Preamble
York Holding Group LLC (hereinafter – the Organization) aims to respect and protect fundamental human rights
and freedoms in the processing of personal data, including the right to private and family life, inviolability of
personal space, and confidentiality of communication.
This Policy defines the core measures by which the Organization ensures that its personal data processing
activities are in compliance with the Law of Georgia on Personal Data Protection (hereinafter – the Law), in order
to achieve the aforementioned goal.
Article 1. Scope of Application
This Policy applies to all personal data (hereinafter – Data) processing activities carried out by the Organization,
including processing conducted jointly with data co-controllers and through data processors authorized by the
Organization.
Article 2. Definition of Terms
Terms used in this Policy carry the meanings defined by the Law.
Article 3. Principles of Data Processing
1. The Organization processes data subjects’ personal data in accordance with the Law, on the legal
grounds defined by the Law, and in accordance with the following principles:
a) Data shall be processed lawfully, fairly, transparently, and with respect for the dignity of the data
subject;
b) Data shall be collected only for specific, clearly defined, and legitimate purposes and must not be used
for purposes incompatible with those;
c) Data shall be processed only to the extent that is necessary for the achievement of the relevant
legitimate purpose;
d) Data shall be accurate, truthful, and, where necessary, kept up to date;
e) Data shall be retained only for as long as necessary to fulfill the relevant legitimate purpose;
f) Technical and organizational measures shall be taken to protect data against unlawful processing and
associated risks.
2. The Organization ensures that data is processed in a manner that allows it to demonstrate
compliance with the above principles.
Article 4. Key Measures to Ensure Lawful Processing
To ensure processing of data in accordance with Article 3 of this Policy, the Organization shall:
a) Implement appropriate technical and organizational measures to ensure data security, including assigning
ownership for each information asset within the Organization and enforcing access controls;
b) Provide periodic training to employees regarding data protection procedures;
c) Ensure timely response to incidents to mitigate or eliminate potential harm, and notify data subjects and the
Personal Data Protection Service in accordance with the Law;
d) Ensure transparency by publishing information on its website about its data processing practices, and take
additional steps to inform data subjects if necessary;
e) Ensure employees are informed about how their data is processed by making relevant information accessible
to them;
f) Respond promptly and appropriately to requests/notifications submitted by data subjects to exercise their rights
provided by the Law;
g) Assess the likelihood of risk to fundamental rights and freedoms arising from data processing, and, if a high
risk is identified, conduct a data protection impact assessment;
h) Prioritize data minimization in all products, projects, and services;
i) Maintain records of data processing activities in accordance with the Law;
j) Process data through authorized data processors only on the basis of a legal act and/or written agreement that
clearly defines the legal grounds and purposes for processing, the categories of data, duration of processing, and
obligations of the parties;
k) Take any other appropriate measures.
Article 5. Enforcement
1. To implement the measures defined in Article 4 of this Policy, the Organization will develop additional
written documentation and take other appropriate actions.
2. In order to identify and coordinate adequate responses to risks arising from the processing of data in
accordance with this Policy:
a) The Organization’s Data Protection Officer monitors the Organization’s compliance with the Law and
this Policy and provides relevant recommendations;
b) Information asset owners ensure that the data-containing assets they manage comply with the Law
and this Policy.
Article 6. Review of the Policy
This Policy will be reviewed at least once a year, with appropriate amendments made if necessary.