Policy on the Protection of Data Subject Rights

Policy on the Protection of Data Subject Rights

Article 1. Scope of Application

1. The Policy on the Protection of Data Subject Rights (hereinafter – the “Policy”) regulates the procedures and rules for exercising the rights provided under the Law of Georgia on Personal Data Protection (hereinafter – the “Law”) within LLC Inexphone (hereinafter – the “Organization”).
2. Compliance with this Policy is mandatory for any person employed by the Organization.

Article 2. Right to Obtain Information About Data Processing

1. A data subject has the right to request confirmation from the Organization as to whether their data is being processed, whether such processing is justified, and to receive, free of charge and upon request, the following information:

1. what data about them is being processed, as well as the legal basis and purpose of such processing;
2. the source from which the data was collected/obtained;
3. the period (duration) for which the data is stored, or, if it is impossible to specify a precise timeframe, the criteria used to determine such period;
4. the rights of the data subject as set out in this Policy;
5. the legal basis and purposes of data transfer, as well as appropriate data protection safeguards, if the data is transferred to another state or an international organization;
6. the identity of the data recipient or the categories of recipients, including information on the basis and purpose of the transfer if the data is provided to a third party;
7. any decision resulting from automated processing, including profiling, and the logic used to make such a decision, as well as the impact of the processing and the expected/probable consequences.

1. In the case referred to in paragraph 1 of this Article, the data subject submits a written request to the Organization (the request may be sent by email to: info@dpo.ge or submitted in hard copy to the Organization). The request is forwarded to the Data Protection Officer, who coordinates its review within the Organization.
2. The data subject has the right to receive the information specified in this Article no later than 10 working days from the date of the request. In exceptional cases, and with proper justification, this period may be extended by no more than 10 additional working days, of which the data subject must be informed immediately by the Data Protection Officer.
3. The Organization is entitled, where necessary, to provide any additional information to the data subject in order to ensure transparency of data processing, except in cases where the disclosure of such information would contradict the law.
4. The data subject has the right to choose the form in which the information specified in this Article is provided. If the data subject does not request the delivery of information in a different form, the information will be provided in the same form in which it was requested.

Article 3. Right to Access and Obtain Copies of Data

1. The data subject has the right to access the personal data held about them by the Organization and to receive copies of such data free of charge.
2. In the cases covered by this Article, the data subject shall submit a request to the Organization (the request may be sent by email to info@dpo.ge or submitted in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.
3. The data subject has the right to access the data specified in paragraph 1 of this Article and/or receive copies thereof within no later than 10 working days from the date of the request, unless another timeframe is established by Georgian legislation.
4. In exceptional cases and based on a duly justified decision by the Organization, the period specified in paragraph 3 of this Article may be extended by no more than 10 additional working days, of which the data subject must be informed immediately by the Data Protection Officer.
5. The data subject has the right to access the data specified in paragraph 1 of this Article and/or receive copies thereof in the form in which the data is stored within the Organization. The data subject also has the right to request copies in a different format if technically feasible.

Article 4. Right to Rectification, Updating, and Completion of Data

1. The data subject has the right to request that the Organization rectify, update, and/or complete any incorrect, inaccurate, or incomplete personal data about them.
2. In such cases, the data subject shall submit a request to the Organization (the request may be sent by email to info@dpo.ge or submitted in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.
3. Where applicable, the Organization shall ensure the rectification, updating, and/or completion of incorrect, inaccurate, or incomplete data and provide the data subject with information regarding the decision taken.
4. The rectification, updating, and/or completion of data shall be carried out, or the data subject shall be informed of the grounds for refusal and the procedure for appealing such refusal, within no later than 10 working days from the date of the request (unless a different period is established by Georgian law).
5. If an employee of the Organization independently discovers that the data in their possession is incorrect, inaccurate, or incomplete, they must inform the head of their structural unit, who shall notify the Data Protection Officer. The Data Protection Officer shall then notify the Organization, which shall ensure that the data is rectified, updated, and/or completed within a reasonable timeframe. The Data Protection Officer shall inform the data subject of the rectification within 10 working days after the correction has been made.
6. The Data Protection Officer is not required to notify the data subject if the rectification, updating, or completion concerns the correction/elimination of a technical error.
7. If there is an objective circumstance that makes it impossible to inform the data subject within the period established by this Article, the Data Protection Officer shall provide the relevant information as soon as the first communication with the data subject is possible.
8. The Organization is obliged to notify all data recipients, as well as all other controllers and data processors to whom it has provided the data, about the updating or completion of the data, except where such notification is impossible due to the large number of controllers/processors/data recipients and/or would require disproportionately large expenditure.
9. After receiving such notification, the parties referred to in paragraph 8 of this Article are obliged to rectify, update, and/or complete the data within a reasonable timeframe.

Article 5. Right to Suspension, Deletion, or Destruction of Data

1. The data subject has the right to request the Organization to suspend the processing of their data, or to delete or destroy such data.
2. In the cases covered by this Article, the data subject submits a request to the Organization (the request may be sent by email to info@dpo.ge or submitted in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.
3. Within no later than 10 working days from the submission of the request (unless a different period is prescribed by Georgian law), the processing of data must be suspended and/or the data must be deleted or destroyed, or the data subject must be informed of the grounds for refusal and the procedure for appealing the decision.
4. The Organization may refuse to comply with the request under this Article if:

1. there is a legal ground provided by law;
2. the data is processed for the purpose of substantiating a legal claim or defense.

1. The data subject has the right to be informed of the suspension, deletion, or destruction of their data immediately upon completion of the relevant action, but no later than 10 working days. The notification is provided by the Data Protection Officer.
2. If the personal data of the data subject is publicly available, the data subject has the right to additionally request the restriction of access to such data and/or the deletion of copies of the data or any internet links connecting to it. In such cases, the data subject submits a request to the Organization (by email to info@dpo.ge or in hard copy), and the request is forwarded to the Data Protection Officer for coordination.
3. The Organization is obliged to notify all data recipients, as well as other data controllers and processors to whom the data has been transferred, about the suspension, deletion, or destruction of the data, except where doing so is impossible due to the number of such parties and/or would require disproportionately large efforts.
4. Upon receiving such notification, the parties referred to in paragraph 7 of this Article are obliged to suspend the processing of the data and delete or destroy it.

Article 6. Right to Blocking of Data

1. The data subject has the right to request the Organization to block their data if one of the following circumstances exists:

1. the data subject disputes the authenticity or accuracy of the data;
2. the processing of the data is unlawful, but the data subject objects to its deletion and requests blocking instead;
3. the data is no longer necessary for the purpose of processing, but the data subject requires it for filing a complaint or legal claim;
4. the data subject has requested suspension, deletion, or destruction of the data and the request is under review;
5. there is a need to retain the data for evidentiary purposes.

1. In the cases covered by this Article, the data subject submits a request to the Organization (the request may be sent by email to info@dpo.ge or submitted in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.
2. The data subject’s request shall be granted and the data shall be blocked if at least one of the circumstances referred to in paragraph 1 of this Article exists, except when blocking the data may endanger:

1. a) the performance by the Organization of its obligations imposed by law or by legal acts issued under the law;
2. b) the fulfillment of tasks within the scope of public interest under the law or the exercise of powers granted to the Organization by Georgian legislation;
3. c) the legitimate interests of the Organization or a third party, except where there is an overriding interest in protecting the rights of the data subject, especially in the case of a minor;
4. d) the protection of the interests provided under paragraph 6 of Article 50 of the Law.

1. After blocking the data, the Organization is authorized to decide to unblock it if any of the grounds provided by this Article exist.
2. Data shall be blocked for the duration of the reason requiring the blocking and, where technically feasible, the decision to block the data shall be attached to the relevant data.
3. The data subject has the right to receive information regarding the decision to block the data or the grounds for refusal immediately upon the decision being made, but no later than 3 working days from the request.
4. In the event of blocking under paragraph 1 of this Article, the data may be further processed, apart from storage, only in the following cases:

1. a) with the consent of the data subject;
2. b) for the substantiation of a legal claim or defense;
3. c) for the protection of the interests of the Organization or a third party;
4. d) for the protection of the public interest in accordance with the law.

Article 7. Right to Data Portability

1. In cases of automated data processing on the grounds provided by law, and where technically feasible, the data subject has the right to receive the data they have provided to the Organization in a structured, commonly used, and machine-readable format, or to request the transfer of such data to another data controller.
2. In the case referred to in paragraph 1 of this Article, the data subject shall submit a request to the Organization (by email to info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates the review.
3. The Organization’s decision is communicated to the data subject by the Data Protection Officer.

Article 8. Right to Withdraw Consent

1. The data subject has the right to withdraw their consent at any time, without any explanation or justification and free of charge. In such a case, data processing must be terminated and/or the processed data deleted or destroyed within no later than 10 working days from the request, unless another legal basis for processing exists.
2. The data subject may withdraw consent in the same form in which it was given. They may submit a request to the Organization (by email to info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.
3. Prior to withdrawing consent, the data subject has the right to request and receive information from the Organization regarding the possible consequences of such withdrawal. The Data Protection Officer provides this information. If the withdrawal may result in legal, financial, or other materially significant consequences for the data subject, the relevant employee of the Organization must inform the Data Protection Officer, who shall communicate this information to the data subject before the consent is withdrawn.
4. If the written document containing the consent also addresses other matters, every structural unit of the Organization is obliged to ensure that the text relating to consent is drafted in clear, simple, and understandable language, separated from the rest of the document, and consulted in advance with the Data Protection Officer.
5. If consent is given within the context of a contract or service, the voluntariness of the consent shall be assessed, among other factors, by determining whether it is a necessary condition for the conclusion of the contract or receipt of the service, and whether the service may be provided or the contract concluded without such consent.
6. In the event of withdrawal of consent by the data subject, the Organization shall immediately cease processing the data and delete or destroy the processed data unless otherwise provided by this Policy or the Law.
7. Withdrawal of consent by the data subject does not invalidate the legal consequences arising before the withdrawal and within the scope of the consent previously granted.

Article 9. Restriction of Data Subject Rights

1. The rights of the data subject set out in this Policy may be restricted if such restriction is expressly provided by Georgian law, does not violate fundamental human rights and freedoms, represents a necessary and proportionate measure in a democratic society, and the exercise of such rights may endanger:

1. information security and cybersecurity interests;
2. public security interests;
3. the prevention, investigation, prosecution of crime, or the administration of justice;
4. public health or social protection interests;
5. the detection of breaches of professional or ethical standards, including in regulated professions, and the imposition of responsibility on the data subject;
6. the performance of functions and powers of regulatory and/or supervisory authorities in the fields defined by this Article;
7. the rights and freedoms of the data subject and/or others, including freedom of expression;
8. the protection of state, commercial, professional, or other legally protected secrets;
9. the substantiation of a legal claim or defense.

1. The restriction referred to in paragraph 1 may only be applied to the extent necessary to achieve the purpose of the restriction.
2. If there are grounds as set out in paragraph 1 of this Article, the Data Protection Officer shall inform the data subject of the decision to restrict the right or refuse its exercise, except in cases where providing such information would endanger the purpose(s) specified in paragraph 1.
3. The rights of the data subject under this Policy shall be exercised free of charge.

Article 10. Rights of the Data Subject During Video and Audio Monitoring

The data subject is entitled to exercise the rights provided under this Policy and the Law during the implementation of video and/or audio monitoring, in accordance with the nature of such rights.

Article 11. Rights During Direct Marketing Activities

1. Personal data may be processed for direct marketing purposes only with the data subject’s consent.
2. Apart from the processing of the data subject’s first name, last name, address, telephone number, and email address, the processing of any additional personal data for direct marketing requires the data subject’s written consent.
3. Before obtaining consent and when conducting direct marketing, the Organization’s employee must clearly, simply, and in language understandable to the data subject, explain their right to withdraw consent at any time and the mechanism/procedure for exercising that right.
4. The data subject has the right to withdraw their consent at any time, without any explanation or justification, and free of charge. In such a case, the Organization must cease the processing within a reasonable period, but no later than 7 working days from the request. To ensure compliance with this obligation, the Organization is responsible for ensuring proper communication and action upon the withdrawal of consent by the data subject.
5. The data subject may withdraw consent in the same form in which it was given. They may do so via a NO SMS mechanism or by submitting a request to the Organization (by email to info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates the review of the data subject’s request.

Article 12. Exercise of Additional Rights

In addition to the rights provided under this Policy, the data subject is entitled to exercise any other rights afforded by law.