Privacy Policy on Personal Data Processing
1. General Provisions
This Personal Data Processing Policy has been developed in accordance with the requirements of Federal Decree Law No. 45/2021 on the Protection of Personal Data (United Arab Emirates) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR).
This Policy defines the procedure for processing personal data and measures to ensure the security of personal data implemented by Salva Restaurant LLC (hereinafter referred to as the “Operator”).
1.1. The Operator considers the observance of human and civil rights and freedoms in the processing of personal data—including the right to privacy, personal and family confidentiality—as a top priority in its business activities.
1.2. This Privacy Policy applies to all information that the Operator may obtain about visitors to the website https://old-tbilisi.com.
⸻
2. Key Terms Used in This Policy
2.1. Automated Processing of Personal Data – processing of personal data using computer technology.
2.2. Blocking of Personal Data – temporary suspension of the processing of personal data (except where processing is required to clarify the data).
2.3. Website – a combination of graphic and informational content, as well as software and databases, available online at https://old-tbilisi.com.
2.4. Information System of Personal Data – a set of personal data stored in databases and processed using information technology and technical means.
2.5. Depersonalization of Personal Data – actions that render it impossible to determine the identity of the data subject without additional information.
2.6. Processing of Personal Data – any action (operation) or combination of actions (operations) performed with or without automation tools, including collection, recording, systematization, accumulation, storage, updating, retrieval, use, transfer (distribution, access), depersonalization, blocking, deletion, and destruction of personal data.
2.7. Operator – a government body, municipal authority, legal or natural person, that independently or jointly determines the purposes, scope, and means of personal data processing.
2.8. Personal Data – any information directly or indirectly related to a specific or identifiable User of the website https://old-tbilisi.com.
2.9. Personal Data Made Public by the Subject – personal data made publicly available by the data subject through consent for dissemination under applicable law.
2.10. User – any visitor to the website https://old-tbilisi.com.
2.11. Disclosure of Personal Data – actions directed at revealing personal data to a specific person or a specific group.
2.12. Distribution of Personal Data – any actions aimed at disclosure of personal data to an indefinite group of people (transfer or publication), including placement in media or public networks.
2.13. Cross-Border Transfer of Personal Data – transfer of personal data to a foreign country, foreign individual, or foreign legal entity.
2.14. Destruction of Personal Data – actions that result in the irreversible deletion of personal data with no possibility of restoring them.
⸻
3. Rights and Obligations of the Operator
3.1. The Operator has the right to:
• Receive accurate information and/or documents containing personal data from the data subject;
• Continue processing personal data even if consent is withdrawn, where such processing is legally justified under data protection law;
• Independently determine the scope of measures needed to comply with applicable laws, unless otherwise specified by legislation.
3.2. The Operator is obliged to:
• Provide the data subject with information about the processing of their personal data upon request;
• Ensure lawful processing of personal data under UAE regulations;
• Respond to data subject inquiries and legal representatives in accordance with applicable law;
• Submit required information to the UAE data protection authority within 10 days of receiving a request;
• Publish or otherwise provide unrestricted access to this Policy;
• Implement legal, organizational, and technical measures to protect personal data from unauthorized access, modification, disclosure, or destruction;
• Stop processing, providing, or distributing personal data, and destroy it as required by applicable law;
• Fulfill other obligations as required under PDPL or GDPR.
4. Rights and Obligations of Data Subjects
4.1. Data subjects have the right to:
• Receive information about the processing of their personal data, except where otherwise provided by law. The information must be provided in an accessible form and must not contain data about other individuals unless legally justified;
• Request that the Operator correct, block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing, and take other measures to protect their rights as provided by law;
• Require prior consent for the processing of their personal data for marketing purposes (e.g., promoting goods or services);
• Withdraw their consent to the processing of personal data and demand that processing be stopped;
• File complaints with the authorized data protection authority of the UAE or take legal action if their data rights are violated by the Operator;
• Exercise any other rights provided by UAE law.
4.2. Data subjects are obligated to:
• Provide the Operator with accurate personal data;
• Inform the Operator of any updates, changes, or corrections to their personal data.
4.3. Individuals who provide inaccurate personal data or disclose the personal data of others without proper legal basis or consent are liable under UAE law.
⸻
5. Principles of Personal Data Processing
5.1. Personal data shall be processed lawfully and fairly.
5.2. Processing is limited to the achievement of specific, predefined, and legitimate purposes. Processing for purposes incompatible with the original collection purpose is prohibited.
5.3. The combination of databases containing personal data for incompatible purposes is not permitted.
5.4. Only personal data that is relevant to the purposes of processing shall be processed.
5.5. The content and scope of processed data must correspond to the declared purposes. Excessive collection of personal data is not permitted.
5.6. The Operator ensures the accuracy, sufficiency, and—where necessary—relevance of personal data to the purposes of processing, and shall take measures to correct or remove incomplete or inaccurate data.
5.7. Personal data is stored in a form that allows identification of the subject only as long as necessary to fulfill the purposes of processing, unless a longer period is required by law or contract. Upon achieving the processing purposes, or if such purposes become irrelevant, the data must be deleted or anonymized unless otherwise required by law.
⸻
6. Purposes of Personal Data Processing
Purpose of Processing:
Providing the User with access to services, content, and/or materials available on the website.
Personal Data Categories:
• Full name
• Email address
• Phone numbers
• Date and place of birth
• Photographs
Legal Grounds:
Federal Decree Law No. 45/2021 (UAE) and Regulation (EU) 2016/679 (GDPR)
Types of Processing:
• Collection
• Recording
• Systematization
• Accumulation
• Storage
• Anonymization
• Destruction
Additional Use:
Sending informational emails to the User’s email address.
7. Legal Grounds for Personal Data Processing
7.1. Personal data is processed based on the consent of the data subject to the processing of their data.
7.2. Processing is necessary for the fulfillment of obligations under international treaties or laws of the United Arab Emirates, and for the exercise of functions, powers, and duties assigned to the Operator by legislation.
7.3. Processing is necessary for the administration of justice or the enforcement of judicial acts, decisions of public authorities, or officials as required by UAE enforcement legislation.
7.4. Processing is required for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.
7.5. Processing is necessary to protect the legitimate interests of the Operator or third parties or to achieve socially significant objectives, provided such processing does not infringe the fundamental rights and freedoms of the data subject.
7.6. The processing involves personal data made publicly accessible by the data subject or at their request.
7.7. The processing involves mandatory publication or disclosure as required by UAE law.
⸻
8. Procedure for Collection, Storage, Transfer, and Other Processing of Personal Data
The Operator ensures the security of personal data by implementing legal, organizational, and technical measures necessary to comply with applicable legislation on data protection.
8.1. The Operator ensures the confidentiality and safety of personal data and takes all reasonable steps to prevent unauthorized access to the data.
8.2. User data will never be transferred to third parties except:
• In accordance with applicable legislation; or
• If the data subject has given explicit consent for such transfer to fulfill contractual obligations.
8.3. If any inaccuracies in personal data are discovered, the User may update their data by contacting the Operator at hello@old-tbilisi.com, using the subject line: “Personal Data Update”.
8.4. The processing duration is determined by the time required to achieve the purposes for which the data was collected unless otherwise specified by law or contract.
The User may withdraw consent at any time by emailing hello@old-tbilisi.com, using the subject line: “Withdrawal of Consent”.
8.5. Information collected by third-party services (e.g., payment systems, communications platforms, or external providers) is stored and processed by those parties in accordance with their own privacy policies and user agreements. The Operator is not responsible for the actions of such third parties.
8.6. Any restrictions imposed by the data subject on disclosure, transfer, or conditions of processing of public data do not apply in cases where data is processed for public, governmental, or legal interests as defined by UAE law.
8.7. The Operator ensures the confidentiality of personal data throughout its processing.
8.8. Personal data is stored in a way that allows identification of the subject only as long as necessary to fulfill the processing purposes, unless otherwise required by law or contract.
8.9. Grounds for termination of processing may include:
• Fulfillment of processing purpose
• Expiry of consent
• Revocation of consent by the data subject
• Discovery of unlawful processing
⸻
9. List of Actions Taken by the Operator with Personal Data
9.1. The Operator performs the following actions:
Collection, recording, systematization, accumulation, storage, updating (modification), retrieval, usage, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction.
9.2. The Operator may conduct automated processing of personal data with or without the transmission of data via telecommunications networks.
⸻
10. Cross-Border Transfer of Personal Data
10.1. Before conducting any cross-border data transfers, the Operator must notify the authorized data protection authority of the UAE about its intent to do so.
This notice must be submitted separately from any general data processing notifications.
10.2. Before submitting such a notification, the Operator must obtain appropriate assurances from the foreign authority, legal entity, or individual who will receive the data.
11. Confidentiality of Personal Data
The Operator and any other persons who have gained access to personal data shall not disclose or distribute such data to third parties without the data subject’s explicit consent, unless otherwise required by federal law.
⸻
12. Final Provisions
12.1. The User may request clarification or further information regarding the processing of their personal data by contacting the Operator via email at:
📧 hello@old-tbilisi.com
12.2. Any amendments to this Policy regarding the processing of personal data will be reflected in this document.
This Policy remains valid indefinitely until replaced by a new version.
12.3. The current version of the Policy is publicly available at:
🌐 https://old-tbilisi.com/privacyen