Terms of Personal Data Processing of Veritas Brown LLC

Definition of Terms:

Personal data − any information relating to an identified or identifiable natural person. A natural person is identifiable when he or she can be identified, directly or indirectly, including by name, surname, identification number, geolocation data, electronic communication identifiers, physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics;

Data processing − any operation performed on data, including their collection, receive, access to them, their photography, video and/or audio monitoring, arrangement, grouping, interconnection, storage, alteration, restoration, obtain on demand, use, blocking, erasure or destruction, as well as disclosure of data by transmission, publication, dissemination or making available otherwise;

Data subject − any natural person about whom data is processed;

Customer - a person in a contractual relationship with Veritas Brown LLC, who orders various services from it and within the framework of which it may share the personal data of the data subject with Veritas Brown LLC.

Person responsible for processing - a natural person, legal entity or public institution that individually or jointly with others determines the purposes and means of data processing, processes the data directly or through a person authorized to process;

Person authorized for processing - a natural person, legal entity or public institution that processes data for or on behalf of the person responsible for processing. A natural person in an employment relationship with the person responsible for processing is not considered a person authorized to process;

Third party - a natural person, legal entity or public institution, other than the data subject, the personal data protection service, the person responsible for processing, the person authorized to process, the special representative and the person authorized to process the data under the direct instructions of the person responsible for processing or the person authorized to process;

Incident - a data security breach that leads to unlawful or accidental damage, loss, as well as unauthorized disclosure, destruction, alteration, access to, collection/retrieval of data or other unauthorized processing.

Purpose of Personal Data Processing

The purpose of these Personal Data Processing Terms is to explain which personal data is processed by Veritas Brown LLC (tax code: 405270077) (hereinafter: the “Company”), for what purpose each personal data is processed, and what measures the Company takes to protect personal data.

The purpose of this document is to provide interested parties with basic information on how their personal data is processed by the Company, how the Company protects applicable legislation and the security of personal data.

The Company processes and protects personal data in accordance with the requirements of the Georgian legislation on personal data.

Grounds for processing personal data

The grounds for the processing of personal data of data subjects by the Company is the fulfillment of its obligations under the Agreement.

The Company may process the data of data subjects on two grounds:

• Based on a service agreement concluded with the Customer.

Taking into account these terms and conditions, the Customer, who is in a contractual relationship with the Company, is the person responsible for data processing. Since it is the Customer who obtains the personal data that the Company, as the person authorized to process the data, processes in order to fulfill its obligations under the agreement concluded with the Customer. The agreement concluded between the person responsible for processing and the person authorized to process provides for the obligation of the authorized person to process the data only for the purposes specified by the Customer, as well as taking into account the rules and prohibitions established by the Law of Georgia on Personal Data Protection. In this case, the Customer, as the person responsible for data processing, is responsible for obtaining the data in accordance with the Law on Personal Data.

• Based on a service agreement concluded with the Data Subject.

In this case, the Company itself is the person responsible for data processing.

Sources of personal data collection

Personal data provided by the Customer:

• The Customer shares personal data with the Company via e-mail, WhatsApp, the Company's special online platform, in order to fulfill the Company's obligations under the Agreement concluded with the Customer and transfers the personal data of the data subjects to it.

Personal data provided directly by the data subject:

• The data subject shares personal data with the Company via e-mail, WhatsApp, the Company's special online platform, in order to fulfill the Company's obligations under the Agreement concluded with the data subject.

Principles of personal data processing

• The Company processes personal data openly, fairly and lawfully, without violating the dignity of the individual;
• The Company processes data for a specific and clearly defined purpose;
• The Company respects the elements of proportionality and adequacy, namely, it processes only the data and to the extent necessary to achieve the purpose;
• Taking into account the purposes of data processing, the Company will rectify, delete or destroy inaccurate data without undue delay;
• The Company will store personal data for a legitimate period, namely, the period provided for by law or only for the period necessary to achieve a specific purpose. After achieving the purpose, the data must be deleted, destroyed or stored in a form that does not allow for the identification of a person;
• The Company takes appropriate technical and organizational measures in the process of data processing, namely, ensures complete data security using appropriate technical means.

Categories of personal data

The information processed by the Company may include the following categories of data in proportion to the purpose of their processing:

• Identification data - name, surname, gender, date of birth, personal number/passport number, photo;
• Contact information - phone number, email address, residential address (registration, actual);
• Financial information - bank account details;
• Documentary information - information specified in the submitted documentation (property address, other information about the property, etc.);
• Contractual information - information provided by the contract concluded between the Company and the data subjects;
• Other information - all information that the data subject shares with the Company.

Data security

The Company has taken all necessary organizational and technical measures to ensure data processing in accordance with the Law of Georgia "On Personal Data Protection".

The organizational and technical measures taken by the Company ensure the protection of personal data from accidental or unlawful destruction, alteration, disclosure, acquisition, unlawful use and loss.

Only those employees who need to process the data to perform their duties have access to personal data stored in the Company.

Rights of the data subject

The data subject has the right to request information about the processing of his/her personal data and to receive copies of these data. The data subject has the right to:

• receive information about what data is being processed about him/her, in particular, what is the purpose and legal basis for their processing, information about the source of data collection;
• receive information about whether his/her personal data have been transferred to a third party, information about the third party, the basis and purpose of the data transfer;
• request the correction, updating and/or addition of erroneous, inaccurate and/or incomplete data;
• withdraw his/her consent to the processing of personal data at any time, without any explanation, and request the deletion of data processed on the basis of consent;
• request the termination, deletion or destruction of data processing if:
  • Withdraws consent, which is the only basis for data processing;
  • The data processing is no longer necessary for the purpose for which they were processed;
  • The data processing is unlawful.
• Request blocking of data if:
  • The authenticity or accuracy of the data is disputed;
  • The processing of the data is unlawful, but he/she does not want them to be deleted and only requests their blocking;
  • The data are no longer necessary for the purpose of their processing, but the data subject needs them for legal proceedings;
  • A request for the cessation, deletion or destruction of data processing is being considered;
  • There is a need to store the data for using it as evidence.

The company will respond accordingly within the time limits established by the Law of Georgia “On Personal Data Protection”, no later than 10 working days from the receipt of the data subject’s notification.

The rights of the data subject may be restricted in accordance with the procedure established by the legislation of Georgia.

Restriction of rights of the data subject

The rights of the data subject may be restricted if their implementation poses a threat to:

• State security, information security and cyber security and/or defense interests;
• Public safety interests;
• Crime prevention, crime investigation, criminal prosecution, administration of justice;
• Important financial or economic (including monetary, budgetary and tax), public health and social security interests of the country;
• Detection of a violation of professional, including regulated profession, ethical norms by the data subject and imposition of liability on him/her;
• Rights and freedoms of others;
• Protection of state, commercial, professional and other secrets provided for by law;
• Substantiation of a legal claim or counterclaim.

The Company shall only use the measure of restriction of rights in a manner that is adequate and proportionate to the purpose of the restriction.

Transfer to third parties

The Company shall not transfer the personal data of data subjects to third parties. When the Company transfers its rights and obligations in whole or in part to another person, if the Company also transfers personal data in whole or in part, it shall have obtained the prior written consent of the person responsible for the processing/customer to this effect.

International data transfer

The Company shall not carry out international transfers of personal data of data subjects.

Personal data retention period

Personal data is stored for the duration of the contract concluded with the data subjects and/or the persons responsible for data processing and for a period not exceeding 10 (ten) years after its termination, starting from the year in which the agreement between the data subject/person responsible for data processing and the company is terminated.

We store personal data for as long as is necessary to fulfill the purposes for which we collected such information, including for legal and accounting purposes. The criterion for determining the retention period of personal data is also the proper conduct of the company's activities. The processing of personal data for the specified period is necessary for the company to operate properly.

After the specified period, personal data will be destroyed automatically, unless there is a legitimate interest and appropriate legal basis for storing personal data for a longer period.

Incident Management

An incident is a data security breach that results in the unlawful or accidental damage, loss, or unauthorized disclosure, destruction, alteration, access, collection, retrieval, or other unauthorized processing of data.

In the event of an incident, the Company shall record the incident, the outcome, and the measures taken within 72 hours of the incident becoming known and shall notify the Personal Data Protection Officer in writing or electronically, unless the incident is unlikely to result in significant harm and/or pose a significant risk to the fundamental rights and freedoms of individuals.

If an incident is likely to cause significant harm and/or a significant threat to the fundamental rights and freedoms of individuals, the Company shall, without undue delay after the discovery of the incident, notify the data subject of the incident and provide the following information in plain language:

• A general description of the incident and the circumstances surrounding it;
• Information on the likely/actual damage caused by the incident, measures taken or planned to mitigate or eliminate it;
• Contact details of the personal data protection officer or other person.

Right of appeal by the data subject

In the event of a violation of the rights and rules provided for in the Law of Georgia on Personal Data Protection, the data subject has the right to apply to the Company, the Personal Data Protection Service and/or the court in accordance with the procedure established by law.

The data subject has the right to contact the Company at the following e-mail address: Changes to the terms of personal data processing

These terms of processing may be revised or changed. The Company reserves the right to changes these Processing Terms, by publishing these changes on its website, cushwake.ge. We will notify data subjects about changes to these Processing Terms by publishing a relevant annotation on our website.

Clients