Personal Data Protection Policy

Introduction

This document explains the principles, purpose and rules of the processing and use of users’ personal data by JSC “International Insurance Company IRAO” (identification code: 205023856, legal address: N88/15 Bochorishvili Str., Tbilisi, Georgia).

By electronically ticking/acknowledging the agreement of the terms and conditions on the website/application of “IRAO”, the user confirms that he/she at the same time agrees to this personal data protection policy and that the information provided by the user is accurate and reliable. The information was provided at the user’s own request and for this he/she has all rights and permissions provided by the law.

By electronically ticking/acknowledging the agreement of the terms and conditions of the website/application, the user declares his/her consent to authorize “IRAO” to perform user identification, verification, checking, comparison, analysis, legal and/or contractual obligation(s) requested and received information about him/her, including personal data.

Definition of terms

Application – mobile application/program which is developed specifically for small, wireless computer devices such as smartphones and tablets.

Website – collection of websites with the domain https://www.irao.ge

IRAO/Company/Authorized Person for Data Processing – Joint Stock Company “International Insurance Company IRAO” (Identification Code: 205023856, Legal Address: N88/15 Bochorishvili Str., Tbilisi, Georgia) established in accordance with the law of Georgia, which determines purposes and means of the personal data processing, directly or through an authorized person, who carries out data processing;

User – means any person who has access to the Website/Application and uses it to obtain information or services;

Personal Data – any information relating to an identified or identifiable individual. Individuals are identifiable when they can be identified directly or indirectly, including by name, surname, identification number, geolocation data, identifiable data of electronic communication, physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics.

1. Policy and purpose of protection of personal data

1.1.  The company focuses on the protection of personal data and information confidentiality, in full compliance with both international data protection standards and the requirements of the applicable law of Georgia “on personal data protection”.

1.2. Ensuring data protection is an important basis for reliable, honest business relations and the reputation of an attractive partner.

1.3.  “IRAO” processes personal data in order to fulfill the obligations stipulated by the law of Georgia.

2. Scope of data protection policy

2.1.      This policy fully applies to the processing of personal data by “IRAO” by automatic, semi-automatic, or non-automatic means and is used in the process of personal data protection.

2.2.     The mentioned policy applies to the users of “IRAO”, the company’s employees, contractors, all the persons whose data is processed by the company, as well as the data recipient and the authorized persons who process personal data on behalf of or for the company.

3. Principles and basics of personal data processing

3.1.      Personal data can be processed in “IRAO” only in compliance with the following principles provided by the law:

3.1.1. The data is processed legally, fairly, without harm to the data subject and without violating his/her dignity;

3.1.2.   Data is only collected for specific, clearly defined and legitimate purposes. It is not allowed to process the data for a purpose incompatible with the original purpose of the data processing;

3.1.3.   Data is processed only to the extent necessary to achieve the respective legitimate purpose;

3.1.4.  Data must be true, accurate and updated where necessary. Data that is inaccurate, taking into account the purpose of data processing, must be corrected, deleted or destroyed without undue delay;

3.1.5.   Data shall be retained only for the period necessary to achieve the relevant legitimate purpose of data processing;

3.1.6.  In order to protect data security, during data processing, such technical and organizational measures should be adopted that adequately ensure data protection, including against unauthorized or illegal processing, accidental loss, destruction and/or damage;

3.1.7. Data processing is necessary, based on the data subject’s application, in order to provide services to him/her;

3.1.8. In other cases provided by the law.

3.2.     Data processing is allowed if there is one of the following grounds:

3.2.1.   The data subject has consented to the processing of data about him/her for one or more specific purposes;

3.2.2.  Data processing is necessary to fulfill the obligation assumed by the transaction concluded with the data subject or to enter into a transaction at the request of the data subject;

3.2.3.  Data processing is provided for by the applicable law of Georgia;

3.2.4.  Data processing is necessary for the company to fulfill its obligations under the law of Georgia;

3.2.5.  According to the law, the data is publicly available or the data subject himself/herself has made it publicly available;

3.2.6.  Data processing is necessary to protect the vital interests of the data subject or another person, including monitoring the epidemic and/or preventing its spread, managing humanitarian crises, natural and man-made disasters;

3.2.7.  Data processing is necessary to protect a significant public interest;

3.2.8.  Data processing is necessary to protect the significant legitimate interests of the person responsible for processing or a third party, unless there is an overriding interest in protecting the rights of the data subject (including a minor).

3.2.9.  Data processing is necessary to consider the data subject’s application (to provide services to him/her).

3.3.      Further data processing for other purposes incompatible with the original purpose is not allowed. Data collected without a lawful basis and incompatible with the purpose of processing must be blocked, deleted or destroyed.

4. Special Category Data Processing

4.1.      Special categories of data are processed by IRAO while protecting the rights and interests of the data subject and in the event that there is one of the following grounds for the processing:

a) the data subject has given written consent to the processing of special categories of data for one or more specific purposes;

b) processing of special categories of data is directly and specifically regulated by law and their processing is a necessary and proportionate measure in a democratic society;

c) processing of special categories of data is necessary to protect the vital interests of the data subject or another person, and the data subject is physically or legally incapable of giving consent to special category data processing;

d) processing of special categories of data is necessary in the field of health care for preventive, prophylactic, diagnostic, curative, rehabilitative and palliative care, quality and safety of services, medical devices and products, public health and management of the health care system for the purposes of the law of Georgia or the contract concluded with the health care specialist (if this data is processed by a person who has the obligation to protect professional secrecy) accordingly;

e) processing of special categories of data is necessary in the field of social security, including for the management of the social security system and services in order to fulfill the duty assigned to the person responsible for processing according to the law of Georgia or to exercise specific rights of the data subject;

f) special categories of data are processed to ensure informational security and cyber security;

g) processing of special categories of data is necessary depending on the nature of the labor obligations and relationship, including for making a decision on employment or evaluating the labor skills of the employee;

h) special category data processing is necessary to protect important public interest;

i) special categories of data are processed for the purpose of functioning of the unified analytical system of migration data;

j) the data subject has made his/her data public without reserving an explicit prohibition of use;

k) in the cases directly established by the applicable law of Georgia.

5. Personal data category and its processing

5.1.      “IRAO” collects and processes mainly several categories of personal data. In particular: name, surname, personal number, phone number, e-mail, address, bank account data, bank card data, as well as movable property legally owned by the user – vehicle mark, model, type, year of manufacture, VIN code, state number, steering wheel, mileage, engine capacity, fuel type, technical passport, IP address used to access the website/application belonging to “IRAO”, characteristics of the real estate owned by the user.

5.2.     Processing of personal data means collecting, recording, photographing, audio recording, video recording, organizing, storing, changing, restoring personal data of a person using automatic, semi-automatic or non-automatic means.

5.3. Personal data is mainly processed by “IRAO” during the provision of any type of service related to insurance to the user, during the review of the user’s application, for the purpose of performing contractual relations of various types/contents, employment, direct marketing.

5.4.     Personal data is processed only when there is the consent of the data subject, data processing is provided by law and/or data processing is necessary for fulfillment of the duties assigned to it by the law.

5.5.     The consent of the data subject shall be expressed orally, in writing, by telecommunication, electronic or other appropriate means, in a manner that can be used to determine the will of the data subject and make an appropriate record.

5.6.     The company may process data based on the needs of the service or only in special cases with the help of a person authorized to process other data and on the basis of a written agreement concluded with him/her, which must comply with the strictly established standards of “IRAO” and the requirements established by the law of Georgia.

6. Direct Marketing

6.1. The data subject’s data is processed by the company for the purpose of direct marketing only based on his/her consent.

6.2.     In addition to the name, surname, address, telephone number and e-mail address of the data subject, the company processes other data for direct marketing purposes based on the written consent of the data subject.

6.3.     Before obtaining the consent of data subject, the company provides the user with information about the right to withdraw the consent at any time and the mechanism/rule for exercising this right in a simple and understandable language.

6.4.     “IRAO” is obliged to stop the processing of data for direct marketing purposes free of charge and/or to ensure the termination of data processing for direct marketing purposes by an authorized person within a reasonable time, but no later than 7 (seven) working days after receiving the request from data subject.

6.5. The data subject has the right to refuse the termination of data processing for direct marketing purposes in the same manner in which direct marketing is carried out or to contact “IRAO” at the following e-mail address: Office@irao.ge or at the number of “IRAO”: +995 (32) 2 949 949.

7. Video/audio monitoring

7.1.      In order to ensure security and property protection, as well as control the quality of service, in compliance with the requirements established by the Law of Georgia “On Personal Data Protection”, the external perimeter and entrances of the building, workplaces are monitored through a video surveillance system, and audio recording is carried out during telephone communication with IRAO.

7.2.     In order to improve the customer service, the data subject is informed about the video surveillance and audio recording in the service areas of “IRAO”, as well as the recording of phone calls during telephone communication with “IRAO” in the form stipulated by the law.

7.3.      Audio monitoring is carried out in “IRAO” in order to improve the service. The continuation of the telephone conversation is considered the automatic consent of the data subject to audio monitoring.

7.4. Video recordings are stored according to the capacity of the hard disk and not more than 6 months. The video hard drive works in overwrite mode, and old data is deleted by being overwritten with new data.

7.5.     The retention period of any telephone call recording in IRAO is defined as no more than 5 (five) years, except in cases where such records need to be kept for a longer period of time due to ongoing litigation.

7.6.     Only those employees of the organization who need it to perform their duties have access to video/audio recordings.

8. Transfer of personal data to third parties

8.1. “IRAO” may transfer the personal data of data subjects to third parties for the following purposes: for the perfect service of the data subject, in the cases defined by the law of Georgia, for the purpose of fulfilling the duties assigned to “IRAO” under the law of Georgia, as well as for the purpose of fulfilling the obligations assumed by “IRAO” based on the agreements signed with other companies and organizations operating in the state sector.

8.2. The third parties are: “IRAO’s” provider institutions, organizations operating in the state sector, organizations operating in the insurance industry, “IRAO” partner companies, reinsurance companies, Insurance-Information Bureau LLC, JSC Credit Information Bureau Creditinfo Georgia.

8.3. The company has the authority to transfer personal data to third parties based on the law or the agreements signed with the data subject.

8.4.     “IRAO” transfers personal data to third parties in accordance with the Law of Georgia “on Personal Data Protection”.

9. Obtaining of personal data from the third parties

9.1. “IRAO” may obtain the personal data of the data subject from third parties for the following purposes: for the perfect service of the data subject, in the cases determined by the law of Georgia, in order to fulfill the duties imposed on the company by the law of Georgia, as well as in order to fulfill the obligations assumed by the company based on the agreements signed with other companies, organizations operating in the state sector and partner organizations.

9.2. The third parties are: “IRAO’s” provider institutions, organizations operating in the state sector, organizations operating in the insurance industry, “IRAO” partner companies, reinsurance companies, Insurance-Information Bureau LLC, JSC Credit Information Bureau Creditinfo Georgia.

9.3. The company has the authority to obtain personal data from third parties based on the law or the agreements signed with the data subject.

9.4.     “IRAO” obtains personal data from the third parties in accordance with the Law of Georgia “on Personal Data Protection”.

10. Data processing by an authorized person

10.1. Based on the terms of this policy, data may be processed by an authorized person on behalf of “IRAO” only if the “Company” has signed an appropriate written agreement with the authorized person. Before signing the agreement, “IRAO” always satisfies itself in advance of the party’s reliability, and the agreement stipulates the obligation of the authorized person to take such organizational and technical measures that ensure the protection of the personal data of the data subject in accordance with the requirements stipulated by law.

11. Data security

11.1. “IRAO” has adopted organizational and technical measures corresponding to the possible and accompanying threats of data processing, which ensure the protection of data in the company against loss and illegal processing, including destruction, modification, disclosure or use.

11.2.    Confidentiality of personal data is strictly protected in the “Company”. Only those employees who need to process the data to perform their duties have access to the subject data.

11.3.    The protection of personal data in the “Company”, the control of compliance of their processing with the present policy, legislation and internal procedures of the company is ensured by the personal data protection officer/person responsible for personal data protection.

12. Rights and obligations of the data subject

12.1.    The data subject has the right to request from “IRAO” to confirm whether the data about him/her is being processed, whether the data processing is justified or not, and to receive the following information free of charge in accordance with the request:

a) about the data that is being processed, as well as the basis and purpose of this data processing;

b) about the data collection/retrieval source;

c) about the term (time) of data storage, and if a specific term cannot be determined, about the criteria for determining the term;

d) about the rights of the data subject;

e) about the legal basis and purposes of data transfer, as well as appropriate guarantees of data protection, if data are transferred to another state or international organization;

f) about the identity of the data recipient or categories of data recipients, including information on the basis and purpose of data transfer, if the data is transferred to a third party;

g) about the decision made as a result of automated processing, including profiling, and the logic used to make such a decision, as well as its impact on data processing and the expected/likely result of processing.

12.2.   The data subject has the right to receive information no later than 10 (ten) working days after his/her request. In special cases and with proper justification, this term can be extended by no more than 10 (ten) working days, about which the data subject must be notified immediately.

12.3. Unless otherwise provided by the law of Georgia, the data subject has the right to choose the form in which the information provided for by item 12.1 of this policy is supplied. In addition, if the data subject does not require the provision of information in another form, the information will be provided to him/her in the same form in which the information was requested.

12.4.   The data subject has the right to get acquainted with the personal data available about him/her and to receive copies of this data free of charge in the cases provided for by the law of Georgia on “Personal Data Protection”.

12.5.   The data subject has the right to request from “IRAO” to correct, update and/or fill in false, inaccurate and/or incomplete data about him/her. Also, the data subject has the right to request the company to stop, delete, destroy, block data processing (including profiling). In the circumstances stipulated by the law, the data subject has the right to receive information about the decision to block data or the grounds for refusal to block data, immediately, but no later than 3 (three) working days after the request.

12.6.       “IRAO” operates in accordance with the law of Georgia, based on which the possibility of immediate deletion of personal data may be limited. The above obligations may arise from fighting against money laundering, tax, insurance and consumer protection laws and other legal acts.

13. Right to withdraw consent

13.1.    The data subject has the right, at any time, without any explanation or justification, to withdraw the consent given by him/her. In this case, according to the request of the data subject, the data processing must be stopped and/or the processed data must be deleted or destroyed no later than 10 (ten) working days from the request, if there is no other basis for data processing.

13.2.    The data subject has the right to withdraw his/her consent in the same form in which he/she gave his/her consent or in the form prescribed by this policy.

13.3. Before withdrawing consent, the data subject has the right to request and receive from “IRAO” information about the possible consequences of withdrawing the consent.

14. Right of appeal

The data subject has the right to apply to the personal data protection service, court and/or higher administrative body in case of violation of the rights provided by the law and established rules.

15. Contact Information

You can contact us at the following e-mail address: office@irao.ge, and/or at the “IRAO” number: (+995 32) 2 949 949 for any issues related to the protection of personal data by JSC “International Insurance Company IRAO”.