The data controller of the CCTV is QUALCO Information Systems Single Member Societe Anonyme and distinctive title “QUALCO”, with registered offices in Athens, Greece 66, Kifissias Ave 15125 Marousi, with VAT number: 094503426 and General Electronic Commercial Registry number 2916401000 (hereinafter “QUALCO”), T: +30 210 6198903, E: info@qualco.eu
2.1. Video surveillance systems are those systems which are permanently installed and having the ability to record and/or transmit images and/or sound to projection screens or recording devices (where cameras can be connected to the display or recording equipment either directly or via network/internet).
The most common case of a video surveillance system is the closed-circuit television system.
2.2. The video surveillance system receives images of natural persons and therefore processes personal data. QUALCO acting as the Data Controller has all the obligations arising from the institutional framework on data protection, data protection legislation, such as the obligation to comply with data subjects’ rights, the obligation to respect the confidentiality and security of processing.
2.3. This policy describes the video surveillance system of QUALCO and sets out the measures taken to protect personal data, the right to privacy and other fundamental rights and interests of natural persons filmed by the video surveillance cameras of QUALCO.
3.1. All video-surveillance systems installed and managed by QUALCO within and around its premises located in Athens. The system comprises of a number of fixed cameras without voice recording. The cameras are placed on the perimeter of the buildings and record the outside of the buildings and the entrance areas.
3.2. The policy applies to:
3.3. Please note that this policy does not include:
4.1. In view of the current regulatory framework, this policy aims to document the rules and procedures in place to process the video-surveillance images in accordance with the EDPS guidelines for CCTV, the CCTV guidelines issued by the Hellenic Data Protection Authority (HDPA) and GDPR Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.
4.2. In the context of the GDPR Regulation requirements, the Company has executed Data Protection Impact Assessment in accordance with the Data Protection Impact Assessment Policy of QUALCO. The report resulting from this study has been sent to the company and the Facilities department, which has drawn up a plan for the implementation of the actions it prescribes.
5.1. The CCTV system is owned by QUALCO SA and it is managed by QUALCO SA and its appointed agents. Under current data protection legislation QUALCO SA operates as data controller for the images/videos produced by the CCTV system.
5.2. The Facility Manager has been designated as the person responsible for the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring, and ensuring compliance with this policy.
5.3. Signs are placed at pedestrian and vehicular entrances in order to inform staff, visitors and members of the public that CCTV is in operation. The signage indicates that the system is managed by QUALCO.
5.4. Cameras are sited to ensure that they cover QUALCO premises as far as possible. Cameras are installed throughout the QUALCO’s sites including roadways, car parks, buildings, and licensed premises within buildings and externally in vulnerable public-facing areas.
5.5. Cameras are not sited to focus on private residential areas and cameras situated in QUALCO external areas are focused on entrances and communal areas. Where cameras overlook residential areas, privacy screens will be fitted.
5.5. The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.
5.6. Cameras are monitored in the Security Control Room, which is a secure area, staffed 24 hours a day.
5.7. Images are recorded centrally on servers located securely in the QUALCO Data Centers and are viewable in Security Service areas by authorized security staff. Additional staff may be authorized by the Facility Manager to monitor cameras cited within their own areas of responsibility on a view-only basis.
5.8. The cameras installed provide images that are of suitable quality for the specified purposes for which they are installed, and all cameras are checked daily to ensure that the images remain fit for purpose and that the date and time stamp recorded on the images is accurate.
5.9. The use of covert cameras is restricted.
5.10. The CCTV system is subject to a Data Protection Impact Assessment. Any proposed new CCTV installation is subject to a Data Protection Impact Assessment.
6.1. Privacy
QUALCO will ensure that any personal information collected, retained, and released through its CCTV systems is managed in accordance with the GDPR Regulation. Staff will respect the privacy of individuals when using CCTV, maintain confidentiality over what they observe, and comply with QUALCO's Privacy Policy when dealing with personal information. Staff will not use CCTV systems to view individual’s private property unless there is an approved purpose to do so.
6.2. Purposes of CCTV
QUALCO uses CCTV systems and processes personal data for the following purposes:
The CCTV system will be used to observe QUALCO’s premises and areas under surveillance in order to identify incidents requiring a response. Any response should be proportionate to the incident being witnessed.
QUALCO seeks to operate its CCTV system in a manner that is consistent with respect for the individual’s privacy.
Any modification to the camera type or position must be approved by the Data Protection Officer and the Information Security Director.
The use of the CCTV system will be conducted in a professional, ethical and legal manner and any diversion of the use of CCTV security technologies for other purposes is prohibited by this policy.
The CCTV will not be used for monitoring employee performance.
The CCTV will not be used to monitor public areas.
6.3 Compliance with Data Protection Legislation
In its administration of its CCTV system, QUALCO complies with the General Data Protection Regulation (GDPR) and the Greek L.4624/2019.
Due regard is given to the data protection principles embodied in GDPR. These principles require that personal data shall be:
6.4 Notification
A resume of this CCTV Policy will be available through the QUALCO website.
A copy of this CCTV Policy will be provided on request to staff and visitors.
The location of CCTV cameras will also be indicated and adequate signage will be placed at each location in which a CCTV camera(s) is sited to indicate that CCTV is in operation.
Signage shall include the name and contact details of the data controller as well as the specific
purpose(s) for which the CCTV camera is in place in each location.
Appropriate locations for signage will include:
6.5 Retention
CCTV footage and CCTV data will be retained for seven (7) days in accordance with QUALCO’s Data Retention Policy, except where the image identifies an issue and is retained specifically in the context of an investigation/prosecution of that issue.
Where the purpose of the collection requires CCTV footage or CCTV data to be retained for a longer period or where there is a legal requirement to do so, QUALCO will remove personal information contained within such footage or data unless it is required for the purpose of the retention of the footage.
The images/recordings will be stored in a secure environment.
6.7 Access of CCTV information
Access will be restricted to authorized personnel. Supervising the access and maintenance of the CCTV System is the responsibility of the Facility Manager.
Any ongoing arrangements for access to CCTV systems or release of CCTV: footage/data to third parties must be formalized in writing and to be approved by the Data Protection Officer and the Information Security Director.
In certain circumstances, the recordings may also be viewed by other individuals in order to achieve the objectives set out above. When CCTV recordings are being viewed, access will be limited to authorized individuals on a need-to-know basis:
6.8 Security of CCTV
Security measures will include physical, technological and administrative means.
These include ensuring only authorized persons have access to the CCTV software, restricting permissions to those needed to perform their duties, and annual reviews of access rights.
6.9 Staff Training
Staff authorized to access the CCTV system will be trained to comply with this policy. Staff will understand that all information relating to the CCTV images must be handled securely.
Staff will receive appropriate training to enable them to identify and handle different requests according to regulations.
Staff misuse of surveillance system information will lead to disciplinary proceedings.
Complaints concerning this CCTV should be made in writing to the Facility Manager at: erotani@qualco.eu
All concerns relating to the protection of your personal data and/or the exercise of your GDPR rights should be addressed to the QUALCO DPO Despina Spatha at dpo@qualco.eu
The QUALCO' s usage of CCTV and the content of this policy shall be reviewed every two years by the Facility Manager in collaboration with the Data Protection Officer with reference to the relevant legislation or guidance in effect at the time. Further reviews will take place as required.
CCTV Administration Procedure