0

Start Order

  • Delivery
  • Takeaway
    error-image
    Delivery Date
    Delivery Time

    START YOUR ORDER

    error-image
    Takeaway Date
    Takeaway Time

    START YOUR ORDER

  • Personal Data Protection Policy

    Article 1. About provision 
    1. The present policy regulates the principles and rules of personal data protection by “Iberia Food Company” LLC (hereinafter – company). 
    2. The company processes the personal data with the basis and rule considered by legislation, in order, to ensure an economic activity of the company, marketing activity, human resources activity, customers safety of restaurant, property protection of the company, performance of financial and contractual obligations,  proper functioning of e-commerce program and delivery service for customers of the restaurant. 
    3. The present policy and issue of making changes in it is approved by the director of the company. 
     
    Article 2. Who we are 
    1. “Iberia Food Company” LLC ( hereinafter – the company) is an entrepreneurial entity registered under the legislation of Georgia and the entity responsible for the own customers/employees/procession of contractors personal data. 
    2. Company: - “Iberia Food Company” LLC 
    Identification code: - 404992273
    Address: N1 commercial area, N1 floor, N47 Tsotne Dadiani, Nadzaladevi district, c. Tbilisi. 
    Contact information:  577-20-11-22; info@ifc.ge
     
    Article 3. Scope and change of the policy on data protection 
    1. The present policy applies to the contractors, physical and legal entities, customers (potential, current) job seekers, employees of the company and any other entity(s), who are in any way related to the company, products and service of the company, including the entities, who are not able to communicate through the various channels, such as e-mail, webpage, mobile application, or the accounts of social and digital media pages (Facebook, Instagram, Youtube and etc.) managed by the company. 
    Article 4. Principles of personal data processing 
    1. The company processes the personal data with preserve of the following principles: 
    a. The company processes the personal data without violation of dignity of the entity, with preserve of the principles of justice and legality. 
    b. The company processes the personal data only for clearly defined, legal objectives. Further processing of data for other purposes incompatible with the original purpose is not allowed. 
    c. The company processes the personal data only in the volume, that is necessary for reaching the relevant legal objective. The data should be adequate and proportional of the objective, for what it is processed. 
    d. The personal data prcesed by the company should be authentic and exact, and in case of necessity renewed. 
    e. Company keeps the the personal data only for the term, which is necessary in order of data procession.  
    f. Company processes the personal data with preserve of the principle of inadmissibility of discrimination.
    g. Except the cases defined by law, processing of the personal data is made with preserve of the principle of awareness. The consent of the data subject may be oral, written, telecommunication or other voluntarily expressed consent, through which is possible to clearly determine the will of the data subject. 
      
    Article 5. Scope of data processing
    1. During communication period to the company, also after completion of it, the company is authorized, with the purposes defined by the present policy, to implement processing of information about the data subject, including the personal data. 
    2. Procession of the data by the company, without all kind of limitation, includes any action performed on data using automated, semi-automated or non-automated means, in particular, obtain, collection, access, video monitor, organize, interconnect, store, modify, restore, request, use or disclose of the data from the data subjects or/and third entity(ies) listed in #1 annex of the present policy , through transfer, distribute or otherwise make available the data, to group or combine, block, delete or destroy. 
     
    Article 6. Types of personal data processed by the company
    1.   The company uses various types of personal information, grouping of which we can in the following categories, which includes but may not be limited to the data below. 
    • Identification – name, surname, personal identification number, sample of signature, birth date. 
    • Contact – registered or/and residential address, e-mail, phone number. 
    • To ensure completion of the financial obligations the company processes the following documents containing the personal information – invoice; Bill of lading; Delivery -acceptance act; Agreement; Register of salary, one-time honorarium and payment for services; Extract from the bank account; Bank payment task; Tax declaration; Order on issue salary, one-time honorarium; The order of income and expenditure of the salary; Bank check and other accounting and tax documentation.
    • Transactional – Tax (bank) account number. 
    • Technical – information on the device used by the data subjects when using our services and other technical details, such as Internet Protocol (IP) address, operating system, log entries, etc. 
    • Related to the location - Includes data about where you are. For example, information, that is collected with the help of location-determining functions of the data subject's mobile device, when requesting such services, delivery of which depends on location of the data subject(s).  
    • Related to use - Information on use of our website(s), mobile applications, products and services, including ratings and survey responses by the data subject(s).
    • Marketing - Includes information about your preferences when receiving marketing messages from us or third parties, as well as the preferred form of communication for data subjects, information about whether you have used yes/no mechanism for direct marketing.
    • Socio-demographic – Data related to citizenship, education, working location of the person, also language, gender and age. 
    • Interactive - Information fixed by customers during direct communication with KFC restaurants, including by phone, email and other channels (Facebook, Instagram and others).
    • Registries and public data – information about the entities, which are registered in various data base, are kept in the public records (for example, in the National Agency of the Public Registry LEPL, Central Election Commission), also an information of the data subject, which openly is available on the internet or otherwise. 
    • Data of a special category - a certificate of conviction.
    • Documentary - Information about individuals stored in documents of various formats or their copies, for example, their passport, driver's license, birth certificate, vehicle license, extract and others.
    2. The company is bale to process any other data, which is related to the data subject and resulted of which is possible to identify or/and characterize it according to the present policy. 
    Article 7. What we need from the data subject 
    1. Data subject is obliged to ensure that the information provided to the company is accurate and up-to-date. Otherwise, the data subject must immediately notify us. In case if, the data subject provides the information about third entities (contact person, employee, employee family member and others) , including and not only, their personal data (name, surname, personal number, phone number, e-mail and others) he/she himself/herself is obliged to obtain the consent of the above-mentioned persons for the processing of their personal data by the company for the purposes defined by this policy, before transferring this information to the company , and in case of entrusting of the representative authority, to present the power of attorney as well. According to the above mentioned, the fact of providing such information to the company implies the prior consent of the data subject from this person(s), providing them with familiarization with the agreement to the present policy, and does not require additional confirmation from the company. 
     
     
    Article 8. Consequences of non-provision of the personal data by the data subject 
    1. When collection of the personal data of the data subject is necessary  with preserve of legislation demands, according to the agreement terms existed between us, for conclusion of the agreement or to receive/provide services, and the data subject does not provide us with the said data despite of the request, we may be deprived of the opportunity to fulfill the agreement that already exists between us or the agreement that we are preparing to conclude. 
     
    Article 9. How is made a collection of the personal data of the data subject by the company  
    The main sources through which the company obtains the personal data of the data subject(s):
    9.1. Data collection directly from the data subject, for example, when: 
     
    • Applies to us to conclude the agreement, receive services or express interest with regard to the company's products and services;
    • Will fill the relevant forms, including, which are placed on our web page and digital applications (in this case, the company processes the following personal data of the data subject(s): name, surname, mobile phone number, e-mail, address); 
    • You are communicating with company’s employees in face-to-face meetings, phone calls, through our website, mail, email, online chat, social media and other channels;
    • You are using our products and services, registering on our online services; 
    • At the time of implementation of the financial transactions based on the sale agreement; 
    • At the time of signing/concluding the purchase, service, sale with accompanied service, lease, job, labor contracts, memorandums, agreements, annexes; 
    • You participate in contests, surveys, trainings and others;
    • Provides the personal data on himself/herself and other third entity(ies) in any form and purpose. 
     
    9.2. Data collection from third entity(ies), with basics defined by law, including, where the consent of the data subject is necessary, the company may obtain an information about the data subject from the external sources, including and not only, from the following entity(ies): 
    • Collection of data from data registries and publicly available sources (public registry my.gov.ge, Central Election Commission cesko.ge, Georgian Chamber of Notaries notary.ge) - we may obtain personal data of data subject(s) from public registries and other public sources.
     
    Article 10. For what purposes does the company process the personal data of the data subject(s) 
    With consideration of the nature of the relationship with the data subject and the specific circumstances, the processing of the personal data of the data subject may be carried out for various purposes and legal bases, including:
    Objective: Identification/verification of the data subject (conclusion of the agreement, transfer of the amounts, implementation of cash and non-cash payment, registration of the restaurant customers at the company’s web page to order, participation if surveys, trainings, competitions). For this, we may need the data subject's identification, contact, banking details, as well as location-related, register and public data, video-visual, contractual and/or other data, that will help us achieve the named objective. 
    Basis: (a) Consent of the data subject when he/she himself/herself provides his/her personal data; (b) Conclusion or/and fulfillment of the agreement; (c) Review of the application of the data subject (service provision); (d) Legal obligation of the company; (e) Legitimate interest of the company, including: to effectively comply with legal and contractual obligations, to ensure that the records kept about the data subject(s) are true and accurate;
    Objective: Detection and prevention of crime (fraud, theft, appropriation, embezzlement, etc.). For this, the company may need the data subject's identification, contact, transactional, technical, register and public data, documentary and any other information obtained as a result of preventive measures.
    Basis: (a) Company’s legal obligation; (b) Company's legitimate interest, including: preventing, detecting, prosecuting fraud and potential fraud, misuse of our services and other crimes, protecting our customers and employees.  
    Objective: improvement of our products and services  - the company analyses the information, to identify improvement ways of the service and product.  For that we may need usage related and interaction data.  
    Basis: Our legitimate interest, including: to develop products/services and grow our business; To eliminate defects and improve the service.
    Objective: Protection of legitimate rights of the company - The Company may need to use the personal data of the data subject in order to protect the legal rights of the company and/or third parties, for example, in court proceedings, to respond the complaints, claims and requests. For this, we may need the data subject's identification, contact, video-visual, interactive, register and public data, contractual, documentary and/or other data that will help the company to achieve the set objective.  
    Basis: (a) Our legal obligation; (b) Our legitimate interest, including: to effectively fulfill legal and contractual obligations, to develop products/services, to grow our business; protect the company's business interests; 
    Objective: Analytics & Reporting – The company processes the data of the data subject to perform the accounting, reporting and auditing as required by the legislation of Georgia, also to provide external reporting for marketing purposes. For this, we may need the data subject's identification, contact, technical, documentary and/or other data that we will need to achieve the named objective. 
    Basis: (a) Company’s legal obligation; (b) Legitimate interest of the company, including: to effectively fulfill legal and contractual obligations, to develop products/services, grow our business; 
    Objective: Protection of property and safety - For what we may need video-visual, technical and any other information that will help us to prevent crime, detect it, protect public safety, personal safety and property. 
    Basis: (a) Important public and company’s legitimate interest, including: to prevent, detect, prosecute crimes, protect restaurant customers, employees, ensure the safety and proper functioning of restaurants; 
    Note: the company is authorized to process the data of the data subject, with any other purpose defined by legislation, also, when the objective after processing is compatible to the original objective.  
     
    Article 11. To whom will transfer the company the personal data of the data subject(s).
    1. In order for the company to fulfill the duties imposed by the law, contractual obligations, to protect legitimate interests, as well as to fully and properly provide services to the individuals, depending on the context and purposes of data processing, the company may transfer information about data subjects, including but not limited to the third parties of the following category:
    • Private audit firms – for example, to perform the requirements of the financial department of the company, transfers the agreements concluded with the private entities to the audit firms and accordingly the personal data of the data subjects protected in these agreements to audit firms for accounting, reporting and auditing. 
    • Advertising companies – for example, The marketing department of the company transfers to advertising companies in contractual relationship, in case of written consent obtained from the data subject(s), their personal data for the purpose of offering company services and valid promotions. 
    • Delivery service companies (Wolt, Glovo and Etc.) - for example, when the company cooperates with the delivery service companies in a contractual relationship, it transfers the personal data of the company/restaurant customers to them in order to ensure the quality of service and product delivery/delivery service.
    • Insurance company - for example, the company transfers the personal data of the employees and possibly their family members (name, surname, personal number, phone number, e-mail address, date of birth, etc.) to the insurance company in a contractual relationship for the purpose of health insurance of the employees.
    • Private/public expert institution - for example, the company transfers the personal data of the data subject processed and obtained by it to expert institutions in a contractual relationship for public and private interests, crime detection and protection of legitimate interests.
    • Public institutions  (including and not only: Revenue Service, Law Enforcement Authorities, National Bureau of Enforcement and others) – for example, in order to fulfill the rights -duties stipulated by the law, including the detection and prevention of crime, the company transfers the personal data of the data subject (employees) obtained and processed by the company to the public institutions mentioned above and not only to them. 
    • Private institutions (such as the transport company being in contractual relationship with the company, also “Fitpass Georgia” LLC and other) -  They provide services to the employees of the company, and themselves, the company provides them with the personal data of the employees. 
     
    Article12. International transfer of  the data subject's personal data 
    1. In the cases considered by law, including for the purposes of business analytics, restaurant service quality development and control, as well in order of trainings of the restaurant staff and ensuring the satisfaction of employees, transfer, storing of the data subject’s personal data is made outside of Georgia, based on the franchise agreement concluded between the company as a franchisee and the franchisor as s KFC MENAPAKT FZ-LLC. The franchisor is the organization registered in the country, which does not represent a country with proper guarantees of personal data protection defined by the relevant normative act of the head of the personal data protection service/his successor. Threats to sharing data in countries without adequate safeguards for personal data protection may be related to, but not limited to, the absence of local supervisory authority and individual data protection and data subject rights (or only with a limited existence). In some such countries, the privacy and data protection laws and rules regarding access to data may differ from Georgia's laws; with that, in such a case, the company ensures the signing of an appropriate agreement on the transfer of personal data, which defines the obligations of the receiving party to ensure the protection of your personal data in accordance with the requirements stipulated by the legislation.
     The international franchise agreement concluded between the company as a franchisee and the franchisor defines the obligations of the receiving party to ensure the protection of personal data of data subjects. 
     
    Article 13. Cookies policy 
    The company may use cookies and similar technologies, which will help to improve experience of the data subject, as the user at the time of visiting the web page(s). For farther information please see the cookies:
    Data subjects can block or restrict the use of cookies in any website - including our website(s) - from the settings of the browser (Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and the device used to access the Internet. In the same way, you can delete cookies that are already stored in the data subject's device. 
     
    Article 14. Video monitoring 
    1. In order to prevent crime, detect it, protect personal safety and property, protect minors (including protection from harmful effects), to perform other important tasks belonging to the legitimate interest of the company, the rules specified in annex #1 of this policy and "personal data protection" in accordance with the requirements established by the law of Georgia, video monitoring of the external and internal perimeter of the building(s), including service spaces, warehouse and workplace(s) is being carried out in the restaurant. 
     
    Article 15. Processing of data of the job seeker (applicant). 
    1. The company is authorized to process the personal data of the entity, that became known to it during the decision-making process with regard to the employment and/or internship of this person (hereinafter - the applicant). If an applicant for the specific position is refused on employment, the applicant fails the selection process or fails the probationary period, the applicant's personal data is subject to destruction unless there is the applicant's consent to the further processing of his/her data (e.g. for the purpose of consideration of his/her candidacy to another position(s) in the future) and/or if there is another legal basis for data storage.  
    Article 16. Data processing of minors 
    1. Minors under the age of 18, who have a desire to use our services, must provide consent from their legal representatives (parent / guardian / carer) regarding the processing of their personal data, except for exceptions provided by law.
    2. Minors under the age of 16 who want to be employed in our company, if the relevant employment relationship does not conflict with the minor's interests, does not harm their moral, physical and mental development and does not limit their right and opportunity to receive compulsory elementary and basic education, must present their legal consent from the representatives (parent / guardian / carer) with regard to the processing of their personal data.
    Article 17. Safety and storage term of the personal data 
    1. The company has implemented appropriate technical and organizational measures to protect the data subject's personal data from unauthorized access, illegal processing or disclosure, accidental loss, alteration or destruction. In addition, the company has limited access to the personal data of the data subject, and the company's employees, contractors and other third parties have access to the personal data of the data subjects only within the scope of their assigned functions and activities. In case, if the company transfers the personal data to the third parties, including the transfer of information to resident person(s) of another country, the company ensures the signing of the relevant agreement on the transfer of personal data, which defines the obligations of the receiving party to the data subject(s) in accordance with the requirements stipulated by the law, to ensure a protection of the personal data. 
    The Company stores the personal data of the data subject(s) only for the period necessary to achieve the objectives for which the said data were collected, including for the purposes of satisfying any legal, accounting, reporting or other requirements. Normally, we will keep the personal data of the data subject for 3 (three) years from the moment we terminate the business relationship with the data subject. The mentioned will allow us to comply with legal and regulatory requirements, or to use for legitimate purposes, such as resolving a problematic issue that may arise. The Company may need to store the personal data of the data subject for a longer period if this is necessary to meet legal and regulatory requirements, for example for legal proceedings. 
    Article 18. Rights of the data subject 
    The Law of Georgia "On Personal Data Protection" grants rights to the data subject(s), which may be limited then if this is expressly provided by the laws of Georgia, does not violate basic human rights and freedoms, and is a necessary and proportionate measure in the democratic society.
    1. The right to receive the information about data processing and its – the data subject has a right to know what kind of data is collected and used about him/her. It means, that as requested, the company should transfer the information, regarding which personal data we process, for what purpose and legal basis, from which source the data was collected/obtained, for what period the data is stored, and in the event that it is not possible to determine such period, information on the criteria for determining the period, as well as information on appropriate data protection guarantees, if the data has been transferred to another country, the identity of the data recipient or the category of data recipient, including information on the basis and purpose of the data transfer, if the data has been transferred to a third party.  
    The present document of the data protection policy is the example of it. The data subject(s) also have a right to receive a copy of the personal data from the company, which is processed according to the acting legislation. 
    2. The right to correct, update and fill the data  - The data subject(s) have a right, to request  to the company to correct, update and/or fill the false, inaccurate and/or incomplete data about him/her and to provide us with the necessary information for this. 
    3. The right to stop, delete and destroy the data - The data subject(s) have the right to request to the company to stop processing, delete or destroy data about them. The company remains the right to refuse stop of the data processing, delete and destruction if: there are the basics of the data procession considered by law, data are processed for the purpose of substantiating a legal claim or objection, data processing is necessary for expression or the implementation of the right of freedom of the information, and data is processed for statistical purposes.
    4. The right to block the data - Data subject(s) may request data blocking (temporary suspension of processing), when the accuracy of personal data is disputed by the data subject and requires stop, delete and destroy of the data, during the period, which will give us the possibility to check the accuracy of personal data and consider the request; When processing is illegal, but, the data subject refuses to delete the personal data and, instead, requests the blocking of the data; The Company no longer needs the personal data for processing purposes, but you need the data to file a complaint/lawsuit; When there is a need to store data to use as the evidence. 
    5. The right to transfer the data - The data subject(s) have the right to request to receive the data they have provided in a structured, publicly usable and machine-readable format or to request transfer of this data to the person responsible for other processing. The company has the right to refuse to meet the request of the data subject(s) if it is technically impossible. 
    6. The right to call out the consent - Data subject(s) may call out the consent at any time, if the above does not contradict the requirements of the legislation. The realization of the right of request is possible when the basis of the processing is the consent of the data subject. Please, take into consideration, that call out of the consent does not cause does not lead to the cancellation of legal consequences arising before the call out the consent and within the framework of the consent. In addition, in case of call out the consent, the company, may will not be able to properly ensure our service to you.  
    7. Right to appeal - The data subject(s) have the right to apply to the Personal Data Protection Service or to the court in case of violation of the rights provided by the law and the established rules during the processing of their personal data in accordance with the terms and conditions stipulated by the legislation of Georgia. The data subject has a right to request to the Personal Data Protection Service to make a decision on data blocking before making a decision on the completion of the review of the application. For more information, you can visit the website of the service: https://personaldata.ge/  
     
    18.1 How is possible to connect the data subject to the company 
    1. The data subjects can directly contact to our team at the email address to exercise their rights: info.ifc.ge. In such case, the data subject clearly should indicate his/her identity and, within the scope of the possibility, the request must be sent to us through the own e-mail, that may be may be registered with the company. 
    We, may need specific information about the data subject to help us to verify his/her identity and provide access to his/her personal data (or to exercise his/her other legal right). This is a security measure that ensures the prevention of disclosure of the personal data of the data subject to the unauthorized person. We may also contact to the data subject upon request for additional information in order to expedite the provision of responsive information. 
     
    18.2  Payment of the fee during access to the personal data
    1. The data subject(s) have a right, to become aware of the personal data existed in the company and get the copies of the data for free, except the cases, when for awareness or/and issuance of the data copies: (a) according to the legislation of Georgia is considered the fee; or (b) A reasonable fee is determined by the company for providing the data in a form other than the storage form due to the resource expended and/or the frequency of the request. 
     
    18.3 The deadline of the company to respond to the data subject 
    1. The company will respond to the legal request of the data subjects within the term  defined by the legislation. 
     
     
    Article 19.   Obligations of the person(s) responsible for data processing, authorized for data processing and co-processing 
    According to the terms of the present policy, with consideration of the processing context and objective, at the time of processing the certain data, the company or/and the third entity mentioned in the annex #1 of the policy, may be the authorized person on processing the data and act on behalf of the person responsible for the data procession, or/and the parties act as the entities responsible for co-processing.   
    If during the data procession, according to the specifics of data processing, one of the parties is the person responsible for data processing, and the other is the person authorized for processing, the authorized person is obliged to:
     
    (a) To process data only in accordance with the written task or instructions of the person responsible for processing, only for the purposes specified in the relevant agreement;  
    (b) To ensure that the individual(s) directly involved in data processing have an obligation of confidentiality;
    (c) To ensure data safety in accordance with the requirements of legislation, including taking appropriate technical and organizational measures to protect information containing personal data from accidental or illegal destruction, alteration, disclosure, acquisition, damage, unauthorized or illegal use in any other form, and accidental or illegal loss; 
    (d) To ensure the recording (including the so-called logging) of all actions performed with respect to data in electronic form (including information on incidents, data collection, modification, access to them, their disclosure (transfer), connection and delete) and the corresponding action the ability to identify the responsible person; When processing data in non-electronic form, the person authorized to process it is obliged to ensure the recording of all actions related to data disclosure and/or change (including information about incidents). 
    (e) Without the prior consent of the person responsible for data processing, do not transfer personal data to the state and/or international organization that does not belong to the economic zone of the European Union and is not specified by the Personal Data Protection Service/its successor as determined by the relevant normative act with appropriate guarantees of personal data protection. in the list of countries; 
    (f) To ensure compliance with the obligations established by the Law of Georgia on personal data protection, to provide appropriate information to the person responsible for processing and to carry out the monitoring of data processing; 
    (g)To take appropriate organizational-technical measures to help the person responsible for the processing in timely response to the requests of the supervisory and other authorized body(s) with regard to the processing of the personal data, as well as related to the exercise of the data subject's rights (blocking, deletion, correction, updating, etc.) fulfilling obligations in compliance with the deadlines specified by the Law of Georgia on personal data protection; 
     (h) Without consent of the responsible person, the person responsible for the processing is not allowed to transfer the procession right to the other entity(ies).  In addition,  In case of the consent of the person responsible for processing the transfer, the person authorized to process is obliged to transfer the right to data processing on the basis of a written agreement, according to which, the data receiver (sub)contractor(s) will be obliged to take all necessary technical and organizational measures to protect against accidental or illegal destruction, alteration, disclosure, acquisition, damage, unauthorized or illegal use and accidental or illegal loss of the personal data in any other form, and they will be subject to all the obligations, fulfillment which is established by this agreement and the law "On Personal Data Protection", the person authorized for processing is responsible; 
     (i) To report any unauthorized access to the personal data or other breach of confidentiality (incident) immediately or within 24 (twenty-four) hours in writing/electronic form to the person responsible for data processing;  
    (j) In case of dispute related to the data processing between the person responsible for data processing and the person authorized for data processing, the person authorized for processing is obliged to immediately stop data processing and fully hand over the data in his/her possession to the person responsible for processing; 
     (k) Upon request of the person responsible for data processing, also in case of termination of the relevant agreement for any reason, The person authorized for processing is obliged to stop data processing and immediately or no later than 10 (ten) calendar days (if the said information has a significant volume and/or requires searching/gathering) must transfer the personal data to the person responsible for data processing and delete/destroy the transferred/shared data without the possibility of recovery. Personal data and information/documentation containing these data stored in electronic or physical form, if the obligation to keep them is not established by law;
    (l) Foe excluding all doubts, the parties agree, that the condition indicated in “j-k” sub-clauses does not apply to personal data processed by one of the parties with the status of the responsible person for data processing; 
    (m) The person authorized on the processing is obliged to compensate the loss to the person responsible for the processing, including any kind of monetary sanction imposed on him/her, which occurred to the latter as a result of the violation of the requirements stipulated by the present policy and legislation on personal data by the authorized person; 
    (n) The issues related to the processing of personal data by the person authorized for processing, which are not covered by this policy, are regulated in accordance with the legislation of Georgia. 
    If during the data procession, according to the specifics of data processing, the parties represent the persons responsible for data co-procession, each person responsible for co-procession (hereinafter – the co-processor) is obliged: 
     
     (a) To take appropriate technical and organizational measures to protect personal data from accidental or illegal destruction, alteration, disclosure, acquisition, damage, unauthorized or illegal use and accidental or illegal loss; 
    (b) To allow access to information only to those employees who perform the rights and duties stipulated by the relevant agreement signed between the parties and who have the obligation to protect the confidentiality of information, including after the termination of the official authority; 
    (c) Closely collaborate to the co-processor, to ensure relevance of the data to the law; 
    (d)To process the personal data within the framework of mutual cooperation, in compliance with the requirements of the relevant agreement and law;
     (e) To cooperate and within the scope of competence to provide support to the co-processor in implementation of the impact assessment on data protection, where this is required by law or relevant normative act;
     (f) Notify the co-processor immediately or no later than 24 (twenty-four) hours in writing/electronically about any unauthorized access to processed personal data or any other breach of confidentiality (incident). The notification should include the information about the incident circumstances, type and time; About the probable categories and number of data that were disclosed resulted of the accident, damaged, deleted, destroyed, obtained, lost, changed without permission, as well as about the probable categories and number of those data subjects, which were endangered as a result of the incident, about the measures implemented or planned by the person responsible for co-processing in order to reduce or eliminate the alleged damage caused by the incident, as well as information about whether the person responsible for (co-)processing plans should notify the data subject about the incident and term; 
     (g) Immediately in written/electronic form should be notified the co-processor regarding appeals received from judicial, law enforcement, regulatory/supervisory bodies and other agencies with a request for disclosure of personal data processed within the framework of the relevant agreement; 
    (h) In case of data collection directly from the data subject, to ensure his/her informing about the purposes of data processing, grounds, terms, person(s) responsible and/or authorized for (co)processing, personal data protection officer (if any) and others. also regarding the data subject's rights provided by law (data blocking, deletion, rectification, updating, etc.);
     (i) To ensure availability of the information on the distribution of obligations and responsibilities between the persons responsible for co-processing to the data subject. In addition, the data subject should not be limited in the right to apply individually to each person responsible for co-processing;  
     (j) At the time of receive the statement/demand/appeal submitted by the data subject in order of realization of his/her rights (data blocking, delete, correction, update and etc.) considered by law, the mentioned demand receiver co-processor should define the co-processor responsible for reviewing the request and in the reasonable term, not to violate the terms of consideration stipulated by the law, send the said request for response. All necessary communications with the data subject must be provided by the co-processor initially receiving the application; 
     (j.a.) The co-processor responsible for reviewing the request is defined as follows: If the data subject's data is part of a data set/combination, which may belong to one certain co-processor, the latter will be responsible for reviewing the data subject's application. In other case, the co-processor who received the data subject's application will be responsible for reviewing the application (who is applied by the data subject);
    (k) Persons responsible for data co-processing are obliged to support each other and support realization of the data subject's rights (blocking, deleting, correcting, updating, etc.) provided by the Law of Georgia "On Personal Data Protection" within the terms and in the manner established by the legislation;
     (l) To implement all other actions, that is considered for the persons responsible for co-processing provided by law; 
     (m) The issues related to co-processing the personal data, which are not considered by the present policy, are regulated in accordance with the legislation of Georgia.
     
     
     
     
    Annex #1 
    Categories of the data issuer or/and receiver third entities 
    In order for the company to fulfill the obligations imposed by the law, to protect legitimate interests, also wholly and properly implement its business activity, according to the basics of the personal data processing and objectives, the company may receive and/or transfer (to make available) information about the data subject(s) to , among others, and not only, the following category of third party(ies). 
    • Insurance company – the company transfers the personal data of their employee(s) to them, for provision of the insurance service. 
    • Courier companies – the company transfers the customers personal data processed by them (for example: phone number, address) for conduction of the courier service and development of the fast food business. 
    • Private institution – such as “Fitpass Georgia” LLC, the company transfers the personal data of their employees, for provision of the relevant service to the data subject. 
    • Public institutions – such as National Agency of Public Registry LEPL, Revenue Service LEPL, Common Courts of Georgia. The company transfers the personal data processed by them, for the purposes of reviewing the application, providing services, protecting the legitimate interests of the company, fulfilling legal obligations and reporting. 
    To the data subject is known and he/she is agree, that the list given in the mentioned annex or/and the webpages administered by the company is not exhaustive and the number of third parties may increase or decrease from time to time, however, the company's actions in terms of processing the personal data of the data subjects will be in accordance with the requirements defined by the law of Georgia "On Personal Data Protection".
    Protection of confidentiality of the personal data is ensured by the third party receiving the relevant information, and the company is not responsible for violation of the confidentiality of the said information by the person receiving the information, unless otherwise provided by law.
     
     
     
    Annex # 2
    Implementation of video monitoring 
    Implementation of video monitoring is allowed for prevention of crime, its detection, protection of personal safety and property, protection of minors (including protection from harmful effects) and other tasks belonged to legitimate interests, (including monitoring of the working process, in order of improvement of the service quality, protection of customers rights) with preserve of the requirements established by the Law of Georgia "On Personal Data Protection", in the company is conducted a video monitoring of the external and internal perimeter, including service spaces, warehouse and workplace(s) through a video surveillance system (hereinafter - monitoring). 
    Monitoring is implemented during 24/7 hours, and the recordings are stored during 15 days or/and for the term, that is necessary for reaching the specific objective, after what it is a subject to automatic destruction, unless there is a need for a longer period of data storage and there is no legal basis. 
    In order to ensure informing of the data subjects, in the visible places by the company are placed the relevant warning signs, which contains the information about video recording and on which is indicated the following kind of information: name of the person responsible for the processing and his/her contact data. 
    In addition, by the company is taken all relevant effective and adequate organizational and technical measures to prevent illegal/accidental disclosure of data reflected in the records, their use, dissemination and others, including: 
    • Theres is ensured a physical safety of the monitoring system; The monitoring system and the relevant technical equipment is placed in the room specially designated for this purpose, where are allowed only the persons with the relevant authority, accordingly access to the recordings have granted to only certain circle of persons employed in the company, at the time of defining their access level and scope are not taken into consideration the functions of the employees and the official need for their access to the records (for example such are in the restaurant branches – the general manager of the restaurant and the deputy general manager of the restaurant, and in the warehouse - the warehouse manager); 
    • The relevant measures have been taken for the information safety of the system, in order to prevent illegal access from the Internet and computer network;
    • All actions performed toward the data existed in the monitoring system totally are fully recorded; 
    • All cases of disclosure of records are recorded and is made a special journal. 
    Access to the saved video recordings, their view and in some cases, transfer to the third entity(s), may be necessary for various reasons, for example, if there is a doubt that in the video recording is shown the fact of crime or offence, the interest of accessing the relevant record is for the purposes of the investigation of the criminal case and administrative offense proceedings, as well as the Personal Data Protection Service when investigating the claim of the data subject(s) and/or in other cases defined by law. As a rule, the company discloses video recordings to third parties based on the written consent of the data subject, a written document submitted by third parties, from where the expressed consent of the data subject regarding the processing/access of his/her personal data or on the basis of the court ruling is clearly defined. 
    The Company implements view of the records and discloses them to third party(ies) (including law enforcement authorities) only if there is an appropriate legal basis(es) provided by law. 
    Data subjects have the following rights with regard to their personal data obtained as a result of video surveillance: 
    • In any time to receive all essential information about procession of their personal data, namely: which data is processed; What is the purpose and legal basis of the data procession; how the data was collected; to whom personal data is provided; what is the basis of the transfer; 
    • To request an immediate correction, addition, or/and update of the personal data; 
    • To request an immediate delete, blocking or/and destroy of the data; 
    • Other rights considered by legislation of Georgia. 
    The rights of the data subject are also defined under 17th clause of the present policy. Also in cases, if the personal data safety of the data subject(s) is under danger and this creates high risks regarding the rights and freedoms of the data subject(s) provided by the legislation of Georgia, the company will immediately notify you about the mentioned.  

     

    Up icon