License agreement is subject to regulation under the Law of Georgia on Copyright and related rights and the Civil Code of Georgia. As in most cases end-user agreements include situations when the licensee is an individual and not a legal entity, protection of personal data may become one of the important moments between the copyright holder and the licensee end-user.
The Laws of Georgia consider two types of license agreements. Those are exclusive licenses and conventional licenses. Generally, in most cases with end-user license agreements there are situations when conventional agreements are entered.
First of all, what should be noted is that the license agreement, even with the end-user, should be entered in writing. It is a mandatory requirement under the Laws of Georgia. In writing does not mean that the parties will have to sign the hard copy and send it to the counterpart. The agreement can be signed in any type of writing form, which allows identification of the signatories.
There is no requirement that the end-user agreement is governed by the Laws of Georgia. The parties are free to choose governing law. What should be kept in mind is that any provisions contradicting general “over-imperative” principles of the Laws of Georgia should prevail over the agreement.
In case of entering into the end-user agreement the important issue which should be taken into consideration is personal data processing as the copyright holder or licensor receives access to the personal data of end-users or a personal data of employees of end-user.
The following personal data protection regulations must be taken into consideration in relation to end-user license agreements:
- Privacy notice:
Privacy notice is a consent of a data subject on processing of his / her personal data. In most cases it is either an annex of the license agreement or a part of the license agreement. The end-user should be properly informed which data of the data subject will be processed. Generally, such personal data includes a name, surname, email, place of work, or any other data allowing identification of the data subject.
Data processing is allowed in cases when there is a legitimate basis for data processing. It means that data processing is necessary for a specific purpose, which cannot be achieved without processing the personal data.
The data subject should be properly notified if the data is shared and the extent of this sharing. The data subject should be informed, who the data controller is, and whether the personal data should be transferred abroad and kept abroad etc.
- Trans-border Transfer of Personal Data
The detailed regulation on obtaining the State Inspector consent on trans-border transfer of personal data has been recently adopted in Georgia 1.
For a cross-border data transfer consent of personal data subject is required. In certain cases consent of the personal inspector's service is also necessary. The State Inspector has adopted a “white-list” of countries with adequate guarantees of personal data protection. Those are mostly the countries of EU. Transfer of personal data to white-list countries does not require consent of the State Inspector service Among them are not CIS countries and the USA.
The term of receipt of the consent from the State Inspector is 2 months and requires filing the following information to the local regulatory:
- an agreement between a data subject and an applicant;
- excerpt (certificate of incorporation) from an entrepreneur or legal entity's registry of an applicant and a data controller (apostilled and translated into Georgian if prepared offshore);
- apostilled and translated power of attorney in case the application is submitted through a proxy;
- a document providing information on a business activity carried out by a data controller, e.g., Articles of Association. The copy of the document should be apostilled and translated into Georgian;
- an agreement between a data controller and a data processor, if an applicant is a data processor - a person carrying out data processing for a data controller;
- data Subject's consent on a cross border transfer of personal data;
- any other information on personal data protection guarantees, such as a personal data protection policy;
- an application should be submitted in a form pre-approved by the State Inspector Service. All foreign language documents attached to the application should be translated into Georgian.
Footnote
1. Decree #07 of the State Inspector from 23 July 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
