SECOND-LEVEL INFORMATION
REGARDING THE PROCESSING OF PERSONAL DATA
THROUGH A VIDEO SURVEILLANCE SYSTEM

The company “XENOS PACKAGING SA,” with VAT number 999125860 and GEMI number 038795705000, falls under the jurisdiction of the Thessaloniki Tax Office (FAE THESSALONIKI) and is headquartered in Thessaloniki, BIPETH Sindos (Postal Code: 57022), email: [email protected].

We use a surveillance system to protect individuals and assets. The processing is necessary for the purposes of our legitimate interests as the Data Controller (Article 6(1)(f) GDPR).

3.1. Our legitimate interest is based on the need to protect our facilities and assets from illegal activities such as vandalism and theft. This also applies to the safety of our staff, as well as third-party visitors legally present in the monitored areas.

3.2. The recording system operates 24/7.

3.3. We only collect video data, recording and storing it for a specific period. The surveillance system operates only in internal and external areas of our premises where warning signs are placed. Specifically, the recording (from the external camera) begins before the entrance gate, without focusing on areas that might excessively infringe upon individuals’ privacy rights. The reach of internal cameras is clearly marked with signs at the entrance to the production area of the factories, indicating the exact location of each camera. Recording is limited to areas where we assess a heightened likelihood of illegal actions (e.g., theft) and areas containing electromechanical equipment for the protection of both the equipment and its operators.

3.4. We strictly adhere to the principle of proportionality in the operation of the video surveillance system, especially in workspaces. For this reason:
(a) The system is not used to evaluate employees’ performance but to protect their health and safety when operating electromechanical equipment. Real-time monitoring allows for immediate intervention in case of safety incidents.
(b) Camera placement and data collection are determined to ensure the data collected is strictly necessary for the aforementioned purpose, without infringing on individuals’ fundamental rights in monitored areas.

3.5. The closed-circuit television (CCTV) cameras do not have zoom capabilities and do not collect audio data.

4.1. Access to the CCTV system’s recordings is restricted to a designated team. The recorded material is accessible only by the Data Controller’s management and external contractors bound by data processing agreements under Article 28 GDPR, responsible for the security and safety of the premises.

4.2. The transmission of CCTV data to third parties is generally allowed only after informing you, provided the conditions set by European and Greek data protection laws are met. This material may be transferred to third parties in the following cases: (a) to competent judicial, prosecutorial, or police authorities when necessary for investigating a criminal act concerning persons or assets of the Data Controller, (b) to competent judicial, prosecutorial, or police authorities when lawfully requested, and (c) to the victim or perpetrator of a criminal act, if the data may serve as evidence of the act.
ης.

4.3. Your data will not be transferred to third countries outside the European Economic Area (EEA).

We retain CCTV data for twelve (12) days, after which it is automatically deleted. If an incident is detected during this time, we isolate part of the video and keep it for up to one (1) more month to investigate the incident and initiate legal proceedings to protect our legitimate interests. If the incident involves a third party, we may retain the video for up to three (3) additional months.

As data subjects, you have the following rights concerning this CCTV processing:

• Right of Access: You have the right to know if we process your image, and if so, to obtain a copy.
• Right to Restriction: You can request that we restrict processing, such as preventing the deletion of data you consider necessary for establishing, exercising, or defending legal claims.
• Right to Object: You have the right to object to the processing.
• Right to Erasure: You have the right to request the deletion of your data.You can exercise your rights by sending an email to [email protected], mailing us, or submitting your request in person at our offices. If you wish to request access to your image, please specify when you were within camera range and provide a picture of yourself to help us identify your data and obscure the data of other individuals in the footage. Alternatively, we can invite you to our premises to view the images. We emphasize that exercising your right to object or request deletion does not automatically result in the immediate deletion of data or modification of processing. We will respond as soon as possible within GDPR deadlines.

The Data Controller maintains a record of CCTV data requests at its offices. This record includes (a) the technical specifications of the cameras, (b) a diagram showing the camera locations, and (c) the area where CCTV data is stored.

The company reserves the right to amend and update this Notice at any time without prior notice. You will be informed of any changes as soon as possible. If you have any questions or concerns regarding this Notice or the protection of your personal data, you can contact the Data Protection Officer (DPO) at: [email protected].

If you believe the processing of your data violates Regulation (EU) 2016/679, you have the right to file a complaint with a supervisory authority. The competent authority in Greece is the Hellenic Data Protection Authority, Kifisias 1-3, 115 23, Athens, https://www.dpa.gr, Tel. 2106475600.

Last Modified: September 2024