Approved

by the Director of the Chernovetskyi Fund Tea Rokva 

July 21, 2024

POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA

1. General Provisions

This document (hereinafter referred to as the Policy) is adopted by the Charitable Foundation “Chernovetskyi Fund” (hereinafter referred to as the Operator) to comply with the requirements of Georgian legislation, ensure the protection of the rights of personal data subjects processed by the Operator in the course of its business activities, and maintain the confidentiality and security of the data processing procedures.

This Policy outlines the main principles and rules used by the Operator in the processing of personal data, including defining the purposes, legal grounds, conditions, and methods of such processing, the categories of personal data subjects whose personal data are processed by the Operator, and information on the Operator’s compliance with the requirements of Georgian legislation and the implemented requirements for the protection of processed personal data. The Policy applies to all personal data processed by the Operator. 

This Policy, as well as any amendments and additions thereto, are approved by an order of the sole executive body of the Operator.

The Policy is a publicly available document that declares to any interested parties the basics of the Operator’s activities in the processing of personal data and must be posted in the public domain on the Operator’s website at: chernovetskyifund.ge

In accordance with the requirements of current legislation, the Operator determines the purposes of personal data processing, the composition of personal data to be processed, the actions (operations) performed with personal data, organizes and carries out personal data processing, and also organizes and ensures the protection of processed personal data. 

2. Purposes of Personal Data Processing

The Operator processes personal data for the following purposes:

• Providing charitable assistance (including the collection of charitable donations and payment of charitable donations); 
• Conducting informational mailings; 
• Achieving goals stipulated by international treaties of Georgia or by law; 
• Fulfilling obligations imposed on the Operator by the current legislation of Georgia;
   
• Exercising the rights and legitimate interests of the Operator and third parties, including compliance with the requirements of current Georgian legislation and ensuring the security of activities; 
• Achieving socially significant goals by creating effective tools to meet legal requirements, combat corruption, fraud, money laundering, and the financing of terrorism; 
• Exercising the rights and duties of the employer, training Operator’s employees, ensuring the personal safety of employees, controlling the quantity and quality of work performed, preserving the Operator’s property, ensuring that employees use the guarantees, compensations, and benefits established by Georgian legislation, and maintaining personnel records; 
• Making employment decisions for candidates; 
• Concluding and fulfilling obligations under civil contracts, including employment contracts and state contracts; 
• Implementing access control in the Operator’s premises; 
• Communicating with users of the Operator’s websites, including obtaining feedback, questions about the information on the websites and the Operator’s informational products, and sending responses
• Creating an anonymized digital profile of the website user or the person making payments through the Operator’s website. 

3. Legal Grounds for Personal Data Processing

The Operator conducts activities related to the processing of personal data based on and in accordance with the requirements of current Georgian legislation.

4. Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects

The content and scope of the personal data processed by the Operator, and the categories of personal data subjects, are determined in accordance with the purposes of personal data processing.

The Operator does not process personal data that are excessive or incompatible with the specified purposes.

The Operator processes, among other things, the following data: IP address, cookies, geolocator, username, obtained through Yandex.Metrica, Google Analytics, Facebook. 

The Operator processes personal data of the following categories of subjects:

• Operator’s employees engaged in employment relations with the Operator; 
• Candidates for the Operator’s vacant positions; 
• Individuals visiting the Operator, whose data processing is necessary for a single entry into the Operator’s premises; 
• Individuals who are parties to transactions with the Operator or their representatives, employees of the Operator’s counterparties; 
• Individuals who are users of the Operator’s websites; 
• Individuals making payments through the Operator’s websites; 
• Individuals who are subjects of the Operator’s informational stories, mailings, and other materials; 
• Individuals whose personal data are publicly available, subject to mandatory disclosure or publication according to Georgian law, or included in public state registers or information systems
• Individuals who are founders, members of management bodies, or control bodies within the Operator’s group of entities, including the Operator itself. 

The sources of personal data processed by the Operator include:

• Personal data subjects (including the Operator’s employees, candidates for vacant positions, members of the Operator’s management and control bodies, visitors, counterparties, individuals who provided information to the Operator according to Georgian law); 
• The Georgian Federal Tax Service, other state bodies, and authorized organizations in cases stipulated by current Georgian legislation; 
• Media; 
• The Operator’s counterparties (transaction parties); 
• Individuals within the Operator’s group of entities; 
• Other persons provided they confirm the information to the Operator.

5. Procedure and Conditions for Personal Data Processing

The Operator ensures compliance with the principles of personal data processing in its activities, including:

• Legality and fairness in the purposes and methods of personal data processing; 
• Alignment of the purposes of personal data processing with the purposes predetermined and declared during the collection of personal data, as well as the Operator’s authority; 
• Consistency in the scope and nature of the processed personal data and the methods of processing with the purposes of their processing; 
• Accuracy of personal data, their sufficiency for processing purposes, and the inadmissibility of processing personal data that are excessive relative to the purposes declared during the collection of personal data
  
• Prohibition of combining databases containing personal data that were created for incompatible purposes; 
• Storing personal data in a form that allows for the identification of the personal data subject no longer than required by the purposes of their processing, unless the storage period is established by Georgian law, a contract to which the personal data subject is a party, beneficiary, or recipient; 
• Destruction of personal data upon achieving the purposes of their processing or if there is no longer a need to achieve those purposes unless otherwise provided by law.

In relation to personal data, the Operator performs actions (operations) or a combination of actions (operations) performed with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, updating (modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data. 

For the storage of personal data, the Operator uses databases located in Georgia.
 
The Operator uses a mixed method (using both automation tools and non-automation tools) for processing personal data, transferring information through the Operator’s internal local network and the information and telecommunication network “Internet.” 

The Operator ensures the recording, systematization, accumulation, storage, updating (modification), and retrieval of personal data of Georgian citizens using databases located on the territory of Georgia, except in cases provided by law. 

The conditions for the processing of personal data by the Operator are determined by the Operator’s internal regulations that govern the corresponding areas of the Operator’s activities. 

The Operator discloses processed personal data only based on and in cases stipulated by Georgian law, including in connection with the release and distribution of products through mass media. 

The processing periods for personal data are determined in accordance with the period specified in the consent of the personal data subject, as well as in accordance with other requirements of Georgian law and the Operator’s regulatory documents. 

The Operator stops processing personal data in the following cases:

• Achieving the purpose of personal data processing;
• Amendment or invalidation of regulatory legal acts that establish the legal grounds for personal data processing; 
• Detection of unlawful personal data processing by the Operator;
• Withdrawal of the personal data subject’s consent to the processing of their personal data.

The destruction of personal data by the Operator is carried out in the manner and within the timeframes established by Georgian law.

The Operator processes personal data of individuals who are users of the Operator’s websites only to the extent of the data provided by the subject within the feedback form that contains the condition of the subject confirming their consent to such processing. 

The Operator receives data on website visits in anonymized form and uses it for statistical purposes to analyze user interest in the website materials, to create a digital profile of the website user, and for those making payments through the site. This data may be transferred to third parties. 

6. Information on Implemented Data Protection Requirements

When processing personal data, the Operator takes all necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unlawful actions regarding personal data. 

The Operator implements necessary legal, organizational, technical, physical, and cryptographic measures to protect personal data and ensure compliance with obligations.

These measures include:

• Appointing a person responsible for organizing personal data processing; 
• Issuing internal regulations of the Operator governing personal data processing and protection issues; 
• Familiarizing employees directly involved in personal data processing with Georgian legislation on personal data, including protection requirements, the Operator’s internal regulations on personal data processing, and information on liability for disclosure, violation of processing rules, and other unlawful actions regarding personal data, as well as training these employees in handling personal data
  
• Establishing a system for and conducting internal control and/or audit for compliance of personal data processing with Georgian law and adopted normative legal acts, data protection requirements, and the Operator’s internal regulations; 
• Analyzing, identifying, and assessing threats to the security of personal data during processing in information systems; 
• Implementing organizational and technical measures to ensure personal data security during processing, including using appropriate information security tools in personal data information systems; 
• Monitoring and evaluating the effectiveness of security measures before and during the operation of the relevant personal data information system; 
• Keeping records of material (paper, machine) carriers of personal data and ensuring their safekeeping; 
• Prompt detection of personal data disclosure, leakage, unauthorized access, and taking appropriate measures, including restoring personal data modified or destroyed due to unauthorized access; 
• Reserving technical means and duplicating information arrays and carriers; 
• Establishing rules for accessing personal data, including those processed in information systems, and ensuring registration and accounting for all actions performed with personal data;
• Monitoring the security measures for personal data and the protection level of personal data information systems.

7. Rights of Personal Data Subjects

A personal data subject has the right to obtain information about the processing of their personal data by the Operator, except in cases provided by Georgian law.

The personal data subject has the right, under the procedure and conditions established by Georgian law, to request the Operator to clarify, block, or destroy their personal data if it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the declared purpose of processing, and to take legal measures to protect their rights.

The personal data subject has the right to withdraw their consent to the processing of personal data.

To exercise their rights and protect their legal interests, the personal data subject may contact the Operator. The Operator reviews and responds to appeals and complaints from personal data subjects, thoroughly investigates violations, and takes all necessary measures for their immediate correction, punishment of guilty parties, and resolution of disputed and conflict situations out of court.

If a personal data subject believes that the Operator is processing their personal data in violation of Georgian law or otherwise violates their rights and freedoms, the personal data subject may appeal the Operator’s actions or inaction to the authorized body for the protection of personal data subjects’ rights or through the courts.

The personal data subject has the right to protect their rights and legal interests, including compensation for damages and/or moral harm through the courts. 

8. Updating, Correction, Deletion, and Destruction of Personal Data, Responses to Requests for Access to Personal Data

If it is confirmed that personal data is inaccurate or unlawfully processed, the personal data must be updated by the Operator, and the processing must be terminated accordingly. 

Upon achieving the purposes of personal data processing or withdrawal of consent by the personal data subject, the personal data must be destroyed unless: 

• Otherwise provided by the contract to which the personal data subject is a party, beneficiary, or guarantor
  
• The Operator is not entitled to process the data without the personal data subject’s consent under Georgian law “On Personal Data Protection” or other laws
  
• Otherwise provided by another agreement between the Operator and the personal data subject.

The Operator must inform the personal data subject or their representative about the processing of their personal data upon request. 

Requests or appeals from personal data subjects and their representatives, as well as authorized bodies regarding inaccuracies, unlawful processing, consent withdrawal, and access to personal data, are processed by the Operator within 30 calendar days unless a shorter period is established by Georgian law.
Requests can be sent or delivered in person, by mail, email, or through courier services. The request form is arbitrary. The request must identify the person sending it and may include contact details for the response. 

9. Information about the operator, legal basis and purposes of personal data processing

The charitable foundation “Chernovetskyi Fund”, established under Georgian law, is located at: 11 Vissarion Zhgenti street, Vake district,Tbilisi, Georgia

Company identification code: 404940711.