Notice on the Processing of Personal Data Through Video Surveillance Systems (CCTV)

Who This Notice Concerns

This Notice is addressed to natural persons entering premises managed by the Company where a video surveillance system has been installed.

The Company has posted relevant informational signs to indicate the presence of a video surveillance system in prominent locations in every building where such a CCTV installation exists.

Purpose of Processing

We use a video surveillance system in buildings of properties managed by our Company, through which the image captured by the CCTV cameras is recorded, along with the date and time of the respective recording.

The purpose of collecting and maintaining data through video surveillance systems is the prevention and deterrence of criminal acts in order to protect against crimes against life and property, such as, indicatively, break-ins, damage to property, thefts, etc., as well as the overall protection of buildings, individuals and/or the Company’s assets that visit or are present in the respective areas. The same applies to the safety of the life, physical integrity, and health of natural persons who are lawfully present within the monitored area (e.g. Company employees, external partners etc.).

Legal Basis of Processing

The above processing is necessary for the protection of our legitimate interests in our role as Data Controller, and is based on the need to safeguard the premises of the buildings under our management from unlawful and criminal acts, as well as to protect the individuals and assets located therein [Art. 6(1)(f) of the General Data Protection Regulation (EU) 2016/679, hereinafter the “GDPR”].

The installation of such a video surveillance system constitutes the most appropriate measure for achieving the aforementioned purposes, as it does not impede the fundamental rights and freedoms of natural persons and is considered a lawful, ethical, adequate, and necessary security measure for the protection of individuals present in the buildings under our management.

Personal Data We Collect

Recording through the video surveillance system is carried out 24 hours a day, and only image data is collected through it, together with the date and time of the recording.

Furthermore, image capture is limited to the entrance/exit of each building, and no footage is taken of the surrounding area or adjacent properties.

It is noted that the Company collects the aforementioned personal data through the CCTV video surveillance system, which has been installed and operates under the supervision of the contracted security companies. The personal data is stored on a server maintained and managed by the respective security company in accordance with our contractual obligations and the applicable data protection legislation.

Recipients of Your Data

The recorded material is accessible only to the authorized personnel of the companies with which we cooperate for the security of the buildings, under relevant building‑security service agreements that include strict terms governing the processing of personal data on our behalf.

This material is not disclosed to third parties, except in the following cases:

1. a) To the competent Judicial, Prosecutorial, and Police Authorities, when it contains information necessary for the investigation of a criminal act affecting individuals or assets of the Data Controller.
2. b) To the competent Judicial, Prosecutorial, and Police Authorities, when they lawfully request data in the performance of their duties.
3. c) To the victim or the perpetrator of a criminal act, when the data may constitute evidence and the video surveillance system has recorded the act in which the individual is involved as a victim or perpetrator. In such cases, only the relevant segment of the recorded footage is provided.
4. d) To Piraeus Bank, in cases where the managed properties are owned by the Bank.

Retention of Your Personal Data

We retain the personal data for fifteen (15) days, after which it is automatically deleted.

If an incident involving unlawful activity is identified, the relevant data is isolated in a separate file for the purpose of investigation and initiating legal proceedings to defend our legitimate interests, and it is kept for as long as required for the investigation and any disciplinary or judicial action related to the incident, as well as until the final completion of the judicial proceedings, should the criminal case proceed to trial.

If the incident concerns a third party, we will retain the video for up to three (3) months in order to allow sufficient time for the filing of a criminal complaint, in accordance with the provisions of the Penal Code.

Rights of Data Subjects

As data subjects, you have the following rights:

• Right of access: You have the right to be informed whether we process your image and to receive a copy of it, provided that the image has been recorded and has not been lawfully deleted as described above.
• Right to restriction of processing: You have the right to request that we restrict processing, for example by requesting that we do not delete data which you consider necessary for the establishment, exercise, or defense of legal claims (within the time limits mentioned in the previous section).
• Right to object: You have the right to object to the processing, provided the conditions of the GDPR are met and provided that the objection does not conflict with overriding legitimate interests of the Company.
• Right to erasure: You have the right to request that we delete your data, provided the conditions of the GDPR are met and provided that such deletion does not conflict with overriding legitimate interests of the Company.

Our Company has appointed a Data Protection Officer (DPO), who heads the Company’s Personal Data Protection Office.

You may exercise your rights by submitting a relevant request to the Personal Data Protection Office by post or by letter, or via e‑mail at DPOIntrumREO@gr.intrum.com. In any case, the Personal Data Protection Office will respond within the deadlines specified by the GDPR.

In any case, you retain the right to lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data is carried out in violation of the applicable legislation. For more information, you may visit the Authority’s website at www.dpa.gr.