Obligations of a Data Controller

Georgia is among 110 countries with personal data protection legislation, and the law applies equally to public and private organizations. The law imposes multiple obligations on data controllers and envisages specific sanctions, including a fine, for violating these obligations.

As a data controller you carry the following obligations:

• You should process data only on the grounds prescribed by the law and observe the principles established by the law;

• If you collected data directly from the data subject, you must provide the data subject with information about data processing – identity and registration address of data controller/data processor; purposes of data processing; whether the data subject is obliged to provide the data and if so - consequences of refusal;

• Upon request you should inform the data subject about the grounds and purposes of data processing, the means of collecting data and the volume of processed data;

• You must advise the data subject about his/her right to request a copy of, rectification, blocking, erasure or destruction of processed information;

• You must protect and ensure security of data – implement organizational and technical measures that will ensure protection of data from accidental or unlawful destruction, alteration, disclosure, collection, unlawful or accidental use in any form and loss;

• You must record the facts of disclosure of data with a reference to the relevant legal ground;

• You have to ensure implementation by data processor of adequate organizational and technical measures for data protection, if you process data via a data processor;

• You must obtain the Inspector’s permission, wherever envisaged by the law;

• You must maintain a catalogue of a filing system, prior to creating the filing system or before adding a new category of data in the catalogue, and also, submit this information to the Inspector.

Principles and Grounds for Data Processing

The law establishes rules, principles, grounds and security measures that must be observed when processing citizens’ data. Collection, storage, use or publication of data contrary to these rules is a violation of the law and might become a basis for imposing an administrative sanction on you.
To determine whether the law has been breached, an individual approach and legal discussion are required for each separate case. However, there are two main conditions that must be met in every case for lawful data processing: existence of a legal ground and observance of the principles laid down in the law.

Ground for Data Processing
A legal ground is the basis the absence of which makes data processing inadmissible. The list established by the law is composed of 8 grounds:
● Data subject’s consent – a person’s voluntary, informed and clearly expressed consent to processing of his/her personal data. For example, agreeing to your web-page’s privacy policy, or signing a contract, that explains what data you collect, for what purposes, whether you transfer the data to third parties, etc.
● Compliance with statutory obligations – processing of data is necessary to comply with statutory obligations, for example, storage of data for a certain time for taxation purposes.
● Protection of a vital interest – implies the cases when processing of data is necessary to save a person’s life or avert a serious risk to one’s health. For example, if during an emergency a person’s life is at risk and in order to save him/her it is necessary to locate this person.
● Accessibility of information – implies the cases when information is public in accordance with the law or it was made public by the data subject personally. For example, a photo or contact details shared publicly on a social network.
● Protection of an essential public interest – data may be processed in order to protect an essential public interest, such as prevention of a crime, protection of property or a child from undue influence, etc.
● Protection of a legitimate interest - processing of data on this ground is admissible in order to protect legitimate interests of a data controller or a third person if their interests prevail over the interest of securing the rights and freedoms of a data subject.
● Handling a data subject’s complaint or provision of a service – processing of a person’s data in order to provide him/her with a service. For example, to deliver an order, you need to know a client’s address. To sell something on credit, you need to be informed about the customer’s income.

When it comes to processing of special category data, the law establishes a higher standard and different grounds for processing. You might not be a medical institution, but in order to provide services you might still need your client’s health data, for example, information about allergies or chronic diseases of your customers at a beauty parlor. In such cases you need to know that a data subject’s oral consent is insufficient. You should obtain the consent in written form. You can find more details about the grounds for processing special category data in the Law.
To avoid violation of the law in data processing, you need to rely on at least one legal ground.

Principles of Data Processing
To ensure lawful processing of data, existence of legal grounds is insufficient. Data should be processed in accordance with specific principles. Like the legal grounds, the principles are established by the law.
• Fairness and lawfulness – data must be processed fairly and lawfully, without impinging on a person’s dignity;
• Existence of explicitly defined, legitimate purpose – you have to define a specific purpose for which data are being processed. You should not use the data for other purposes;
• Proportionality and adequacy – data must be processed to the minimal extent that is necessary to achieve the specific purpose of processing;
• Validity and accuracy – if necessary, data must be updated and the credibility of the source of information must be verified; false or inaccurate data should be rectified;
• Storage term – you must store personal data only for the term prescribed by the law or for the term that is necessary to achieve the purpose. After achieving the purpose, you must erase the data or store them in a form that excludes identification of a person.
In order to avoid violation of law in data processing, all five principles prescribed by the law must be observed.

Direct Marketing
Direct marketing is the offering of goods, a service or a job via SMS, mail, telephone call, e-mail or direct communication with consumers. If you choose this form of communication with citizens, you should take the requirements of the legislation into consideration.
Citizens’ data may be processed for direct marketing purposes only if:
• A citizen has given written consent;
• Information is available publicly.

Each sent message must be accompanied by an opt-out mechanism and a clear indication of how a citizen can stop receiving messages – the so-called SMS OFF. In case of e-mails, the letter must have an unsubscribe mechanism.
A citizen enjoys the right to request at any time that you stop processing his/her data for direct marketing purposes. You must comply with this request within 10 business days.
A citizen is entitled to know what data are processed and at any time request their rectification, completion, blocking, erasure or destruction; a person also enjoys a right to know who conducts direct marketing, what sources were used to collect the data and on what grounds.
If you use another company’s services to send advertising messages, take into account the company’s experience in this field and make sure that its opt-out mechanism actually works.
Violation of these rules leads to a financial sanction. A first violation carries a fine of GEL 3000, while repeated commission of the same violation within 1 year leads to a fine of GEL 10 000.