Privacy Notice regarding CCTV
1. What is the purpose of this document?
Deloitte Greece Entities (hereinafter referred to as “Data Controller” or “Deloitte” or “the Firm” or “we” or “us”) are committed to protecting the privacy and security of your personal data.
This privacy notice describes the processing of your personal data through Deloitte’s CCTV system, in accordance with the General Data Protection Regulation (GDPR), national law 4624/2019, as in force, and all the applicable data protection laws and regulations. It provides information on the nature of the personal data - where personal data means any information relating to an identified or identifiable natural person (“Data Subject”) - collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests.
The CCTV (closed-circuit television) system allows the use of video cameras to monitor the interior and exterior of a property, transmitting the signal to a monitor or set of monitors. We use CCTV only when and where it is necessary and only for specific purposes, as described in section 4 below.
2. What is the identity and contact details of the Data Controller?
The Data Controller is each Deloitte Greece Entity and more specifically:
1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS S.A.”;
2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.”;
3. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultants” with the distinctive title “DACC S.A.”;
4. “Koimtzoglou-Bakalis-Venieris-Leventis & Associates Law Partnership” (“KBVL Law Firm”).
DELOITTE BUSINESS SOLUTIONS S.A., DELOITTE. and KBVL Law Firm are based in 3a Fragkokklisias & Granikou str., Marousi, Athens, P.O. 151 25. DACC S.A. is based in Pempti and Triti 6th Industrial Area Block of Technopolis Thessaloniki, Municipality of Pylaia Chortiatis, D.E. Pylaia, P.E. Thessaloniki.
The following table contains information about the main establishment as well as the branches of each Deloitte Greece legal entity. Please refer to it, to find out which specific entity/entities is/are the Data Controller(s) in the premises you are entering.
City |
Office site |
Legal Entities |
Athens |
3a Fragkokklisias & Granikou Str., 151 25, Marousi, Athens, Greece |
DBS, DCPA, DACC, KBVL |
4-6 Gravias Str., 151 25, Marousi, Athens, Greece |
DBS, DCPA, DACC |
|
Thessaloniki |
VEPE Technopolis – Building Z2, 555 35, Pylaia, Greece |
DBS, DCPA, DACC |
Phoenix Center, 27, Georgikis Scholis Avenue, 570 01, Thermi, Thessaloniki |
DACC |
|
Heraklion |
16b Dimokratias Avenue, 555 35, Heraklion, Crete, Greece |
DBS, DCPA, DACC |
Patras |
4, 28th October str., 262 23, Patras, Greece |
DBS, DCPA, DACC |
Ioannina |
Science and Technology Park of Epirus, 451 10, Ioannina, Greece |
DACC |
3. What are the contact details of the Data Protection Officer?
The Data Protection Officer can always be contacted at the following e-mail address: DataPrivacyOfficer@deloitte.gr.
4. Which data do we collect about you and for which purposes?
The CCTV records only images and not sound. The personal data that we process is only your image for the purpose of ensuring the safety of the premises and the people. We do not record your voice or any other personal information.
Moreover, the cameras do not have zooming capabilities. The cameras are placed at the entrances and exits of Deloitte’s premises, as well as their parking spaces.
5. What is the legal basis on which we process your personal data?
The processing of your personal data collected through CCTV is based on Deloitte’s legitimate interests to ensure the security of the premises and the safety of people located therein (GDPR art. 6 par. 1f).
Deloitte aims to maintain the safety of all personnel, its premises and both Deloitte’s and personnel’s property, such as equipment and devices. We also aim to prevent any illegal actions against any persons and their property. The CCTV system is used to protect both you and Deloitte, safeguarding the security of people and property alike.
6. Who has access to your personal data and to whom is it disclosed?
Deloitte does not transfer the recorded videos to anyone outside the Firm. They are destined for internal use only and are processed by authorised personnel. The recipients, as described per office site in the table below, may have access to the recorded material, but they are bound with non-disclosure agreements. We always bind our partners with privacy agreements and confidentiality clauses.
City |
Office site |
Recipients |
Athens |
3a Fragkokklisias & Granikou Str. |
· Members of the staff of “G4S SECURITY SYSTEMS AND MONITORING SERVICES (GREECE) SA”, our subcontractor providing security services, and · “Maroussi Plaza Investment Properties S.A.” as building manager and responsible for CCTV system maintenance. |
4-6 Gravias Str., 151 25, Marousi, Athens, Greece |
· Members of the staff of “G4S SECURITY SYSTEMS AND MONITORING SERVICES (GREECE) SA”, our subcontractor providing security services. · “AK Lane S.A” as building manager and responsible for perimeter CCTV system maintenance. |
|
Thessaloniki |
VEPE Technopolis – Building Z2, 555 35, |
· Members of the staff of “G4S SECURITY SYSTEMS AND MONITORING SERVICES (GREECE) SA”, our subcontractor providing security services. |
Phoenix Center, 27, Georgikis Scholis Avenue, 570 01, Thermi, Thessaloniki |
· Members of the staff of “G4S SECURITY SYSTEMS AND MONITORING SERVICES (GREECE) SA”, our subcontractor providing security services. |
|
Heraklion |
16b Dimokratias Avenue, |
· None |
Patras |
4, 28th October str., 262 23, Patras, Greece
|
· Members of the staff of “DIAPLOUS LAND SERVICES LIMITED”, our subcontractor providing security services. |
Ioannina |
Science and Technology Park of Epirus, 451 10, |
· None |
Kindly be advised that Deloitte might be also obliged by law or by competent authorities to disclose certain scenes of recorded videos. This could happen especially if an illegal action has been recorded which we have to report, or if the judicial or other competent authorities request to review those scenes. We may also have to provide CCTV material to parties involved in an offence in case such data may constitute evidence.
7. What is the data retention period, or if not possible, the criteria used to determine it?
CCTV images are retained for fifteen (15) days and then they are securely deleted. However, Deloitte may have to retain specific recorded scenes for a longer period if it captures evidence of illegal actions. In this case, the retention period of the images may vary between 30 days and 3 months, unless the opening of a criminal case necessitates further preservation. If a court case is initiated, the images may be retained for additional time as mandated by judicial authorities or applicable law, pending the resolution of the case.
8. How do we protect and safeguard your personal data?
We have put in place appropriate security measures, including but not limited to prevent your personal data from being accidentally lost, processed, or accessed in an unauthorized way, altered or disclosed. These measures can include:
- Education and training of relevant staff to ensure they are aware of our privacy and data protection obligations when processing personal data;
- Administrative and technical controls to restrict access to personal data on a “need to know” basis;
- Technical security measures including, but not limited to: fire walls, encryption and anti-virus software;
- Physical security measures including, but not limited to: staff security badges to access our premises.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any incident that may lead to a security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
9. What are your rights and how can you exercise them?
In relation to the processing of your personal data, you have specific rights [Art. 15 to 22 of the GDPR]:
- Access: you can ask for confirmation as to whether or not a certain processing of data concerning you is in place, as well as further clarifications about the information referred to in this privacy notice;
- Erasure: you can request that your data be deleted, if they are no longer necessary for our purposes, in case of your opposition to the processing, in case of unlawful processing, or there is a legal obligation to erase them;
- Restriction: you can request that your data be processed only for the purpose of storage, with the exclusion of other processing, for the period necessary for the correction of your data, in case of unlawful processing for which you oppose the erasure, if you have to exercise your rights in court and the data stored by us may be useful to you and, finally, in the event of opposition to the processing and a review is in progress on the prevalence of our legitimate reasons over yours;
- Object: you can object at any time to the processing of your data, unless we have legitimate reasons to proceed with the processing that prevail over yours, for example for the exercise or defense of our legal claims in court;
We would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or objection to the data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.
To exercise these rights, you can contact us at DataPrivacyOfficer@deloitte.gr.
The time limit for Deloitte Greece to address your request is 1 month, which may be extended up to 2 further months in cases of particular complexity.
We also inform you that you have the right to lodge a complaint with the Supervisory Authority for the protection of personal data, which in Greece is the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.
10. Changes to this Privacy Notice
We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. Kindly always refer to the QR code in the respective CCTV signages for the updated version.