CCTV Policy

Policy on the processing of personal data by video surveillance systems

I. PURPOSE OF THE POLICY

This policy serves to raise awareness and inform individuals, either employees or third parties (collaborators / service providers / representatives of contractual partners, etc.) regarding the processing of their personal data through CCTV (Closed Circuit Television) surveillance systems installed at the infrastructures / locations managed by SMART SOFT SERV SRL.  

In concrete terms, this policy sets out:

a) A uniform set of objectives, principles and rules governing the use of video surveillance systems for the following purposes:

1. Ensuring the security, i.e. the safekeeping and supervision of data subjects (employees, third parties¹ ) and guaranteeing their rights based on and in the spirit of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC by SMART SOFT SERV SRL, as Personal Data Controller;

2. Ensuring the security and integrity of the assets, goods/IT equipment/materials - used in the specific activities of SMART SOFT SERV SRL, in accordance with the legislation in the field in conjunction with the legitimate interests of SMART SOFT SERV SRL;

b) Responsibilities for the management and operation of video surveillance systems, as well as for the preparation, endorsement and approval of documents related to these activities.

The CCTV Policy describes the principles, rules and practices followed by SMART SOFT SERV SRL and all persons with whom this company interacts in connection with the administration and use of video surveillance systems installed at its premises.  

At the same time, this Policy describes the organizational measures implemented by the Operator in order to protect the personal data, privacy and other fundamental rights of individuals.

II. SCOPE

The policy applies to or in relation to video-surveillance activity. The Policy shall be applied, as appropriate to the powers, by:

1. SMART SOFT SERV SRL;

2. staff with duties in the Job File concerning the follow-up of records, where appropriate;

3. other persons within the company SMART SOFT SERV SRL designated with powers to view CCTV system recordings.  

III. CONDITIONS OF LEGITIMACY

SMART SOFT SERV SRL processes personal data by means of CCTV systems installed at its premises, in compliance with the relevant legal provisions.

a) Normative references:

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

2. Law No. 190/2018 on measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

3. Law no. 333 of July 8, 2003 on the guarding of objectives, goods, valuables and protection of persons, with subsequent amendments and additions together with the Methodological Norms for the application of Law no. 333/2003;

4. Decision of the National Supervisory Authority for Personal Data Processing (hereinafter referred to as ANSPDCP) No 174/2018 on the list of operations for which it is mandatory to conduct a personal data protection impact assessment (Art. 1, lit. c)

5. European Data Protection Supervisor Guidelines on video-surveillance, published March 17, 2010, Brussels.

b) Using the video system:

The use of CCTV systems at the premises/premises belonging to SMART SOFT SERV SRL is necessary not only for the proper administration and functioning of the Operator, but in particular for the security and guarding control described in section V, point (a) below.

It is important to note that the development of the Operator is based on the intention of the company's management to clearly establish the extent to which SMART SOFT SERV SRL strategies and concrete directions of action are respected and, at the same time, to ensure the integrity and security of the persons concerned and the premises where specific activities are carried out.

The CCTV systems installed in the company's premises contribute to these objectives.

c) Transparency:

Each employee of SMART SOFT SERV SRL is aware of the existence of CCTV systems installed at the company's premises (in Mures, Cluj and Brasov counties) where they carry out their specific activity and has been informed about it throughout the entire course of employment.  

Also, every third person (collaborator / service provider / representative of contractual partners, etc. on the premises managed by the company) has the fundamental right to know how the CCTV system in question operates and the purposes for which it is used in relation to his/her person.

If the data collected through the CCTV system may infringe the privacy of the data subjects (employees, collaborators / service providers / representatives of contractual partners, etc.) who access the SMART SOFT SERV SRL locations, they have the right to intervene on their own data, unless the facts or actions captured by the system contravene the law or the Operator's Internal Regulations.

d) Periodic reviews: A periodic review will be undertaken annually by the structures responsible for ensuring security and will review:

1. the need to keep systems in use;

2. fulfill the stated purposes;

3. possible suitable alternatives to CCTV systems;

4. whether this Policy still complies with the provisions of Regulation (EU) 2016/679, i.e. whether it is up to date.

IV. SUPERVISED AREAS

CCTV systems shall be used for surveillance as appropriate:

a). Headquarters in Mures County - access for persons through the entrance gate to the inner courtyard (and then to the entrance door to the premises);  

b). Cluj county headquarters - the 2 access entrances to the headquarters;

c). Headquarters in Brasov County - the 2 access entrances to the headquarters.  

Recording devices shall be located in well-protected, adequately secured and locked premises in order to eliminate as far as possible the possibility of theft of storage media.

Areas where there is a high level of expectation of privacy are not monitored, such as toilets, changing rooms, lunch rooms, etc.  

Exceptionally, in the case of duly justified security or essential management needs of the Operator, cameras may be installed in such locations, except in locations involving the disclosure of privacy, but only after a Risk Impact Assessment has been carried out and the Data Protection Officer or, where appropriate, the ANSPDCP has been informed.

V. PERSONAL DATA COLLECTED THROUGH VIDEO-SURVEILLANCE

a) Purpose of video surveillance:

SMART SOFT SERV SRL uses video surveillance systems for the purpose of employee security, guarding and protection of assets, IT equipment, materials used in the specific activity of the company.  

These systems are used to control access to the premises and locations owned by the company, to ensure the security of goods, IT equipment and materials found in these locations, as well as the safety of persons (*employees of SMART SOFT SERV SRL, *collaborators/service providers/representatives of contractual partners/other persons), as well as of information held in these areas.  

Video surveillance systems help to prevent, combat and in certain situations, investigate unauthorized physical access to employee premises and rooms where confidential information may be accessed.  

Moreover, video surveillance systems help to prevent, detect or investigate the theft of IT equipment/other exposed goods owned by the company.  

b) Purpose limitation:

Video-surveillance systems shall not be used for purposes other than those specified in the previous paragraph. However, if a possible case arises in connection with an employment law dispute, the recordings from DVRs, retrieved in accordance with the legal provisions, may be used to find out and establish the truth.

Video surveillance systems can also be a means of investigation or a means of obtaining information for internal investigations or disciplinary proceedings, especially in situations where a physical security incident occurs or criminal behavior is observed (in case of criminality, the recordings that can help to find out and establish the truth will be transferred to the criminal investigation bodies, subject to specific legal provisions in this regard).

c) Special categories of data:

CCTV systems installed are not intended to capture (e.g. by selective focusing or targeting) or process (e.g. indexing, profiling) images that reveal 'special categories of data' (e.g. revealing the health status of a person).

d) Description and technical specifications of the systems:

Conventionally, installed video surveillance systems are static systems (equipped with UniFi G5Bullet cameras). They record images and are equipped with motion sensors. The systems can record any motion detected by the cameras installed in the perimeters under surveillance, along with the date, time and location. All cameras are operational 24 hours a day, 7 days a week.

The quality of the captured images may allow the recognition of those passing through the cameras' range of action. Specially trained personnel must respect privacy settings and access rights.  

No inter-connection with other surveillance systems and no audio recording. Access to the premises where the recording and storage equipment of the video surveillance systems is located is strictly limited to personnel specifically designated by the management of SMART SOFT SERV SRL.

e) Benefits of the surveillance system:

1. Increased control and security in the perimeters/areas/spaces under surveillance;

2. Restricting access to foreigners;

3. Eliminate losses caused by possible unforeseen events and/or identify those that have led to such losses;

4. Realization of the legitimate interest of SMART SOFT SERV SRL, to protect the image of the company and to document any aspects that would be impossible to document in a different way.

VI. PRIVACY AND INFORMATION SECURITY

The following technical and organizational measures have been implemented to protect the security of the installed video systems and to enhance privacy protection:

the equipment for storing the recorded images (the servers on which the recorded images are stored) are located in secure premises, protected by mechanical and physical security measures;

The right of access is granted to users on a "need-to-know" basis, and only for those resources that are strictly necessary for the fulfillment of the service tasks;

only the management of the Operator, upon the recommendations of the person designated with the administration of the CCTV system in the company, has the right to grant, modify or withdraw the right of access of a user, according to the "need-to-know" principle;

the system administrator shall keep a permanently updated list of all persons having right of access to the video surveillance systems, specifying the type and level of access;

external persons authorized to maintain the CCTV system (where applicable) will sign a confidentiality agreement;

the SMART SOFT SERV SRL data protection officer will be consulted prior to the purchase or installation of any new video surveillance system/element;

Periodically, a check of access to the computer system and a documented analysis in relation to the legality of the accesses takes place.

VII. ACCESS TO AND DISCLOSURE OF PERSONAL DATA

a) Access rights:  

Access to the stored images and/or the technical architecture of the video surveillance systems is limited to a limited number of persons and is determined by the duties specified in the Job Description (for what purpose and type of access), based on the Operator's management decision.

With regard to the need-to-know principle, access to classified information shall be granted, on a case-by-case basis, only to persons who, in the performance of their official duties, need to work with or have access to such information.

SMART SOFT SERV SRL imposes limits on the personnel who have the right to view the recorded material in real time. The purpose of viewing in real time is exclusively for the security and protection of employees, assets, IT equipment/material used in the specific activity of the company.

Any other real-time viewing is done on the basis of a right of access and with the processing being recorded in an Access Log.

The viewing of the images is accessible to personnel designated by the management of the Operator.  

Viewing of the recorded images will be done in justified cases, such as cases expressly provided for by law and security incidents, by specially authorized personnel.

The copying, downloading, deletion, dissemination or modification of any recorded material is prohibited except with the consent of the Operator's management and prior notice to the data subject, except in cases specifically provided by law.

b) Instructaj:

All members of staff with access rights shall receive specific initial training in personal data protection. This procedure will be integrated into the training and guidance program for all users with access rights and responsibilities in the operation of video surveillance systems.

The administrator(s) of the video surveillance system(s) shall ensure that all personnel involved in the operation of the system(s) are trained and briefed on all functional, operational and administrative aspects of the system(s).

c) Disclosure of personal data:

Any activity of disclosure of personal data to third parties will be documented and subject to a rigorous analysis of the necessity of the disclosure on the one hand, and on the other hand, the compatibility between the purpose for which the disclosure is requested and the purpose for which the data were originally processed.  

In such cases, the Data Protection Officer will be consulted. Any situation of disclosure will be recorded by the system administrator in a Log Book.

SMART SOFT SERV SRL is obliged to make available to the investigative bodies, upon their written request, video recordings in which the possible commission of acts contrary to the law is captured. Following the disclosure and unless otherwise provided for by law, the Operator shall inform the data subject of the destination and recipients of the video recordings concerning him/her.

In exceptional cases, but subject to the safeguards described above, access to records may be granted to the Disciplinary Board in the framework of an internal disciplinary investigation, provided that the information is conclusive to the investigation of a disciplinary misconduct which may prejudice the rights and freedoms of a person or the legitimate interests of the Operator.

Any breach of security with regard to the video surveillance system is indicated in the Security Incident Log and the SMART SOFT SERV SRL data protection officer is informed about it as soon as possible.

VIII. STORAGE PERIOD

The storage period of the recordings on the servers is proportional to the purpose for which the CCTV systems are used. Images shall be stored for a maximum period of 30 days, after which they shall be automatically deleted in the order in which they were recorded.

In the event of a security incident or a criminal investigation, the duration of storage of the relevant recordings may exceed the normal limit depending on the time needed for the investigation.  

The retention storage of data and images is rigorously documented and the need for retention is regularly reviewed.

IX. CONTROL TOOLS OVER THE VIDEO SURVEILLANCE SYSTEM

The registration equipment is secured with administrator password and automatic encryption methods, as well as other classic security systems (e.g. blocking the wrong password).  

They are physically checked annually at the periodic roadworthiness inspection.  

Change passwords to the surveillance system periodically:

When a person is granted access to the records, a user profile will be created for that person, which they will only be able to access personally, and with which they will be able to log in to view the records.  

When that person will be restricted access to the recordings (for example, if he/she will no longer be an employee of SMART SOFT SERV SRL), the user profile will be deleted. Thus, by the above-mentioned method, the person will never again have access to the administrator password through which the video surveillance cameras are managed.

X. RIGHTS OF THE DATA SUBJECT

SMART SOFT SERV SRL guarantees to respect the rights of data subjects in accordance with Regulation (EU) 2016/679 and national legislation in force.

a) Informing the data subjects:

The primary information to data subjects shall be provided clearly, constantly and permanently by means of an appropriate sign, such as an icon, with adequate visibility and strategic localization of the area under surveillance, so as to signal the existence of the surveillance cameras, but also to communicate essential information in accordance with Art. 14 of Regulation (EU) 2016/679.

The data subjects are made aware of the existence of the video surveillance system and of the controller by means of appropriate Information Notices, which include the purpose of the processing and identify SMART SOFT SERV SRL as the Controller of personal data.

The person responsible for data protection will ensure that the information is kept up to date so that it corresponds to the existing reality.

b) Exercise of rights of access, intervention and opposition:

Throughout the period of storage of personal data, data subjects have the right of access to personal data concerning them and in the possession of SMART SOFT SERV SRL, to request intervention (deletion / update / rectification / anonymization) or to object to processing, in accordance with the law.

Any Request to exercise a right under Regulation (EU) 2016/679 as a result of the use of video surveillance systems must be addressed to SMART SOFT SERV SRL and a copy of it must be sent to the person in charge of data protection.

The reply to the request for access, intervention or objection shall be given within a maximum of 30 days, and if this deadline cannot be met, the data subject shall be informed of the reason for the postponement of the reply, and shall also be informed of the procedure to be followed for the resolution of the request.

The recordings provided on the basis of the Access Request will be clear, as far as possible, provided that the rights of third parties are not prejudiced (the data subject will only be able to view his/her own image, the images of other persons who may appear in the recording will be edited so that it is not possible to recognize and/or identify them).

In the case of such a request, the data subject is obliged to identify himself/herself beyond any suspicion (show ID when participating in the viewing), to mention the date, time, location and circumstances of the CCTV recording.

The right of access may be refused where the exceptions provided by law apply.

The need to restrict access may also arise where there is an obligation to protect the rights and freedoms of third persons, for example if other persons are included in the images and it is not possible to obtain their consent or if irrelevant personal data cannot be extracted by editing the images.

‍