Terms and Conditions for Using the Web and Mobile Application

JSC "Insurance Company Wizer" — Protection of Personal Data, Confidential Information, and Mandatory Guarantees

1. Introduction

1.1 These Terms (hereinafter the "Terms") define the rights and obligations of the parties regarding the protection of personal data and confidential information when the insurer/insured uses their personal profile through the mobile/web application of JSC Insurance Company Wizer ("the Organization").

1.2 The Policyholder/Insured must fully review these Terms and Conditions, provide the personal information required by the App, and digitally confirm acceptance. By doing so, the Policyholder/Insured acknowledges that they have read and understood these Terms and Conditions in detail and fully agree to them.

1.3 Registration/authorization by the insurer/insured in the Organization's application and expressing agreement to these Terms constitutes obtaining the right to use the application in accordance with these Terms.

2. User Representations & Organization Guarantees

2.1 By registering in the App, the Policyholder/Insured confirms that:

2.1.1 he/she is of legal age;

2.1.2 he/she has full (unrestricted) legal capacity, is not under the influence of narcotic, alcoholic, psychotropic or toxic preparations, is not under the influence of error, fraud, pressure, threat or any other unlawful influence and is not the object of violence, threat, deception, misrepresentation or other prohibited action by the lender or any third party, and is fully aware of the content of the expression of his/her will and the legal consequences arising therefrom;

2.1.3 the information provided regarding their identity, activities, use of other insurance products, residential address, and contact information is true, accurate, and complete;

2.1.4 the information provided regarding insured minor children is complete and accurate;

2.1.5 they grant the Organization the right to process and store their personal data and the personal data of minor children (if insured) within the insurance contract framework and in accordance with applicable laws;

2.1.6 they will not disclose any confidential information obtained within these legal relations.

2.2 The Organization guarantees that it will: protect user confidentiality; ensure the inviolability of users' personal information at all times; store and process personal data in accordance with applicable laws; and store users' personal data on a secure server.

2.3 When the insurer/insured/authorized person fills out an application required for issuing an insurance policy, registers an insurance claim, or submits a claim for reimbursement (including for insurance products where compensation is processed through special mechanisms), the user must activate the technical settings (such as live geolocation mode during a traffic accident) that eliminate inaccuracies in the registration process (e.g., uploading outdated photos) or incomplete information necessary for claim processing.

2.4 The Policyholder/Insured/authorized user is entitled to use the mobile application's camera functionality in order to capture and submit photographic copies of documents required for insurance-related purposes, including but not limited to identification documents, medical documentation, and any other supporting materials necessary for claim processing and reimbursement procedures.

2.4.1 By using this functionality, the user confirms that all documents and images submitted through the application are authentic, complete, and provided voluntarily for the purpose of insurance service administration.

2.4.2 The Organization processes such submitted images and documents solely for insurance contract administration, claim assessment, verification, and related service provision in accordance with applicable laws and data protection regulations.

3. Confidentiality

3.1 By agreeing to these Terms, both the insurer/insured and the Organization undertake to maintain confidentiality of all information arising from the insurance contract and use of the application. This confidentiality obligation does not apply to: (i) information that is or becomes publicly available independently of the parties; (ii) information that can be obtained from other sources; or (iii) information disclosed by either party in accordance with legal requirements.

3.2 By agreeing to these Terms, both parties confirm that the contractual provisions herein are confidential. Any information related to this agreement and use of the application may be disclosed to third parties only in accordance with Georgian legislation or in cases explicitly agreed upon in writing by the parties.

Personal Data Protection Policy

The Organization respects and protects fundamental human rights and freedoms in the processing of personal data, including the inviolability of private life, personal space, and communications.

As a provider of insurance services, the Organization carries out processes related to the registration of insured persons, management of medical records, billing, and insurance documentation turnover. It pays particular attention to protecting the data of the insured, employees, and partners, including health data (special category data).

This Policy defines the key measures through which the Organization ensures that personal data processing activities comply with the Law of Georgia "On Personal Data Protection" (hereinafter, the "Law") and safeguards the lawful rights of data subjects.

Article 1. Scope of Application

This Policy applies to all processes involving the Organization's processing of personal data (hereinafter, "Data"), including:

  • Identification and recording of insured persons;
  • The full-service cycle;
  • Quality management and service delivery control;
  • Financial and accounting operations, including billing and the processing of insurance schemes / claims;
  • Risk management and fraud prevention (including IT/Cybersecurity);
  • The use of digital platforms, portals, and mobile applications;
  • Video monitoring for security purposes;
  • Labor relations management and recruitment;
  • Relations with subcontractors.

Article 2. Definitions

The terms used in this Policy have the meanings assigned to them by the Law.

Article 3. Principles of Data Processing

1. The Organization processes data in accordance with the Law, only where a legal basis for data processing exists as defined by law, and in compliance with the following principles:

a) Data must be processed lawfully, fairly, transparently, and with full respect for the dignity of the data subject;

b) Data must be collected only for specific, clearly defined, and legitimate purposes and must not be used in a manner incompatible with those purposes;

c) Data must be processed only to the extent necessary to achieve the relevant legitimate purpose ("data minimization");

d) Data must be factual, accurate, and, where necessary, kept up to date;

e) Data must be stored only for as long as necessary to achieve the relevant purposes, or for the retention periods established by law;

f) Appropriate technical and organizational measures must be implemented to protect data from unlawful processing, especially health data.

2. The Organization ensures the structuring of data processing activities in a manner that enables it to demonstrate compliance with the above principles.

Article 4. Core Measures Ensuring Lawful Processing

To process data in accordance with Article 3 of this Policy, the Organization shall:

a) Implement appropriate technical and organizational measures to ensure data security and address threats, including: role-based access control (RBAC), authentication/audit logging, encryption/pseudonymization (where necessary), data backup, and network segmentation; designate an owner for each information asset and ensure access control to prevent unauthorized access to personal data, especially health data;

b) Provide periodic training for employees on data protection, medical confidentiality, and information security rules;

c) In the event of an incident, ensure immediate response, mitigation/elimination of damage, documentation of the incident in the prescribed manner, and, where necessary, notification of the data subject and/or the supervisory authority;

d) Uphold the principle of transparency by publicly disclosing information on key processing activities and, where necessary, using additional channels to inform patients (e.g., posters/brochures, SMS/email notifications);

e) Make internal documents on the processing of employees' data accessible for their information;

f) Ensure timely and proper response to data subjects' rights requests;

g) Conduct Data Protection Impact Assessments (DPIA), where necessary;

h) Apply "privacy by design and by default" principles in all products, projects, and services;

i) Maintain records of processing activities (ROPA) in accordance with the Law, including purposes, categories, retention periods, and categories of recipients;

j) When engaging persons authorized to process data, act on the basis of a legal act or written agreement that clearly defines the legal grounds and purposes of processing, the categories of data (e.g., name, contact information, extract from medical record, payment/insurance details), retention periods, confidentiality obligations, and security measures; and comply with statutory rules for cross-border data transfers;

k) Implement other relevant measures, including anonymization of data for statistical/research purposes where necessary, in accordance with the Law.

Article 5. Implementation

1. To ensure the measures set out in Article 4 of this Policy, the Organization prepares additional written documents (internal rules, incident response plan, data retention matrix, etc.) and adopts the relevant measures.

2. For the purpose of identifying risks and coordinating appropriate measures within the Organization:

a) Data Protection Officer (DPO) (Nexia Georgia LLC; E-mail: dpo@nexia.ge; Mobile: 505 053 053) – monitors the compliance of data processing activities with the Law and this Policy, provides recommendations, and participates in DPIAs and incident management;

b) Information Asset Owners – ensure that assets under their ownership containing data comply with the Law and this Policy;

c) Medical Department/Clinical Managers – are responsible for the accuracy of medical records, restricting access based on the "need-to-know" principle, and upholding medical confidentiality.

Article 6. Review

This Policy shall be reviewed at least once a year and, where necessary, amended in line with updates to the Organization's technological, operational, or legal environment, including through the revision of associated documents and procedures.

Policy on the Protection of Data Subject Rights

Article 1. Scope of Application

1. The Policy on the Protection of Data Subject Rights (hereinafter – the "Policy") governs the rules and procedures for exercising the rights established under the Law of Georgia on Personal Data Protection (hereinafter – the "Law") within the Organization.

2. Compliance with this Policy is mandatory for any person employed by the Organization.

Article 2. Right to Access Information on Data Processing

1. A data subject has the right to request confirmation from the Organization as to whether their personal data is being processed, whether such processing is justified, and, upon request, to receive the following information free of charge:

a) the personal data being processed about them, as well as the legal basis and purpose of such processing;

b) the source from which the data was collected/obtained;

c) the retention period of the data or, if a specific period cannot be determined, the criteria used to define the period;

d) the rights of the data subject provided under this Policy;

e) the legal basis and purposes of any data transfer, as well as the appropriate data protection safeguards, if the data is transferred to another country or international organization;

f) the identity of the data recipient or categories of data recipients, including the legal basis and purpose of such transfer if the data is disclosed to a third party;

g) the decision resulting from automated processing, including profiling, the logic involved in such decision-making, as well as its impact and the expected/potential outcome for the data subject.

2. In the cases referred to in paragraph 1 of this Article, the data subject shall submit a request to the Organization (either by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review within the Organization.

3. The data subject has the right to receive the information referred to in this Article no later than 10 working days from the date of the request. In exceptional cases, and with appropriate justification, the Organization may extend this period by no more than an additional 10 working days. The Data Protection Officer shall notify the data subject immediately of such an extension.

4. The Organization is authorized to provide the data subject with any further information necessary to ensure transparency of data processing, except where the provision of such information would be contrary to the Law.

5. The data subject has the right to choose the form in which the information referred to in this Article is provided. If the data subject does not request a specific format, the information shall be provided in the same form in which the request was submitted.

Article 3. Right to Access and Receive Copies of Personal Data

1. A data subject has the right to access the personal data held about them by the Organization and to receive copies of such data free of charge.

2. In the cases referred to in this Article, the data subject shall submit a request to the Organization (either by email at info@dpo.ge or in hard copy). The request shall be forwarded to the Data Protection Officer, who coordinates its review.

3. The data subject has the right to access and/or receive copies of the data referred to in paragraph 1 of this Article no later than 10 working days from the date of the request, unless a different period is established by Georgian legislation.

4. In exceptional cases, and based on a reasoned decision by the Organization, the period referred to in paragraph 3 of this Article may be extended by no more than 10 working days. The Data Protection Officer must immediately notify the data subject of such extension.

5. A data subject has the right to access and/or receive copies of the data referred to in paragraph 1 of this Article in the format in which the data is stored at the Organization. The data subject also has the right to request copies in a different format if this is technically feasible.

Article 4. Right to Rectification, Updating, and Completion of Data

1. A data subject has the right to request the Organization to rectify, update, and/or complete inaccurate, incorrect, or incomplete personal data concerning them.

2. In the cases referred to in this Article, the data subject shall submit a request to the Organization (by email at info@dpo.ge or in hard copy). The request shall be forwarded to the Data Protection Officer, who coordinates its review.

3. If such data exists, the Organization shall rectify, update, and/or complete the inaccurate, incorrect, or incomplete data and shall inform the data subject of the decision taken.

4. Personal data shall be rectified, updated, and/or completed no later than 10 working days from the date the request referred to in paragraph 1 of this Article is submitted (unless a different period is established by Georgian legislation), or the data subject shall be informed of the grounds for refusal and the procedure for appealing such refusal.

5. If an employee of the Organization independently identifies that data in their possession is inaccurate, incorrect, or incomplete, they shall inform the head of their structural unit, who shall convey the information to the Data Protection Officer. The Data Protection Officer shall notify the Organization, which shall ensure that the data is rectified, updated, and/or completed within a reasonable timeframe. The Data Protection Officer shall then notify the data subject of the rectification within 10 working days from the date of correction.

6. The Data Protection Officer has no obligation to notify the data subject if the rectification, updating, or completion concerns the correction/elimination of a purely technical error.

7. If there is an objective circumstance that makes it impossible to fulfil the obligation to notify the data subject within the period specified in this Article, the Data Protection Officer shall provide the information about the changes at the first opportunity when communication with the data subject is possible.

8. The Organization is obliged to inform all data recipients and all other controllers and processors to whom it has disclosed the data of its rectification, updating, or completion, unless it is impossible to do so due to the multiplicity of such recipients/controllers/processors or because such notification would require a disproportionately large effort.

9. Upon receiving the relevant information, the persons referred to in paragraph 8 of this Article shall rectify, update, and/or complete the data within a reasonable timeframe.

Article 5. Right to Termination, Deletion, or Destruction of Data Processing

1. A data subject has the right to request the Organization to terminate the processing of their personal data, or to delete or destroy such data.

2. In such cases, the data subject shall submit a request to the Organization (by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.

3. Within no later than 10 working days from the submission of the request (unless otherwise provided by Georgian legislation), data processing must be terminated and/or the data must be deleted or destroyed, or the data subject must be informed of the grounds for refusal and provided with an explanation of the procedure for appealing such refusal.

4. The Organization may refuse to comply with the request if:

a) there is a legal basis provided by law; or

b) the data is being processed for the purpose of substantiating a legal claim or defense.

5. The data subject has the right to be informed of the termination, deletion, or destruction of data immediately upon completion of such action, but no later than 10 working days thereafter. Notification is provided by the Data Protection Officer.

6. If the data subject's personal data is being processed in a publicly accessible manner, they have the additional right to request the Organization to restrict access to such data and/or to delete any copy or internet link referring to the data. In such cases, the data subject submits a request to the Organization (by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.

7. The Organization is obliged to inform all data recipients, as well as all other controllers or processors to whom the Organization has disclosed the data, about the termination, deletion, or destruction of the data, except where such notification is impossible due to the number of such parties and/or would require a disproportionately large effort.

8. The persons referred to in paragraph 7 of this Article must, upon receipt of the notification, terminate the processing of the data and delete or destroy it.

Article 6. Right to Blocking of Data

1. A data subject has the right to request the Organization to block their data if any of the following circumstances apply:

a) the data subject disputes the accuracy or correctness of the data;

b) data processing is unlawful, but the data subject objects to deletion and requests blocking instead;

c) the data is no longer needed for the purpose of processing, but the data subject needs it to file a complaint or claim;

d) the data subject requests termination, deletion, or destruction of data and such request is under review;

e) there is a need to retain the data for use as evidence.

2. In such cases, the data subject shall submit a request to the Organization (by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.

3. The request of the data subject shall be granted and the data shall be blocked if at least one of the circumstances set out in paragraph 1 of this Article exists, except where blocking the data may endanger:

a) the fulfillment by the Organization of obligations imposed by law or subordinate normative acts issued under the law;

b) the performance of tasks falling within the sphere of public interest in accordance with the Law, or the exercise by the Organization of its powers as provided by Georgian legislation;

c) the legitimate interests of the Organization or a third party, except where the overriding interest is the protection of the rights of the data subject, particularly if the data subject is a minor;

d) the interests provided under paragraph 6 of Article 50 of the Law.

4. After a decision is made to block the data, the Organization may decide to unblock the data if any of the grounds defined under this Article exists.

5. Data shall be blocked for the period during which the reason for blocking exists, and, if technically possible, the decision on blocking shall be attached to the relevant data during this period.

6. The data subject has the right to receive information about the decision to block the data or to refuse the blocking immediately upon such decision, and no later than 3 working days from the request.

7. In the event of blocking personal data in accordance with paragraph 1 of this Article, the data may, except for storage, be further processed only in the following cases:

a) with the consent of the data subject;

b) for the substantiation of a legal claim or defense;

c) for the protection of the interests of the Organization or a third party;

d) for the protection of the public interest in accordance with the Law.

Article 7. Right to Data Portability

1. Where personal data is processed automatically on the legal grounds provided by law, and if technically feasible, a data subject has the right to receive the data they have provided to the Organization in a structured, commonly used, and machine-readable format, or to request the transfer of such data to another controller.

2. In the cases referred to in paragraph 1 of this Article, the data subject shall submit a request to the Organization (by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.

3. The Data Protection Officer shall inform the data subject of the Organization's decision.

Article 8. Right to Withdraw Consent

1. A data subject has the right to withdraw their consent at any time, without any explanation or justification and free of charge. In such cases, at the request of the data subject, data processing must be terminated and/or the processed data must be deleted or destroyed no later than 10 working days from the request, unless there is another legal basis for processing.

2. A data subject may withdraw consent in the same form in which consent was given. The data subject may submit a request to the Organization (by email at info@dpo.ge or in hard copy). The request is forwarded to the Data Protection Officer, who coordinates its review.

3. Prior to withdrawing consent, the data subject has the right to request and receive information about the possible consequences of the withdrawal. Such information is provided by the Data Protection Officer. If the withdrawal of consent would cause legal, financial, or otherwise significant consequences for the data subject, the employee of the Organization must inform the Data Protection Officer, who shall inform the data subject of the consequences before the withdrawal is made.

4. If consent is given in the form of a written document that also concerns other issues, every structural unit of the Organization shall ensure that the text relating to consent is drafted in clear, simple, and understandable language, is clearly separated from other parts of the document, and is reviewed in consultation with the Data Protection Officer.

5. If consent is given in the context of a contract or service, the voluntariness of such consent shall be assessed taking into account whether the consent is a prerequisite for the contract or service and whether the relevant service or agreement can be provided without consent.

6. In case of withdrawal of consent by the data subject, the Organization shall immediately terminate the processing of the data and delete or destroy the processed data, unless otherwise provided by this Policy or the Law.

7. Withdrawal of consent by the data subject shall not invalidate any legal consequences arising before the withdrawal or within the scope of the consent.

Article 9. Restriction of Data Subject Rights

1. The rights of the data subject provided under this Policy may be restricted if this is expressly provided by Georgian legislation, does not infringe fundamental human rights and freedoms, constitutes a necessary and proportionate measure in a democratic society, and if the exercise of such rights would endanger:

a) information security and cybersecurity interests;

b) public safety interests;

c) crime prevention, crime investigation, criminal prosecution, or the administration of justice;

d) public health and social protection interests;

e) the detection of violations of ethical norms of a professional, including a regulated profession, and the imposition of liability;

f) the exercise of the functions and powers of regulatory and/or supervisory authorities in the fields referred to in this paragraph;

g) the rights and freedoms of the data subject and/or others, including freedom of expression;

h) the protection of state, commercial, professional, or other secrets provided by law;

i) the substantiation of a legal claim or defense.

2. The measures provided under paragraph 1 of this Article may be applied only to the extent necessary to achieve the purpose of the restriction.

3. If any of the grounds set out in paragraph 1 of this Article apply, the Data Protection Officer shall notify the data subject of the Organization's decision to restrict or refuse the exercise of the relevant right, except where providing such information would endanger the achievement of the purpose(s) referred to in paragraph 1 of this Article.

4. The exercise of the rights provided under this Policy by the data subject is free of charge.

Article 10. Rights of the Data Subject During Video and Audio Monitoring

A data subject is entitled to exercise the rights provided under this Policy and the Law throughout the process of video and/or audio monitoring, taking into account the nature and specifics of such rights.

Article 11. Exercise of Other Rights

In addition to the rights established under this Policy, a data subject retains the right to exercise any other rights provided by the Law.