Personal Data Protection Policy
LLC “W-Geo Restaurants“ is a company registered in compliance with Georgian law (hereinafter referred to as the “Company”)
Identification code: 405404076
Address: I. Chavchavadze Ave #74b, Tbilisi
Website: www.wendys.ge
Article 1. Personal Data Protection
1.1 The personal data protection policy of LLC “W-Geo Restaurants” (hereinafter “Policy”) lays out the goals, fundamental principles, and procedures for processing personal data and outlines the key measures to ensure data security.
Article 2. Purpose and Scope of Personal Data Collection
2.1 The purpose of the policy is to define the rules and procedures for protecting and handling personal data gathered by the company, taking into account its objectives and operations, to ensure that the procedure for data processing is carried out in compliance with the law, to protect the rights of individuals, and to assure processing transparency.
2.2 This policy is entirely applicable to any personal data processed by the company, regardless of the method and regulates both the protection and processing of personal data. This policy applies to the company’s customers, users of the website and/or its individual components, users of the company’s application, employees of the company, contractors, and anyone else whose data is handled by the Company; it also covers data recipients and authorized individuals who process personal data on behalf of the company.
Article 3. Definition of Terms
3.1. The terminology used in this document are solely descriptive and defined in accordance with the company’s job specifications. The definitions are compliant with the Georgian Law on Personal Data Protection and their interpretation contrary to the law is not permitted;
3.1.2. Personal data (hereinafter referred to as “data”) is any information pertaining to an identified or identifiable natural person that may be used for the objectives of the company’s operations;
3.1.3. Special category data – information about an identified or identifiable natural person that may be used for the company’s activities and includes, but not limited to, details about the person’s health, criminal record, and biometric information;
3.1.4. Data subject – any natural person whose existing data is used by the company for its own objectives. A natural person can be identified or identifiable;
3.1.5. Company – data processor that sets the goals and means of data processing, methods, forms, organizational and technological security measures, and ways for exercising the data subject’s rights;
3.1.6. Authorized person – a person who, pursual to law or contract, is involved in the company’s data processing activity and processes data on behalf of the company and/or for its own purposes.
3.1.7. Data recipient – any individual to whom personal information has been sent for the purposes of the company’s activities.
3.1.8. Data processing – any active and/or passive action taken on personal data, including video and audio control. Processing can also be done using entirely mechanical, fully automated, or semi-automated methods.
Article 4. Purposes of Data Processing
4.1 The purposes of processing personal data are determined by the activities of the company and are related to the provision of services and goods, enhancing the quality and delivery of such services and goods, adhering to safety regulations, and carrying out labor-related operations for employees of the company.
4.2 Personal data is processed for the following specific objectives:
- Providing offered services;
- Concluding contracts or deals;
- Managing employee relationships;
- Special offers and marketing for consumers;
- Evaluating user behavior on the company website through statistical and analytical evaluation;
- Conducting research to improve products and services, and analyzing consumer usage of the company’s products and services;
- Improving service quality and considering consumer needs;
- Ensuring safety and property protection.
Article 5. Principles and Bases of Data Processing
5.1 The company handles information in a lawful, equitable, transparent manner for the data subject, without infringing upon their dignity.
5.2 Data will be gathered only for specific, clearly defined, and lawful purposes, and it will be only handled to the degree required to fulfill this lawful purpose.
5.3 The company will only collect and retain original, correct and, if needed, updated data. Inaccurate data will be modified, removed, or destructed without delay for the purpose to comply with data processing purposes;
5.4 Data will be store for just the time required to meet the applicable lawful purpose of data processing. Data will be deleted, destroyed, or stored in a depersonalized form once the intended use has been met, except when data processing is required by law and/or subordinate normative act issued in compliance with the law, or where storing data is an essential and appropriate precaution to safeguard dominant interests in a democratic society.
5.5 Additionally, the company guarantees that sufficient organizational and technical safety measures will be applied throughout data processing to protect data from unauthorized or unlawful processing, accidental loss, destruction and/or damage.
Article 6. Personal Data Processed in the Course of Business Activities
The company processes the subsequent categories of data:
6.1 Regarding personnel – name, surname, photo, date of birth, age, gender, address, personal number, copy of identity document, series and number of identity document, validity period of identity document, copy of driver’s license, autobiography, resume (CV), information about education, information about proficiency in foreign languages, a copy of diploma or certificate of education, details about computer programs, information about work experience, the time of entry and exit from the building, phone number, email address, bank account number, information regarding military duty, current employment (job title), information about remuneration, criminal record, and health status (Form 100); relevant details about the contact person, and social relationship information.
6.2 Regarding job applicants – name, surname, resume (CV), a copy of diploma or certificate of education, information about work experience, information about proficiency in foreign languages, details about computer programs, the time of entry and exit from the building, phone number, email address; identity card.
6.3 Regarding consumers – Depending on the nature of the relationship with the client during service provision, the information it processes may comprise the following data categories in a volume proportional to the reason for processing them: name, surname, date of birth, gender, address (legal and physical), email address, and phone number;
6.4 The term of storage for data processed by the company is determined in accordance with the requirements provided by the Georgian law;
6.5 The company stores its processed data in a file system;
6.6 The company guarantees that employees and consumers are informed of the personal data processing through the contract and data protection policy document.
Article 7. Direct Marketing
7.1 Only with the express consent of the data subject is the company authorized to carry out various marketing offers, send brief text, voice and/or other types of advertising messages to the data subject via phone call, email, or other telecommunication means, or to offer goods or services, or request any kind of action through direct communication with consumer.
- The data subject is entitled to request, at any time, that the data processor stop using their data for direct marketing purposes, but no later than 5 (five) working days of the data subject’s request being received.
- Personal data processed for direct marketing purposes is stored from the moment the data subject gives consent for direct marketing until the duration of the direct marketing campaign.
Article 8. Rules and Conditions for Consent to Process Data About Minors:
8.1 Data processing about a minor is permissible with their consent if they are over 16; If they are under 16, processing a minor’s data is allowed with consent of their parent or other legal representative, unless otherwise specified by law, such as where processing data requires the consent of a minor between the ages of 16 and 18 and their parent or other legal representative.
Article 9. Protection of Data Concerning a Deceased Person
9.1 Following a data subject’s death, data processing is only allowed in the manner expressly stated in the Law of Georgia on Personal Data Protection.
Article 10. Rules for Video and Audio Control
10.1 To ensure safety and property protection, and service quality control in compliance with the requirements set forth by the Law of Georgia on Personal Data Protection, the company uses video surveillance and audio recording systems to monitor the external perimeter and entrances of the building, as well as workplaces.
10.2 A warning sign regarding video surveillance on the external perimeter of the company is placed in appropriate visible places;
10.3 Audio control is only allowed in situations directly specified by the Law of Georgia on Personal Data Protection and with the subject’s consent;
10.4 Records retrieved from audio/video surveillance are stored for a duration ranging from 14 to 60 days, depending on the facilities.
10.5 To improve customer service, the data subject will be notified about ongoing video surveillance and audio recording in the company’s service areas, as well as recording of telephone calls during the company’s phone communication, in compliance with the requirements of the law.
Article 11. Rules for Using Email and Phone Number
11.1 To facilitate efficient and timely communication, the company processes the email addresses and phone numbers of employees and service providers;
Article 12. Subjects with the Right to Access Data
12.1 The relevant departments within the organization have access to the data processed within their own competence under the scope of the relevant purpose and applicable proportions.
Article 13. Person Responsible for Personal Data Processing
13.1 To ensure the effective protection of the subject’s rights and the proper fulfillment of the requirements of personal data protection legislation, the company has designated the head of the Human Resources Management Service, IT Service, Financial Department, Procurement Department, and Marketing Department, as the person responsible for processing personal data, based on functions and duties distributed among departments.
13.2 Employees of the company are only granted access to the data and to the extent required to perform their duties. In the event that an employee is unable to perform their duties due to vacation or other circumstances, the person carrying out the duty has access within the extent of the person whose duties they are executing.
Article 14. Personal Data Protection Officer
14.1 The company has a personal data protection officer who ensures that personal data processing procedures adhere to applicable personal data protection legislation. They operate independently and report to the company’s top management.
14.2 Personal data protection officer:
14.2.1 Monitors the company’s processing of personal data;
14.2.2 Takes part in the data processing risk assessment procedure when needed;
13.2.3 As required, collaborates with the Personal Data Protection Service;
14.2.4 Provides training and information to employees about issues related to the personal data protection;
14.2.5 Examines the statements, complaints, and/or appeals made by data subjects;
14.2.6 Establishes communication with appropriate interested parties on the issues of personal data protection;
14.2.7 Identifies, investigates, and promptly responds to personal data breaches.
Article 15. Data Security
15.1 The company has implemented appropriate organizational and technical measures to ensure protection of data against accidental or unlawful destruction, alteration, disclosure, collection or any other form of unlawful use, and accidental or unlawful loss.
15.2 The company has a strong commitment to protecting the confidentiality of personal data. Access to data is restricted to personnel who require it for the fulfillment of their assigned duties.
15.3. The personal data protection officer oversees the protection of personal data within the company and controls its processing practices to guarantee adherence to this policy, legislation, and internal procedures of the company.
16. Personal Data Storage Period
16.1 The company will store personal data:
- For the period as required to fulfill the processing goal;
- A candidate’s data is stored on file for three years after it has been submitted;
- Within the scope of service provision – for the duration of the service, and for ten years following the fulfillment of the contractual duty;
- For the period of the employment contract, and in the event of termination – for ten years;
16.2 Following the expiration of the period outlined in section 16.1 of this policy, the company will destruct the documentation in compliance with the rules established by law.
Article 17. Rights and Obligations of the Data Subject
17.1 The data subject has the right to obtain information from the company regarding the processing of their data. The company shall provide the requested information no later than 10 (ten) calendar days after getting notified of the request.
17.2 The data subject has the right to contact the company at any time and request that their personal data be corrected, blocked, updated, added, deleted, or destroyed if it is incomplete, inaccurate, out of date, or if it was collected and processed in violation of applicable law.
17.3 The data subject has the right, at any time and without explanation, to withdraw (to request the cessation of data processing and/or the destruction of processed data) their consent to the processing of their personal data.
Article 18. Final Provisions
18.1 When using or receiving the company’s services, as well as after they are terminated, the processing of information obtained by the company for relevant purposes will continued/be carried out for a period that corresponds to the company’s goals and interests and/or as required by legislation. After expiration of these terms, the company shall ensure the destruction of relevant personal data (both electronic and paper) in compliance with the company’s regulations.
18.2 At the request of the data subject, the company will, in compliance with legal requirements, give them access to information about their personal data that is available within the company.
18.3 The data subject shall notify the company in writing of their concerns, as soon as possible, if the data subject considers that the information about them maintained by the company does not correspond the reality or is incomplete, and the company shall promptly ensure the correction of any pertinent information.
18.4 Rules and procedures not defined by this policy are governed by Georgian legislation.
Article 19. Contact Information
19.1 The data subject may contact the company at any time for information relevant to this policy, at the address: 11, Mosashvili Street, Tbilisi, email at: info@wendys.ge, or by phone: 0322 557 557.