article banner

Information on personal data processing via video surveillance system

1. Joint controllers:

  • “Grant Thornton Chartered Accountants Management Consultants S.A.”, domicile address: Katehaki Ave, 58, 115 25, Athens, Attiki, Tel. 210-7280000

  • “Grant Thornton Tax and Consulting Services S.A.”, domicile address: Katehaki Ave, 58, 115 25, Athens, Attiki, Tel. 210-7280000

2. Purpose and lawfulness of processing:

We use video surveillance systems for the purpose of protecting people and property. Processing is necessary for the purposes of the legitimate interests pursued by the controller and the employer (article 6 par. 1. F GDPR).

3. Legitimate interests

Our legitimate interests pertain to the need to protect our area and the property located there from illegal activities, such as burglary. The same applies for safety of life, physical integrity, health as well as the property items of our firm, our staff and third parties legally located in the supervised area as well as for the purpose of ensuring our sound operations. At the same time, our objective is to effectively exercise managerial rights as an employer/controller.

We only collect image related data and obtain data from the areas defined as high-risk areas. We have ensured that no image is recorded from side streets and sidewalks, except for the minimum possible street sections adjacent to our building entrances/exits. Neither do we record any images from entrances or interiors of neighboring houses, buildings, or other areas. Recording is performed on a case by case basis i) outside the perimeter of the building in the parking lots and where an entrance/exit facilitates access to the building and ii) internally in common areas of entrance and exit of the floors and in specific areas, such as the reception area, the mail collection area, the access control area or the space where the server/electromechanical equipment is located, taking into account the fact that the cameras focus on the protected property and not on the employees’ workplaces and the building’s corridors. In no case do we record images from places where there are increased expectations for the privacy of data subjects (eg. dining areas, personal hygiene areas, toilets, and their vestibules).

The points where the video surveillance system has been placed, their coverage range as well as the way the data is received and recorded indicate that the data collected through this system are appropriate and necessary in relation to the intended purpose, as mentioned above. Closed-circuit television (CCTV) cameras do not have unlimited mobility and do not collect audio data. We have selected the most "privacy friendly" technologies, i.e. systems that can encrypt stored images, blur/shade faces and alter or hide areas (mask).

The video surveillance system neither records nor collects specific categories of personal data.

The video surveillance system does not collect the data for the purpose of monitoring the employees and is not used as a criterion for monitoring and evaluating their behavior, efficiency and performance.

4. Recipients

Stared data are accessible only to the competent/authorized personnel in charge of the building security and only by means of applying a unique security code, updated at regular intervals for security reasons. The data shall not be disclosed to third parties, except: (a) to the competent judicial, prosecutorial and police authorities when the data contain information necessary for investigating a criminal offense involving persons or property of the controller, (b) to the competent judicial, prosecutorial and police authorities when requesting data, lawfully, in the course of performing their duties, and (c) to the victim or perpetrator of a crime, if the data can constitute evidence of the act.

The data collected by the surveillance system shall not be transmitted or processed in countries outside the European Economic Area (EEA).

5. Record-keeping period

We keep the records for fifteen (15) days, after which they are deleted. If during this period we identify an incident to the detriment of our personnel or property, which falls within the intended purpose, the data related to the incident are to be kept in a separate file for one (1) month to facilitate investigating the incident and initiating the legal proceedings to defend our legitimate interests. In case the incident concerns a third party - we will keep the relevant records for up to three (3) months.

6. Data subjects rights

Data subjects main rights are as follows:
• Right of access: you have the right to know if we are processing (and still maintaining) your image and, if applicable, to receive a copy.
• Right to restriction: you have the right to ask us to restrict processing, such as, for example, not to delete the data you consider necessary to establish, exercise or support legal claims.
• Right to object: you have the right to object to data processing.
• Right to erasure: you have the right to request that we delete your data.

You can exercise your rights by sending an e-mail to privacy@gr.gt.com or a relevant letter to our postal address. To enable us to consider a request related to your image, you should tell us approximately when you were within the cameras’ range and provide us with an image of you to make it easier for us to locate your personal data and conceal the images of recorded third parties. Alternatively, we provide you with the possibility to visit our facilities in person so that we can show you the recorded images in which you appear. We would also like to point out that exercising the right to object or erasure does not imply direct erasure of data or modification of the processing, as any overriding legitimate interests of the controller or third party should be taken into account. In any case, we will respond directly to you in detail as soon as possible, always within the deadlines set by Regulation (EU) 2016/679.

7. Right to lodge a complaint

Should you consider that your data processing violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority.
The Hellenic Data Protection Authority is the competent supervisory authority for Greece and its contact details are as follows:
Address: 1-3 Kifissias, 115 23, Athens
Phone: 210-6475600
Fax: 210-6475628
E-mail for submitting a complaint: complaints@dpa.gr
Website: https://www.dpa.gr/

8. Updating the Information

This Information can may be amended and/or updated, if required, without prior notice. In any case, the latest update will be posted.

9. Contact us

Should you have any questions or concerns regarding this Information, your rights and/or the way you exercise then, kindly contact us at privacy@gr.gt.com or at the following postal address: Katechaki Ave 58, 115 25 Athens. In any case, we encourage you to review the Personal Data Protection Policy posted on our official website.