This Data Confidentiality Policy (hereinafter – "Confidentiality Policy") is addressed to the public at large (hereinafter – "the Users") – visitors and registered users of the website of the non-profit-making institution (NGO) “Chernovetskyi Fund”, identification code: 404940711, contact data: 25 Gorgasali Str., II turn, Tbilisi, Georgia, tel.: +995 577 92 40 45, +995 322 19 33 21 (hereinafter – "the Fund"), located on the Internet under the domain name (including all subdomains and separate pages) chernovetskyifund.ge (hereinafter – "the Website"), and is valid in relation to all the information which the Website can obtain about the User during his use of the Website and/or separate Website services.
References to the Website in the Confidentiality Policy shall mean Fund employees authorized to manage the website who arrange and (or) carry out processing of personal data and define the purposes of personal data processing, composition of personal data subject to processing, actions (operations) done with personal data, as well as other actions provided by the Confidentiality Policy according to the requirements of valid legislation and this Confidentiality Policy.
The Confidentiality Policy aims to inform the User about what personal data is, which personal data is collected by the Website, how and why the Website uses personal data, to whom the Website can transmit personal data, how the Website protects personal data confidentiality, how one can get in contact with authorized persons of the Website, and whom the User shall address if there are questions concerning personal data processing and other issues of personal data use.
1. Terms and definitions:
1.1. Legislation – laws and regulations used to regulate personal data processing. Personal data is processed according to the requirements of the Law of Georgia "On protection of personal data"; personal data processing of Users who are in the territory of the EU or who are EU citizens shall be regulated, in particular, by the EU General Data Protection Regulation 2016/679 (hereinafter - "GDPR"). In addition, the legislation of the countries of which other Website Users are citizens (or in whose territory they are located) can establish additional requirements.
1.2. Personal data controller - physical or legal entity defining the purposes and means of personal data processing and bearing the main responsibility for their processing. According to the Confidentiality Policy, the Fund is the personal data controller.
1.3. Personal data processing - any operation (set of operations), done with personal data or personal data arrays using or not using such automated procedures as collection, recording, systematization, structuring, storage, change, ordering, viewing, use, publication or any other type of access provision to third parties, including to employees of the controller or processor of personal data, as well as deletion thereof.
1.4. Specific categories of personal data – so called "sensitive" personal data which may harm the data subject in his work, at his educational institution, in his living environment, or which may lead to his discrimination in the society (personal data containing information about race, political or religious views, memberships in unions, health condition, sexual life, biometric or genetic data etc.).
1.5. Personal data - any information of personal nature allowing a third person to identify the physical entity (data subject). In this case the identified physical entity means a physical entity which can be identified expressly or by implication, in particular by reference to a certain identifier (name, surname, document number or another identifier).
1.6. User – person with access to the Website via the Internet, who uses the Website (in particular, but not as a limitation thereof, using all or specific Website services).
1.7. Personal data processor - physical or legal entity who processes personal data for the controller based on instructions (indications, prescriptions). According to the Confidentiality Policy, Hetzner Online GmbH is the Personal Data Processor.
1.8. Personal data subject - physical entity who the personal data refers to and who can be identified by these personal data or who has already been identified.
2. General Provisions of the Website Use
2.1. Use of the Website by the User (without registration procedures on the Website/filling in Personal Data, etc.) presupposes agreement with the separate provisions of the Confidentiality Policy, provided they do not concern User Personal Data which requires a separate agreement of the User. Otherwise the User shall discontinue using the Website.
2.2. The Confidentiality Policy is only applicable to the website chernovetskyifund.ge (including all subdomains and separate Website pages). The Website does not control and shall not be responsible for websites of third persons which can be opened by the User by following the links available on the Website.
2.3. The Website does not verify accuracy of the personal data (except for e-mail address of the User which is required to confirm his registration) provided by the Website Users.
3. Statement on Personal Data Protection
3.1. The Fund takes all the required actions to protect the confidentiality of the Personal Data and takes all the measures to prevent any misuse of the Personal Data obtained by the Website. Personal data processing is done in strict compliance with the requirements of the applicable Legislation and only where a legal basis for such processing exists.
3.2. The Fund controls the means of Personal Data collection and defines the purposes for which Personal Data is used. The Fund is the "data controller" for the purposes of the EU General Data Protection Regulation 2016/679 (hereinafter - "GDPR") and any other applicable European legislation on data protection.
3.3. The Fund processes Personal Data of the User only if one of the provisions indicated in article 6 of the GDPR is fulfilled, including without limitation: User's consent for Personal Data processing was received; the processing is required for the purposes envisaged by the Confidentiality Policy; similar processing is required by the Legislation etc. In case of processing personal data of special category (for instance, health data), at least one of provisions indicated in article 9 of the GDPR shall be met.
3.4. The Website can update the Confidentiality Policy at its own discretion, including if it is required by the valid Legislation. A registered User can obtain information on updating of the Confidentiality Policy immediately on the Website (via message received in the User area) by receiving an electronic message from the Website (by e-mail) or by any other means not forbidden by the Legislation.
4. Personal data processed by the Website
4.1. Personal data allowed for processing in the framework of this Confidentiality Policy is provided by the users by filling in specific forms on the Website and comprises the following information:
4.1.1. Name and Surname;
4.1.2. E-mail address;
4.1.3. User Contact telephone number;
4.1.4. Date of birth;
4.1.5. Country, region, locality (place of stay or living of the User);
4.1.7. Photos (images indicated by the User as his photos);
4.1.8. References to data of User account (accounts) in social networks in public profile (publicly available data or access to them is provided by the User);
4.1.9. Information on amounts of donations;
4.1.10. Credit card number;
4.1.11. Other Personal Data which can additionally be indicated (updated) by the User on his own initiative in electronic/paper message/statement/communication, in user area settings or otherwise.
4.2. Any other Personal Information not specified above (IP-addresses, used browsers and operational systems etc.) shall be properly stored and not disclosed, except for cases provided by the Legislation and/or this Confidentiality Policy.
5. Purposes of Personal Data Processing
5.1. The Website can use Personal Data of the User (under condition that the User has agreed for processing of his Personal Data for one or several purposes indicated below) for the following purposes:
5.1.1. Provision of the User with efficient client and technical support in resolving any issues related to the Website use.
5.1.2. User identification for registration on the Website; receiving feedback from the User, including sending notifications, requests concerning use of the Website, provision of information, processing of requests and communications from the User.
5.1.3. Provision of information to the User via sending out push-messages, Skype, Viber, WhatsApp and other messages using various OTT-applications, SMS, messages of other types/transmission means, in order to inform the User about the Website, active and new projects, as well as to learn about User's wishes and needs.
5.1.4. In case of the User's consent, provision of updated information about Website projects, statistics, special offers, including about joint projects and actions with the partners, newsletter and other information on behalf of the Website or on behalf of the Website partners.
5.1.5. Collection and input of User Personal Data into the special Website database.
5.1.6. Carrying out information activity upon the User's consent.
5.2. If storage of User's Personal Data is not required in order to provide services to the User, then, in accordance with para. 9.1. of the Confidentiality Policy, the Website shall delete them.
6. Place of Personal Data Storage
6.1. According to the Georgian Legislation, the Fund provides for organizational and technical measures to ensure data security against accidental or unlawful destruction, modification, disclosure, blackmail and any other forms of illegal use or accidental or unlawful loss thereof.
6.2. In order to ensure security of Personal Data databases on the Website, they are stored in data processing centers of Hetzner Online GmbH (Industriestrasse 25, D-91710 Gunzenhausen, Germany). The Fund and the authorized person owning the database in Germany have exclusive access to the databases. According to this Confidentiality Policy, Hetzner Online GmbH is the Authorized Person of the Fund (physical or legal entity which processes the data for the Fund or on its behalf).
7. Transfer of Personal Data to Third Persons
7.1. The User agrees that the Website is entitled to transfer Personal Data to third persons if this meets the requirement of the Legislation or is necessary to achieve the purposes of the Website.
7.2. For the purposes of the Website functioning (provision of the main and additional services to the User) the Website may transfer Personal Data to third persons, including without limitation: state bodies (in cases provided by Law), Website partners, developers (to modify, improve and correct the Website which may entail interaction with databases) of the Website, etc.
8. Data Protection Measures
8.1. For the purpose of safe storage of personal data the Website uses a number of technical and organizational measures which protect Personal Data from unauthorized or illegal processing and from unintended loss, destruction or damage.
8.2. The Website observes the principle of Personal Data Minimization, processing only that User information which is required or the information which was additionally provided by the User upon his consent. The interface of the Website and applications is adjusted to provide services in such a way that maximum confidentiality is observed.
8.3. Therefore, the User shall provide only the minimum Personal Data required in order to provide the necessary service, receive newsletters or answer a request or a claim. At the same time, if the User decides to provide additional Personal Data to the Website, the Website shall process them with the required level of protection.
8.4. The most secure and verified ways of data transfer are used when Personal Data is transferred to third persons. When the User makes a donation with a bank card, this can be done via forwarding to the websites of the electronic payment systems UFC (www.ufc.ge), libertypay.ge, as well as MoneyMovers, PayPal, WebMoney, Qiwi, GooglePay, ApplePay and others. In this case security of payments and Personal Data is ensured by using the SSL protocol for transfer of User confidential information through closed bank networks with the highest level of protection. In this case payment data is entered through the payment services themselves, without transfer of data to the Website; so, payment data are not processed by the Website purposefully.
8.5. In case of loss or disclosure of Personal Data the Website informs the User about the loss or disclosure of Personal Data of the User. Along with the User the Website takes all the necessary measures to prevent any losses or other negative consequences resulting from loss or disclosure of Personal Data of the User.
8.6. If Personal Data security is violated the Website shall inform the supervisory body about Personal Data violation without unreasonable delays and, if possible, not later than 72 hours after it became aware of the fact of such violation. Supervisory body in this Confidentiality Policy means a supervisory body in accordance with GDPR provisions (if it was actually created by Georgian state authorities) or the Inspector on Personal Data protection of Georgia. If the notification was not sent to the supervisory body within the indicated term the Website shall substantiate the reasons of such delay.
9. Ways of Payment and Terms of Processing (storage) of Personal Data
9.1. User Personal Data is processed until the user is registered on the Website, by any legal way, including informational systems of Personal Data using automation means (or without the use of such means). User Personal Data processing is discontinued if the User revokes his consent for such processing, upon final (not related with temporary technical malfunctions) closedown of the Website and/or in other cases provided by Law.
9.2. The Website does not store the User's data longer than it is necessary for implementation of the purpose for which such data is processed, or to observe the requirements established by Law.
9.3. In order to determine the necessary storage period the Website defines the nature and category of the Personal Data, its processing purposes, as well as whether it is possible to achieve the purposes using other means (without use of Personal Data).
10. Rights of Personal Data Subjects
10.1. Rights of Personal Data Subjects in accordance with the legislation of Georgia:
10.1.1. To receive the following information (provision of such information is not obligatory if the personal data subject already has it):
a) identity and registered address of the person who processes information and the authorized person (if available);
b) data processing purpose;
c) whether it is obligatory or optional to provide the data; if it is obligatory – legal consequences to do this.
d) right of data subject to receive information about his processed data, to request their correction, update, supplementing, locking, deletion or destruction.
10.1.2. To receive information about data processing (the form of information provision shall be selected by the data subject), notably:
a) which data about personal data subject are processed;
b) data processing purposes;
c) legal bases for data processing;
d) way of data collection;
e) who the data was given to, basis and purposes of their transfer (it is not obligatory to provide information if the abovementioned data is public according to the Legislation).
10.1.3. Information provided for by para. 10.1.2. of the Confidentiality Policy shall be provided to the personal data subject upon request, immediately or not later than 10 days after his request if the following is required to answer the information request:
a) collection and processing of information in another institution or structural unit or consultation with them;
b) collection and processing of large documents which are not related with each other;
c) consultation with its structural unit located in another locality or with another public institution.
10.1.4. To request corrections, updates, supplementing, blocking, deletion or destruction of Personal Data if it is incomplete, not precise, not updated or illegally collected and processed. In this case the person processing the data shall inform all the receivers about correction, updates, supplementing, blocking, deletion or destruction of the data except for the case when provision of such information is impossible due to the large number of receivers and unreasonable expenses (personal data protection inspector shall be informed about the latter).
10.1.5. The abovementioned rights of personal data subjects can be limited if their realization can create additional risks envisaged by the norms of Legislation. In such a case the data subject shall be informed about the decision of the person processing the Personal Data in such a way that it does not harm the purposes of limitation of the rights.
10.2. Rights of Personal Data Subjects in accordance with GDPR:
10.2.1. Right for information
10.2.1.1. The Website provides the Users with information about which of their Personal Data is processed (list of data which shall be provided is indicated in articles 13 and 14 of GDPR). In order to obtain information the User shall submit an appropriate request stating his specific requirements, so that his request can be considered and answered in the most efficient way based on the provisions of GDPR.
10.2.2. Right to correct data
10.2.2.1. If the User has detected that separate Personal Data processed by the Website are incorrect or outdated, he can inform the Website and/or any other authorized person of this, stating his specific requirements.
10.2.2.2. If the Website provides for the possibility of independent correction of Personal Data (by entering the user account), the User can make the correction on his own.
10.2.3. Consent for Personal Data processing and right to be forgotten
10.2.3.1. If the Website processes Personal Data of the User based on his consent thereto, the further processing may be discontinued via revocation of the consent by the User. In such a case the Website shall discontinue processing the data and (or) destroy the processed data within 5 days upon reception of such a claim if there is no basis for data processing.
10.2.3.2. If the User decided to use his right to be forgotten, then according to the bases provided by art. 17 of GDPR, the Website shall destroy Personal Data processed by the Website, except for the Personal data which the Website is obliged to preserve according to the requirements of the legislation.
10.2.4. When the User applies for implementation of the rights provided by GDPR, the identity of the data subject shall be confirmed. This can be done by exchange of electronic messages using electronic digital signature or in person; in case of reasonable doubts concerning the identity of the data subject the Website shall have the right to ask for a document confirming the identity. These measures are necessary to protect Personal Data against unauthorized use (change) by third persons.
10.3. The Website processes User requests in the shortest time reasonably required to identify and provide the necessary information, but not longer than 1 (one) month.
11. Addressing on Personal Data issues
11.1. Communications from Users on any issues related to Personal Data and (or) this Confidentiality Policy (questions, remarks, claims, suggestions etc. concerning Personal Data protection and processing) shall be sent to the Fund authorized person by e-mail firstname.lastname@example.org or by telephone +995 577 92 40 45, +995 322 19 33 21. Additionally, Users may address the questions indicated above through the Website via personal message, by sending an e-mail or in any other form not forbidden by the Law.
11.2. The User may also address his claims or propositions on Personal Data processing procedure (if the subject of personal data has detected violations in Personal Data processing procedure) to the Inspector on Personal Data Protection of Georgia and/or to court authorities.