Personal Data Processing Policy (Regarding Data Processing within the Scope of the Website and Landing Pages)

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter — the "Policy") defines the rules for processing the personal data of data subjects (clients, potential clients/leads, and website visitors) by MONT (Georgia, Tbilisi) LLC (hereinafter — the "Company") within the scope of its promotional landing pages, official website, and online contact forms.

1.2. This Policy establishes the organizational and practical measures designed to ensure data protection against accidental or unlawful loss, destruction, leakage, alteration, disclosure, or unauthorized use.

1.3. To ensure the protection of personal data, the Company takes into account the categories, volume, and purposes of data processing, as well as potential risks of violating the data subject's rights.

1.4. For the purposes of this Policy, the terms used herein shall have the meanings ascribed to them by the Law of Georgia "On Personal Data Protection".

2. Definition of Terms

2.1. In accordance with the Law No. 3144-XIმს-Xმპ of 14/06/2023 “On the PROTECTION OF PERSONAL DATA”, the following basic concepts are used in this Policy:

  • Personal data — any information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified, directly or indirectly, including by reference to a name, surname, contact information, an electronic identifier, or other specific characteristics;
  • Personal Data Processing — any operation performed in relation to personal data, including collection, receipt, recording, organization, storage, alteration, retrieval, use, blocking, erasure, destruction, or any other action;
  • Data Controller v MONT (Georgia, Tbilisi) LLC, Identification Code: 205144075, Legal Address: Tbilisi, Tsabadze St. Block N4, Floor 2; Actual Address: Tbilisi, Bokhua St. N4, which determines the purposes and means of processing data subjects' data obtained from the website, landing pages, and online forms;
  • Data Subject — a natural person (client, potential client/lead, website visitor) who independently and voluntarily fills out an information form on the website or a landing page
  • Website — the official website of the Company, including the landing pages hosted on it, contact forms, and other electronic means of communication with the user;
  • CRM System — an internal electronic system owned and managed by the Company, hosted on the Company's local servers, and used for managing customer requests, communications, and business relationships;
  • Landing Page — a targeted promotional webpage of the Company, the primary function of which is to collect user contact details solely for the purpose of initial feedback and pre-contractual communication;
  • Information/Registration Form — a set of fields on the website or landing page (name, surname, phone number, company, position, email, etc.) filled out by the user to contact the Company;
  • Authorized User — an employee (manager) of the Company who, in order to perform their official duties, is granted access to the data received from the landing page or to the CRM system;
  • Security Incident — any breach of data security that leads to the unlawful or accidental damage, loss, unauthorized disclosure, alteration of, or unauthorized access to the contact databases received from the landing page;
  • Scope of Processing — within the scope of the landing pages and the website, the Company processes only the personal data that is necessary to achieve the goals defined by this Policy. The Company does not engage in profiling or automated individual decision-making.

The Company does not collect or process:

  • Special categories of personal data;
  • Biometric data;
  • Genetic data;
  • Data relating to criminal convictions and offenses;
  • Data obtained as a result of video monitoring.

3. Core Principles of Data Processing

3.1. The processing of personal data within the Company is based on the following fundamental principles:

  • Lawfulness, Fairness, and Transparency: Data is processed fairly, lawfully, and in a transparent manner for the data subject. The data subject is informed of the purpose of data collection in advance.
  • Purpose Limitation: Data is collected only for specific, explicitly defined, and legitimate purposes (initial feedback and pre-contractual communication) and shall not be processed in any other manner incompatible with these purposes.
  • Data Minimization: The Company collects only the personal data that is adequate, relevant, and limited to the minimum necessary to achieve the intended purpose.
  • Accuracy: Data must be accurate and, where necessary, kept up to date. The Company takes steps to immediately delete or correct erroneously filled or inaccurate data.
  • Storage Limitation: Data is stored for no longer than necessary to achieve the purpose of data processing or as established by law. Upon expiration of the period, the data shall be destroyed.
  • Integrity and Confidentiality (Security): Data is processed in a manner that ensures its appropriate security, using organizational and practical safeguarding mechanism.

4. Data Collection Practices and Initial Feedback

4.1. Filling out an online form on the website or landing page and clicking the "Submit" button by the data subject constitutes their voluntary request for the Company to contact them solely for the purpose of providing the specific information requested. This communication serves to initiate a pre-contractual relationship. Filling out and submitting the form does not constitute consent to direct marketing and does not grant the Company the right to send promotional or marketing messages to the data subject, except for the information that the data subject has explicitly expressed a desire to receive.

4.2. If, as a result of the initial feedback, it is determined that the data subject filled out the form by mistake, or if it is established that they are no longer interested in the Company's services, the Company is obliged to immediately cease all further communication with them.

4.3. Since the Company does not engage in direct marketing, subjects with whom no agreement was concluded following the initial communication will not be sent any promotional, informational, or marketing materials (SMS, Email) in the future.

4.4. A link to the Privacy Policy must be displayed in a prominent place on the website, landing page, or near the relevant online form, so that prior to submitting the form, the data subject is provided with information regarding the data controller, purposes of processing, legal basis, retention period, and the data subject's rights.

4.5. The Company processes personal data only when there is a legal basis provided for by the legislation of Georgia, including:

  • Based on the consent of the data subject;
  • At the request of the data subject to establish a pre-contractual relationship or to carry out relevant actions;
  • To fulfill legal obligations imposed on the Company;
  • To realize the legitimate interest of the Company, provided that it does not violate the rights and freedoms of the data subject;
  • In other cases provided by legislation.

5. Rights of the Data Subject and Timelines for Review

5.1. Data subjects of the Company's website and landing pages have the right to contact the Company at any time and request the exercise of the following rights:

  • Access to and Receipt of Information: To receive information on whether their data is being processed, the legal basis and purpose of processing, the categories of data processed, the retention period, and the recipients of the data; as well as to review this data and receive a copy thereof;
  • Rectification, Update, and Completion: To request the correction of inaccurate, incomplete, or outdated data existing about them;
  • Ceasation of Processing, Erasure, or Destruction: To request the termination of data processing, erasure, or destruction if the data is processed in violation of the law or is no longer necessary for the purpose for which it was collected;
  • Data Blocking: To request the blocking (temporary suspension) of data if its accuracy or lawfulness is contested;
  • Withdrawal of Consent: To withdraw their consent to data processing at any time;
  • Appealing to the Personal Data Protection Service: The data subject has the right to appeal to the Personal Data Protection Service in accordance with the rules established by law if they believe that their personal data is being processed in violation of Georgian legislation.

5.2. The Company shall review and respond to the data subject's request in accordance with the rules and timelines established by the legislation of Georgia, namely:

  • Provision of information/access (giving a copy of data): No later than 10 working days from the request (if necessary, the period may be extended by no more than 10 working days).
  • Rectification, update, completion, cessation of processing, erasure, destruction, or blocking of data: No later than 15 working days from the request (extension by no more than 15 working days).

5.3. During the process of reviewing the request, if necessary, the Company has the right to request additional information or documentation for the purpose of identifying the data subject and properly evaluating the request.

5.4. To exercise the rights provided under this Article, the data subject shall contact the Company at the following email address: personaldata@monttech.ge.

5.5. The data subject can withdraw consent by sending an electronic notification to the Company at personaldata@monttech.ge or through the same channel of communication through which the consent was initially granted.

5.6. The withdrawal of consent shall not affect the lawfulness of personal data processing carried out prior to its withdrawal.

6. Access Control and Database Security

6.1. Access to data received from landing pages and online forms on the website is restricted to authorized employees of the Company, namely the General Director, Marketing Manager, Business Development Managers, and Sales Managers, who require this data to perform their official duties. The data may be stored in the Company's CRM system.

6.2. Personal, complex passwords must be used to access the CRM system or the landing page management panel from work devices (computers, smartphones). Sharing these passwords with others is strictly prohibited.

6.3. It is prohibited to download data obtained from the landing page (Excel, CSV files) for personal purposes or to share them via unofficial communication channels (WhatsApp, Messenger, etc.).

6.4. In the event of resignation or change of position of any Company employee listed in Clause 6.1 of this document, all their access to contact databases, CRM, and corporate email shall be revoked immediately.

6.5. The Company ensures that authorized users are informed about their personal data protection obligations and takes appropriate organizational measures to ensure data confidentiality.

6.6. Authorized users are obliged to protect the confidentiality of personal data known to them both during the term of their employment relationship and after its termination, unless otherwise provided by legislation.

7. Cookie Policy

7.1. The Company may use technical, functional, and analytical cookies on the website and landing pages for the purpose of ensuring the smooth operation of the website, statistical analysis, and service improvement.

7.2. Upon the very first visit to the website/landing page, the data subject must be provided with information regarding the use of cookies (Cookie Banner) and given the opportunity to accept or reject analytical cookies. Until active consent is granted by the data subject (by clicking the "Accept" button), these files shall not be activated and no data collection shall take place.

7.3. Information collected through cookies (IP address, browser type, website behavior) is used solely for the purpose of technical improvement of the website's performance and for statistical purposes.

8. Data Disclosure to Third Parties and International Transfer

8.1. Personal data received through the landing page shall not be transferred to third parties, except in cases directly provided for by the legislation of Georgia.

8.2. Access to personal data received through the landing page is restricted to authorized employees of the Company who require this data to perform their official duties.

8.3. The existence of advertising campaigns related to the products or services of partner manufacturers, suppliers, or other partner organizations does not imply the transfer of personal data received through the landing page to said organizations.

8.4. The Company does not carry out international transfers of personal data.

8.5. In the event that a necessity for the international transfer of personal data arises in the future, it shall be carried out only in compliance with the requirements established by the legislation of Georgia.

9. Security Incident Management

9.1. Any employee who detects a data security incident, data leak, unauthorized access attempt to the system, or other similar circumstances, is obliged to immediately notify the Company's management.

9.2. Immediately upon recording an incident, the Company begins investigating the circumstances, isolates the threat, takes appropriate technical and organizational measures, and assesses the potential impact of the incident on the rights and freedoms of data subjects.

9.3. If a data security breach is highly likely to pose a risk of significant violation or damage to the rights and freedoms of a natural person, the Company is obliged to notify the Personal Data Protection Service within 72 hours from the discovery of the security incident (data breach).

9.4. In cases provided for by the legislation of Georgia, where a security incident may cause significant harm to the rights and freedoms of a data subject, the Company shall also ensure that the data subject is informed about the nature of the incident, possible consequences, protection measures taken or planned, and contact means for obtaining additional information.

9.5. The Company ensures the recording and documentation of information related to all data security incidents (maintaining an internal registry/log). The documentation must include the facts of the incident, its impact (consequences), and the corrective measures taken to remedy it.

10. Security Incident Management

10.1. Personal data received through the landing page or website shall be stored for a period of no more than 1 (one) year from its receipt. This period is determined based on the necessity of communication with potential clients and the initiation of a possible business relationship.

10.2. If a business, pre-contractual, or contractual relationship is established between the data subject and the Company during this period, further processing and storage of personal data shall be carried out for the purposes of the respective relationship and within the timelines provided by the legislation of Georgia.

10.3. Upon expiration of the retention period, the data shall be deleted or destroyed in a manner that renders its recovery impossible, unless the legislation of Georgia requires longer retention of the data.

11. Review of and Amendments to the Policy

11.1. This Policy is subject to periodic review by the Company to ensure its continuous compatibility with applicable legislation, recommendations of the Personal Data Protection Service, and Company practices.

11.2. Any amendments or additions to this Policy shall be implemented by the management of the Company through the approval of a new edition.

11.3. The updated version of the Policy shall enter into force immediately upon its approval and is mandatory for compliance by all employees of the Company who handle data received from landing pages.