How can we help you?

Whether you have questions about data protection or if you have information about a possible violation, or you believe that your data are being processed unlawfully – you can easily contact us via this page and take action to protect your rights and those of others.

Contact Us

Send us a notification

If you have information about a possible violation and you want to inform the Personal Data Protection Office, you can send us a notification via this page. To do so, you must first fill in the notification field and provide us with as much details as possible about the content, place and time of violation as well as about the alleged offender. When you send us a notification it is preferable that you indicate your contact details, so that we can get in touch with you if needed. However, if you wish to remain anonymous, fill in just one mandatory field. You can send us notification via our mobile app too.

Your message was sent successfully.

Submit a complaint

If you believe that your personal data are processed unawlfully and you want The Personal Data Protection Service to address the violation, you can submit a complaint to our office at the addres: #7 Vachnadze Str, Tbilisi, and also electronically. To submit an electronic complaint, you may download a complaint template, fill it out, sign it and send a scanned version to the address: office@pdps.ge. The Personal Data Protection Office offers you an even more flexible opportunity: sign up in the Case Management System where you can submit a complaint, follow the process of hearing your complaint and receive comprehensive information - all in one virtual space.

Case management Download a complaint form

Cookie Policy

You are visiting a website of the Personal Data Protection Service. In order to improve your user experience, the website is using cookies.

For additional information on cookie policy, please move to the following Cookies Policy

I accept the use of cookies
I refuse the use of cookies

The State Inspector’s Service Imposed Administrative Liability on Several Organizations for Unlawful Processing of Personal Data in the Course of Labor Relations

2021-07-28 18:20:35

Protection of personal data in the course of labor relations is a high priority for the State Inspector’s Service as in this process institutions process large volumes of personal data of their employees, candidates wishing to get hired, as well as of former employees.

In 2020, in order to examine lawfulness of personal data processing in the course of labor relations, at the request of citizens and on its own initiative, the State Inspector’s Service inspected several organizations, including trade, insurance and microfinance organizations.

Based on the inspections, the State Inspector’s Service identified a number of violations of the provisions of the law on Personal Data Protection of Georgia. To prevent similar violations and raise the standard of personal data protection, the State Inspector’s Service shares the facts of the identified violations:

  • In one of the organizations, on the portal for internal documents flow, information about employees, including former employees, conviction status was uploaded without any necessity and was stored permanently. Since the organization could not provide legitimate aims and necessity for processing special categories of data, the action was assessed as a violation;
  • In one case, the organization permanently stored resumes of jobseekers aimed to consider their candidacy for another job vacancy in the future without informing them. Taking into consideration that after a certain period of time, the data provided in a resume about the person may change (and therefore, the document might become useless) or the person may not be interested in employment in the organization anymore and insofar as collection of large amounts of data increases risks of unlawful access to use of data, the mentioned fact was assessed as a violation;
  • In order to maintain quality of service and protect customers’ rights in several organizations, audio surveillance of telephone conversations was being conducted between employees and third parties. The party of the conversation was informed about the surveillance if the initiator of a call was a third party. In case of dialing a call to third parties, the information about surveillance of conversation was not provided. As video call surveillance had been conducted without warning, the fact was assessed as a violation;
  • In several organizations, information (date, time, identification data of the individual, the reasons for entering and leaving the building) to control entrance and exit of employees in office, was stored for more than three years, exceeding legal limits for keeping such categories of data. The mentioned fact was also assessed as a violation;
  • Additionally, the fact of disclosure of information about a position held by a former employee and employment contract to third party without a legal basis by the organization was revealed;
  • In most of the inspected organizations, measures implemented for data security were not appropriate and adequate. In some cases, employees of the organizations had access to employees’ data stored in electronic systems with the same username and password. Also, in most of the cases, electronic systems do not register all operations performed in relation to electronic data (who logged into the system, what data of which employee they had access to, what type of data was downloaded, etc.) while this is necessary to identify operations performed on data and responsible individuals.

In order to ensure safety of workplace and continuity of business activities during the pandemic, organizations have been obtaining employees’ health data, which they would not process in normal conditions. Although, the conducted inspections revealed violations in this direction as well:

  • There was a case when the organization used to register results of thermal screening in a special journal storing the data for a long period of time without any necessity and expecting instructions from state agencies to erase the data. The organization failed to provide the purpose of storage of data that was deemed as a violation of the law;
  • For effective management of work activities, one of the organizations obtained detailed information about chronic diseases of employees using a questionnaire, while it could achieve the legitimate aim by processing less amount of health data. For instance, rather than collecting information about specific diseases, the organization could collect only general information – whether the employees belonged to individuals carrying the listed diseases. Obtaining excessive amount of data was assessed as a violation of the law.

The State Inspector’s Service imposed administrative liability on the aforementioned organizations under Articles 43 (data processing without the grounds under the law), 44 (violation of principles of data processing), 46 (failure to comply with data protection requirements) and 49 (violation of rules for processing the building entry/exit data of public and private institutions) of the law on Personal Data Protection of Georgia and issued mandatory instructions for the purpose of processing data in accordance with the law in the future.