Privacy Notice on Processing of Personal Data and the Use of CCTV Systems

1.Controller:

Cardlink S.A., 41-45 Marinou Antypa Str., GR- 14121, Heraklio, Athens Greece tel.: +30 210 630 3000

2. Purpose of processing and legal basis:
We use a surveillance system for the purpose of protecting persons and goods. Processing is necessary for the purposes of legal interests that we seek as controller (Article 6, par. 1.f of the GDPR).

3. Analysis of legal interests
Our legitimate interest is to protect our space and the goods found in it from illegal acts, such as theft. The same applies to the safety of life, physical integrity, health and property of our staff and third parties legally located in the supervised area. We only collect image data and restrict recording to sites where we have assessed that there is an increased likelihood of committing illegal acts e.g. theft, such as at our cash registers and entrance, without focusing on places where the privacy of the persons whose image is taken may be excessively restricted, including their right to respect personal data.

4. Recipients
The material is only accessible by our competent/authorized personnel in charge of the security of the site. This material shall not be transmitted to third parties, without the consent of the subject, except in the following cases: (a) to the competent judicial, prosecutorial and police authorities where it contains information necessary for the investigation of a criminal offence involving persons or goods of the controller, (b) to the competent judicial, prosecutorial and police authorities when requesting data, lawfully, in the performance of their duties, and (c) to the victim or perpetrator of a criminal offence, in the case of data which may constitute evidence of the act.

5. Retention time
We keep the data up to fifteen (15) days after which they are automatically deleted. In the event that we find an incident during this time, we isolate part of the video and keep it for up to one (1) month, with a view to investigating the incident and initiating legal proceedings to defend our legal interests, while if the incident concerns a third party we will keep the video for up to three (3) months more.

6. Rights of data subjects
Data subjects have the following rights:

  • Right of access: you have the right to know if we are editing your image and, if applicable, to obtain a copy of it.
  • Right of restriction: you have the right to ask us to restrict processing, such as not to delete data that you consider necessary to establish, exercise or support legal claims.
  • Right to object: you have the right to object to processing.
  • Right of deletion: you have the right to request that we delete your data.

To exercise any of the above rights you can contact the Data Protection Department at the email dataprotection@cardlink.gr and in case you want to contact the Data Protection Officer (DPO), Ms Eleni Angloupa, at the email: dpo@cardlink.gr, telephone: +30 211 106 9711 or send a letter to our postal address or by submitting the request to us in person, to the address of the company. To review a request related to your image, you should tell us when approximately you were in camera range and give us an image of yourself to make it easier for us to locate your own data and hide the data of third parties depicted.  Alternatively, we give you the opportunity to come to our facilities to show you the images you appear in. We also note that the exercise of a right of objection or deletion does not entail the immediate deletion of data or the modification of the processing. In any case, we will reply in detail as soon as possible, within the deadlines set by the GDPR.

7. Right to submit a complaint
If you consider that the processing of your data violates Regulation (EU) 2016/679, you have the right to submit a complaint to a supervisory authority.
The supervisory authority responsible for Greece is the Data Protection Authority, Kifisias 1-3, 115 23, Athens – Greece, https://www.dpa.gr/, tel: + 30 2106475600.