CCTV system

Effective from: 22.2.2022

I. General information

Purpose

The information below is intended to inform the public and persons entering the monitored area (i.e. potential affected data subjects) about the procedures for processing, storing and managing the records taken by the CCTV system operated in the SAFINA, a.s. premises, Vídeňská 104, 252 50 Vestec, Czech Republic, ID No.: 03214257, Tax ID No.: CZ 03214257, registered in the Commercial Register kept at the Municipal Court in Prague, Section B, Insert 20972 (hereinafter also referred to as the “Controller“), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “GDPR“), in particular Article 13 GDPR.

Scope

The camera system is operated and this information applies to the objects of the Controller:

  • SAFINA a.s., registered office and premises – Vídeňská 104, 252 50 Vestec,
  • all SAFINA a.s. facilities are operated in the Czech Republic.

II. Information on the processing of personal data and the operation of the CCTV system

Controller and his contact details

The controller of your personal data is SAFINA, a.s., Vídeňská 104, 252 50 Vestec, Czech Republic, ID No.: 03214257, VAT No.: CZ 03214257, registered in the Commercial Register kept at the Municipal Court in Prague, Section B, Insert 20972.

Contact details of the Controller: phone: +420 241 024 111, fax: +420 241 024 292, e-mail: info@safina.cz; gdpr@safina.cz

Legal basis for processing

Your personal data is processed by the camera system on the basis of the necessity to protect the legitimate interests of the controller and third parties in accordance with Article 6(1)(f) of the GDPR, namely:

  • ensuring the protection of the health and life of persons on the premises of the controller;
  • protection of the property of the controller, IP Vestec s.r.o. (the landlord of the premises in the premises of the controller) and other persons, especially employees of the controller and companies operating in the premises of the Controller.

The controller is fully aware of the rights of data subjects enshrined in the provisions of Act No. 89/2012 Coll., the Civil Code, as amended, relating to the conditions for the protection of privacy, personality and the human form, and also in the provisions of Act No. 262/2006 Coll., the Labor Code, as amended, regulating the covert and overt monitoring of employees at the workplace. In both cases, however, the Controller considers that the nature of its activities and the purpose of the operation of the CCTV system (see below) reasonably entitles it to interfere with the rights of the persons recorded, and thus its interests outweigh the interests and rights of the data subjects requiring protection of their personal data.

Purpose of processing

The purpose of the processing is to ensure compliance with work procedures in terms of occupational health and safety in the facilities of the Controller, where chemical and other substances are handled, as well as to protect the property of the Controller and other persons from other illegal or criminal activities.

Ensuring security in the premises of the Controller with the help of a CCTV system is really necessary with regard to the activities of the Controller. The Trustee is active in the refining of precious metals, the production of semi-finished and finished products from precious and base metals, the production of jewelry alloys for the gold, jewelry and metalworking industries, and the production of homogenizers and mixers for the glass industry, production of laboratory tools, chemical and physical analysis, electroplating, production of chemical compounds based on precious metals, purchase, processing of waste containing precious metals, etc.

The operation of the CCTV system and the related processing of personal data of the recorded persons is also carried out in order to fulfil the Controller’s obligation to the landlord IP Vestec s.r.o. , with registered office at Vídeňská 104, 252 50 Vestec, ID No.: to08271631 ensure the security (protection and security) of the premises at the same address.

The purpose of the operation of the CCTV system is therefore to prevent undesirable phenomena, in particular against entry and unauthorized stay in the building, especially in places that may be dangerous to health.

Record retention period

The camera system takes video recordings, the retention period of which usually does not exceed days14. If there is no other legal reason for keeping the records, they are destroyed. A record of a captured incident is retained for the time necessary to review the case and for legal protection.

Method of processing personal data

A camera system is an automatically operated permanent technical system that enables the acquisition and storage of video recordings from monitored locations. The content of image records may therefore include personal data of the recorded persons – their appearance and image information about their behavior and actions.

No audio recording is made by the camera system.

The quality of the footage is sufficient to identify people and recognize their activities, depending on the specific purpose and type of each individual camera. In addition, the camera system as a whole contains separate geolocations, where cameras are also placed at individual sales points of the Controller.

The camera system is in continuous operation 24 hours a day, with all of them recording continuously (or recording in case of movement in the monitored zone). Personal data is processed only by designated personnel in the given location, and usually only by on-line recording, where the evaluation of the recordings is carried out retrospectively only in crisis situations or when a malpractice is detected/verified.

The recordings from the CCTV system are continuously stored on the CCTV server in a secure room. In the event of an illegal act, copies of the recordings may be made and forwarded to law enforcement and the relevant administrative authorities.

The controller does not foresee the transfer of personal data to other countries, this will not occur. Exceptions may be foreign litigation or foreign criminal and misdemeanor proceedings.

The monitored area and the marking of the camera system

The camera system is located both on the premises and in the production area. Cameras are placed in these areas both outside and inside the buildings to capture all critical areas.

A detailed description of the camera system is not publicly available for security reasons.

The monitored area is clearly marked at all main entrances to the premises of the Controller with information signs, where all persons entering the area are aware of the fact that all activities in the monitored area can be recorded. Conversely, in order to provide a comfort and privacy zone, the Manager then clearly informs the areas inside the buildings (changing rooms, toilets etc.) on information boards that these areas are not monitored.

Processors

The security agency that oversees the entire campus, or its employees, have access to the cameras and their online monitoring, but they do not have access to their footage. The Agency is in the role of a data processor in terms of the GDPR and the Controller has a contract with this processor for the processing of personal data in accordance with the GDPR.

Possibility to transfer records outside the Controller

Under certain circumstances, the recordings made by the CCTV system, which contain personal data of the data subjects, may be handed over to law enforcement authorities (police, prosecutor’s office, court), to the court or other state or local government authorities dealing with offences on the basis of the rules laid down by law or to an insurance company. Likewise, the personal data of the data subject may be transferred to the data subject himself or herself upon his or her request for access to personal data in accordance with Article 15(1) of the GDPR. Each transfer of data is instructed by a person authorized by the Controller or responsible for the operation of the CCTV system and a record of each such transfer is made in the Controller’s operating log.

Records cannot be retained in any other way (other than the transfer or segregation of a particular record outside of the standard expiration deletion procedure for possible evidence, defense of legal claims, etc.) for any period longer than that specified above.

Security

Taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the differently likely and differently serious risks to the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk in question. For this purpose, the Controller shall carry out a data protection impact assessment (DPIA).

The Controller has taken the following technical and organizational measures:

  • limited physical access to cameras – e.g., height placement of cameras,
  • limited access to storage – physical barriers, limited number of persons with authorized access to stored records, data security – password, encryption,
  • training of authorized persons,
  • keeping records of the transmission of recordings to authorized authorities and persons.

Rights of the data subject

Each data subject, i.e. the person whose personal data is recorded by the camera system, has the following rights in relation to the Controller:

  • the right to obtain information about what personal data is being processed about the data subject,
  • request access to your personal data,
  • the right to rectification of your personal data,
  • the right to have your personal data erased,
  • the right to restrict the processing of your personal data,
  • the right to object to processing,
  • the right to the portability of your personal data,
  • the right to lodge a complaint with the Office for Personal Data Protection.

You can file a complaint with the Office for Personal Data Protection at Pplk. Sochora 27, 170 00 Prague 7, mailbox ID: qkbaa2n, e-mail: posta@uoou.cz, telephone: +420 234 665 111.