Version: 1.0
Date: 2025
Prepared by: the Administrative Department
Approved: the president of the organization
1 Confidentiality Policy
1.1 About the Organization
N(N)LE Curatio International Foundation (hereinafter ‘the Foundation’); ID: 203834716; legal address: 37D Chavchavadze Ave., Vake District, Tbilisi, Georgia; actual address: 3 Kavsadze Str., Vake District, Tbilisi, Georgia; date of registration: April 16, 1999.
1.2 Definition of Terms
For the purpose of the document the terms provided below shall have the following meaning:
Personal data (hereinafter referred to as ‘the data’) – any information related to an identified or identifiable individual. An individual is identifiable when it is possible to identify the person, directly or indirectly, including by the first name, last name, personal identification number, geolocation data, electronic communication identifiers as well as by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.
Processing of data – any operation performed on personal data, including collecting, obtaining, accessing, photographing, video or audio recording, organizing, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying as well as disclosing by transmission, publication, dissemination or otherwise making available.
Data subject – any individual, whose data are processed.
Audio-video recording – using technical facilities by a representative of the Foundation to process audio signals, specifically to make audio recordings.
Data controller/the Foundation – N(N)LE International Curatio Foundation – the organization which individually determines the purposes and means for the processing of personal data and performs the processing itself.
Authorized person – An expert/researcher of the Foundation, or a person employed by the Foundation, who makes audio recordings and/or any person designated by an internal act of the President who is granted the right to access audio recordings.
Incident − breach of security of data leading to unlawful or accidental damage or loss of data or the unauthorized disclosure, destruction, alteration of or access to data or the collection/obtaining of data or other unauthorized processing.
Data destruction – an event that results in data not existing at all or not existing in any usable form.
Damaging data – an event that results in altering data, making them inaccurate or incomplete.
Data loss – an event when data may still exist, however, they are no longer in the possession of the Foundation or are held in the Foundation but without the Foundation having control over them and/or access to them.
Working place – An internal or external area of the Foundation, where the people employed by the organization perform their job duties.
The Law – The Law of Georgia on Personal Data Protection that is in effect at the time of approval of this policy.
Other terms used in this policy document have the meaning as defined by the Law of Georgia on Personal Data Protection.
1.3 Purpose of Confidentiality Policy
As a responsible organization, N(N)LE Curatio International Foundation considers it important to provide a high standard of personal data protection and security as well as to ensure that data processing complies with the requirements of Georgian legislation and applicable international regulations.
The purpose of this document is to describe the personal data protection process in the Foundation.
1.4 Principles of Data Processing
The Foundation processes personal data in accordance with the requirements of the Constitution of Georgia, the Law of Georgia on Personal Data Protection, other relevant national legislative or sub-legislative acts and applicable international standards/acts.
When processing personal data, the Foundation adheres to the principles of lawfulness, fairness, transparency, data processing without infringing data integrity, purpose limitation, data minimization, data authenticity and accuracy, data retention limitation and data security.
Which personal data does the Foundation collect?
1.5 Categories of Personal Data
In order to duly perform its functions, the Foundation collects and processes personal data that can be grouped into the following categories:
| Data Category | Description |
|---|---|
| Identification data | First name, family name, gender, date and place of birth, personal identification number/passport number (ID card/passport data), citizenship |
| Contact details | E-mail address, telephone number, place of residence |
| Sociodemographic data | Information about employment/profession, education |
| Data related to social relationships | Information about family members, including about children |
| Financial data | Bank account details |
| Special category data | Health condition-related data |
| Other data | A photo |
1.6 Whose Personal Data the Foundation Collects, for What Purpose(s) and on What Ground(s)?
I. Employees’ personal data
| Purpose of data processing | Data category | Basis for the processing of personal data | Retention period |
|---|---|---|---|
| Conclusion of an employment contract and fulfillment of obligations arising from it | Identification data; Contact details; Sociodemographic characteristics; Data concerning social relationships (for health insurance); financial data; other data (a photo) | Consent of the data subject; To perform contractual obligations; Legitimate interest of the data subject; The Foundation’s legal obligation | After the termination/expiration of the contract, for the period necessary to fulfill the obligation specified by law and additionally for the period necessary to achieve the legitimate purpose of issuing a certificate to a former employee. The Foundation shall retain employee data – such as health certificates/certificates of sick leave – for which the obligation to retain the data does not arise from legislation and no other legitimate interest is apparent for a period of no more than 1 (one) year. |
| The source of data collection | The data is collected directly from an employee | | |
II. Personal Data of Job Applicants
| Purpose of data processing | Data category | Basis for the processing of personal data | Retention period |
|---|---|---|---|
| Determining the suitability of a job applicant’s qualification in relation to the position to be filled | Identification data; Contact details; Sociodemographic characteristics | Consent of the data subject; Legitimate interest of the Foundation | The Foundation does not retain and ensures the destruction of personal data of the candidates who were not offered employment |
| The source of data collection | The data is collected directly from a job applicant | | |
III. Research subject data
| Purpose of data processing | Data category | Basis for the processing of personal data | Retention period |
|---|---|---|---|
| Conducting research by the Foundation | Identification data; Contact details; Sociodemographic characteristics | Consent of the data subject; Legitimate interest of the Foundation | For the period specified in the research protocol approved by the Ethics Committee |
| Conducting research by the Foundation | Special category data | Consent of the data subject; Legitimate interest of the Foundation | For the period specified in the research protocol approved by the Ethics Committee |
| The source of data collection | The data is collected directly from the data subject | | |
IV. Personal data related to contracts for the purchase of service and/or goods
| Purpose of data processing | Data category | Basis for the processing of personal data | Retention period |
|---|---|---|---|
| Receipt and purchase of items/goods and services by the Foundation | Identification data; contact details; sociodemographic characteristics (these data are collected only when a respective agreement is signed with a legal entity, with respect to the position held by its representative in this legal entity) | Consent of the data subject; Legitimate interest of the Foundation; For the fulfillment of contractual obligations | For a period of 4 years from the date of termination/the due date of the agreement, to comply with obligations prescribed by law. |
| The source of data collection | Personal data are collected directly from individuals or from legal entities with whom the agreement is signed. | | |
1.7 Data of Minors
The Foundation does not process personal data of minors, other than when these data are shared by an employee with an insurance company.
1.8 Personal Data of a Deceased Person
The Foundation processes personal data of deceased persons for the purpose of fulfilling contractual obligations and exercising Foundation’s contractual rights and interests, in accordance with the requirements of the Law of Georgia On Personal Data Protection.
1.9 Monitoring
The Foundation does not conduct continuous video and audio monitoring. Monitoring is conducted in exceptional cases.
Occasionally, the Foundation records webinars and/or meetings for educational purposes in order to share them subsequently with a limited audience. In such cases, the Foundation notifies the attendees and obtains their consent. Anyone who does not wish to be recorded may choose not to attend the webinar.
The Foundation also makes audio recordings of interviews as part of qualitative research. The details of the relevant procedure are set out in the Procedure for Audio-Video Recording in this policy document.
1.10 Sources of Data Obtained by the Foundation and Measures Taken to Protect Them
The Foundation receives personal data of the data subject, when:
- The data subject applies to the Foundation for a vacant position;
- The data subject becomes an employee of the Foundation;
- A service or other type of agreement is signed with the data subject;
- The data subject sends letters via regular mail or email;
- The data subject registers on the Foundation’s expert database;
- The data subject participates in qualitative or quantitative research organized by the Foundation, having signed an informed consent form in accordance with the ethical norms of the research;
- The data subject participates in meetings/webinars organized by the Foundation.
1.11 Personal Data Security
The Foundation has implemented appropriate technical and organizational measures to ensure that personal data of the data subject are processed lawfully. Moreover, the Foundation has taken organizational and technical measures to safeguard the confidentiality, integrity and accessibility of data in both electronic and physical form.
1.12 Rights of the Data Subject
The data subject is entitled to:
- Request confirmation as to whether the Foundation processes their personal data and whether such processing is substantiated; upon request receive free of charge the information about the data being processed, including the purpose and basis of such processing, the source from which the data was collected/obtained etc.
- Review the personal data held by the Foundation and receive copies of such data;
- Request the correction, updating and/or completion of false, inaccurate and/or incomplete data about him/her;
- Request termination, erasure or destruction of the personal data;
- Request the blocking of the personal data;
- In the case of automated data processing, if this is technically feasible, the data subject may receive the data provided to the Foundation by them, in a structured, commonly used and machine-readable format or request the transfer of such data to another data controller;
- To withdraw the consent on data processing given to the Foundation at any time, without any clarification or substantiation;
- In case of violation of the rights, the data subject may apply to the Personal Data Protection Service and/or the court in compliance with law.
1.13 Personal Data Obtained from Third Parties
In accordance with procedures and within the limits established by law, the Foundation has the right to request and receive personal data of the data subject from third parties, provided there is a proper basis, including the consent of the data subject.
In such a case, the Foundation shall consider the rights and obligations established by Article 25 of the Law of Georgia on Personal Data Protection, including the obligation to inform the data subject.
1.14 Sharing Personal Data
In order to perform a specific assignment, the Foundation may share personal data of the data subject with a third party, in cases when the Foundation uses services of third parties or other providers as part of its basic activities, for example: i. A company providing IT services; ii. Legal, audit, accounting or other professional services provided to the Foundation by lawyers, notaries, authorized representatives, audit companies etc.; iii. The insurance company, which provides insurance services for Foundation employees (former employees, their family members and relatives); iv. The commercial bank, through which Foundation employees receive remuneration for the work performed; v. Personal data are transferred for the purpose of fulfilling obligations imposed by Georgian law; vi. Sharing personal data with third parties for a similar legitimate purpose.
The Foundation transfers personal data to third parties solely based on a legislative act or an agreement, which specifies the grounds and purpose for data processing, the categories of data to be processed, the period of data processing as well as rights and obligations of both the data controller and data processor.
The Foundation complies with the requirements of the laws of Georgia and is obliged, as required by law, to transfer the requested information, including personal data, to state authorities and/or organizations specified by law, at the frequency prescribed by law.
In accordance with the laws of Georgia, the Foundation transfers personal data, solely for the purpose of fulfilling its legal obligations and, as such, has no control over the publication and/or subsequent processing of those data. In order to obtain additional information and/or exercise their rights in this respect, the information subject must apply to the state authorities. The Foundation bears no responsibility for transferring personal data for this purpose.
1.15 International Data Transfer
The Foundation may transfer personal data internationally during an employee’s business trip, to a relevant organization. In this respect, the Foundation obtains the employee’s prior consent, as required by law.
Moreover, the Foundation may use a platform or software solutions for electronic document management provided by a foreign company, the server of which is located outside of Georgia. In such cases the Foundation will use only those platforms or software solutions provided by companies located in countries that offer adequate personal data protection guarantees, as defined by Order No. 23 of the Head of the Personal Data Protection Service (dated February 29, 2024).
In the above-mentioned cases the Foundation will take appropriate technical and organizational measures to ensure the security of personal data.
1.16 Procedure for Termination of Processing, Erasure and Destruction of Data
The Foundation terminates data processing, erases or destroys personal data on its own initiative or at the request of the data subject.
On the Foundation’s initiative, personal data are erased or destroyed within 30 (thirty) calendar days following the expiration of the personal data retention period. Data in physical form are destroyed using a shredder, while data in electronic form are erased electronically, in a manner that prevents their recovery.
A request for the termination of data processing and for the erasure or destruction of personal data may be submitted in writing, either by sending an e-mail ([email protected]) or by delivering a hard copy of the letter to the Foundation (address: 3 L. Kavsadze St., Office 5, Tbilisi).
The Foundation shall no later than within 10 working days from the submission of the request (unless some other period is established by Georgian law) terminate the data processing and/or erase/destroy the data or decline the data subject’s request, indicating the grounds for such refusal and explaining the procedure for appeal.
An act of destruction/erasure of personal data shall be drawn up, indicating at least the following information: details of the destroyed/erased data, the basis for the destruction/erasure, the method of destruction/erasure, the signature(s) of the authorized person(s) and the date of destruction or erasure.
The person(s) authorized for the erasure and destruction of personal data shall be designated by an order of the president of the Foundation.
1.17 Other Conditions
Matters not covered by this policy document shall be regulated by the Law of Georgia on Personal Data Protection and normative acts adopted pursuant to that law.
1.18 Amendments to Confidentiality Policy
This document shall be updated periodically by the Foundation.
Amendments to the document shall be made through publication on the website of the Foundation. Data subjects are responsible for periodically reviewing such amendments. The Foundation will provide a personal notice of any amendments only when such obligation is imposed by law.
1.19 How to Contact the Foundation?
If the data subject would like to exercise their rights granted by law and this document, they may contact the Foundation via email: [email protected] or visit the Foundation in person or through a representative to submit an application (address: 3 Kavsadze Str., Office 5, Tbilisi). Moreover, to ensure that the Foundation discloses personal data to the data subject or their authorized representative, the application shall be accompanied by a copy of the ID card (when the application is submitted by the data subject) or by a power of attorney and a copy of the ID card (when the application is submitted by an authorized person/representative). The data subject’s application is reviewed in accordance with the Procedure for Considering Applications on Personal Data approved by the Foundation.
www.curatiofoundation.org
In addition to the above-mentioned channels, it is possible to contact the Foundation at the following telephone number: +995 032 2 25 31 04 or by email at [email protected], Monday through Friday.