Personal Data Protection Policy

Date of the last update: 30 July 2024

 

Introduction

 

The purpose of this document is to set out the Personal Data protection policy and the Data Protection obligations of NELE Charitable Institution for Support to Adults with Cancer - Find Your Path (hereinafter referred to as the “Organization”), as well as a description of the safeguards of the data subjects’ rights in accordance with the requirements of the relevant Georgian and European Union legislation (namely, the General Data Protection Regulation - GDPR).

Definitions

 

Unless the context requires otherwise, the following definitions shall apply within this Policy.

 

Personal Data - Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly.

Special Category of Personal Data - has the meaning given to it in the law of Georgia on Personal Data Protection, including data on a person’s mental or physical health.

Processing of Personal Data - any operation performed on Personal Data, including collecting, obtaining, accessing, photographing, video monitoring and/or audio monitoring, organizing, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying, and disclosing by transmission, publication, dissemination or otherwise making available.

Controller - A person or entity who determines the purposes and means of the processing of Personal Data, and who processes Personal Data directly or through a Processor. For the purposes of the present Personal Data Policy, the Organization is the Controller.

Data Subject - any natural person whose Personal Data are being processed.

Processor - Any person who processes Personal Data for or on behalf of the Controller, who is not a natural person in a labour relationship with the Controller.

Personal Data Protection Officer – A person determined/appointed by the Organization or the Processor to perform the functions set out in the law of Georgia on Personal Data Protection and this policy, which includes informing and consulting the Controller and the Processor, monitoring compliance with the appropriate Data Protection legislation, informing the Data Subject about details of processing and their rights, etc.

For the avoidance of any doubt, the Organization does not have a Personal Data Protection Officer as of the date first indicated above.

 

The Organization - NELE Charitable Institution for Support to Adults with Cancer - Find Your Path, a non-entrepreneurial (non-commercial) legal entity registered in accordance with the laws of Georgia with identification number: 404624652.

Aim and Scope of this Policy

 

  1. The Organization, which is a Controller, shall comply with the Personal Data Protection rules set out in the relevant Georgian legislation as well as the European Union legislation (namely, the General Data Protection Regulation - GDPR) and this Privacy Policy.

  2. This Policy applies to all Personal Data collected, processed and stored by the Data Controller in relation to its staff, service providers and clients in the course of its activities. The present policy applies equally to the employees of the Organization, as well as non-employees.

  3. The policy covers Personal Data, including Special Categories of Personal Data held in relation to Data Subjects by the Organization. The policy applies equally to Personal Data held in automated, semi-automated and non-automated form.

 

 

Processing of Personal Data

 

In the course of its activities, the Organization acquires, processes and stores Personal Data in relation to:

 

  • Employees of the Organization;

  • Clients of the Organization;

  • Third party service providers engaged by the Organization.

 

The Organization processes Personal Data in accordance with the legislation of Georgia and the present Policy.

 

 

Due to the nature of the services provided by the Organization, there is a regular and active exchange of Personal Data between the Organization and the Data Subjects. In addition, the Organization, as the Controller, or the Data Subjects directly might exchange Personal Data with the Processors.

The above is consistent with the Organization’s obligations under the terms of its contracts with its Data Processors and Data Subjects, if any.

Rights of Data Subjects

 

The Organization has rights set out in the law of Georgia on Personal Data Protection, which include, among others:

  1. Right to receive information on the processing of Personal Data;

  2. Right to access and to obtain a copy;

  3. Right to the rectification, update and completion of Personal Data;

  4. Right to the termination of the processing, erasure or destruction of Personal Data;

  5. Right to the blocking of Personal Data;

  6. Right to the transmission of Personal Data;

  7. Right to withdraw consent;

  8. Right to appeal.

The Data Subject is informed that they can obtain information about their rights from the relevant authorized representatives of the Organization.

 

Data Subject Requests

 

Any formal, written request by a Data Subject regarding the processing of their Personal Data shall be immediately referred to the relevant authorized representative of the Organization, who shall assess the request and, if it is granted, fulfil it as soon as possible, but no later than the term set out in the law of Georgia on Personal Data Protection.

Data Processors

 

In the course of its role as a Controller, the Organization engages a number of Processors to process Personal Data of Data Subjects. In each case, a formal, written contract is in place between the Organization and the Processors, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the Personal Data in compliance with the applicable Data Protection legislation.

The Data Protection Principles

 

The Organization processes Personal Data in accordance with the principles set out in the legislation. Thus, the Organization, as the Controller, complies with, among others, the following principles:

1. Obtaining and processing Personal Data fairly and lawfully.

 

For fair processing of Personal Data, the Data Subject is aware of the following information before or at the time of the Personal Data collection, or as set out in the applicable legislation:

a) the identity/name and the contact details of the Organization as the Controller, its representative(s) and/or the Processor(s) (if any);

b) the purposes and the legal basis of the processing of Personal Data;

 

c) whether the provision of the Personal Data is mandatory, and where the provision of the Personal Data is mandatory, the legal consequences of refusal to provide them, as well as the information that the collection/obtaining of the Personal Data is required by the legislation of Georgia or is a necessary condition for entering into a contract (if such information exists);

d) the legitimate interests of the Controller or a third party, if Personal Data are processed to protect important legitimate interests pursued by the Controller or a third party;

e) the identity and the contact details of the Personal Data Protection Officer (if any);

f) the identity of the recipients or categories of recipients of the Personal Data (if any);

g) the planned transfer of Personal Data and the existence of appropriate safeguards for the protection of the Personal Data, including authorization to transfer the Personal Data (if any) if the Controller plans to transfer the Personal Data to another state or an international organization;

h) the period for which the Personal Data will be stored and, if no specific period can be determined, the criteria used to determine that period;

i) the rights of the Data Subject;

j) if Personal Data are not collected directly from the Data Subject, information as to which data concerning him/her are being processed, and the source of the data, including whether the Personal Data have been obtained from a publicly accessible source.

 

2. Obtaining Personal Data only for legitimate purposes.

The Organization obtains and processes Personal Data for specified, explicit and legitimate purposes. The Organization does not process Personal Data further for other purposes that are incompatible with the initial purposes, unless it is based on the consent of the Data Subject or the law.

3. Security of Personal Data.

 

The Organization has taken technical and organizational measures available to it which ensure appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction and/or damage.

4. Necessity and proportionality of the processed Personal Data.

 

The Organization processes Personal Data only to the extent necessary to achieve the respective legitimate purpose and proportionate to such purpose.

5. Accuracy of Personal Data.

The Organization ensures through means available to it that the Personal Data are valid and accurate and, where necessary, kept up to date.

 

6. Personal Data will not be kept for longer than is necessary to satisfy the specified purpose(s).

The Organization has a Personal Data registry, which indicates the retention period for different categories of Personal Data.

 

Once the respective retention period has elapsed, the Organization destroys, erases or depersonalizes the Personal Data.

 

Implementation

 

The Organization adopts available measures to implement this Policy and perform its obligations related to Personal Data Protection. Among others, failure of the Organization’s staff to process Personal Data in compliance with this policy may result in disciplinary proceedings.

Contact information:

E-mail: 

data-processor@gotreatcancer.com

info@gotreatcancer.com
