Privacy Policy
Personal Data Protection Policy Document
The personal data protection policy document describes the process of personal data processing by “Adjara Group” LLC and guarantees the protection of the data subject’s rights during processing.
The terms used in this document have the meanings defined by the law of Georgia “On Personal Data Protection”.
“Adjara Group” LLC respects Georgian legislation and international standards in the field of human rights protection. Protecting the privacy of our guests, employees, and individuals in contractual relationships with us is of particular importance. Accordingly, we implement all necessary organizational and technical security measures to safeguard your personal data.
- Legislation underlying the personal data protection policy document:
Your personal data is processed in accordance with the Law of Georgia “On Personal Data Protection”.
Your rights are protected in accordance with Georgian legislation and the European Data Protection Regulation (GDPR).
We take into account the recommendations of the Personal Data Protection Service of Georgia to ensure the highest standard of protection for your rights.
Based on the above regulations, you have the right to request information about our processing of your personal data.
We are prepared to furnish you with the requested information as promptly as possible and within the time limits established by the legislation of Georgia.
- Person responsible for personal data processing:
Company name: “Adjara Group” LLC (hereinafter referred to as “we”)
Identification number: 404676169
Address: Georgia, Tbilisi, Mtatsminda district, Kostava Street, No. 14
Phone number: +995 0322 02 00 99
Email: pdo@roomshotels.com
Data Protection Officer: LLC “Business Legal Support”
Identification Number: 404720263
Address: 2 King Solomon II Street, Tbilisi, Georgia
Email: bls.lawcompany@gmail.com
Phone: +995 555 375 557
- Individual authorized for personal data processing.
LLC “Adjara Collective Management” (ID 404707171) is a legal entity that processes data for or on behalf of the data controller. Data processing is carried out based on an agreement between LLC “Adjara Group” and LLC “Adjara Collective Management” and includes the provision of human and technical resources by LLC “Adjara Group”.
We process personal data independently and do not engage the services of other authorized individuals in this process. However, in cases of appropriate necessity during the provision of services to “Adjara Group“, it may be necessary to disclose information containing data to person(s) authorized by us and/or grant them access rights (for example, for technical website updates, sending technical notifications, or assistance). In such instances, the disclosure/granting of access to personal data will only occur based on a written agreement between us and the relevant authorized person. The contract will include the obligation of the authorized person to process the data solely for the purposes specified in the contract, maintain confidentiality, and adhere to the rules and prohibitions established by the Law of Georgia “On Personal Data Protection.”
The “Rooms Tbilisi” hotel is a member of the program – Marriott Bonvoy. Within the scope of the Marriott Bonvoy membership, hotel room bookings and enrollment in the loyalty program are carried out with the means of software programs, during which the identification and contact information of hotel guests are processed.
- Protection of the principles of data processing by us.
Principles we adhere to in the process of data processing:
The principle of legality and fairness – we process your personal data only according to the rules and grounds established by law. We ensure proper protection of your rights by following the principle of equality (non-discrimination).
Principle of transparency – the data processing process is transparent to you, the data subject. You can contact us at any time and receive information about the processing of your personal data in accordance with the manner and time limits established by the legislation of Georgia.
Principle of purpose limitation – we process personal data only for the specific purpose for which they were obtained. To use the data obtained with your consent for another purpose, we will ask for your consent again.
The principle of data minimization – we process data only to the extent necessary to achieve the goal, taking into account the proportionality between the goal and the volume of data.
The principle of data accuracy – we ensure that the personal data stored with us are accurate and true. We correct or delete inaccurate data immediately upon your request or upon our discovery of an error.
The principle of term limitation – we store data only for the period necessary to achieve the purpose. For the storage of personal data, we pre-determine a specific period or indicate a criterion for determining the period.
Principle of data security – To protect data security, we implement technical and organizational measures during data processing that adequately ensure data protection, including protection against unauthorized or illegal processing, accidental loss, destruction, and/or damage.
- For what purpose we process personal data:
The purposes of personal data processing are derived from the scope of activities of “Adjara Group“ and are related to the provision of our services/products, improvement of the quality of services/products and delivery, compliance with security measures, and the implementation of labor activities of persons employed at “Adjara Group“.
We process personal data for the following specific purposes:
- To provide the proposed products and services;
- For conducting automatic payment procedures;
- To enter into contracts or transactions;
- For labor relations with individuals employed at “Adjara Group“;
- For special offers and marketing purposes for customers;
- For holding events in the hotel area;
- For analytical and statistical purposes, to understand how our users interact with our website;
- To conduct various research studies to improve products and services; to study how users use our products and services;
- To develop and manage our brands, products, and services;
- To improve service quality and consider user preferences;
- For security and property protection;
- To respond to violations of hotel rules.
- How we collect personal data
How do we obtain information about hotel visitors?
When booking hotel rooms online, through the communication center, or purchasing services on site, data from the data subject is collected. Similarly, information about accompanying persons is collected, with their consent.
During online payment of the service fee.
From websites (e.g., Booking.com) through which our hotel rooms are booked, based on agreements concluded with them.
About registered members on our website:
When registering on the hotel’s website, we obtain data from the data subject, who enters the data themselves and confirms their consent to the processing of personal data by checking the appropriate box.
About our website visitors:
When you visit our website, we collect information in accordance with the “Cookies” policy.
How do we collect data about hotel loyalty program members?
A data subject who becomes a member of the Loyalty Program enters their data on the web page and agrees to join the Loyalty Program.
How do we obtain data about persons working with us?
In order to make employment decisions and enter into employment contracts, we obtain personal data from the data subjects, as well as from the referees specified by them.
How do we collect data about people participating in events held at the hotel?
If the conference space of the hotel is used within the framework of an agreement, the party participating in the agreement may provide us with information about the individuals participating in the event (names and surnames) in order to grant them access to the building.
How we collect data for direct marketing:
Personal data is obtained for direct marketing purposes solely on the basis of written consent provided by the data subject, in accordance with the procedures established by the Law of Georgia “On Personal Data Protection,” and with guarantees ensuring the protection of the data subject’s rights as outlined in paragraph 7 of this document.
How will we obtain information about the persons around the perimeter of the hotel?
For the purpose of security and property protection, video monitoring is conducted in the “Adjara Group“ building and its outer perimeter. A warning sign about video monitoring is prominently displayed. Additionally, our employees are notified in writing about video monitoring, and their written consent is obtained.
Specific rules for collecting personal data through video monitoring and guarantees of rights protection can be found in the document “Standard Operating Procedure on Video Monitoring.”
How do we obtain information about restaurant customers/food service users?
We collect information about the individuals/data subjects who use the services of the restaurant customers/food establishments when they book a table (either physically, via phone calls, or using the reservation application) and make a payment.
- Processing Personal Data for Direct Marketing
For the purpose of direct marketing, personal data is processed only based on the informed, written consent of the data subject through a special form (). Before giving consent, the data subject is provided with the following information: who is responsible for processing personal data; which personal data is processed for direct marketing purposes with the consent of the personal data subject; specific purposes of data processing; in what form they will receive messages/information from the company; guarantees of personal data protection; rights of the subject of personal data; term of personal data processing; consent withdrawal and withdrawal mechanisms; consequences of consent withdrawal.
A special consent form is available on our website, and a printed version is available at the hotel’s check-in desk. Data subjects enter the data themselves and confirm their consent by checking the appropriate box and sending their consent by pressing the “Submit” button.
- Separate categories of data, purposes of processing, bases, and terms.
What personal data do we process? | How do we collect personal data? | Purpose of data processing | data retention period |
Name, surname, telephone number, email, address, personal identification number, nationality, and passport number of the hotel visitor and/or patrons of bars/restaurants. | From the data subject:
(When booking a hotel or bars/restaurants physically, online, through a booking application, or via a call center; when making a payment; when completing a direct marketing consent form)
From online hotel reservation websites (e.g., Booking.com), based on agreements concluded with them. When booking tables in bars/restaurants using the booking app.
|
Conclusion of the contract
Provision of offered products and services —————————– Special offers and marketing Improvement of products and services, conducting various research about our products and services
Responding to guest violations of hotel rules
|
The data collected for the conclusion of the contract is stored for the duration of the contract and for a period of 10 years after the termination of the contract (provided by the civil legislation statute of limitations for contractual claims).
Personal data collected for direct marketing purposes is stored until the data subject withdraws consent. The data collected for responding to violations of the hotel’s rules by the visitor is stored for a period of 10 years after the violation was committed. In order to carry out research for the improvement of products and services, the data is stored until the end of the stated purpose, but no longer than 10 years. |
Billing address and financial data (which includes your payment card details – card number, owner, expiry date)
|
Upon the written consent of the data subject (when making reservations or payments physically or online for hotel and restaurant services) | Conducting payment procedures
Hotel room reservation
Restaurant reservation
Analytical and Statistical purposes, development of business strategy
|
Ten years after the completion of service. |
The number of services used by hotel visitors and their assessment of the service quality, number of bookings made, demographic data (age, gender, date of birth, nationality), habits, location and duration of stay, spending details, type of travel (individual, group, or corporate), dietary information, and others. | From our website with the consent of the data subject (if they are registered on the “Adjara Group“website).
______________________ From the website if the data subject is a member of the loyalty program. (Joining the loyalty program is done with the consent of the data subject).
With a questionnaire about the quality of service, which the data subject, if they wish, fills in after receiving the hotel service.
|
Implementation of special offers from “Adjara Group“.
Implementation of customer-tailored offers and use of loyalty programs.
Improving the quality of hotel services.
Analytical and statistical goals – development of the business strategy of “Adjara Group“.
|
When implementing a special offer, before the data subject withdraws consent to accept the offer (before canceling registration on the website or membership in the loyalty program).
Until the objective need to conduct research for analytical purposes, but not more than 10 years. After the expiration of the mentioned period, the data may be stored in a depersonalized form for statistical purposes.
|
When using the hotel’s conference space under the respective agreement, the following information may be collected: names and surnames of event participants, as well as the names, surnames, positions, and ID numbers of panel participants.
|
The party provides the information within the scope of the respective agreement on the use of conference space of the hotel. |
Provision of conference space for the event for the purposes to fulfill the contractual obligations
Granting event participants access to the premises.
|
Retained for 10 years following the event’s completion.
|
Log-in data, browser type and version, time zone configuration and location, device operating system, platform, and other technology used by the data subject when accessing our website. | Our website, when a user visits, subscribes to, registers on, or books hotel rooms through it.
(Cookies) |
Proper operation, development, and protection of the website from incidents.
For our analytical and statistical purposes, to understand how our users interact with our website.
|
For the purposes of proper functioning and development of the website, until the objective need to conduct research, including analytical, but no longer than 14 (fourteen) months. |
Information related to the use of the website (including information related to your use of the website, products, and services located on the same website), marketing and communication data (including your preferences regarding receiving marketing offers from us and/or other third parties, your experience as a user of ours or a given website, and your respective preferences). | “Cookies” that we use.
|
For our analytical and statistical purposes, to understand how our users interact with our website.
To conduct various researches in order to improve products and services; To study how visitors use our products and services.
To develop/manage our brands, products, and services.
|
Until the objective need to conduct research for analytical purposes, but not more than 10 years. |
Information about hotel, restaurant, and bar reservations, arrival and departure dates of visitors to the hotel, and purchases or orders made by them.
|
From the data subject when using hotel services.
When making online bookings through our website.
When booking tables in bars/restaurants using the booking app.
|
To conduct various researches in order to improve products and services; To study how visitors use our products and services.
To improve the quality of our service
To develop/manage our brands, products, and services.
For payment/settlement purposes.
|
For analytical purposes, to conduct research and improve the service until the objective need, but not more than 10 years. After the expiration of the mentioned period, the data may be stored in a depersonalized form for statistical purposes.
For payment/settlement purposes, for a period of 10 years after receiving the service.
|
Dietary restrictions and personal preferences of hotel or restaurant customers. | The data subject provides this information verbally when receiving service or when reserving tables in bars/restaurants using the reservation application. | To improve the quality of service and take into account the wishes/preferences of the user.
|
Before the data subject uses the application to reserve tables in bars and restaurants. |
Name, surname, photograph, date of birth, age, gender, address, personal identification number, copy of identity document, series and number of identity document, expiration date of identity document, copy of driver’s license, autobiography, resume (CV), information on education, information on foreign language skills, copy of diploma or certificate of education, information on knowledge of computer programs, information on work experience, time of entering and leaving the building, telephone number, email address, bank account number, health report (in accordance with the obligations stipulated in the employment contract), notification of conviction (in accordance with the obligations stipulated in the employment contract), occupied position, information about salary | The data subject/employee provides us with data during the pre-contractual and employment contract signing stages.
From the recommender specified by the data subject regarding the qualifications and experience of the data subject.
|
Conclusion of an employment contract.
Implementation of labor relations
Issuing notice from the workplace to the employee after the end of the employment relationship.
|
The period of the employment relationship and 10 years after its termination
Information about health condition required periodically (e.g., annually or monthly) is retained until a new certificate is submitted, upon which the previous one is destroyed.
If the certificate is required only at the time of hiring, it is retained for the duration of the employee’s personal file retention period, which is 10 years.
|
Information about individuals participating in the competition for vacant positions at “Adjara Group“: name, surname, photograph, date of birth, age, gender, address, personal identification number, copy of identity document, series and number of identity document, issuance date of identity document, copy of driver’s license, autobiography, resume (CV), information on education, information on foreign language skills, copy of diploma or certificate of education, information on knowledge of computer programs, information on work experience, telephone number, email address | The data subject/contestant provides us with data during the competition stage.
From the recommender specified by the data subject regarding the qualifications and experience of the data subject.
|
Holding a competition for vacant positions.
Conclusion of an employment contract. |
Until the end of the competition
With the consent of the subject, 1 year in order to consider his candidacy in future contests.
|
Image of “Adjara Group“ and persons on its perimeter in video monitoring records.
(Biometric data)
|
Video monitoring records.
_____________________
|
Ensuring and protecting hotel/restaurant customers/visitors, security and property.
The unique identification and verification of the identity of a person listed in the undesirable persons list upon arrival at the hotel.
|
The video monitoring record is stored for a period of not less than 30 calendar days.
|
- Rights of Data Subjects
We protect the rights of the personal data subject guaranteed by the Law of Georgia “On Personal Data Protection” and the European Regulation on Personal Data Protection (GDPR). Considering the scope of our activity, it is important to have information about the following basic rights:
The right to receive information about data processing
The data subject has the right to request, and we will provide the following information within 10 days: which data we process about them, the basis and purpose of data processing, the source of data collection/retrieval, the term of data storage, and if it is impossible to determine a specific term, the criteria by which we will determine the term, to whom and with what legal guarantees we will transfer their data.
We will inform the data subject without their request, as soon as possible, about any incident (a data security breach that leads to improper or accidental damage, loss, unauthorized disclosure, destruction, modification, access to, collection/retrieval, or other unauthorized processing of data) if the incident is highly likely to cause significant harm and/or pose a significant threat to basic human rights and freedoms. In case of an incident, we will inform the data subject about the incident and the circumstances related to it, the measures taken or planned to reduce or eliminate the alleged/imminent damage caused by the incident, and the contact details of the personal data protection officer.
The right to access and receive a copy of the data
The data subject can request copies of their personal data processed by us free of charge. We may set a reasonable fee if the data subject requests their release in a form other than the form of storage, and this requires the expenditure of additional resources by us. In this case, the specified fee will not exceed the amount of resources spent.
The right to correct, update, and complete data:
The data subject has the right to request that we correct, update, and/or fill in false, inaccurate, and/or incomplete data about them. We will correct the error at the request of the data subject and if we discover the error and notify the data subject thereof, unless the error is of a technical nature.
In the event of an error, we will also notify all recipients of the data, the person responsible for all other processing of the same data, and the person authorized for processing to whom we have transferred the data.
The right to stop processing, delete, or destroy data
The data subject has the right to request the person responsible for processing to stop processing, delete, or destroy data about them. The request must be fulfilled no later than 10 days. The data subject may refuse to delete and destroy data only in exceptional cases established by the legislation of Georgia.
Right to block data
The data subject has the right to request the person responsible for processing to block the data if one of the following circumstances exists: the data subject disputes the authenticity or accuracy of the data; data processing is illegal, however, the data subject opposes their deletion and requests data blocking; the data are no longer necessary to achieve the purpose of their processing, but the data subject needs them to file a complaint/lawsuit; the data subject requests the termination, deletion, or destruction of the data processing and this request is being considered; there is a need to preserve data for use as evidence. Data blocking may be refused to the data subject only in exceptional cases established by the legislation of Georgia.
The right to withdraw consent
The data subject has the right, at any time, without any explanation or justification, to withdraw the consent given by them. If there is no other basis for data processing than the consent of the data subject, in the case of withdrawal of consent, the data processing must be stopped and/or the processed data must be deleted or destroyed no later than 10 working days after the request. The data subject has the right to withdraw consent in the same form in which consent was given. Before withdrawing the data subject’s consent, upon their request, we will provide information about the possible consequences of withdrawing consent.
- Protection of personal data of minors
We process personal data of minors in accordance with the law “On Personal Data Protection”, based on the consent of the parent or legal representative, taking into account the best interests of the minor.
- Data security
We ensure the safe protection of your data and apply all necessary technical and organizational measures for this purpose.
We protect your personal data from unauthorized or unlawful access, accidental loss, damage, disclosure, or destruction.
Once the purpose of personal data processing has been fulfilled, we regularly delete and destroy personal data or store them in a depersonalized form for our analytical and statistical purposes.
Companies affiliated with us adhere to the same standard of personal data protection.
The contracts concluded by us with persons authorized to process personal data or with third parties include special provisions to ensure the protection of personal data.
We carry out video monitoring for security and property protection in accordance with the law “On Personal Data Protection”.
For a description of technical and organizational security measures, please see “Description of measures taken for personal data security” in detail.
For the rules and conditions of video monitoring, please refer to “Standard Operating Procedure for Video Monitoring”.
- Transfer of data to third parties
We will not transfer personal data processed by us to other persons except:
- Companies affiliated with our company, in accordance with the agreement that contains guarantees of confidentiality and protection of personal data. Who are persons affiliated with us – interlinked company, where company owns, is owned by another individual in the company, or is jointly owned (with another company) by another entity. An affiliate is also an individual over which our company exercises common control with another entity, or over which control is exercised by the same entity that is the controller of our company. For the purposes of this provision, control means equity participation, membership in management, or registered directorship;
- Companies that technically send messages/information on the basis of the contract concluded with us. In this case, they will only be given your phone number or email.
- “Cookies“ Policy
“Cookies” are small text files that the website stores on your computer or mobile phone during your visit. “Cookies” help us to better manage and improve the efficiency of the website. “Cookies” files store information related to your navigation on our website.
We do not store data about your address, passwords, credit and debit bank cards, or any other personal information in cookie files.
We use Google Analytics and Facebook Pixel services.
These services allow us to obtain statistical data about our website visitors (such as search content, the specific website page they visit, etc.). We receive information about from which city/country the user came to our website, how much time the visitor spends on our website, which operating system the website visitor uses, etc.
Additionally, we gather information about our visitors’ age, gender, interests, device language, location, device type, behavior (engagement, interaction with the website, frequency of website visits, and recency). This information is processed for statistical purposes only and does not allow us to identify the user.
After visiting our website, you must accept cookies policy in order to collect said information.
- Update
The said policy document is subject to updating as necessary.
- Contact Information
Phone number: +995 0322 02 00 99
Email: pdo@roomshotels.com; bls.lawcompany@gmail.com