GEO

I.    Aim of the Data Protection Policy
1.1.    As part of its social responsibility, the Liberty Bank JSC (hereinafter – Bank or We) is committed to international compliance with data protection laws. This Data Protection Policy (hereinafter – Policy) fully applies to the Bank and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of the Bank as an attractive employer.
1.2.    The Data Protection Policy provides one of the necessary framework conditions for domestic and cross-border data transmission among the Bank, its subsidiaries, affiliates and other partners. It ensures the adequate level of data protection prescribed by the European Union Data Protection Directive  and the laws of Georgia for domestic and cross-border data transmission, including in countries that do not yet have adequate data protection laws.

II.    Scope and amendment of the Data Protection Policy
2.1.    This Data Protection Policy fully applies to the Bank and is applied for the purposes of personal data processing.
2.2.    The Policy applies to the Bank’s customers, natural persons and legal entities, non-juridical entities, state or self-government entities, legal entities of public law, job applicants, merchants, payment system providers and other entities having no specific framework agreement with the Bank on regulating issues related to personal data processing.
2.3.    Anonymized and non-identifiable data, e.g. for statistical evaluations or studies, is not considered to be personal data and is not subject to this Data Protection Policy.
2.4.    This Policy may be updated from time to time. We therefore ask you to consult it on a regular basis. The latest version of the Policy is available at: www.libertybank.ge

III.    Application of national laws
3.1.    This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy.

IV.    Principles for processing personal data
4.1.    Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
4.2.    Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
4.3.    Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
(a)    The identity of the Data Controller;
(b)    The purpose of data processing;
(c)    Third parties to whom the data might be transmitted;
4.4.    Deletion
The Bank shall continue to process personal data pursuant to the purpose set forth by the Policy ((including transfer the data to or from LEPL Public Service Development Agency, Creditinfo Georgia JSC and third parties set forth in Annex #1 to this Policy) as long as it is deemed appropriate for the purposes of the Bank’s aims and interests, is required by regulatory body and/or applicable laws and regulations.
4.5.    Factual accuracy; up-to-dateness of data
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
4.6.    Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.

V.    Scope of data processing
5.1.    Throughout the period of using the Bank’s services and after the termination of a contractual relationship, the Bank shall be entitled to process the information, including personal data, of a data subject in compliance with the purposes set forth in Paragraph VII of the Policy.
5.2.    Data processing by the Bank, without any limitation, includes every action executed towards the data using automated, semi-automated or non-automated means. More precisely, data processing means obtaining, collecting, recording, photographing, audiorecording, videorecording, organizing, storing, altering, restoring, revocing or disclosing (including transfering and/or disclosing information to third parties set forth in Annex #1 of the Policy who will subsequently process the data in compliance with the purposes set forth by the Policy) from the data subject or third parties set forth in Annex #1 of the Policy for the purpose of transferring, disseminating or making available through different means, grouping or combining, blocking, erasing or destroying. 
5.3.    The Bank and/or third parties set forth in Annex #1 of the Policy process the data of a data subject or indicated by him/her third party. Data processing also includes but is not limited to data processing by third parties upon the Bank’s instructions and/or when the Bank is a data processor and acts in favor and with instructions of a third party (data controller). Data processing and/or transferring or disclosing information to third parties set forth in Annex #1 of the Policy in compliance with purposes determined by this Policy including but not limited to the following personal data:
(a)    Name and surname of data subject;
(b)    Personal identitiy number and/or unique features of electronic identitiy card;
(c)    Address of registration and/or factual residency;
(d)    Telephone/mobile phone number;
(e)    E-mail address;
(f)    Credit history (negative as well as positive, including debts ongoing and/or already covered, loans and details of payment thereof) and solvency status (Solvency score of data subject, criterias and/or methodology thereof);
(g)    Immovable and movable things and features thereof, under the ownership and/or possession of data subject.
(h)    Data related to employer, as well as information related to the terms of employment (place of employment, salary, working time and so forth);
(i)    Data related to data subject’s bank account(s) in the Bank and other commercial banks operating in Georgia, including, but not limited to, outsdanting balance of such accounts for a specific time and date and executed transactions on these accounts throughout specific period of time;
(j)    Any data related to cards emitted by the Bank and/or other commercial banks operating in Georgia and corresponding card accounts, including, but not limited to outsdanting balance of such card accounts for a specific time and date and executed transactions on these card accounts throughout specific period of time, as well as access codes of such cards;
(k)    Data related to data subject account/subscriber recorded by various payment providers. Such information includes but is not limited to account/subscriber number, address, outsdanding balance and/or debt occurred on subscriber accounts for a specific time and date, transactions executed on subscriber account and/or top-up and/or debt payment and so forth);
(l)    Data disclosed while using various electronic channels and/or the internet (including but not limited to web-cookies and so forth) and activities of data subject and/or third parties indicated by data subject while using abovementioned channels (including but not limited to authentification into such channels and actions executed or transaction history);
(m)    Data related to family member, relative and other persons residing at data subject’s address of factual residency. 
(n)    Any other type of data related to the Client which enables to identify and/or characterize and/or group the data subject by his/her physical, physiological, psychological, economic, cultural or social qualities or by using transactional activities listed or referred to above.
5.4.    In case the data subject, for the purpose of using the Bank’s service, provides the Bank with information (including bot not limited to personal data, solvency, property (asset) status and so forth) related to the third parties (additional card holder, guarantor, family memebers, employer and so forth) and the Bank processes such information, including personal data, for the purposes of performing banking services and/or marketing, the data subject is held personally responsible for obtaining the consent of any such third party on processing their respective personal data by the Bank. When the data subject provides the Bank (or its authorized personnel) with such information, it is presumed that the data subject has obtained their respective consent and the Bank is not further required to obtain such consent by itself. The data subject is personally responsible for any damage/loss which may occur to the Bank by the data subject’s failure to comply with or under-perform the obligation to obtain the consent of third parties. The data subject hereby consents and agrees to indemnify and protect the Bank from any damage/loss whatsoever (including buy not limited to consequential damages), complaints, expenses (including but not limited to the costs that will be borne by the Bank for the purpose of exercising its legal rights), legal proceedings and any other obligation that may occur to the Bank as a results of such violation by the data subject.
5.5.    The processing of data subject’s information by the Bank while using various electronic channels (including but not limited to web-browser, the Bank’s website, internet banking, mobile banking, bank’s mobile applications, payment machines, ATMs and/or other technical means and channels of data transfer and receipt) also includes recording and processing the data subject’s activities (for example, identifying data subject’s location while using an electronic channel, describe and analyze input data, the frequency of product choice and/or  any other statistical data).

VI.    Basis of data processing
6.1.    The data subject hereby agrees and acknowledges that throughout the period of using the Bank’s services and after the termination of a contractual relationship, it is necessary for the Bank to process data (including personal data) related to the data subject or third parties indicated by the data subject for the purposes of:
(a)    Reviewing the application of and/or performing a service to the data subject;
(b)    Protecting the legal interests of the Bank and/or third parties;
(c)    Performing obligations of the Bank under the legislation;
(d)    Making a marketing offer to the data subject;
(e)    Other cases permitted by the legislation;
6.2.    In case the legislation requires the Bank to obtain a consent of the data subject before processing the data (eg. for marketing purposes) such a consent shall be deemed obtained on the basis of a statement made by the data subject by using electronic and/or non-electronic means where he/she agrees to the Policy and the terms herein.

VII.    Purposes of data processing
7.1.    The bank and/or third parties set forth in Annex #1 of the Policy may process personal data of the data subject or third parties indicated by the data subject for various purposes including but not limited to:
(a)    Performing banking services duly and properly;
(b)    Using eMoney electronic wallet, which represents a joint service of the Bank and eMoney. eMoney electronic wallet enables the client of the Bank or eMoney to have a multi-currency electronic wallet, which can be used to make and receive payments and/or execute various actions permitted by the law and/or by respective terms and conditions of a product. Such actions include but are not limited to using the client’s eMoney wallet account (and/or telephone number and/or email or password) for authenticating on the websites where authorization by eMoney is permitted.
(c)    Cases determined by the legislation, for making the information available to audit companies, prospective assignee or assignor, regulatory, controlling or other supervisory authoritie;
(d)    Optimising and developing the Bank’s services during which the Bank analyses the data of a data subject related to credit history, statistical data and so forth;
(e)    Preparing and presenting various reports, researches and/or presentations;
(f)    Providing the safety as well as detecting and/or preventing fraud, money laundering or other criminal activities;
(g)    Offering to increase the amount of an ongoing credit or other conditions (including but not limited to maturity and interest rate) thereof during which checking a credit history of the data subject represents a necessity;
(h)    Offering a new and/or additional credit or non-credit product, during which checking a credit and/or transactional history and/or behavioural patterns of the data subject represents a recommended and/or absolute necessity 
(i)    Offering various services/products of the Bank and or third parties set forth in Annex #1 of the Policy for marketing purposes. 

VIII.    Processing data of applicants or employees
8.1.    Processing personal data for the purposes of initiating, carrying out and terminating employment agreement.
The bank is entitled to processing subject’s personal data which was disclosed for the purpose of considering an initiation of employment and/or internship of such a person (hereinafter – Applicant). If the applicant is rejected, failed to proceed through selection process, unsuccessfully ended the trial period, his/her data must be deleted, unless the applicant has agreed (by electronic as well as non-electronic means) to remain on file for a future selection process by the Bank and/or third parties. 
8.2.    If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of data protection laws have to be observed
8.3.    There must be legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include: a) legal requirements, b) consent of the applicant (by electronic as well as non-electronic means) or c) the legitimate interest of the the Bank or third party and d) purposes set forth in Paragraph VII of the Policy.

IX.    Processing of highly sensitive data
9.1.    Highly sensitive personal data can be processed only under applicant’s (data subject) written consent or without such consent when processing is expressly permitted or prescribed under national law (including but not limited to considering an initiation of employment). Highly sensitive data is data about racial and ethnic origin, political beliefs, religious or philosophical beliefs, union membership, health and sexual life, criminal record, administrative detention, preventive measures, plea bargain, diversion, recognition as a victim or an affected by the crime, as well as biometric and genetic data, which enable the identification of a physical person.
9.2.    Applicants consent on processing highly sensitive personal data must be clearly expressed. 

X.    Obligation of data controller and processor thereof
10.1.    Pursuant to the terms of this Policy, the Bank, while processing certain type of data, may be the data processor and act on behalf of a data controller, including third parties set forth in Annex #1 to this Policy or be a sub-contractor of such third parties. Correspondingly, each party to such relationship (data processor as well as data controller and its sub-contractors) is obligated to be in full compliance with applicable data protection legislation and strictly observe the terms listed below:
10.1.1.    Personal data should be processed in compliance with legislative principles. If it is required to obtain a consent of a data subject (including the consent to process data for marketing purposes), such a consent should be obtained (in written or electronic form).
10.1.2.    Processing of data transferred from one party to another should be carried out, without any limitation, in order to achieve the purposes set forth in Paragraph VII of the Policy.
10.1.3.    If during data processing, depending on the specificity of such a process, one party represents the data processor and another – data controller, the data processor has an obligation to:
(a)    Process the data transferred/disclosed by other party in compliance with the extent and scope as defined by terms of the Policy or is permitted by legislation or by the request of a regulatory authority; 
(b)    Implement every reasonable technical and organizational measure and execute every necessary action in order to prevent unauthorized processing, loss, destruction. damage, unauthorized modification or disclosure of data transferred/disclosed by data controller and keep data controller informed about every measure taken in that regard;
(c)    Allow the access for an authorized data controller personnel, upon data controller’s written notice, to a workspace where data transferred/disclosed by data controller is being processed for the purpose of estimating effectiveness of measures implemented by data processor for data security. 
(d)    Notify the data controller within 5 (five) business days if:

  • A request is submitted by the data subject on information related to his/her personal data;
  • A complaint or statement is submitted in connection with data controller’s compliance with legislative requirements; 

(e)    Cooperate with and assist data controller in terms of examining a complaint or a statement about the data transferred/disclosed by the data controller, including:

  • Provide the data controller with detailed information related to circumstances in complaint or statement, including data about the data subject which was transferred/disclosed to the data processor by the data controller;
  • Within a reasonable time, provide data controller’s access to data held by the data processor (including electronic data);
  • Within a reasonable time, provide any relevant piece of information related to the data transferred/disclosed by the data controller;

(f)    Without prior written consent of the data controller, prevent any data processing (transferring) activity to a country and/or international organization, which are not part of the European Union Economic Zone and are not listed in list of countries with adequate levels of personal data protection determined by Order #1 dated 16th of September 2014 of Personal Data Protection Inspector.
(g)    Without the consent of data controller, prevent transfer/disclosure of data transferred/disclosed by the data controller to the third parties (except when transfer/disclosure of the data to a third party is necessary for performing activities set forth by the Policy). Moreover, on any ground whatsoever, in case the data is transferred/disclosed to the third party, the data processor is obliged to transfer/disclose the data pursuant to a written agreement, under which the third party and its sub-contractors shall be obliged to take every necessary technical and organizational measure to action in order to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data.
(h)    Indemnify any damage/loss which may occur to the data controller as a result of data processor’s failure to take and/or underperform any necessary action (pursuant to the Policy and legislation). The data processor hereby consents and agrees to indemnify and protect the Bank from any damage/loss whatsoever (including buy not limited to consequential damages), complaints, expenses (including but not limited to the costs that will be borne by the Bank for the purpose of exercising its legal rights), legal proceedings and any other obligation that may occur to the Bank as a results of such violation by the data processor.
(i)    Unless otherwise determined by the agreement between the data controller and the data processor, after the termination of contractual relationship between the data controller and the data processor, the data processor is obliged to:

  • Return any data (including personal data) transferred/disclosed from the data controller before the termination of an agreement. Data should be returned in a form (manner) as received by the data controller and processing of such data should be immediately ceased; and/or
  • Observing every necessary security measure, which will prevent any unauthorized access to the data by third parties, destroy the data (including personal data) transferred/disclosed by the data controller and notify the data controller confirming such an action;

(j)    The parties hereby agree that terms of sub-article “i” are not enforceable unless the data is being processed by either party as the data processor in favor of the other party, which, correspondingly, for the purposes of the law, is the data controller.  


XI.    Transferring/disclosing information to and from the third parties
11.1.    In order the Bank to perform its services to the data subject duly and properly, within the scope of data processing, it is necessary the data related to the data subject and/or third party indicated by the data subject to be disclosed to and/or transferred from third parties set forth in Annex #1 to this Policy.
11.2.    For the purpose of receiving banking services and to a necessary extent compatible with such a purpose, the data subject grants the Bank a irrevocable right, pursuant to which, without the data subject’s prior or further consent:
(a)    The Bank, pursuant to the manner determined by the legislation, shall have the right to repeatedly obtain personal data related to the data subject from electronic database of Public Services Development Agency LEPL
(b)    At the Bank’s own discretion and in a manner agreed upon with Creditinfo Georgia JSC and/or any other entity with similar activities (Identification Code: 204470740; hereinafter – Creditinfo) transfer to and obtain from Creditinfo the data related to the data subject and/or any other additional cardholder, which includes but is not limited to the data of the data subject and/or third party indicated by the data subject (any additional cardholder, guarantor and so forth) identification data, origin of an ongoing debt, credit history, amount, purpose, interest accrued and other terms, maturity, debt payment schedule, debt outstanding balance and the results of judicial and enforcement proceedings in case of a court/arbitration dispute.
(c)    Consent Creditinfo to transfer/disclose data transferred/disclosed by the Bank related to the data subject and/or third parties indicated by the data subject (any additional cardholder, guarantor and so forth) to third parties provided that data transferred/disclosed by the Bank related to the data subject and/or third parties indicated by the data subject (any additional cardholder, guarantor and so forth) is transferred/disclosed to a party, which, on its own part, transfers/discloses the same type of information to Creditinfo and with whom Creditinfo has entered into a corresponding contractual relationship.
(d)    Search for, obtain and use the data related to the data subject and/or third parties indicated by the data subject (any additional cardholder, guarantor and so forth) from Creditinfo database.
(e)    Pursuant to the manner determined by the legislation, repeatedly transfer/disclose to and from the third parties (inclusing but not limited to affiliates, controlling/supervisory authorities, audit companies, prospective assignee or assignor and so forth) necessary to the Bank data (including but not limited to personald data, outstanding balance on the accounts and/or ongoing debts, transaction history and so forth) related to the data subject and/or third party indicated by the data subject (any additional cardholder, guarantor and so forth).
 
XII.    Direct Marketing
12.1.    The data subject hereby grants the Bank a right to use his/her telephone number, email and other contact address recorded with the Bank, with a periodicity determined by the Bank, to send SMS, voice and/or other types of advertising messages (direct marketing), until such time as the Bank receives from the data subject otherwise in accordance with a written and/or electronic form determined by the agreement between the parties and/or legislation.
12.2.    The data subject hereby grants the Bank a right to transfer/disclose the data or confidential information related to the data subject to the Bank’s affiliates for the purpose of making various marketing offers. The data subject has a right to demand the Bank’s affiliates to cease direct marketing, in accordance with a written and/or electronic form determined by the agreement between the parties and/or legislation.
12.3.    For the purpose of this Parahraph, direct marketing shall not be deemed as and, correspondingly, the data subject shall not be entitled to demand cessation thereof, receiving advertising/information messages at points of service of the Bank (eg. Advertising banner, flyer, verbal offer and so forth) or while using electronic channels (including ATMs, internet banking, mobile banking an so forth.) of the Bank (or the Bank’s affiliate).

XIII.    Video surveillance and audio recording
13.1.    For the purposes of safety and protection of property and confidentiality, also for the purposes of service quality control, in accordance with the requirements of Law of Georgia on Personal Data Protection, the outer perimeter and entrances of the buildings, workplace are under video surveillance and audio recording. Video surveillance is also being carried out using ATMs and other electronic devices and audio-recording is being carries out while communicating with the Bank using the telephone. 
13.2.    The data subject shall be informed using appropriate means at points of service of the Bank and while communicating with the Bank about ongoing video surveillance and video-recording. The data subject acknowledges the importance of video surveillance and audio-recording and hereby consents the Bank to process his/her data in that regard. 

XIV.    Copyright
14.1.    The data subject hereby agrees that data related to the data subject (print, audio and/or visual) published on the Bank’s website, internet banking, mobile banking, mobile applications and other electronic means, shall be deemed as the Bank’s property and the Bank shall own a copyright over such data immediately after its publishing unless it is not classified as personal data of the data subject.

XV.    Data update. Processing and retention period
15.1.    Throughout the period of using the Bank’s services and after the termination thereof, the Bank shall continue to process the information set forth in this paragraph for the purposes determined by this paragraph (including disclosing to and transferring from Public Services Development Agency LEPL, Creditinfo Georgia JSC and third parties set forth in Annex #1 to this Policy) for the period of time consistent with the Bank’s purposes and interests, regulatory/supervisory authority request and/or legislation.
15.2.    Processing of data which was transferred to the Bank from the data subject while using electronic channels (web-browser, the Banks website, internet banking, mobile banking, mobile applications and/or other means of data transmission) shall not cease even after the data subject erases such data from electronic channels. Such data shall be retained by the Bank for the period of time consistent with the Bank’s purposes and interests, regulatory/supervisory authority request and/or legislation.
15.3.    In case of the data subject’s request, the Bank, with scope consistent with the legislation, shall provide the Client with information about personal data related to the Client kept by the Bank. The Bank is entitled to impose a service fee for providing the Client with such information, except when providing the information free of charge is prescribed by the law. 
15.4.    Should the data subject deem data related to him/her kept in the Bank as incomplete or not exact, the data subject shall be obliged to immediately notify the Bank with written notice.
15.5.    Unless otherwise determined by the legislation, the data subject is not entitled to require the Bank to erase the personal data related to him/her kept by the Bank.

XVI.    Rights of the data subject
16.1.    Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject:
(a)    The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
(b)    If personal data is transmitted to third parties, information must be given within a reasonable time, about the identity of the recipient or the categories of recipients in case the data subject submits such request;
(c)    If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
(d)    The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use in case the data subject submits a refusal on processing his/her personal data for the purposes of advertising or marketing.
(e)    The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
(f)    The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
(g)    Additionally, every data subject can assert the rights under the Policy as a third-party beneficiary if a company that has agreed to comply with this Data Protection Policy does not observe the requirements and violates the party’s rights.

XVII.    Confidentiality of processing
17.1.    Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees of the Bank, its subsidiaries and/or affiliates is prohibited. Any data processing undertaken by an employee of the Bank, its subsidiaries and/or affiliates that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. Employees of the Bank, its subsidiaries and/or affiliates may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities. 
17.2.    Employees of the Bank, its subsidiaries and/or affiliates are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.

XVIII.    Processing security
18.1.    Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data.

XIX.    Data protection control
19.1.    Compliance with this Data Protection Policy and the applicable data protection laws is checked regularly by authorized employees of corresponding structural units of the Bank. The responsible data protection authority can perform its own controls of compliance of the bank, its subsidiaries and affiliates with the regulations of this Policy, as permitted under national law.

 

Annex #1 - Transferring/disclosing information to and from the third parties

1. The Bank takes every necessary precaution to protect the confidentiality of its Client’s information, including the confidentiality of personal data. However, we (the Bank) are entitled to transfer (disclose) the personal data of our Client to and from the third parties listed hereunder (hereinafter – Third Parties) if it: a) is necessary for performing the service properly, b) is permitted by the legislation and/or c) serves the commercial purpose of the Bank: Data is transferred or disclosed for:
•    The list of Bank’s partner companies, with whom the Bank cooperates on commercial terms, including not limited to: 
-    Emoney Georgia (Identification Code: 202376026);
-    Emoney LLC (Identification Code: 204557540);
-    Ecapital JSC (Identification Code: 404981338);
-    Money Movers LLC (Identification Code: 200274318);
•    Performing the service properly;
•    Making a marketing offer to you (the Client) by the Bank and/or the Third Parties;
•    The purpose permitted by the legislation (For example identifying the Client);
•    The purpose of other legitimate commercial interest in compliance with the requirements of Law of Georgia on Personal Data Protection;
•    Supervisory, controlling and/or registration authorities, state or local authorities and legal entities created by them, including but not limited to:
-    The National Bank of Georgia;
-    Financial Monitoring Service of Georgia LEPL;
-    National Agency of Public Registry LEPL;
-    Public Services Development Agency LEPL;
-    Revenue Service LEPL and other tax authorities;
-    Social Service Agency LEPL;
-    Service Agency of MIA of Georgia LEPL;
•    Performing the service properly;
•    The purpose permitted by the legislation (For example identifying the Client);
•    The purpose of other legitimate commercial interest in compliance with the requirements of Law of Georgia on Personal Data Protection;
•    Credit bureaus and/or debt collection organizations, which including but not limited to:
-    Creditinfo Georgia JSC (Identification Code: 204470740) and/or other entity with similar activities;
-    Troubled Asset Management Agency LTD (Identification Code: 402008554), Capital LTD (Identification Code: 405094491) and other troubled asset management and debt collection organizations, which facilitate the payments of troubled debts and/or the purchase (assignment) of such debts;
•    Performing the service properly;
•    Making a marketing offer to you (the Client) by the Bank and/or the Third Parties;
•    The purpose permitted by the legislation (For example identifying the Client);
•    The purpose of other legitimate commercial interest in compliance with the requirements of Law of Georgia on Personal Data Protection;
•    International and local payment service operators, which including but not limited to:
-    International Payment System Operator VISA Inc;
-    International Payment System Operator MASTERCARD Incorporated;
-    International Payment System Operator UnionPay;
-    H2H (Direct hosting, when payments between payment providers or the exchange of information is executed without the involvement of international payment providers) member processing companies and/or commercial banks (For example UFC, TBC Bank JSC and other UFC member commercial banks, Procredit Bank JSC, Cartu Bank JSC and so forth.);
-    Payment service providers (except commercial banks, for example Nova Technology JSC, TBC-Pay LLC, Money Movers LLC and so forth.) and/or their contractors (such entities use the services of payment service providers and the service is performed with the bank’s involvement, for example Telasi JSC, Georgian Water and Power LLC and so forth.)
-    International and local money transfer operators (including but not limited to The Western Union Company, MoneyGram International Inc., Zolotaya Korona and other entities listed on the Bank’s website - http://libertybank.ge http://bit.ly/1nqyz2J)
•    Performing the service properly (including the execution of payment operations)
•    The purpose permitted by the legislation (For example identifying the Client);
•    The purpose of other legitimate commercial interest in compliance with the requirements of Law of Georgia on Personal Data Protection
•    The Bank’s contractors and/or corporate clients, which use the Bank’s payment service for accepting the payments (billing) of their own clients (subscribers), including but not limited to:
- Telasi JSC;
- Georgian Water and Power LLC 
- Kaztransgas-Tbilisi LTD and other entities listed on a bank-administered payment website: - http://pay.ge
•    Performing the service properly (including the execution of payment operations);
•    Making a marketing offer to you (the Client) by the Bank and/or the Third Parties;
•    The purpose permitted by the legislation (For example identifying the Client);
•    The purpose of other legitimate commercial interest in compliance with the requirements of Law of Georgia on Personal Data Protection;
 
2. In case the Bank transfers (discloses) the data to the third parties, including the resident person(s) of other countries, reasonable safety measures in compliance with Law of Georgia on Personal Data Protection shall be taken.
3. The Client hereby acknowledges and confirms that the lists of third parties available on bank-administered websites (including but not limited to http://libertybank.gehttp://pay.ge) are not complete, exhaustive and the number of such third parties may be increased or decreased from time to time. However, the Bank shall ensure that actions related to data processing remain in compliance with the requirements of Law of Georgia on Personal Data Protection.