| Personal Data Protection Policy Tbilisi, Georgia |
| 1. General Information 1.1 Padel World LLC (Identification No.: 404786175, legal address: No. 3, Mikheil Zandukeli Street, Mtatsminda District, Tbilisi, Georgia), duly registered and operating in accordance with the legislation of Georgia (hereinafter referred to as the “Company”), represented by its Director, Ketevan Kipiani (Personal No.: 01017043803), is committed to protecting the personal data of its customers, employees, as well as other individuals who are duly connected with the Company, in compliance with the Law of Georgia on Personal Data Protection and applicable international standards. |
| 1.2 The purpose of this Personal Data Protection Policy (hereinafter referred to as the “Policy Document”) is to establish the procedures for data processing, as well as the rights and safeguards provided for by applicable law. 1.3 This Policy applies to the Company’s employees, customers (prospective, current, and former), partners, agents, and any individual who communicates with the Company via email, the Company’s website, or social media platforms. |
| 2. Definitions 2.1 “Personal Data” means any information relating to an identified and/or identifiable natural person. A person shall be considered identifiable where he or she can be identified directly or indirectly, including in combination with other characteristics. Personal Data may include, but is not limited to, a first name, last name, personal identification number, email address, telephone number, address, and any other information as defined under the legislation of Georgia.
2.2 “Data Processing” means any operation or set of operations performed on data using automated, semi-automated, and/or non-automated means, including, but not limited to, collection, recording, photographing, video recording, retrieval, disclosure, blocking, modification, storage, use, and transfer. |
| 2.3 “Data Subject” means any natural and/or legal person whose Personal Data is used, processed, and/or stored by the Company in accordance with its business purposes. 2.4 “Company” means the entity that determines the purposes, means, and methods of data processing, as well as the technical and organizational security measures. 2.5 “Authorized Person” means a person who, by virtue of authority granted by the Company, processes Personal Data on behalf of the Company and/or in accordance with the Company’s purposes. 2.6 “Data Recipient” means any person to whom Personal Data has been transferred in accordance with the Company’s purposes, including an Authorized Person. 2.7 “Website” means https://gnpf.ge/, through which the Company provides services and markets its products in accordance with the applicable legislation of Georgia. 2.8 Terms not defined in this Policy Document shall have the meanings ascribed to them under the Law of Georgia on Personal Data Protection. |
| 3. Principles of Data Processing 3.1 The storage, protection, and processing of Personal Data by the Company shall be carried out in compliance with the requirements of the legislation of Georgia.
3.2 When processing data, the Company adheres to the principles established by the Law of Georgia on Personal Data Protection, including the following: 3.2.1 Personal Data shall be retained for a period no longer than is necessary to achieve the purpose of data processing; 3.2.2 Personal Data shall be processed for lawful and specific purposes; 3.2.3 Personal Data shall be processed only to the extent necessary for the relevant purpose; 3.2.4 Data processing shall be proportionate to the purpose for which the data is processed. |
| 3.2.5 Personal Data shall be accurate and, where necessary, kept up to date; 3.2.6 The Company shall take all measures available to it to ensure the secure processing of data, including the implementation of appropriate technical and organizational security measures. 3.3 Further processing of data for purposes incompatible with the original purpose is prohibited. Data collected and processed without a lawful basis or in violation of applicable processing requirements shall be destroyed, blocked, or erased. 3.4 Upon achievement of the purpose for which the data is processed, such data shall be blocked or erased, or, unless otherwise provided by law, retained in a form that does not permit identification of the data subject. |
| 4. Legal Grounds and Purposes for Personal Data Processing 4.1 The consent of the Personal Data Subject may be expressed, in the case of a Company employee, by submitting written consent, and in the case of a customer, by clicking the specifically designated consent button on the Company’s website and/or by consenting to the use of cookies.
4.2 Performance of contractual obligations. |
| 4.3 Protection of property rights; 4.4 Existence of another legitimate purpose, which must be clearly defined and for which the processing of Personal Data is necessary. 4.5 Further processing of Personal Data for purposes incompatible with the original purpose is prohibited. Data collected without a lawful basis or processed in a manner inconsistent with the original purpose shall be blocked, erased, or destroyed. |
| 5. Data Processing
5.1 The Company processes the following categories of data regarding its customers: 5.1.1 First name, last name, gender, personal identification number, email address, mobile phone number, address, account number, bank details and card information, date of birth, and age; 5.1.2 Customer data may be disclosed to third parties if such disclosure is expressly required by law and/or by competent authorities, or serves to protect the legitimate interests of the Data Subject; 5.1.3 Following the cancellation of a customer’s registration on the Company’s website, their information shall be deleted, blocked, and/or destroyed within a reasonable period as determined for this purpose. |
| 5.1.4 Data recorded when you access the Company’s website is anonymized, and your identity cannot be determined. From your personal account/profile, you may obtain more detailed information, including:
· Your IP address or the IP address of a proxy server;
· The domain name you requested; · The name and serial number of your device; · The name of your Internet service provider (sometimes inferred from your ISP connection configuration); · The time, date, and duration of your visit to the website; · The number of visits to the Company’s website during a specific period; · The URL you viewed and related information; · The website that referred you to the Company’s website (if applicable). |
| 5.2 The Company may process the following information regarding vendors: 5.2.1 Name, identification code, address, email address, mobile phone number, name and surname of the managing person, bank details, and information regarding products to be placed on the Company’s website (if applicable); 5.2.2 Information regarding vendors may be disclosed to third parties if the vendor has provided consent and/or if such disclosure is expressly required by law and/or by law enforcement authorities; 5.2.3 Upon termination of cooperation with the Company, the Company shall, within a reasonable period, delete, block, and/or destroy the vendor’s personal data. |
| 5.3 Data Processing Regarding Company Employees
5.3.1 The Company may process the following categories of data regarding its employees: first name, last name, personal identification number, mobile phone number, residential and email address, date of birth, information regarding education and work experience, information on criminal records (including financial and/or cybercrime offenses), account number, and health status information, if required (e.g., submission of Form 100 for military service purposes). 5.3.2 Personal information regarding employees shall be disclosed to third parties only with the consent of the Data Subject and/or in cases expressly provided by law or upon request by law enforcement authorities. |
| 5.3.3 In the event that an employee requests the destruction, deletion, and/or blocking of their Personal Data, the Company shall carry out such request within a reasonable period established for this purpose. 5.3.4 The Personal Data of a Data Subject shall be stored by the Company for a reasonable period determined to achieve the relevant legitimate purpose – namely, three (3) years. 5.3.5 In the event that a Data Subject requests the blocking, deletion, and/or destruction of their Personal Data, such actions shall be carried out by a specifically designated person appointed for this purpose. |
| 6. Cookies and Device Identifiers
6.1 The Company uses “cookies” and/or similar technologies. 6.2 A cookie is a text file automatically created by your internet browser/search engine and stored on your device (laptop, personal computer, phone, tablet, etc.). Cookies help the Company facilitate efficient navigation between pages, remember user preferences, and generally improve the user experience. These files ensure that advertisements viewed by the user online are better tailored to the individual user and their interests. |
| 6.3 Some of the cookies used by the Company are deleted automatically at the end of the internet browser/session (so-called session cookies). Other categories of cookies remain on your device for a longer period and allow the Company to recognize your device during subsequent visits (so-called persistent cookies). 6.4 These cookies are necessary for the efficient and uninterrupted functioning of the Company’s website. They also store certain information and settings entered by you, so that you do not need to re-enter them, which may reduce the time required to complete a purchase. |
| 7. Data Protection in the Context of On-Site Video Monitoring
7.1 For the purposes of ensuring the safety of individuals and protecting property, the Company may conduct video monitoring on its premises. 7.2 When video monitoring is carried out on the external perimeter of objects owned or used by the Company, it records the external areas of the Company and the individuals moving within them. Cameras are marked with visible signage informing about the implementation of video monitoring. 7.3 It is prohibited to place video cameras within internal areas designated for hygiene purposes. |
| 7.4 Appropriate signage shall be placed in areas designated for video monitoring, both on the external and internal perimeter, to inform Data Subjects about the ongoing video monitoring. |
| 7.5 In the event of video monitoring, recordings shall be deleted immediately after the legitimate purpose for which they were made has been achieved. 7.6 Extraction of recordings from the video surveillance system shall be carried out only when there is a legitimate purpose and with the consent of the managing person. Law enforcement authorities are entitled to request the extraction of recordings from the video surveillance system based on a court order and/or a prosecutor’s directive, and only to the extent specified in the court order and/or directive. |
| 8. Data Protection When Using Email and Mobile Numbers 8.1 The Company processes and stores only those email addresses and mobile phone numbers for which the Data Subject has provided consent for processing. 8.2 The Company may request the customer to provide additional email addresses and/or mobile phone numbers to prevent the loss of information. |
| 8.3 The Data Subject shall be solely responsible for any damage resulting from their refusal to comply with the request set forth in Clause 8.2 of this Policy Document, and the Company shall bear no liability of any kind in this regard. 8.4 The Data Subject is obliged to update or correct any invalid email address and/or mobile phone number provided to the Company. |
| 9. Transfer of Personal Data to Third Parties
9.1 The Company shall transfer Personal Data concerning a Data Subject to third parties only with the Data Subject’s prior written consent, and only to the extent specified in such consent regarding the disclosure of their information to third parties. 9.2 Prior written consent of the Data Subject is not required for the processing of Personal Data that must be transferred to investigative authorities and/or courts, where such transfer is mandated by a court order and/or a prosecutor’s directive. 9.3 The Company shall provide the Data Subject’s Personal Data to courts and investigative authorities only to the extent specified in the relevant court order and/or directive. |
| 10. Rights of the Data Subject
10.1 The Data Subject has the right to receive information regarding the processing of their Personal Data, including, in particular: the purpose of Personal Data processing, the method of processing, information on the persons processing their Personal Data, whether their Personal Data has been disclosed to any third parties, and, if so, the legal basis for such disclosure. 10.2 The Data Subject may choose the form in which the data is provided, and the Company is obliged to provide all requested information immediately, but no later than seven (7) days from the request.
10.2.1 Retrieval and processing of information from another institution and/or structural unit, or consultation with them.
10.2.2 Retrieval and processing of a significant volume of unconnected documents. |
| 10.2.3 Consultation with its structural subdivision or another public institution located in a different settlement. 10.3 The Data Subject has the right to request the Company to correct, add to, delete, block, update, or destroy their Personal Data. 10.4 The Data Subject is obliged to notify the Company of any changes to their Personal Data. 10.5 The Data Subject is entitled to request their Personal Data from the Company at any time. 10.6 The Company is obliged, upon the Data Subject’s request, to provide their Personal Data free of charge. 10.7 The storage of the Data Subject’s Personal Data by the Company shall be carried out for a reasonable period determined to achieve the legitimate purpose, and in any case, for no less than two (2) years. |
| 11. Monitoring of Data Protection
11.1 Monitoring of Personal Data protection within the Company shall be carried out by persons designated by the managing person. 11.2 The person responsible for monitoring is obliged to systematically oversee the processing of data by the responsible parties, including taking such organizational and technical measures as are necessary to ensure the protection of data against accidental and/or unlawful destruction, alteration, disclosure, any other form of unlawful use, and loss.
11.3 The person responsible for monitoring is obliged, upon detection of any violations related to the processing or protection of Personal Data, to immediately notify the Company’s management for appropriate action. |
| 12. Direct Marketing
12.1 The Company carries out direct marketing activities. To avoid any ambiguity, the Data Subject grants the Company the authority to process and store their Personal Data in accordance with the nature of the Company’s activities, so that the Company can freely communicate with the Data Subject, inform them about actions to be taken, and facilitate communication with employees, vendors (if applicable), and customers. For these purposes, the Company may use the communication channels specified in this Policy Document, and shall process, store, and appropriately protect the Data Subject’s Personal Data. |
| 13. Familiarization with This Document
13.1 The Company shall ensure the publication of this Policy Document on its official website in a location accessible and available to everyone, so that any interested person can review it. |
| 14. Final Provisions 14.1 This Policy Document has been drafted and approved by the Company’s managing person. 14.2 Any amendments or additions to the Policy Document shall be made based on the order of the Company’s managing person. 14.3 The invalidity of any provision of this Policy Document for any reason shall not affect the validity of the other provisions. In such a case, the Company shall supplement the invalid provision in accordance with the Law of Georgia on Personal Data Protection. |