![AIGL[1].png](https://static.wixstatic.com/media/5df718_07d7bab1f94140c19556e66ee560db69~mv2.png/v1/crop/x_0,y_321,w_595,h_200/fill/w_188,h_84,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/AIGL%5B1%5D.png)
Personal Data Processing Policy
AIG Logistics LLC
I/C: 406447983
Address: Georgia. Tbilisi, D. Aghmashenebeli Ave, 154
Director: Guram Rostiashvili
Approved - 29.08.2025
Table of Contents
-
Purpose of the Policy. 1
-
Principles of Personal Data Processing. 1
-
Grounds for Personal Data Processing. 2
-
Definition of Terms. 2
-
Separate Categories of Data, Purposes of Processing, Grounds. 3
-
Direct Marketing. 4
-
Processing of a Minor's Personal Data. 4
-
Processing of Data About a Deceased Person. 4
-
Rights of the Data Subject: 4
-
Obligations of the Person(s) Responsible for Data Processing, Authorized for Data Processing, and Responsible for Co-processing: 5
-
Measures Taken for the Security of Personal Data in the Organization. 5
-
Incident Response Procedure. 5
-
Personal Data Retention Period. 6
-
Video/Audio Monitoring Procedure. 6
-
Concluding Provisions. 7
Contact Information. 7
The Company guarantees that: 7
1. Purpose of the Policy
For "Auto Import Georgia" LLC, as a responsible company, the high-quality protection and security of personal data is important, as is ensuring that the data processing process complies with the requirements set forth by the legislation of Georgia and international acts.
The purpose of this document is to describe the process of personal data processing within the company.
2. Principles of Personal Data Processing
2.1 Personal data is processed in accordance with the requirements of the Constitution of Georgia, the Law of Georgia "On Personal Data Protection," other relevant national legislative and subordinate acts, and international standards/acts.
2.2 When processing personal data, the company adheres to the following principles:
a) Data is processed lawfully, fairly, transparently, and without prejudice to the dignity of the data subject;
b) Data is collected only for specific, clearly defined, and legitimate purposes;
c) Data is processed only to the extent necessary to achieve the respective legitimate purpose;
d) The data processed by the company is genuine, accurate, and, if necessary, updated. Inaccurate data is corrected, deleted, or destroyed without undue delay;
e) Data is stored only for the period necessary to achieve the respective legitimate purpose of data processing. After the purpose for which the data is processed is achieved, it is deleted, destroyed, or stored in a depersonalized form, except in cases established by law.
f) To protect data security, appropriate technical and organizational measures are taken during data processing, which adequately ensures the protection of personal data.
3. Grounds for Personal Data Processing
3.1 The company processes personal data only if:
a) Consent is given by the data subject;
b) Data processing is necessary for the performance of an obligation under a contract with the data subject or to enter into a contract at their request;
c) Data processing is provided for by law;
d) Data processing is necessary for the company to fulfill its obligations imposed by the legislation of Georgia;
e) According to the law, the data is publicly available or has been made publicly available by the subject themselves;
f) Data processing is necessary to protect the significant legitimate interests of the company or a third party, except when there is an overriding interest in protecting the rights of the subject (including a minor);
g) Data processing is necessary for the consideration of an application (to provide a service to them);
h) In other cases established by the "Law on Personal Data Protection" and the legislation of Georgia.
4. Definition of Terms
4.1 The terms used in this document are descriptive only and are defined based on the specifics of the company's work. The definitions are in accordance with the Law of Georgia "On Personal Data Protection" and their interpretation contrary to the law is not permissible;
4.1.2 Personal Data (hereinafter - Data) - any information related to an identified or identifiable natural person, used for the purposes of the company's activities;
4.1.3 Special Category Data - data related to an identified or identifiable natural person, used for the purposes of the company's activities, and which reveals a natural person's health status, information on conviction, biometric information, and in other cases directly defined by law;
4.1.4 Data Subject - any natural person whose data is used by the company for its own purposes. A natural person can be identified or identifiable;
4.1.5. Company - the data controller who determines the purposes and means of data processing, methods, forms, organizational and technical security measures, as well as the ways to realize the rights of the data subject;
4.1.6. Authorized Person - a person involved in the data processing process on behalf of the company, based on law or contract, who processes data on behalf of and/or for the purposes of the company.
4.1.7. Data Recipient - any person to whom personal data has been transferred for the purposes of the company's activities, including an authorized person, administration employee, or intern;
4.1.8. Data Processing - any active and/or passive action performed on personal data, including video and audio control. Processing can also be carried out by fully automated means, semi-automated, or fully manual means.
4.1.9 Cookies - when the data subject uses the company's website, so-called cookies are collected. Cookies are used to personalize and improve the subject's experience when using the website and for their security. Specifically, for the purposes of facilitating navigation, offering information in the desired format, improving search parameters, secure user authorization, marketing, optimizing website design, and better adapting to the user (cookies determine the operating system version, device model, and other unique device identifiers, the duration of time spent on websites, information about opened pages, online navigation history, browser information, information about actions performed on the company's website, and the language in which information is viewed).
5. Separate Categories of Data, Purposes of Processing, Grounds
5.1 The company processes the following types of information:
a) About personnel - name, surname, photograph, date of birth, age, gender, address, personal number, copy of identity document, series and number of identity document, validity period of identity document, copy of driver's license, autobiography, resume (CV), information about education, information abo1ut foreign language proficiency, copy of diploma or certificate of education, information about computer program proficiency, information about work experience, time of entry and exit from the building, phone number, email address, bank account number, position held, information about remuneration, information about criminal record, information about health status (Form 100);
b) About potential employees - name, surname, autobiography, resume (CV), copy of diploma or certificate of education, information about work experience, information about foreign language proficiency, information about computer program proficiency, time of entry and exit from the building, phone number, email address;
c) About customers - depending on the nature of the relationship with the client during the provision of services, the information processed by the company may include the following categories of data in a volume proportional to the purpose of their processing: name, surname, gender at birth, address (legal and actual), email, phone number.
6. Direct Marketing
6.1 Only after receiving consent from the data subject does the company have the authority to carry out direct marketing, specifically, to send short text, voice, and/or other types of advertising messages to the data subject via telephone call, email, or other telecommunication means, or to offer services, goods, or request any action through direct communication with the user.
-
The data subject has the right to request the data controller at any time to stop using their data for direct marketing purposes, within no later than 5 (five) working days from the receipt of the data subject's request.
-
Personal data processed for direct marketing purposes is stored for the duration of the direct marketing activity from the moment the data subject gives consent for direct marketing.
7. Processing of a Minor's Personal Data
7.1 The company's services are not intended for use by minors. The organization does not intentionally request or collect personal data from persons under the age of 18.
8. Processing of Data About a Deceased Person
8.1 Data about a deceased person is processed by the company for the purpose of fulfilling contractual obligations and realizing the company's contractual authorities/interests, in accordance with the requirements of the Law of Georgia "On Personal Data Protection."
9. Rights of the Data Subject:
9.1 Right to receive information and a copy of the data processing - the data subject is entitled to be informed about the collection and use of their personal data.
9.2 Right to correct, update, and supplement data - if the data processed by the organization is incorrect, incomplete, or inaccurate, the subject is entitled to request the correction, updating, and/or supplementation of the data.
9.3 Right to stop processing, erase, or destroy data - the subject has the right to request the termination, erasure, or destruction of the processing of their data (including profiling).
9.4 Right to block data - the subject can request the blocking of data (restriction of processing) when the accuracy of the personal data is disputed by them; when the processing is unlawful; except when there is a need to store the data for use as evidence.
9.5 Rights related to automated individual decision-making - the legislation gives the subject the right not to be subject to a decision based solely on automated processing, including profiling, except when the decision based on profiling: (a) is based on your explicit consent; (b) is necessary for entering into or performing a contract between the parties; (c) is provided for by law or by a subordinate normative act issued within the scope of delegated authority based on the law.
10. Obligations of the Person(s) Responsible for Data Processing, Authorized for Data Processing, and Responsible for Co-processing:
10.1 To take appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, acquisition, damage, any other form of unauthorized or unlawful use, and accidental or unlawful loss;
10.2 To grant access to information only to those employees who perform the rights and duties provided for in the relevant contract between the parties and who have an obligation to maintain the confidentiality of the information, including after the termination of their official duties;
10.3 To process personal data within the framework of mutual cooperation, in compliance with the requirements of the relevant contract and the law;
10.4 To record activities related to the processing of personal data in electronic and/or material form.
11. Measures Taken for the Security of Personal Data in the Organization
11.1 The company has taken appropriate organizational and technical measures to ensure the confidentiality, integrity, and availability of electronically and physically stored data.
11.2 The organization has implemented suitable technical and organizational measures to protect personal data from unauthorized access, unlawful processing or disclosure, accidental loss, alteration, or destruction. Furthermore, the organization's employees have limited access to personal data, and employees, agents, contractors, and other third parties have access to personal data only within the scope of their assigned functions and activities.
12. Incident Response Procedure
12.1 The authorized person of the company is obliged to immediately - upon discovery of the incident - record the incident, the resulting outcome, the measures taken, and to notify the Personal Data Protection Service in writing or electronically no later than 72 hours after the discovery of the incident, except when it is unlikely that the incident will cause significant harm or pose a significant threat to the fundamental rights and freedoms of a person.
13. Personal Data Retention Period
13.1 Personal data is stored for the entire period of the service to be provided, and after the expiration of the relevant contract: information about the client is stored for a period of 3 years; based on the employment relationship, the relevant documentation is stored in the organization for a period of 10 years after the termination of the contract; also for 10 years after its completion, for predetermined reasons:
-
To respond to questions and complaints;
13.2 The organization reserves the right to store your personal data for more than 10 years for legitimate business or legal purposes, such as security, prevention of fraud and its misuse, and others.
14. Video/Audio Monitoring Procedure
14.1 For the purposes of crime prevention, its detection/investigation, public safety, protection of persons and property, protection of confidential information, and the fulfillment of other important tasks attributed to the sphere of legitimate interests (including incident management and protection of consumer rights, process monitoring, risk management, etc.), the company conducts video-audio monitoring of the internal perimeter of the building(s), including meeting rooms, service areas, and workplaces, through a video surveillance system (hereinafter - Monitoring), in compliance with the requirements established by the Law of Georgia "On Personal Data Protection."
14.2 Monitoring is carried out 24/7.
14.3 Recordings are stored for 30 days and/or for the period necessary to achieve a specific purpose, after which they are subject to automatic destruction, unless there is a need and legal basis for longer-term data storage.
14.4 To ensure information is provided, appropriate warning signs are placed in conspicuous locations, containing information about both video and audio recording.
14.5 The organization has taken all appropriate effective and adequate organizational-technical measures to prevent the illegal/accidental disclosure of data reflected in the recordings, their use for undesirable purposes, dissemination, and more, including:
a) The physical security of the monitoring system is ensured; the monitoring system and relevant technical equipment are located in a secure room(s) where only persons with appropriate authorization are allowed;
b) Access to the recordings is granted only to a specific circle of employees, whose level and scope of access are determined by considering the employees' functions and their official need for access to the recordings;
c) Appropriate measures have been taken for the information security of the system, to prevent illegal intrusion from the internet and computer network;
d) All actions performed on the data in the monitoring systems are fully recorded;
e) All cases of disclosure of recordings are recorded.
14.6 Access to, viewing of, and in some cases, transfer of stored video recordings to third parties may be necessary for various reasons, for example, if there is a suspicion that the video recording reflects a crime or other offense (including an administrative offense), the body conducting the proceedings may have an interest in accessing the relevant recording for the purposes of a criminal investigation and administrative offense proceedings.
14.7 Viewing and disclosure of recordings to third party(ies) (including law enforcement agencies) is carried out only in the presence of the relevant legal ground(s) provided by law.
14.8 During telephone communication, incoming or outgoing calls to/from the hotline (if implemented), as well as to the relevant internal number via the hotline (if any), are automatically recorded and processed through a call recording system (audio monitoring) for the purposes of improving and properly performing services, considering and responding to applications and claims, monitoring compliance with the code of ethics and standards of professional conduct, as well as protecting other legitimate interests (including the creation of evidence with legal force), or in other cases directly provided for by legislation, and where necessary, based on your consent, in compliance with the requirements established by the Law of Georgia "On Personal Data Protection."
15. Concluding Provisions
15.1 Rules and processes not defined by this policy are regulated in accordance with the legislation of Georgia.
Contact Information
The data subject is entitled to contact the company at any time to receive necessary information related to this policy, at the address: Tbilisi, Ts. Dadiani 123/125, or by e-mail: Mikaberidze.r@gmail.com, or by contacting: +995 595 53 53 71'
The Company guarantees that it will:
-
Take care of the security of the personal data of data subjects;
-
Not use personal data unlawfully;
-
Act in accordance with the Law of Georgia on Personal Data Protection.
AIG Logistics LLC
Last updated: August 29, 2025