Personal Data Protection Policy of the LEPL - Georgian National Tourism Administration

The Georgian National Tourism Administration (hereinafter - Administration) is a legal entity of public law, whose goals and objectives are to develop and implement state policy for the development of tourism in Georgia, promote sustainable tourism, contribute to the growth of high export revenues and the creation of new jobs in the country through the development of tourism, as well as attract foreign tourists to Georgia and develop domestic tourism, promote the development of tourist sites, infrastructure and of human resources in the field of tourism.

When processing personal data in the course of its activities, the Administration respects fundamental human rights and freedoms, including the rights to private and family life, and correspondence. Therefore, the protection of personal data in accordance with applicable legislation and international standards is one of the main priorities for the Administration, as a data controller.

The purpose of the Personal Data protection Policy of the LEPL - Georgian National Tourism Administration (hereinafter - Policy) is to provide information on personal data processing to interested parties in the course of the Administration’s activities, including through the web resources of the Administration: https://gnta.ge/ge/; https://places.georgia.travel; https://georgia.travel/ka; https://www.gceb.ge/#block-1; https://exhibitions.gnta.ge, as well as when using communication and feedback channels. This also includes the provision of data subjects with information about their rights and mechanisms for the implementation of these rights.

The issues not regulated in this policy document are regulated by the Law of Georgia on Personal Data Protection and the applicable legislation of Georgia.

In the process of data processing, the Administration is guided by the following principles:

• Legality, fairness and transparency - the Administration collects and processes personal data legally, having a specific legal basis for each data processing process and respecting the dignity of the subject. To ensure transparency, the Administration informs the data subject about the purposes and methods of data processing.
• Purpose limitation - for each data processing process, the Administration defines specific legal purposes for data collection and further processing. It does not process data for other purposes incompatible with the original purpose.
• Data minimization - the Administration processes only those data that are necessary for specific legal purposes. In addition, it ensures that the amount of data processed shall be proportionate and adequate in relation to the legal purpose.
• Accuracy - the Administration takes reasonable measures to ensure that the personal data that we process is true, accurate and updated as necessary. Taking into account the purposes of processing, the Administration, both on its own initiative and at the request of the data subject, corrects, deletes or destroys inaccurate and/or outdated data.
• Limitation of the data retention period - the Administration stores the data for the period necessary for the purposes of data processing, taking into account the requirements of the legislation of Georgia.
• Data security - the Administration takes appropriate technical and organisational measures to ensure proper data protection.
• Accountability - the Administration adheres to the principles of data processing, demonstrates compliance with these principles, other obligations provided for by law, as well as respect and protection of the rights of data subjects, including through the implementation of this policy, updating relevant procedures and taking technical and organisational measures to ensure data security.

The Administration processes different categories of personal data about different data subjects, depending on which service/product of the Administration they use, in what relationship they are with the Administration, which web resource they use or what information the person provides to the Administration. Accordingly, the Administration may process the data of the following data subjects:

• visitors to the Administration's web resources, registered users, news subscribers;
• persons applying to the Administration;
• representatives of the tourism industry: representatives of guides, accommodation and catering facilities, representatives of travel and transport companies;
• bloggers and media representatives working in the field of tourism;
• persons attending events and trainings of the Administration;
• persons providing various services to the Administration;
• persons communicating with the Administration through various channels and methods, including when visiting the office/information centre, remotely - through a hotline, chats on the website, feedback forms, social networks;
• visitors to the central office and information centres;
• employees, former employees, their family members, interns, job seekers.

The category of personal data processed about these persons may include:

• identification data (for example, first name, last name, personal ID number);
• contact information (e.g. phone number, address, email address);
• information about tourism activities (for example, the name of the tourist facility that the person represents/owns; the position held /activity implemented in the tourism sector (for example, a guide); information about the services provided/offered; information about the certification of the person; the region and sector in which the person carries out tourism activities; photos and videos reflecting the activities; information about social networks/media platforms/blogs and links to relevant accounts);
• information on satisfaction with the use and experience of tourism services (for example, the length of stay in the country; the purpose of the visit to the country; the region that the person plans to visit/visited; information about an interesting tourist site; information about a priority tourist activity; information about the use of transport infrastructure, food and accommodation facilities and satisfaction);
• information about the submitted application/requested service (for example, an application for registration in a database; an application for participation in a project; an application for requesting public information);
• audio-visual data (for example, recordings of incoming/outgoing phone calls on the hotline, video surveillance system recordings);
• data related to employment relations (for example, position held; CV, information about education and work experience; bank details; information about remuneration; information related to the use of insurance; information about incentives/disciplinary liability; information about hours/days worked, etc.);
• sensitive data (for example, information on the state of health; information on criminal record and drug treatment records (only within the framework of employment relations with the Administration));
• technical information (for example, about the device used when using web resources, browser type, Internet Protocol (IP) address, operating system, time zone setting and location, etc.).

Taking into account the current legislation of Georgia, in a particular case, the Administration may need to process other types of data.

The Administration collects the above data mainly from the following sources:

• directly from the data subject - when contacting/requesting the services of the Administration; when registering on web resources; when visiting the office and information centres; when communicating remotely (by phone, e-mail, social network, website) with the Administration/subscribing to news; when signing/filling out relevant contracts/applications; when applying the Administration with a statement/complaint, when responding to a vacancy and in other cases when the data subject himself/herself provides information to the Administration in various forms;
• automatically through technology - for example, when visiting web resources;
• from various public platforms, as well as from individuals and legal entities - for example, from the Public Register of Entrepreneurs of the LEPL - National Agency of Public Registry; from tourist sites.

The Administration primarily processes personal data for the purposes and tasks defined by its Statute, such as:

• collection of information about tourist sites throughout the country, creating and updating databases of information necessary for tourists;
• creating and updating of a database of local tourism service providers, constantly communicating with them and promoting their activities;
• creating and updating a database of local business tourism service providers;
• preparing and distributing promotional and informational materials about tourist sites, products, projects;
• organising and conducting study and hosting introductory tours for media representatives, bloggers, tour operators, photographers and representatives of relevant fields in order to develop various tourism destinations;
• maintaining a database of local tourism service providers trained by the Administration;
• informing travel service providers registered in the database of the National Tourism Administration about planned seminars, festivals, various events, etc.;
• identifying existing problems in the field of tourism and finding ways to solve them, searching and analysing information for this purpose, informing relevant departments;

as well as

• for the safety and protection of the property of the Administration, its employees and visitors;
• for the purposes of implementing administrative functions, including case management, financial, accounting, public procurement and legal relations, provision of human resources and implementation of labour relations, provision of public information, communication with citizens and provision of information to the public;
• in order to protect the legitimate rights and legitimate interests of the Administration, including in court;
• for the purposes of analytics and reporting, including providing access to data for a higher-level and supervisory authority.

The Administration processes personal data on the following legal grounds provided for by the Law of Georgia on Personal Data Protection:

• with the consent of the data subject;
• data processing is necessary for the performance of a contract to which data subject is party or to conclude an agreement at the request of the data subject;
• data processing is provided for by law;
• data processing is necessary to fulfil the duties assigned to the Administration by law;
• in accordance with the law, the data is publicly available, or if the data subject has made the data publicly available;
• data processing is necessary to protect the legitimate interests of the Administration or a third party, and there is no overridding interest of protecting the rights of the data subject;
• data processing is necessary for the consideration of the application of the data subject/provision of the service.

Sensitive data may be processed on the following grounds:

• with the written consent of the data subject;
• processing of special category data is directly and specifically regulated by law;
• processing of special category data is necessary depending on the nature of employment obligations and relationships, including for making a decision on hiring or evaluating an employee’s work skills;
• processing of special category data is necessary in the field of social security and social protection, including for the management of the social security system and services, in order to fulfil the duty assigned to the person responsible for processing in accordance with the legislation of Georgia, or to exercise specific rights of the data subject.

The information posted on the Administration’s web resources is publicly available to any interested person. In other cases, the recipients of personal data processed in the Administration may be private and public institutions, natural persons only in cases and in the manner prescribed by the law. In such cases, data is shared only to the extent necessary. For example:

• for higher-level, controlling and authorized state bodies - for example, the Ministry of Economy and Sustainable Development of Georgia, LEPL - Eenterprise Georgia; LEPL - Revenue Service, LEPL - Pension Agency, LEPL - State Procurement Agency;
• for various service providers - for example, legal, audit consultants, security services, postal and courier organisations, IT service providers and electronic systems/software and/or other service providers.

Information/documentation containing personal data is stored in the Administration in accordance with the data retention periods defined by the legislation of Georgia and the legitimate purposes of data processing. The Administration stores the data only for the period necessary to achieve the purposes for which they were collected/processed, including in order to comply with legal, regulatory, tax, accounting or reporting requirements.

If necessary, the Administration may transfer the data to another State and/or an international organisation in which, according to the legislation of Georgia, appropriate guarantees of data protection and protection of the rights of the data subject have been adopted. In addition, the Administration may carry out international data transfer in cases and in the manner provided for by law, for example:

• if the transfer of data is provided for by an international agreement of Georgia;
• if the data subject agrees to the transfer of data after being informed of the lack of appropriate data guarantees and possible threats in the relevant State/international organisation;

In addition, the Administration may transfer data outside Georgia, provided that the relevant data protection guarantees are provided for by the agreement concluded between the Administration and the recipient of the data.

The security of personal data is ensured by the Administration with appropriate technological and physical security measures, which are determined taking into account the nature, volume, means, context and purposes of personal data processing. Access of employees to data in electronic databases is limited in accordance with the authority and the functions of employees. Each employee uses his/her own individual username and password to log into electronic systems. Electronically filed data is stored on the password-protected computers of employees.

With regard to personal data processed by the Administration, a natural person may enjoy the rights related to the protection of personal data guaranteed by the legislation of Georgia.

At the request of the person, the Administration provides:

• right to information about the processing of data about him/her: what data is being processed; the purpose of data processing; the legal basis for data processing; the source(s) of data collection; criteria for determining the duration/period of data storage; on the rights of the data subject; on the transfer of data to another State or international organisation and the relevant basis; on the category of recipient/recipients data, as well as the basis and purpose of data transmission; on automated data processing and its expected results (if any);
• access to data stored about him/her in the Administration and receipt of this data is free of charge, with the exception of data for which the legislation of Georgia provides for a fee;
• correcting, updating, supplementing, blocking, deleting, destroying or terminating the processing of data if they are false, inaccurate, incomplete, not updated or if their collection and processing were carried out in violation of the law;
• exercising the right to data portability - transfer of data in a structured, commonly used and machine-readable format to the data subject or another data controller, if technically possible;
• terminating and/or destructing of data processing, if they are processed only on the basis of the consent of the data subject and there is no other reason for data processing.

Before responding to such a request from an interested person, the Administration may require identification of the identity of the data subject in various ways.

In accordance with the legislation, the rights of the data subject may be limited to an appropriate extent if their implementation is under threat, including:

• national security, information security and cybersecurity and/or defence interests;
• public safety interests;
• crime prevention, crime investigation, criminal prosecution, administration of justice, operational investigative activities;
• interests related to important financial and economic (including monetary, budgetary and tax), health and social protection issues of the country;
• detection of violations of professional, including regulated profession, ethical norms by the data subject and holding him/her accountable;
• the rights and freedoms of the data subject or other persons;
• protection of state, commercial, professional and other types of secrets provided for by law;
• substantiation of a legal claim or counterclaim.

Regarding the protection of personal data, including in the case of filing a claim/complaint, you can contact Personal Data Protection Officer of the Administration by e-mail: m.orjonikidze@gnta.ge

The legality of data processing by the Administration may also be appealed to the Personal Data Protection Service and/or to the court.