| On the Approval of the Criteria for Determining the Circumstances Giving Rise to the Obligation for a Data Protection Impact Assessment, and the Assessment Procedure | |
|---|---|
| Document number | 21 |
| Document issuer | Head of the Personal Data Protection Service |
| Date of issuing | 28/02/2024 |
| Document type | Order of the Head of the Personal Data Protection Service |
| Source and date of publishing | Website, 28/02/2024 |
| Activating Date | 01/06/2024 |
| Registration code | 010100000.78.091.016022 |
Order No 21
of 28 February 2024
of the Head of the Personal Data Protection Service
Tbilisi
On the Approval of the Criteria for Determining the Circumstances Giving Rise to the Obligation for a Data Protection Impact Assessment, and the Assessment Procedure
In accordance with Article 31(9) and Article 88(4)(b) of the Law of Georgia on Personal Data Protection, I hereby order:
Article 1
The annexed criteria for determining the circumstances giving rise to the obligation for a Data Protection Impact Assessment and the assessment procedure shall be approved.
Article 2
This Order shall enter into force on 1 June 2024.
Head of the Personal Data Protection Service Lela Janashvili
The Criteria for Determining the Circumstances Giving Rise to the Obligation for a Data Protection Impact Assessment, and the Assessment Procedure
Chapter I – General Provisions
Article 1 – Scope
The Criteria for Determining the Circumstances Giving Rise to the Obligation for a Data Protection Impact Assessment, and the Assessment Procedure (the Procedure) shall determine the criteria for determining the circumstances giving rise to the obligation for a Data Protection Impact Assessment and the procedure for carrying out the assessment provided for by Article 31(1) of the Law of Georgia on Personal Data Protection (the Law).
Article 2 – Terms
The terms used in this Procedure shall have the meanings as defined by the Law.
Article 3 – Purpose of the Data Protection Impact Assessment
1. The Data Protection Impact Assessment (impact assessment) shall constitute an assessment of the circumstances relating to the processing of personal data (data) which poses a threat to fundamental human rights and freedoms.
2. An impact assessment shall facilitate a controller in ensuring the following during data processing:
a) the proactive consideration of any threat posed with regard to data at the initial stage of data processing;
b) the identification, assessment and significant mitigation of threats posed to fundamental human rights and freedoms as a result of data processing;
c) taking a lawful and fair decision regarding the initiation of the process of data processing;
d) the involvement of all interested persons in the planning process of data processing;
e) the transparency of data processing;
f) compliance with the obligations provided for by Article 26 of the Law.
Chapter II – Determining the Circumstances Giving Rise to the Obligation for an Impact Assessment
Article 4 – Obligation for an impact assessment
1. The obligation for an impact assessment shall arise if the threat of the violation of fundamental human rights and freedoms is highly probable taking into account new technologies for data processing, the data category, their amount, and the purpose and means of data processing.
2. Except for the case provided for by paragraph 1 of this article, an impact assessment on data processing shall be obligatory if a controller:
a) makes a decision with a legal, financial or any other outcome of essential significance for a data subject in a fully automated manner, including on the basis of profiling;
b) processes large quantities of a data subject’s data of a special category;
c) carries out the systematic and large-scale monitoring of the behaviour of a data subject in places of public gathering.
3. In the cases provided for by paragraph 1 of this article, in order to determine the existence of the obligation for an impact assessment, a controller shall assess whether there are circumstances for determining a threat of violation of fundamental human rights and freedoms as provided for by Article 5 of this Law.
4. For the purposes of this Procedure, not less than 3% of the population of Georgia shall be deemed as large quantities of data subjects, which shall be calculated according to the latest results of the census of population.
Article 5 – Determining a threat of violation of fundamental human rights and freedoms
To determine the high probability of a threat of violation of fundamental human rights and freedoms (threat) as a result of data processing by applying new technologies, a data category, their amount, and the purpose and means of data processing, at least two of the following circumstances shall be present simultaneously:
a) profiling, the results of which shall be taken into consideration in making a decision which produces legal effects for a data subject, or when such decision concerns offering a product or a service to a data subject, gaining a certain benefit, the assessment of the quality of work performed by employees, or other activities related to human resources management, or physical access to certain places or movement;
b) the systematic and large-scale monitoring of the behaviour or state (including physical/health status) of a data subject by means of an electronic system/technology, or when such monitoring is performed in respect of employees;
c) the use of an electronic system which aims at offering and/or providing a product or service to a user and through which the financial data and/or the data concerning the real-time location of the user are processed;
d) the implementation of new technology or an innovative application;
e) the comparison or unification of databases generated from the process of two or more different data processing activities, for different purposes and/or by different controllers;
f) data processing which may result in discrimination against a data subject;
g) data processing which may result in the refusal of an offer of a product/service or the restriction of the rights of a data subject;
h) the processing of the data of the employees of a controller, the patients of a medical institution, minors, persons with disability and those in need of special social or legal protection.
Chapter III – Procedure for an Impact Assessment
Article 6 – Carrying out an impact assessment
1. An impact assessment shall be carried out before the initiation of data processing or in the case of its change/update.
2. If a controller carries out data processing through a processor, the processor shall, at the request of the controller and where required, assist the controller in the impact assessment, taking into consideration the information available to the processor and the nature of the data processing.
3. Joint controllers may carry out an impact assessment jointly or individually, by a legal act or on the basis of conditions determined by a written agreement, in accordance with this Procedure.
Article 7 – Persons participating in the process of impact assessment
1. A controller shall ensure the participation of the following persons in the process of an impact assessment, if any:
a) a respective structural unit or a person responsible for the creation or update of a certain product or service within the frameworks of which data processing is carried out;
b) a personal data protection officer;
c) a structural unit/person responsible for information security;
d) a structural unit/person responsible for information technologies.
2. A controller may involve the following in the process of an impact assessment, if necessary:
a) an expert possessing special knowledge regarding certain processes;
b) data subjects or their representatives;
c) other persons whose participation is important in the process of an impact assessment.
Article 8 – Ensuring communication and receiving consultations in the process of an impact assessment
1. A controller shall ensure proper communication between the respective units participating in the process and employees, as well as with the management of the controller at all stages of the process of an impact assessment.
2. A controller shall be authorised to communicate directly with data subjects or their representatives if necessary, to share opinions related to the planned process of data processing.
3. The proper communication with persons provided for by Article 7 of this Law, and receiving consultations from them during an impact assessment, shall be a continuous process and shall be carried out during the entire impact assessment cycle.
Article 9 – Stages of an impact assessment
An impact assessment shall consist of the following stages:
a) a description of the process of data processing;
b) an assessment of the necessity and proportionality of data processing;
c) a threat assessment.
Article 10 – Description of the process of data processing and assessment of the necessity and proportionality of processing during an impact assessment
1. A controller shall start an impact assessment by describing the process of data processing, which shall include information regarding the data category, the purpose and grounds for the data processing, the time limits for data storage, the extent of the data processing, the data subject category, a technical description of the process of the data processing, as well as information about any third person receiving data, a joint controller or processor, if any, relevant intraorganisational regulatory acts, and other information related to the process of the specific data processing.
2. The description/assessment of the process of data processing is an inclusive process and shall include active consultations and proper communication with the persons provided for by Article 7 of this Law.
3. During the description/assessment of the process of data processing, the following means shall be used:
a) a SWOT analysis – a strategic planning technique that assesses the condition of a controller and his/her capabilities, and studies the business environment, analyses the expectations of interested parties, as well as the advantages and disadvantages, and capabilities and threats of the data processing, and determines requirements for the controller and the skills of the participants in the process of the data processing;
b) individual and group discussions scheduled based on the necessity to transfer/share any relevant information;
c) meetings with the target groups of the process of the data processing;
d) workshops/seminars, aiming at sharing information regarding any threats, with the participants of the process of the data processing.
4. At the initial stage of an impact assessment, a controller shall assess whether only the data necessary to achieve a relevant legitimate purpose are being processed and whether the data are proportionate to the purpose for which they are being processed.
Article 11 – Process of threat assessment
1. After the description of the process of the data processing and the assessment of the necessity and proportionality of the data processing, a controller shall initiate the process of threat assessment which includes:
a) the identification of threats and their sources;
b) a qualitative threat analysis;
c) a response to the threats;
d) the registration of the threats.
2. The process of threat assessment shall be carried out in compliance with the principle of inclusiveness, using the method of continuous communication and consultation. At each stage of a threat assessment, other relevant methods facilitating the assessment of all potential threats may be used, as selected by a person provided for by Article 8 of this Procedure and/or by a controller.
3. At the stage of the identification of threats and their sources, each potential severe threat, including those provided for by Article 31(5) of the Law, and its source shall be identified.
4. The stage of qualitative threat analysis shall assess the possible harmful results of the identified threats and the degree of their impact on fundamental human rights and freedoms. During the stage of qualitative threat analysis, the following shall be assessed:
a) potential harmful results for a data subject, posed by the identified threat, which may include: the appropriation or falsification of an identity, financial loss, the discrediting of a reputation, the breach of confidentiality of personal data protected by professional secrecy, the illegal disclosure of pseudonymised personal data, the deterioration of health status, the restriction of access to an infrastructure of vital importance, as well as other kinds of significant tangible or intangible damage of physical, property or non-property value;
b) the high probability of the occurrence of a result provided for by subparagraph (a) of this paragraph, taking into consideration the measures already taken by a controller to ensure data protection and security.
5. If, at the stage of qualitative threat analysis, it is discovered that a high probability of the occurrence of one of the results provided for by paragraph 4(a) of this article is present, a controller shall start the response to relevant threats.
6. The response to threats shall include the planning and implementation by the controller of specific measures intended for the mitigation of the threats, which may serve one of the following purposes:
a) the elimination of the circumstances provided for by paragraph 4(a) of this article;
b) a decrease in the high probability of the occurrence of the circumstances provided for by paragraph 4(a) of this article.
7. As a rule, adequate technical and organisational measures for ensuring data security shall be used for the mitigation of threats.
8. If a severe threat is detected as a result of an impact assessment, a controller shall be obliged to take all necessary measures to mitigate the threat significantly and, if necessary, apply to the Personal Data Protection Service for consultation.
9. In the case of applying to the Personal Data Protection Service, a controller shall submit:
a) information on the authority of a controller, a joint controller and a processor;
b) information on the planned purposes and means of the data processing;
c) information on the security measures determined for the protection of the rights and freedoms of a data subject;
d) the contact details of the personal data protection officer (if any);
e) the Data Protection Impact Assessment;
f) any other (additional) information at request of the Personal Data Protection Service.
10. A controller may not start data processing until the response provided for by paragraph 6 of this article is carried out with regard to all identified threats.
11. If additional organisational and technical measures cannot ensure the significant mitigation of the threat, data processing shall not be carried out.
12. The registration of threats constitutes the documented registration by the controller of the identified threats, their sources, the measures of response to them and the measures taken for the mitigation of the threats, as well as the results achieved.
Article 12 – Impact assessment document
1. During an impact assessment, a controller shall be obliged to create a written document which includes:
a) the description of the data category, the purposes of their processing, proportionality, process and grounds;
b) the assessment of potential threats of violation of fundamental human rights and freedoms and the description of the organisational and technical measures intended for the purpose of protecting data security.
2. The document provided for by paragraph 1 of this article may also include the following:
a) information on persons involved in the process of the impact assessment and their opinions;
b) information on the methods used for the impact assessment;
c) information on the decisions made taking into consideration the results of the impact assessment.
3. In the case of an essential change in the process of data processing, the controller shall be obliged to update the impact assessment document.
4. The controller shall be obliged to keep the impact assessment document throughout the period of data processing and in the case of the termination of the data processing – for at least 1 year.
5. The data processing impact assessment document shall not be subject to disclosure, if it may threaten state security interests, information security and cyber security interests and/or defence interests, public safety interests, crime prevention, the conduct of operative and investigative activities, crime investigation, prosecution, the administration of justice, the enforcement of detention and imprisonment, the execution of non-custodial sentences and probation, interests relating to financial or economic matters (including monetary, budgetary and taxation matters), public health and social protection issues, and the overriding legitimate interests of a controller and a processor.
Article 13 – Revision of an impact assessment document
After the termination of an impact assessment and the preparation of the relevant document, a controller shall be obliged to carry out the constant monitoring of the impact process and, if necessary, to revise the impact assessment document taking into consideration potential changes in the process of data processing and the accompanying threats, to ensure compliance with the requirements established by the Law.