the language for information review.

5. Individual Data Categories, Processing Purposes, Grounds

5.1 The following types of information are processed in the company:

a) About personnel - name, surname, photo, date of birth, age, gender, address, personal number, copy of identity document, identity document series and number, identity document issuance period, driver's license copy, autobiography, resume (CV), education information, foreign language knowledge, diploma copy or education certificate, computer program knowledge, work experience, entry and exit time from the building, phone number, email address, bank account number, position, salary information, criminal record information, health condition information (Form 100);

b) About potential employees - name, surname, autobiography, resume (CV), diploma copy or education certificate, work experience, foreign language knowledge, computer program knowledge, entry and exit time from the building, phone number, email address;

c) About customers - depending on the nature of client relationship during service provision, information processed by the company may include the following data categories in proportion to the processing purpose: name, surname, gender, address (legal and actual), email, phone number.

6. Direct Marketing

6.1 The company has the right to conduct direct marketing only after receiving consent from the data subject, specifically by sending short text, voice, or other advertising messages via telephone call, email, or other telecommunication means, or by direct communication with the customer to offer services, goods, or request any type of action.

  • The data subject has the right, at any time, to request that the data processor stop using their data for direct marketing purposes; processing for this purpose must stop no later than 5 (five) working days after the request is received.

  • Personal data processed for direct marketing purposes is stored for the duration of direct marketing from the time the data subject provides consent.

7. Processing Minors' Personal Data

7.1 The company's services are not intended for use by minors. The organization does not intentionally request or collect personal data from individuals under 18 years of age.

8. Processing Data of Deceased Persons

8.1 Data about deceased persons is processed by the company for the purpose of fulfilling contractual obligations and realizing the company's contractual authorities/interests, in accordance with the requirements of the Law of Georgia "On Personal Data Protection".

9. Data Subject Rights

9.1 Right to Receive Information and Copies of Data Processing - The data subject is authorized to be informed about the collection and use of their personal data.

9.2 Right to Correct, Update, and Supplement Data - If data processed by the organization is incorrect, incomplete, or inaccurate, the subject is authorized to request correction, update, and/or supplementation of the data.

9.3 Right to Stop, Delete, or Destroy Data Processing - The subject has the right to request stopping (including profiling), deletion, or destruction of data about themselves.

9.4 Right to Block Data - The subject can request data blocking (restriction of processing) when:

  • The accuracy of personal data is disputed by them;

  • The processing is unlawful;

  • Except in cases where there is a need to store data as evidence.

9.5 Rights Related to Automated Individual Decisions - Legislation gives the subject the right not to be subject to decisions made solely automatically, including based on profiling, except when the decision based on profiling: (a) Is based on their explicitly expressed consent; (b) Is necessary to conclude or perform a contract between parties; (c) Is provided for by law or a by-law normative act issued within the framework of delegated authority.

10. Obligations of Persons Responsible for Data Processing, Authorized for Data Processing, and Co-Processors

10.1 Take appropriate technical and organizational measures to protect personal data from accidental or illegal destruction, alteration, disclosure, acquisition, damage, unauthorized or illegal use in any other form, and accidental or illegal loss;

10.2 Allow information access only to employees who perform rights and obligations specified in the respective contract between parties and who have an obligation to protect information confidentiality, including after termination of official authority;

10.3 Process personal data within the framework of cooperation, in compliance with the respective contract and legal requirements;

10.4 Record measures related to personal data processing in electronic and/or material form.

11. Measures Taken for Personal Data Security in the Organization

11.1 The company has taken appropriate organizational and technical measures to ensure the confidentiality, integrity, and accessibility of electronically and physically existing data.

11.2 The organization has implemented appropriate technical and organizational measures to protect personal data from unauthorized access, illegal processing or disclosure, accidental loss, alteration, or destruction. Moreover, the organization's employees have limited access to personal data, and employees, agents, contractors, and other third parties can access personal data only within the scope of their assigned functions and activities.

12. Incident Response Procedure

12.1 The company's authorized person is obligated to immediately record the incident upon detection, document the resulting consequences, measures taken, and notify the Personal Data Protection Service in writing or electronically no later than 72 hours after incident detection, except in cases where it is unlikely that the incident will cause significant damage or pose a significant threat to fundamental human rights and freedoms.

13. Personal Data Retention Period

13.1 Personal data is stored throughout the service provision period. After the expiration of the respective contract:

  • Client information is stored for 3 years;

  • Documentation from labor-legal relations is stored in the organization for 10 years after contract termination;

  • For 10 years after its completion, for predefined reasons:

    • To respond to questions and complaints.

13.2 The organization reserves the right to store personal data for more than 10 years for legitimate business or legal purposes, such as security, fraud prevention, avoiding misuse, etc.

14. Video/Audio Monitoring Procedure

14.1 Video-audio monitoring is conducted through a video surveillance system to:

  • Prevent crime

  • Detect/investigate incidents

  • Ensure public safety

  • Protect individual safety and property

  • Protect confidential information

  • Achieve other significant tasks related to legitimate interests

This includes:

  • Incident management

  • Protecting user rights

  • Process monitoring

  • Risk management

Monitoring is performed in compliance with Georgia's Personal Data Protection Law, covering:

  • Internal perimeter of buildings

  • Meeting rooms

  • Service spaces

  • Workplaces

14.2 Monitoring is conducted 24/7.

14.3 Recordings are:

  • Stored for 30 days

  • Kept for the duration necessary to achieve specific goals

  • Automatically destroyed after this period, unless there's a legal basis for longer storage

14.4 Warning signs are placed in visible locations, informing about video and audio recording.

14.5 The organization has implemented comprehensive organizational and technical measures to prevent:

  • Unauthorized disclosure of recorded data

  • Unintended use

  • Inappropriate distribution

Specific measures include:

a) Ensuring physical security of the monitoring system

  • Monitoring equipment placed in secured rooms

  • Access limited to authorized personnel

b) Record access restricted to:

  • Specific employees

  • Based on their functions and service needs

c) Information security measures:

  • Preventing unauthorized internet/network access

  • Comprehensive logging of all system interactions

  • Recording all instances of record disclosure

14.6 Stored video recordings may be accessed, reviewed, or shared with third parties in cases such as:

  • Suspected criminal activity

  • Potential legal investigations

  • Requests from investigative authorities

14.7 Record disclosure to third parties (including law enforcement) occurs only:

  • With legal grounds

  • In compliance with legislation

14.8 Telephone communication monitoring:

  • Automatically records incoming/outgoing calls

  • On hotlines and internal numbers

  • Purposes include:

    • Service improvement

    • Handling complaints

    • Monitoring ethical standards

    • Creating legally valid evidence

15. Closing Provisions

15.1 Rules and processes not defined in this policy shall be regulated in accordance with Georgian legislation.

Contact Information

Data subjects are authorized to contact the company at any time for necessary information related to this policy at: Tbilisi, Ts. Dadiani 123/125, or by email: Mikaberidze.r@gmail.com, or contact: +995 595 53 53 71
 

The company guarantees that it will:

  • Take care of the personal data security of data subjects;

  • Not use personal data unlawfully;

  • Act in accordance with the Law of Georgia on Personal Data Protection.
