1.    Definition, purpose and scope

1.1. This policy describes the terms and conditions for the installation and operation of the camera-based video surveillance system of the company “PENETRON HELLAS ADVANCED WATERPROOFING AND PROTECTION SYSTEMS S. A.” (with the trade name “PENETRON HELLAS S.A.”) and sets out the security measures taken to protect the privacy, personal data and other fundamental rights and legal interests of natural persons recorded by the company's cameras.
1.2. Video surveillance systems are defined as systems that are permanently installed in a place, operate continuously or at regular intervals and are able to receive and transmit an image and/or audio signal from this place to a limited number of projection screens and/or recording machines (where cameras can connect to the screen or the recording machine either directly or through a network/the Internet).
1.3. This policy does not apply to teleconferencing and videoconferencing systems, to audio-visual recordings of events (e.g. conferences, seminars, social events), to video recording for the company's social media, or to image and/or audio capture with cameras or mobile phones.
1.4. Our company uses a video surveillance system to serve its legal interest, which consists in the protection and safety of persons who are legally in the monitored areas (staff, visitors, clients), as well as of office premises, goods, assets and company and employee information.
1.5. The video surveillance system receives image data of the persons who are present in the monitored areas and therefore processes personal data. Our company, as data controller, meets all the requirements provided for in the institutional framework for the protection of personal data, namely Regulation (EU) 2016/679 (hereinafter “GDPR”), Greek Law No 4624/2019 and the Directives of the Hellenic Data Protection Authority (HDPA), which set out the types of data collected, the purpose of collection, the rights of subjects regarding their data and how they can exercise them.

2.    Areas under video surveillance

2.1. In the areas under video surveillance, there are cameras which surveil every movement at the entrances/exits and in the office interiors. A privacy-friendly technology system has been installed and the installation points have been carefully selected to ensure that the surveillance is limited, as far as possible, to the areas which are strictly necessary for the intended purposes.
2.2. Our company’s cameras are not installed in open spaces and no images are taken of outside public areas, streets, sidewalks or neighbouring buildings. Furthermore, no video surveillance system is installed in strictly private areas, where installation is forbidden because the hard core of privacy is affected and there are heightened expectations of privacy protection, such as the employees’ rest area, the kitchen and the toilets. The surveillance within the company’s premises is limited to the minimum possible, in such a way that the persons generally affected by the processing are those who enter our company's offices.
2.3. The system is not used for the supervision and evaluation of employees or of their productivity inside the offices and their work spaces. In addition to the entrances and exits, image data are taken only from specific areas where high security is required, such as loading ramps, server rooms, accounting rooms and areas where critical company files are stored, and the cameras focus only on the protected asset.
2.4. The installed cameras are fixed and do not have the ability to rotate and focus, except in the exceptional case of immediate prevention of an emergency situation and only in the necessary shooting area. They also do not transmit data via the Internet (web cameras) and do not receive or process audio data.
2.5. The video surveillance system operates twenty-four (24) hours a day, seven (7) days a week. The operation of the cameras, during working and non-working hours, ensures a high level of protection of our company's facilities and office areas, as well as of our staff and visitors (e.g. prevention and proof of criminal acts, such as theft, assault and vandalism, and early detection of malicious acts), especially during the night, when the risks are increased.

3.    Video surveillance data

3.1. The video surveillance system consists of twenty-four (24) fixed cameras, which operate on a 24-hour basis. The cameras record the movement in the monitored area together with the date and time. The image from the cameras is available in real time to the authorized personnel charged with the security of the area. No audio data shall be recorded.
3.2. Moreover, our company has installed an Access Control system at the entrances/exits of its facilities, where the employees’ access is granted through the use of an individual digital work card. The system is informed, through the card, in real time about the employee's working hours, i.e. the date and time of entry or exit from the controlled area.  
3.3. In all circumstances, the data collected through the system are not used by the employer to monitor and supervise the work of the employees or to evaluate their behaviour and their productivity (article 27 L.4624/2019).

4.    Receivers

4.1. The cameras of the system are connected to a network, which is protected from unauthorised access through the use of passwords. Access to the system and to the data collected, both real-time images and recorded material, is only available to the competent, authorised personnel of our company, consisting of a small number of clearly defined persons. The authorized receivers can also access the video surveillance system via remote connection (via laptops or mobile phones). Our company sets out the rights of access, which depend on the job position of each authorised person, in order to ensure that each of them has access only to data related to their tasks.
4.2. The data of the video surveillance system is not disclosed or transmitted to third parties, unless there is explicit consent of the subject depicted in the relevant records. Article 9 of Directive 1/2011 (HDPA) establishes the following exceptions to the above rule: (a) transmission of data to the competent judicial, public prosecutor and police authorities, when they lawfully request them in the exercise of their duties; (b) transmission of data to the competent judicial, public prosecutor and police authorities, when the data constitute evidence of the commission of a criminal offence in the supervised areas; (c) transmission of data constituting evidence to the person depicted in the records as victim or perpetrator of the criminal offence.
4.3. Our company uses external partners/processors of personal data to provide technical support services as regards security systems, access control, CCTV, fire safety and firefighting services. The processing of personal data by the above persons includes the control of the internal and external circuits of the system, as well as the backups of surveillance control and recording software. The external partners/processors undertake, by a written contract with our company, to comply with the legal framework for the protection of personal data and with this policy, in order to ensure the confidentiality and security of the processing. System operators shall be informed about the purposes of the processing of the collected data and shall be prohibited from recording areas where processing is not permitted.
4.4.  Any breach of personal data, collected by our company's video surveillance system, is recorded in the Incident Log and the relevant department of the company is informed as soon as possible.

5.    Data retention period

5.1.   The taped video material is saved in our company’s secured archive, for a period of fifteen (15) days, after which it is automatically deleted. In the event of an incident (e.g. theft, harassment, vandalism) against our company and its goods, the data, relating to this incident, is isolated and kept in a separate file for a further period of thirty (30) days. If the incident involves a third party, the data is stored for three (3) months.
5.2. Cases of criminal acts, security breaches and requests from police and prosecution authorities, where the video data constitute evidence and are therefore kept in a separate file until the end of the criminal proceedings, are excepted from the limited storage time.
5.3. The access to the saved data, which are collected from the video surveillance system, is strictly limited to a small number of authorised and specially trained operators.

6.    System operation & data protection policy

6.1. The video surveillance system has been installed and operates in accordance with the principle of proportionality, following a substantial evaluation of the necessity of the specific processing, in relation to the risk that our company aims to deal with and to the extent of the impact on the privacy of the persons concerned. Our company, considering the security of the premises, employees, visitors and their property from criminal acts and weighing the interests at stake, has concluded that the existing video surveillance system is absolutely necessary and appropriate for the level of security and protection pursued, which cannot be achieved by milder means.
6.2.  The company, as data controller, has taken all the appropriate organizational and technical measures for the confidentiality of data and their protection from any kind of unlawful processing: it ensures the safety of the recorded material, the prevention of its disclosure and its secure transmission to the legal receivers, the control of access to the data storage files, as well as the selection of the appropriate personnel for the handling of the system. Our company's primary concern is to comply with the legislation on personal data protection (as defined in Article 1 paragraph 5 of this policy), and, for this reason, provides continuous training to authorized personnel in the proper handling of the system and the data collected, in accordance with the principles governing the processing of personal data (Article 5 GDPR).

7.    Rights of data subjects

7.1. The data subject has the rights provided for in the GDPR for the protection of personal data. Firstly, each data subject has the right of access to the processed data concerning him/her. This means that he/she may, at any time, submit a written request, on a specific form, which is issued by the competent department. The request shall contain the data subject's identity, the legal reason for the demand, as well as the time, the location and any other conditions of the particular video recording, in order to isolate the disputed part of the recording. If both parties agree, the mere viewing of the disputed part of the video recording may be sufficient. In the case of delivering a copy of the disputed part of the video, where third persons are depicted, either their consent or the covering of their faces by editing techniques is required.
7.2. Moreover, the data subject has the right to object, namely to raise objections at any time to the processing of his/her image data and to demand the erasure or the blocking of the data. If our company ascertains that the request for objection is lawful and reasonable and none of the exceptions provided for in Article 17 of GDPR (e.g. reasons of public interest, legal claims, etc.) applies, it will immediately proceed to the deletion or blocking of the data and will adjust the operation of the system in such a way that similar unlawful processing is avoided in the future.
7.3. Data subjects also have all the rights laid down in the applicable legislation on personal data: the right to rectification, restriction, portability and erasure of the data concerning them. Any of the above rights shall be exercised with a written claim to the competent department of the company, including all the details of the video part at issue, as set out in paragraph 7.1 of this policy.
7.4. The claims of the data subjects, as well as any relevant questions or comments about their rights provided for in this policy, should be submitted in person at our company's offices (50 Thrakomakedononon Av., Acharnes, Attica, Greece) or sent by e-mail to info@penetron.gr. Our company undertakes to respond to any request or question within a period of fifteen (15) days.
7.5. If the data subject considers that the company violates the fundamental rights and principles of protection of his/her personal data and privacy, as established in EU and national legislation, and that he/she cannot be satisfied by the competent department of our company, the data subject has the right to lodge a complaint with the competent supervisory authority, namely the Hellenic Data Protection Authority (1-3 Kifissias Av., Athens, Greece, tel. 2106475600, https://www.dpa.gr/el/polites/katagelia_stin_arxi).
7.6. In addition, the data subject has the right to take any legal action needed through the competent courts for his/her satisfaction, if the supervisory authority does not examine his/her complaint or does not inform him/her of the progress or outcome of his/her case, within a term of three (3) months.

8.    Notification of video surveillance system and future amendments of this policy

8.1. At the main entrance of the company's buildings, in a prominent place, a conspicuous sign is posted that informs of the existence of the video surveillance system, with the aim of the protection and safety of persons and property. The sign indicates the name of the person responsible for the processing and the company's website (https://www.penetron.gr), where this policy is posted, in order to inform the data subjects of their rights.
8.2. This information policy is provided in hard copy to the company’s employees, who sign an acknowledgement of receipt form.
8.3. The company intends to revise this policy periodically, in accordance with any changes in its policies and practices, always complying with the legislation on personal data. Last revision date: 07/03/2024