Политика Конфиденциальности

Владелец данных

Настоящая Политика Конфиденциальности подготовлена компанией Pillaw LLC, которая является независимо действующей юридической фирмой, учреждённой в соответствии с законодательством Грузии. Контролёром персональных данных является Pillaw LLC, с которой вы взаимодействуете (далее — «Фирма»), если иное прямо не указано.

Фирма ценит вашу конфиденциальность и уделяет особое внимание вопросам защиты персональных данных. Настоящее заявление составлено на основании Закона Грузии «О защите персональных данных» (далее — «Закон») и Общего регламента ЕС по защите данных (GDPR). В документе описывается, как Pillaw LLC собирает и использует ваши персональные данные, законные цели их сбора, основания и цели обработки данных, а также ваши права в отношении персональных данных.

Definition of Terms according to LDP

a) Personal Data (‘data’) – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, including by his/her name, surname, identification number, location data and electronic communication identifiers, or by physical, physiological, mental, psychological, genetic, economic, cultural or social characteristics;
b) special categories of data – data connected to a person’s racial or ethnic origin, political views, religious, philosophical or other beliefs, membership of professional unions, health, sexual life, status of an accused, convicted or acquitted person or a victim in criminal proceedings, conviction, criminal record, diversion, recognition as a victim of trafficking in human beings or of a crime under the Law of Georgia on the Elimination of Violence against Women and/or Domestic Violence, and the Protection and Support of Victims of Such Violence, detention and enforcement of his/her sentence, or his/her biometric and genetic data that are processed to allow for the unique identification of a natural person;
c) biometric data − data processed using technical means and related to the physical, physiological or behavioural characteristics of a data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirm the identity of that data subject;
d) processing of data − any operation performed on personal data, including collecting, obtaining, accessing, photographing, video monitoring and/or audio monitoring, organising, grouping, interconnecting, storing, altering, retrieving, requesting for access, using, blocking, erasing or destroying, and disclosing by transmission, publication, dissemination or otherwise making available;
e) data subject – any natural person whose data are being processed;
f) consent of the data subject – consent freely and unambiguously expressed by a data subject after the receipt of the respective information, by an active action, in writing (including in electronic form) or verbally, to the processing of data concerning him/her for specific purposes;
g) controller – a natural person, a legal person, or a public institution, who individually or in collaboration with others determines the purposes and means of the processing of data, and who directly or through a processor processes data;
h) direct marketing − the direct and immediate delivery of information to a data subject by telephone, mail, email or other electronic means to generate and maintain interest in, sell and/or support a natural and/or legal person, product, idea, service, work and/or initiative, as well as image and social issues. The provision of information by a public institution to a natural person shall not be considered direct marketing if the provision of such information is compatible with any of the grounds for data processing as provided for by Articles 5 and 6 of LDP;

Grounds for data Processing

The Firm processes data on the following grounds:

● the data subject has given consent to the processing of data concerning him/her for one or more specific purposes – Article 5 (1) (a) of LDP; Article 6 (1) (a) of GDPR;

● data processing is necessary for the performance of a contract entered into with the data subject or to enter into a contract at the request of the data subject – Article 5 (1) (b) of LDP; Article 6 (1) (b) of GDPR;

● data processing is necessary to review an application submitted by the data subject (to provide services to him/her) – Article 5 (1) (j) of LDP;

Consent for data processing by the data subject shall be given in writing form or verbally depending on the nature of the data. Clicking the “Submit” button after describing the legal issue through the Contact form on the Firm’s website, is one of the ways for data subject to provide the consent for data processing. The Firm ensures to provide all necessary information to the data subject, before receiving consent from him/her. Information includes: grounds for data processing, specific purposes of processing data, scope of data processing and every other information that is established by this statement and Georgian Law of Data protection.

Collection of Personal Data

We collect the following categories of Personal Data about clients, prospective clients:

Basic Personal Identifiers:  Name, Surname, location data, phone number, e-mail, identification number, Passport number, physical characteristics, contact data, e-mail metadata (except IP address, message ID, Routing Information),

Client Service Data: Personal data received from clients in respect of employees, customers or other individuals known to clients, invoicing details and payment history, client feedback.

Transaction Data: Personal Data contained in documents, correspondence or other materials provided by or relating to transactions, or other legal matters on which we are advising our clients.

Compliance Data: Government identifiers, passports or other identification documents, dates of birth, beneficial ownership data, and due diligence data.

Job applicant Data: Data provided by job applicants or others on our Website or offline means in connection with employment opportunities.

The Firm does not process special categories of data.


Use of Personal Data:

The firm guides with the principles established by LDP and GDPR relating to the processing of Personal data. The firm processes personal data lawfully, fairly and in a transparent manner for the data subject, without interfering the inviolability of human dignity – Article 4 (1) of LDP; Article 5 (1) of GDPR;

Principles used by the Firm are as follows:
● data is collected/obtained strictly for specified, explicit and legitimate purposes, further processing of data is not allowed, if legitimate purpose of processing is already achieved;
● processed data is proportioned to the legitimate purpose;
● data is valid and accurate, whenever the necessity occurs data is kept up to date, inaccurate data is destroyed or erased without undue delay;

If data are to be processed for purposes other than those for which they have been collected/obtained, and the processing is not based on the consent of the data subject or on law, the firm shall, in order to decide whether the data were processed for purposes other than those for which they have been collected/obtained, take into account:

a) any link between the initial purpose for which the data have been collected/obtained and the intended further purpose;

b) the nature of the relationship between the controller and the data subject in the context of collecting/obtaining data;

c) whether the data subject has reasonable expectations as to the further processing of data concerning him/her;

d) whether special categories of data are processed;

e) possible consequences for the data subject that may accompany further data processing;

f) the existence of technical and organisational safeguards.

Storage of data: Processed data is not stored more than six months, unless the substance and the legitimate purpose of processing this data requires more time. If the ground of processing the data is ceased or the purpose of processing is achieved sooner than six months, the Firm destroys data without undue delay.

Organisational measure ensuring the security of data: members of the firm are prohibited from sharing the processed personal data to each other, unless it is necessary for the provision of services to the clients.


The purposes for which we use Personal Data are as follows:
● To provide services and respond to inquiries – we use basic personal identifiers, client service data, transaction data, Biometric data, compliance data.
● To manage our business operations and administer our client relationships - we use basic personal identifiers and client service data. This processing is necessary in order to perform our obligations under our contracts with our clients (e.g. issuing and processing invoices) and suppliers (e.g. managing the supply of goods and services to them).
● To expand and maintain our list of contacts, better understand how people use our services and improve the strength of our relationships with clients and other third parties - we use basic personal identifiers, It is necessary for our legitimate interests to keep your information accurate and up-to-date with the aim of improving the overall client experience and our relationship with you.
● To address compliance and legal obligations - such as complying with the Firm's tax reporting obligations, checking the identity of new clients and to prevent money laundering and/or fraud we use compliance data, basic personal identifiers, transaction data. This processing is necessary for the purposes of complying with legal requirements to which we are subject.
● To consider individuals for employment and contractor opportunities and manage on-boarding procedures - we use job applicant data and compliance data. The processing is necessary for the purposes of recruitment and on-boarding and for complying with legal obligations to which we are subject and which may be subject to a relevant recruitment privacy policy.
● For direct marketing purposes – we use basic personal identifiers for marketing purposes.

Data usage for direct marketing purposes:

Data is only processed for direct marketing purposes only with the consent of the data subject - Article 12 (1) of LDP;
In addition to the basic personal identifiers (name, surname, address, telephone number and e-mail address of the data subject) other data is processed only with the written consent of the data subject.

The Firm shall ensure that the data subject has the possibility to request that the processing of data for direct marketing purposes be terminated in the same form in which the direct marketing is carried out, or to determine other available and adequate means to request the termination of the processing.

The data subject whose data is processed for direct marketing purposes has right to withdraw his/her consent (Article 12 (3) of LDP, GDPR Article 7(3)). Withdrawing consent means that the the data subject refuses and he/she wants the Firm to stop processing data for direct marketing purposes. The data subject is allowed to withdraw consent at any time.

In order to withdraw consent, the data subject has follow certain steps:
● office@pillaw.ge – Send the e-mail requesting to withdraw your consent to data processing;
● The firm will respond you and terminate data processing for direct marketing purposes no later than 10 working days;

Sharing of data
The Firm does not share processed personal data to other entities or oganizations, unless it is directly required for the provision and nature of the service and prior consent is given from the data subject.

Your rights regarding Personal Data

You have the right to obtain information from the Firm whether or not data concerning you are being processed and request the following information free of charge – Article 14 (1) of LDP;

● which data concerning him/her are being processed, as well as the grounds for and the purpose of the processing;
● the source from which data were collected/obtained;
● the period for which the data will be stored, if no specific period can be determined, the criteria used to determine that period;
● the decision made as a result of automated processing, including profiling, and the logic involved in making such a decision, as well as its impact on the processing and the expected results of the processing;
● the right to access and to obtain a copy of the data concerning the data subject;

You have the right to request the Firm to update data concerning you or to complete the data in order to avoid processing and possessing inaccurate or incomplete data.

Under certain circumstances, you have the right to termination of the processing, erasure or destruction of data, to request the blocking of data (the temporary suspension of data processing (except storing)), right to withdraw consent regarding the information processed about you and you also have the right to the transmission of data. Right to transmission of data means that you have the right to receive your personal data in a structured, commonly used and machine readable format and to transmit your personal data to another organization.  

Right to withdraw consent regarding your personal data can be used any time. If it is not connected to data processed for direct marketing purposes, standard procedure of making requests regarding your personal data rights shall be used (see below) – This right is established by Article 20 of LDP and invoking this right does not require any explanation. However, the withdrawal of the consent shall be made in the same form, which it was given.

Procedure for making requests to the Firm regarding your personal data related rights:

The data subject shall submit its requests to the Firm via e-mail: office@pillaw.ge


The firm has 10 working days in order to respond the requests of data subjects and fulfill their legal rights established by law and this privacy statement.

This period may, in special cases and upon appropriate justification, be extended by no more than 10 working days, of which the data subject shall be notified immediately.


Finally, if you assume that the rules established by the law of Georgia on Personal Data Protection and/or rules described by this statement are violated, you have the right to appeal by following means:

● apply to the Personal Data Protection Service;
● to a court and/or a superior administrative body in accordance with procedures established by law;

You can request the Personal Data Protection Service to make a decision to block the data until a decision is made to complete the consideration of application. Even further, you still have the right to appeal the decision of the Personal Data Protection Service to a court, in compliance with the conditions and time limits established by the legislation of Georgia -Article 22 (1) (2) (3) of LDP.