Data Protection &
Privacy Standards
Last updated: March 2026. This policy outlines how Nomos Georgia collects,
uses, and protects your data in strict compliance with the Law of Georgia on
Personal Data Protection.
The present Personal Data Protection Policy (hereinafter – the “Policy”) defines the legal grounds, purposes, and rules for the collection, processing, use, storage, and protection of users’ personal data by LLC Nomos (hereinafter – the “Company”).
The Policy has been developed in accordance with the requirements of the Law of Georgia on Personal Data Protection and is based on international standards for personal data protection, including the core principles of the General Data Protection Regulation (GDPR) of the European Union (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, security, and accountability).
01 Definition of Terms
1.1 Data Controller (Company) – LLC Nomos, which determines the purposes and means of processing personal data and carries out such processing directly or through an authorized person.
1.2 Data Subject / User – a natural person whose personal data is processed by the Company (a visitor of the website).
1.3 Personal Data – any information relating to an identified or identifiable natural person.
1.4 Data Processor / Authorized Person – a natural or legal person that processes personal data on behalf of or for the Company.
1.5 Profiling – automated processing of data aimed at evaluating the user’s professional characteristics, skills, experience, or suitability.
02 Scope of Information Collection
2.1 The Company collects and processes personal data only to the extent necessary for the functioning of the platform, the provision of services to users, and the fulfilment of obligations established by law.
2.2 Personal data is collected both through direct submission by the data subject and automatically during the use of the platform.
2.3 Personal data processed by the Company may include the following categories:
2.3.1 Identification and contact data (only if the visitor independently enters such information on the platform for the purpose of booking a consultation) – name and surname, residential address, date of birth, telephone number, email address, and name of the organisation.
2.3.3 Behavioural and technical data – information regarding the user’s interaction with the platform, including the functions used and session times, which are necessary for ensuring the proper functioning and security of the platform.
2.3.4 Documentary data – information that the user voluntarily provides in the consultation text field.
03 Sources of Data
3.1 Personal data is collected:
• through direct provision by the user;
• automatically during the use of the website and services.
04 Cookies and Similar Technologies
4.1 The Company uses cookies and similar technologies to improve user experience, personalize content, analyze traffic, and increase the efficiency of the platform. Cookies can be managed through the user’s browser settings.
05 Purposes and Legal Grounds for Data Processing
5.1 Personal data is processed for the following purposes:
• ensuring the functioning of the platform;
• communication with the visitor and receiving feedback, including for the purpose of booking legal consultations;
• fulfilment of obligations provided by law.
5.2 The legal grounds for processing include: the consent of the data subject, the legitimate interest of the Company, and obligations imposed by law.
06 Transfer of Data to Third Parties
6.1 Personal data is not transferred to third parties except in cases provided by law or to service providers with whom appropriate confidentiality agreements have been concluded.
07 Data Retention Period
7.1 Personal data is stored for the period necessary for legal or operational purposes. After the expiration of such period, the data will be deleted or anonymised.
08 Data Security
8.1 The Company applies reasonable technical and organisational measures to ensure the protection of data.
09 Rights of the Data Subject
9.1 The data subject has all rights defined by the Law of Georgia on Personal Data Protection. The Company ensures the implementation of these rights in accordance with the procedures and timeframes established by law.
9.2 The data subject has the right to request information from the Company regarding the processing of their personal data. In such cases, the institution shall provide the following information no later than 10 (ten) calendar days from receipt of the request:
9.2.1 Which categories of data are being processed about them;
9.2.2 for what purpose the data is being processed;
9.2.3 on what legal basis the data is being processed;
9.2.4 how the personal data was collected;
9.2.5 whether the data has been transferred to a third party, to whom it was transferred, and the legal basis and purpose of such transfer.
9.3 The data subject has the right to access the personal data held about them by the data controller and to receive copies of such data free of charge, except in cases where access to the data or issuance of copies:
a) requires payment as provided by the legislation of Georgia;
b) requires a reasonable fee determined by the data controller due to the resources spent for issuing data in a form different from the form of storage and/or due to the frequency of requests.
The data subject has the right to access the data specified in this Article and/or obtain copies thereof no later than 10 working days after submitting the request, unless another timeframe is established by the legislation of Georgia.
In exceptional cases and with proper justification, the period may be extended by no more than 10 working days, of which the data subject must be notified immediately.
The data subject has the right to receive the data in the form in which it is stored by the data controller or the authorized processor. The data subject may also request that copies be provided in another format for a reasonable fee established by the data controller, if technically feasible.
9.4 The data subject has the right to request the data controller to correct, update, and/or complete inaccurate, incorrect, or incomplete data concerning them.
Within 10 working days (unless another period is established by the legislation of Georgia), the institution must correct, update, and/or complete the data or notify the data subject of the grounds for refusal and explain the procedure for appealing the refusal.
If the data controller independently discovers that the data held is incorrect, inaccurate, or incomplete, it must correct, update, or complete such data within a reasonable period and notify the data subject within 10 working days after the correction.
The obligation to notify the data subject does not arise if the correction relates only to the elimination of a technical error.
9.5 The data subject has the right to request the data controller to cease the processing of their data (including profiling), and to delete or destroy such data.
Within 10 working days from the request (unless otherwise established by the legislation of Georgia), the processing must be terminated and/or the data must be deleted or destroyed, or the data subject must be informed of the grounds for refusal and the procedure for appealing such refusal.
The data subject has the right to receive information regarding the termination, deletion, or destruction of data immediately after such action is taken, but no later than 10 working days.
If the data is processed in a publicly accessible form, the data subject may additionally request the restriction of accessibility and/or deletion of copies of the data or any internet links associated with such data.
9.6 The data subject has the right to request the blocking of data if one of the following circumstances exists:
a) the data subject disputes the authenticity or accuracy of the data;
b) the processing of data is unlawful, but the data subject opposes deletion and requests blocking instead;
c) the data is no longer necessary for processing purposes, but the data subject requires it for filing a complaint or claim;
d) the data subject has requested cessation, deletion, or destruction of the data and the request is under review;
e) there is a necessity to retain the data as evidence.
The data controller is obliged to block the data upon request of the data subject if any of the above circumstances exist, except where such blocking may endanger:
a) the performance of duties imposed on the data controller by law or subordinate normative acts;
b) the performance of tasks related to the public interest or powers granted by legislation;
c) the legitimate interests of the data controller or a third party, unless there is an overriding interest in protecting the rights of the data subject, particularly a minor.
The Personal Data Protection Service may decide to block the data until the review of the data subject’s application is completed.
Despite blocking, processing may continue if necessary to protect the vital interests of the data subject or a third party, or for state security and defence purposes.
The data must remain blocked for the duration of the reason for blocking, and where technically possible, the blocking decision must accompany the relevant data.
The data subject must be informed about the decision regarding blocking or refusal to block no later than 3 working days from the request.
9.7 In the case of automated processing, if technically possible, the data subject has the right to receive the data provided by them in a structured, commonly used, and machine-readable format or request the transfer of such data to another data controller.
9.8 Except for the processing of a data subject’s name, surname, address, telephone number, and email address, the processing of other data for direct marketing purposes requires the written consent of the data subject.
The data subject has the right to withdraw consent for processing for direct marketing purposes, in which case the processing must cease within a reasonable time, but no later than 7 working days from receipt of the request.
9.9 The data subject has the right to withdraw their consent at any time without providing justification. In such a case, the processing must be terminated and/or the processed data must be deleted or destroyed within 10 working days, unless another legal basis for processing exists.
Consent must be withdrawn in the same form in which it was given.
Before withdrawing consent, the data subject has the right to request and receive information regarding the possible consequences of withdrawal.
9.10 In the event of violation of rights provided by this law, the data subject has the right to apply to the Personal Data Protection Service, a court, or a superior administrative body in accordance with the procedure established by law.
The data subject may also request the Personal Data Protection Service to decide on data blocking until the application review process is completed.
Decisions of the Personal Data Protection Service may be appealed before a court in accordance with the conditions and timeframes established by Georgian legislation.
10 Data of Minors
10.1 The platform is not intended for persons under the age of 16. If such data is identified, it will be deleted immediately.
☐ I confirm that by marking this field, I have fully read and agree with LLC Nomos:
• the Personal Data Protection Policy;
• the processing of my personal data for the purposes specified in the Policy;
• the automated processing of my data, including through profiling.
I acknowledge that this marking constitutes my voluntary, informed, and explicit expression of will and is legally equivalent to written consent.
Questions regarding your privacy?
If you have any questions or concerns about how Nomos Georgia handles your
personaldata,please contact our Data Protection Officer.