Personal Data Processing Rules

Article 1. Scope of Application
This rule applies to the processing of personal data (hereinafter referred to as “data”) by the Public Assembly of Georgia (hereinafter referred to as the “Assembly”) using automatic, semi-automatic, and non-automatic means.

Article 2. Definition of Terms
The terms used in this rule have the meanings assigned by the Law of Georgia on Personal Data Protection (hereinafter referred to as the “Law”).

Article 3. Principles of Data Processing

1. The Assembly processes data in accordance with the principles established by the Law of Georgia on Personal Data Protection.

2. The Assembly processes data fairly, lawfully, without infringing on the dignity of the data subject, transparently, and ensures that data subjects are informed and have access to their data upon request, within the limits and procedures established by Georgian legislation.

3. The Assembly processes data only for specific, predefined, and clearly defined lawful purposes. Data is not processed for purposes incompatible with the original purpose.

4. Data is processed only to the extent necessary for the achievement of the lawful purpose. The amount of processed data is adequate and proportionate to the purpose.

5. Data processed by the Assembly is accurate, truthful, and updated when necessary. Data without a legal basis or relevance to the purpose shall be blocked, deleted, or destroyed.

6. The Assembly processes data only for the period necessary to achieve the specific and lawful purpose. After the purpose is achieved, the data is blocked, deleted, or destroyed.

7. The Assembly takes appropriate organizational and technical measures to ensure data security, including protection from unlawful or unauthorized processing, accidental loss, destruction, or damage.

8. The Assembly ensures compliance with the principles defined in this article, including by means of this document.
   
   

Article 4. Purposes of Data Processing
The Assembly processes personal data for the following lawful purposes:
a) Identifying Assembly members;
b) Creating and administering interest groups for Assembly purposes;
c) Completing surveys and collecting information for Assembly purposes;
d) Communicating with Assembly members and other interested persons, providing them with information and receiving feedback;
e) Preparing petitions and statements for Assembly purposes;
f) Informing the public about the Assembly’s activities;
g) Conducting accounting, financial reporting, payment, and transfers for Assembly purposes.

Article 5. Legal Grounds for Data Processing

1. The Assembly processes data if at least one legal ground defined by the Law on Personal Data Protection exists:
   a) The data subject has given consent for the processing of data for one or more specific purposes;
   b) The data processing is provided by law;
   c) The data processing is necessary to review the data subject’s application (to provide service).

2. Special category data is processed only based on the data subject’s written consent or if the data subject has made the data publicly available without explicit restriction.

3. When data is processed based on consent, the burden of proof regarding the legal ground lies with the Assembly. Such consent is considered valid only if:
   a) It is given voluntarily by the data subject after receiving relevant information, for a specific purpose, orally, in writing, via telecom or other appropriate means;
   b) It is not a condition for service provision;
   c) It is not an integral part of a contract;
   d) The data subject has been properly informed of the right to refuse consent.
   
   

Article 7. Categories of Data Subjects
The Assembly may process data of the following categories of data subjects:
a) Any person who joins the Assembly;
b) Any person who fills out a questionnaire on the Assembly’s website;
c) Any person who signs a petition and/or statement initiated/distributed by the Assembly;
d) Any person who participates in an Assembly event;
e) Any person who financially contributes to the Assembly’s activities.

Article 8. Sources of Data Collection

1. The Assembly usually collects data directly from the data subject, through shared data in completed forms.

2. The Assembly is also authorized to collect/receive data for the purposes defined by this rule from any lawful source.
   
   

Article 9. Categories of Processed Data
Depending on the nature of interaction with the data subject and the purpose of processing, the Assembly may process the following personal data:
a) Identification data – first name, last name;
b) Contact data – phone number, email;
c) Geographic data – region of residence, municipality, legal and actual address;
d) Professional data – workplace and specialization;
e) Photo/video image;

Article 10. Recording Data Processing Information
The Assembly maintains a special record of information related to the processing of data, as required by law.

Article 11. Rights of the Data Subject

1. Upon request, within 10 (ten) business days of notification, the Assembly shall provide the data subject with the following information, access, or copies:
   a) Data being processed, as well as the legal ground and purpose of processing;
   b) Source of data collection/acquisition;
   c) Data retention period, or if not possible, the criteria for determining it;
   d) Rights of the data subject;
   e) Legal basis and purpose of data transfer, and data protection guarantees if data is transferred to another state or international organization;
   f) Identity or category of data recipients, and the legal ground and purpose of transfer if sent to third parties;
   g) The logic used in automated processing, including profiling, and the likely effects or consequences of such processing.

2. In exceptional cases, with justification, the period may be extended by no more than 10 business days, with immediate notice to the data subject.

3. The request under paragraph 1 is reviewed and responded to within 10 (ten) business days.

4. The data subject has the right to request correction or updating of inaccurate/incomplete data, or supplementation, including by providing additional documentation.

5. The data subject has the right to request termination, deletion, or destruction of their data. The Assembly must fulfill the request within 10 (ten) business days (unless otherwise required by law) or explain the grounds for refusal and the appeal procedure.

6. The data subject may request data blocking in accordance with the law. The Assembly must inform the data subject of its decision within 3 business days.

7. The data subject may withdraw consent at any time without explanation and request termination and/or destruction of the data. The Assembly must comply within 10 (ten) business days unless other legal grounds exist for processing.

8. Data subject rights may be restricted only in cases directly provided by law. Any restriction must be appropriate and proportionate.

9. In addition to the rights provided herein, data subjects enjoy other rights granted by Georgian legislation.
   
   

Article 12. Data Disclosure

1. Processed data may be disclosed to the following third parties under legal grounds and procedures:
   a) Law enforcement agencies;
   b) Courts;
   c) Personal Data Protection Service;
   d) Other entities defined by law.

2. When disclosing data under paragraph 1, the Assembly records: what data was disclosed, to whom, when, and under what legal basis. This record is kept with the data subject’s records for the duration of retention.
   
   

Article 13. International Data Transfers
The Assembly may transfer data to other countries or international organizations only if the legal conditions for data processing are met and appropriate safeguards for data and data subject rights are in place.

Article 14. Data Retention

1. The Assembly retains only data necessary to achieve specific and lawful processing purposes, and determines retention periods in line with data processing principles.

2. Data retention period and rule: 2 years from the last interaction.
   
   

Article 15. Data Security

1. The Assembly stores data in secure environments protected from unauthorized access and ensures protection from accidental or unlawful destruction, alteration, disclosure, access, or any form of misuse through appropriate organizational and technical measures.

2. The Assembly maintains data confidentiality. Only persons whose duties require it have access to the data, and only to the necessary extent.

3. Data is processed only in systems protected by individual usernames and complex passwords, which allow logging of performed actions.
   
   

Article 16. Responsibilities
The Assembly complies with legal requirements for data processing. Each Assembly member with access to or participating in data processing must:
a) Ensure the security of processed data;
b) Process only the data necessary for performing their functions;
c) Not disclose data to unauthorized persons, including by leaving it unattended or discussing it in the presence of unauthorized persons.