Information on the processing of personal data through a video surveillance system (CCTV)

You are here:
  1. Home
  2. Corporate Governance & Compliance Function
  3. Information on the processing of personal data through a video surveillance system (CCTV)

1. Data controller:

The data controller is the company "CRÉDIT AGRICOLE LIFE INSURANCE SINGLE MEMBER S.A." (hereinafter: the "Company") based in Athens, 25 Filellinon Street, Postcode: 10557, with email address: custserv@ca-life.gr

2. Purpose of processing and legal basis:

We use a surveillance system for the purpose of protecting persons and property. Processing is necessary for the purposes of legitimate interests pursued by us as the controller (Article 6, par. 1, f of the GDPR).

3. Analysis of legitimate interests

Our legitimate interest consists of the need to protect our premises and the goods located therein from illegal acts, such as theft. The same applies to the safety of life, physical integrity, health and property of our staff and third parties who are legally present in the monitored area. We only collect image data and limit recording to areas where we have assessed that there is an increased likelihood of illegal acts being committed, e.g. theft, such as at the entrance/exit of our offices, without focusing on areas where the privacy of the persons being filmed may be unduly restricted, including their right to respect for personal data.

4. Recipients

The stored material is accessible only to our competent/authorised personnel who are responsible for the security of the premises. This material is not disclosed to third parties, except in the following cases:
a) to our external partners in the context of system installation and maintenance, who act as Data Processors, have been informed and committed in advance to maintain the confidentiality of your data, are aware of and follow our instructions regarding the processing of personal data and take all appropriate measures to protect it,
b) to the competent judicial, prosecuting and police authorities when it includes information necessary for the investigation of a criminal offence involving persons or property of the data controller, as well as when they request data, lawfully, in the exercise of their duties,
c) to the victim or perpetrator of a criminal offence, when it concerns data that may constitute evidence of the offence
d) to the data subject, in the event of exercising the right of access to an image/video fragment depicting him/her, and provided that the lawfulness of the transfer is examined.

5. Retention period

We retain data for forty-eight (48) hours. If we detect an incident during this period, we isolate part of the video and retain it for up to one (1) month longer, for the purpose of investigating the incident and initiating legal proceedings to defend our legitimate interests, while if the incident involves a third party, we will retain the video for up to three (3) months.

6. Rights of data subjects

Data subjects have the following rights:
• Right of access: you have the right to know whether we are processing your image and, if so, to receive a copy of it.
• Right to restriction: you have the right to ask us to restrict processing, for example, not to delete data that you consider necessary for the establishment, exercise or defense of legal claims.
• Right to object: you have the right to object to the processing.
• Right to erasure: you have the right to request that we erase your data.

You can exercise your rights by sending an email to dpo@ca-life.gr or a letter to our postal address or by submitting your request in person at the above address of the Company. In order for us to examine a request related to your image, you must specify approximately when you were within the range of the cameras and provide us with a picture of yourself to help us locate your data and hide the data of other persons depicted. Alternatively, we give you the option of visiting our premises so that we can show you the images in which you appear. We also note that exercising your right to object or erasure does not imply the immediate erasure of data or modification of processing. In any case, we will respond to you in detail as soon as possible, within the deadlines set by the GDPR.
Our response to your request will take place within one (1) month of receipt and will not incur any cost to you. The deadline above may be extended for a period of two (2) additional months due to the complexity or number of requests, in which case you will be informed of the extension and the reasons for it as soon as possible and no later than one month after receipt of the request.

7. Right to lodge a complaint

If you believe that the processing of your data violates Regulation (EU) 2016/679, you have the right to lodge a complaint with a supervisory authority.
The competent supervisory authority for Greece is the Data Protection Authority, Kifissias 1-3, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.