FREQUENTLY ASKED QUESTIONS

The current Law of Georgia “On Personal Data Protection” does not impose an obligation to maintain a “file system catalog.” However, Article 28 of the Law specifies the information that the data controller or data processor must record in connection with data processing.

Such data must be recorded either in written or electronic form and must be provided to the Personal Data Protection Service of Georgia immediately upon request, and no later than within 3 days.

 

According to the Law of Georgia “On Personal Data Protection”, audio monitoring refers to the processing of voice signal data (audio control and/or audio recording) using technical means installed in public or private spaces. Accordingly, recording a telephone conversation falls within the scope of audio monitoring.

Data processing through audio monitoring is permissible in several cases:

  • With the consent of the data subject;
  • For the purpose of producing a recording notes;
  • To protect the legitimate interests of the data controller, provided that appropriate and specific measures are in place to safeguard the rights and interests of the data subject;
  • In other cases explicitly provided for by the legislation of Georgia.

Therefore, audio monitoring without the consent of the data subject is only permitted if one of these other legal grounds applies.

A warning sign about ongoing video monitoring must include the information required by law, specifically:

  • A clear and easily understandable inscription and image indicating that video monitoring is in progress;
  • The name of the data controller;
  • The contact details of the data controller.

This obligation also applies to a natural person conducting video monitoring of the common entrance and common areas of a residential building.

Data controller or processor are obliged to place a warning sign indicating ongoing video monitoring. The location, inscription, and image on the sign must be clearly visible to anyone entering the monitored area. Additionally, signs must be placed in all areas of the building where video monitoring is actively conducted.

The controller is obliged to ensure the security of personal data when conducting video monitoring. In particular, the video monitoring system and video recordings must be protected from unauthorized access and use. The controller must ensure that every access to the video recordings is logged within the same system, including the time and username, enabling identification of the person accessing the recordings.

The above objectives cannot be effectively achieved if the controller records access to the video monitoring manually (in writing) or by storing access information in an Excel file.

The data controller is required to determine in writing, in accordance with the principles of personal data processing, the purpose and scope of video monitoring, the duration of the monitoring, the storage period of the video recordings, the rules and conditions for accessing, storing, and destroying the recordings, as well as the mechanisms for protecting the rights of the data subject, in the document detailing the implementation of video monitoring.

The scope of video monitoring includes information about the area or perimeter under surveillance (for example, video monitoring is carried out in the corridor located on the 1st floor). The mechanisms for protecting the rights of the data subject include the rights established in Chapter 3 of the Law of Georgia “On Personal Data Protection”, such as the right to receive a copy of data, to blocking data and to appeal.

Consent is not the only legal ground for processing personal data. Data processing is permissible if any other ground provided under Article 5 of the Law of Georgia “On Personal Data Protection” (or Article 6 for special categories of data) applies.

For example, if data processing is required by the law, the consent of the data subject is not necessary.

The employer is obliged to assess and justify the period for which it is necessary to store documents containing the personal data of employees. Upon expiration of this period, the employer must ensure their destruction or storage in a depersonalized form.

It may not always be justified to delete all documents immediately after the termination of the employment relationship, including when they are needed to determine the existence or termination of a legal relationship.

It is important for the employer to evaluate the legitimate purposes for retaining each document within the scope of the employment relationship and to align the data retention period with those purposes.

The company, as the data controller, decides whether to process data through a data processor. Data processor may be either a legal entity or a natural person who processes data on behalf of the controller, based on the tasks and instructions defined by the controller.

It should be noted that the data processor may process data only on the basis of a relevant legal act or a written agreement (contract). The existence of such a contract between the controller and processor is a mandatory legal requirement for their relationship.

A natural person employed by the company is not considered data processor.

The Personal Data Protection Service of Georgia is obliged to examine the lawfulness of data processing based on a data subject's application. The period for reviewing the application shall not exceed 2 months.

In exceptional cases, this period may be extended by no more than 1 month, based on a reasoned decision of the Service.