Personal Data Protection Policy of York Towers LLC

Preamble

York Towers LLC (hereinafter – the Organization) aims to respect and protect fundamental human rights and freedoms in the processing of personal data, including the right to private and family life, inviolability of personal space, and confidentiality of communication.

This Policy defines the core measures by which the Organization ensures that its personal data processing activities are in compliance with the Law of Georgia of Personal Data Protection (hereinafter – the Law), in order to achieve the aforementioned goal.

Article 1. Scope of Application

This Policy applies to all personal data (hereinafter – Data) processing activities carried out by the Organization, including processing conducted jointly with data co-controllers and through data processors authorized by the Organization.

Article 2. Definition of Terms

Terms used in this Policy carry the meanings defined by the Law.

Article 3. Principles of Data Processing

1. The Organization processes data subjects’ personal data in accordance with the Law, based on the legal grounds defined by the Law, and with the following principles:

• Data shall be processed lawfully, fairly, transparently, and with respect for the dignity of the data subject;
• Data shall be collected only for specific, clearly defined, and legitimate purposes and must not be used for purposes incompatible with those;
• Data shall be processed only to the extent that is necessary for the achievement of the relevant legitimate purpose;
• Data shall be accurate, truthful, and, where necessary, kept up to date;
• Data shall be retained only for as long as necessary to fulfill the relevant legitimate purpose;
• Technical and organizational measures shall be taken to protect data against unlawful processing and associated risks.

2. The Organization ensures that data is processed in such a manner that allows it to demonstrate compliance with the above principles.

Article 4. Key Measures to Ensure Lawful Processing

To ensure processing of data in accordance with Article 3 of this Policy, the Organization shall:

• Implement appropriate technical and organizational measures to ensure data security, including assigning ownership for each information asset within the Organization and enforcing access controls;
• Provide periodic training to employees regarding data protection procedures;
• Ensure timely response to incidents to mitigate or eliminate potential harm, and notify data subjects and the Personal Data Protection Service in accordance with the Law;
• Ensure transparency by publishing information on its website about its data processing practices, and take additional steps to inform data subjects if necessary;
• Ensure employees are informed about how their data is processed by making relevant information accessible to them;
• Respond promptly and appropriately to requests/notifications submitted by data subjects to exercise their rights provided by the Law;
• Assess the likelihood of risk to fundamental rights and freedoms arising from data processing, and, if a high risk is identified, conduct a data protection impact assessment;
• Prioritize data minimization in all products, projects, and services;
• Maintain records of data processing activities in accordance with the Law;
• Process data through authorized data processors only on the basis of a legal act and/or written agreement that clearly defines the legal grounds and purposes for processing, the categories of data, duration of processing, and obligations of the parties;
• Take any other appropriate measures.

Article 5. Enforcement

1. To implement the measures defined in Article 4 of this Policy, the Organization will develop additional written documentation and take other appropriate actions.

2. In order to identify and coordinate adequate responses to risks arising from the processing of data in accordance with this Policy:

• The Organization’s Data Protection Officer monitors the Organization’s compliance with the Law and this Policy and provides relevant recommendations;
• Information asset owners ensure that the data-containing assets they manage comply with the Law and this Policy.

Article 6. Review of the Policy

This policy will be reviewed at least once a year, with appropriate amendments made if necessary.