Privacy Notice for the Operation of CCTV in Greece (PN-002)
Privacy Notice for the Operation of CCTV in Greece (PN-002)
In Heads (hereinafter referred to as the “Company” or “we”) we consider Data Protection an integral part of our operational business principles and are committed in respecting your privacy and complying with all applicable laws on data protection, including the General Data Protection Regulation (GDPR), ensuring that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to data subjects (GDPR- “lawfulness, fairness and transparency” principle of processing personal data);
- collected for specified, explicit and legitimate purposes and not further processed in any manner that is incompatible with those purposes (GDPR “purpose limitation” principle of processing personal data);
- adequate, relevant and limited to what is absolutely necessary for the purposes for which they are processed (GDPR “data minimization” principle of processing personal data);
- accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (GDPR “accuracy” principle of processing personal data);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures required by applicable data protection legislation in order to safeguard the rights and freedoms of data subjects (GDPR “storage limitation” principle of processing personal data);
- processed in a manner that ensures appropriate security of the personal data (including when applicable, anonymization or pseudonymization), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organizational measures (GDPR “integrity and confidentiality” principle of processing personal data);
- transferred to a third country, outside the European Economic Area, or international organization, only when adequate level of protection is ensured to safeguard the rights and freedoms of data subjects.
Purpose and lawfulness of data processing
We operate a Closed-Circuit Television (CCTV) system and in this context process your personal data for no other purpose than to ensure the security of our premises, employees, and assets, including information located or stored on the premises. It is set to prevent, deter and if necessary, detect and investigate unauthorized physical access, including unauthorized access to secure, protected rooms, Information Technology (IT) infrastructure and operational information, as well as prevent, deter and if necessary, detect and investigate theft of equipment or assets. The legal basis for this is our legitimate interest in ensuring physical and information security.
The CCTV system is established in all Company premises in Greece. The cameras are installed indoors, at the entrance, fire exit doors and back off-street windows where an increased likelihood for unauthorized entry exists and are placed and focused in such a manner that only people who want to access the premises are filmed. In addition, a CCTV camera is installed within the server room, at the entrance door and focused in such a manner that only people who enter the server room are filmed.
The CCTV camera installed in the server room operates 24/7, whereas the CCTV cameras in the remaining positions only film during out of business hours.
What personal data do we process?
The Company collects and processes images caught on the cameras. No sound/voice is recorded.
What are the recipients of your personal data?
Within the Company, access to your personal data is provided to employees of Heads responsible for the safety of the facilities.
Outside the Company, the data is not transmitted to any third parties, unless an illegal act is performed, in which case, data may be transmitted to competent authorities (police, judicial etc.) that investigate the relevant act, or the victim/penetrator of a criminal act, when such data constitute evidence.
How long do we process your personal data for?
The Company maintains the images captured by the CCTV system for fifteen (15) calendar days, after which they are automatically deleted.
If an incident takes place during this time, we will isolate the relevant part of the recording and in order to investigate it and initiate any relevant legal actions, we will keep it:
- for another one (1) calendar month, when the incident concerns the Company alone, or
- for another three (3) calendar months, when the incident concerns any third party.
Your rights
Right to be informed | You have the right to be informed about the collection and use of your personal data. |
Right of Access | You have the right to view, request a copy or access your personal data being processed in a concise, easily understood, transparent and easily accessible form. |
Right to Rectification | Modification of the CCTV footage is not allowed. |
Right to be Forgotten / Right to Erasure | You have the right to request your personal data be deleted, without any delay; however, deletion of the CCTV footage is not allowed, unless processing is unlawful. |
Right to Restriction | You have the right to request the restriction or suppression of processing of your personal data, subject to exemptions set by certain laws. |
Right to Object | You have the right to object to the processing of your personal data, unless the Company demonstrates compelling legitimate grounds for processing, which override your interests, rights, and freedoms. |
Right to Portability | You have the right to ask for your personal data to be transferred to another Controller or be provided to them. The data must be provided in a structured, commonly used, machine-readable electronic format. |
The Company will satisfy your request based on the conditions set out in the law. Exercising your rights as granted by law does not necessarily imply that it will be fully satisfied, especially when other compelling legal provisions exist. In case we cannot fulfil a request of yours, we will inform you, accordingly, providing you with a relevant justification.
How can you exercise your rights?
If you have any question or concern regarding this Privacy Notice and your personal data processing by the Company, you may contact dpo@heads-research.com. For a more efficient handling of your request, please provide us with the date and location (camera range) of the CCTV footage your request is linked to and a picture of you so we can easier identify your data and mask any other parties’ relevant data.
We will respond to your request within fifteen (15) calendar days of receipt, a calendar month maximum; if an extension to this timeline is necessary for us to respond to your request, we will inform you accordingly, providing you with a relevant justification for the extension required.
In any case, if you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
Last updated: 16-Oct-2023
Get in touch with us or find an office closest to you.
