CCTV Policy

 

Responsible Department: Human Resources	Date Established: 18/05/18
Responsible Executive: HR Director/ Retail Operations	Date Last Revised: 23/11/2023

 

TABLE OF CONTENTS

1. INTRODUCTION

2. SCOPE

3. DEFINITIONS

4. CONTROLLER AND PROCESSORS

5. PERSONAL DATA COLLECTED

6. PURPOSES AND LAWFUL BASIS FOR COLLECTING PERSONAL DATA

7. RECIPIENTS OF PERSONAL DATA

8. DATA STORAGE AND RETENTION

9. DATA SUBJECT RIGHTS

10. DATA SECURITY

 

1. INTRODUCTION

This document sets forth the Privacy Policy (“the Policy”) governing the use of personal data captured through the use of CCTV cameras by Hudson.

We have tried to keep this policy as simple and plain as possible. However, if any part is unclear to you, contact us at [email protected] and we will respond to your query  in due time and clarify any doubt you may have.

 

2. SCOPE

This Policy applies to Personal Data (as defined herein) captured through CCTV cameras operated by Hudson at its premises at any time. This policy outlines why we use CCTV, how we will use recorded CCTV footage and how we will process data recorded by CCTV cameras in order to ensure that we are compliant with the Data Protection Act, Chapter 586 of the Laws of Malta as well as the GDPR data protection law and best practice at all times. This policy also explains the procedure to be followed in relation to data access requests in respect of personal data captured by the CCTV surveillance systems operated by Hudson.

The policy applies to all Hudson staff and employees as well as to all Hudson customers or other persons who may, from time to time, and for whatever purpose, enter the Premises for any reason whatsoever.

 

3. DEFINITIONS

“Applicable Law”	Shall mean the relevant data protection and privacy law, including GDPR (as defined herein) to which the Controller (and the Processors) are subject, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/ies;
“Controller”	Shall mean a Hudson entity as identified in Section 4 below;
“GDPR”	Shall mean General Data Protection Regulation, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Data Subject”	Shall mean a natural person resident in the European Economic Area who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any current and former Hudson employees (as defined herein);
“Employee”	Shall mean all employees working at all levels and grades, temporary workers, contractors, home-workers, part-time and fixed-term employees, casual and agency staff and other workers within Hudson Group (as defined herein);
“Hudson”	Shall mean Hudson Holdings LTD or any subsidiary thereof and together Hudson and its subsidiaries “Hudson Group”;
“Employment agreement”	Shall mean the agreement that the Employer and the Employee have concluded establishing the terms of the employment relationship;
“Personal Data”	Shall mean any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Law and including the categories of data listed in this Policy that the Controller (and the Processors) process;
“Processing” or “Processed”	Shall mean any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the Applicable Privacy Law;
“Processor”	Shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
“Sensitive Personal Data”	Shall mean Personal Data that reveals a natural person’s race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, any information that concerns a natural person’s sex life or health, or information relating to the commission of a criminal offense.
“Visitor/s”	Shall mean any customers at retail outlets operated by any member of the Hudson Group or any other physical persons visiting Hudson Group premises who are not employees.
“You/Your”	Shall mean the Employee or Visitor.

 

4. CONTROLLER AND PROCESSORS

4.1       For Employees the Controller is the Hudson entity with which you have a contract/ entity which engages you being either:-

(i)         Hudson Holdings Limited (C37866), company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790; or

(ii)        Hudson Malta Sales Limited (C32438), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790.

(iii)       BD International Group Limited (C61540) a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790.

            For Visitors the Controller is Hudson Malta Sales Limited (C32438), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790.

4.2       The Processors are:

(i)         Unitech Limited (C71125), company incorporated in Malta with offices at G09, New Industrial Park, Valletta Road, Ghaxaq, Malta with the limitation of data processing activities related to support and maintenance of CCTV systems. This Processor is reachable at: [email protected] or +356 27883388; and

(ii)        W.S Gauci Limited (Securevision) (C94424), company incorporated in Malta with offices at Securevision, Wignacourt Street, Birkirkara, Malta with the limitation of data processing activities related to support and maintenance of CCTV Systems. This Processor is reachable at: [email protected] or +356 21444398.

 

5. PERSONAL DATA COLLECTED

Hudson collects personal data through CCTV equipment installed at retail outlets operated by it as well as at its head office. CCTV monitors are operated 24 hours a day and this data is continuously recorded. Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring.

 

6. PURPOSES AND LAWFUL BASIS FOR COLLECTING PERSONAL DATA

The legal basis for our CCTV surveillance systems is the safeguarding of the legitimate interests of Hudson, its personnel, and its property. The key objectives of our CCTV surveillance systems are:

• To detect, prevent and reduce the incidence of crime or unwanted behavior on our premises;
• To reduce and/or intercept incidences of vandalism and damage to the Premises or personal property;
• To enhance the feeling of personal safety and security; and
• To enable the identification and subsequent apprehension and prosecution of offenders in relation to crimes committed within the proximity of our premises.
• After-the-fact investigation of crimes committed against the company or its staff.
• After-the-fact investigation of suspected breaches by staff of the Company’s policies and procedures.
• After-the-fact investigation of the circumstances surrounding any incident or injury at the Company’s premises.

We may further process personal data where we are under a legal obligation to do so such as when we are requested so provide CCTV footage to the relevant authorities including the Malta Police Force and the Occupational Health and Safety Authority.

 

7. RECIPIENTS OF PERSONAL DATA

7.1       CCTV footage may be shared:-

1. between the undertakings forming part of the Hudson Group;
2. with the Processors as identified above.
3. when required by law, regulation or order of the court or other competent authority.
4. With our insurers or legal advisors.

7.2       No CCTV footage is transferred outside of the European Economic Area (EEA) or to international organizations.

7.3       Hudson Group does not sell, trade or otherwise transfer Personal Data to any third party other than the above.

 

8. DATA STORAGE AND RETENTION

8.1       CCTV footage in electronic format is stored on the Video recorders and in the internal server, accessible through folders protected by access control system;

8.2 Personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.

Retention period for each category of data are identified below.

Location of CCTV Equipment	Envisaged retention period
Retail Outlets	15 days
Head Office	15 days
Warehouses	15 days

In the case of a verification or investigation such CCTV footage shall be retained until the satisfactory conclusion of such verification or investigation thereof.

 

9. DATA SUBJECT RIGHTS

9.1 As a Data Subject you have extensive rights when it comes to the processing of your Personal Data.

Your rights, listed below, may be enforced by contacting the Controller (or the Processor, if your request is related to one of the data processing activities conducted by the Processors) by email, by post or by phone using the contact details provided above.

You are guaranteed a response within 30 days from the date of receipt of your enquiry.

If your request is particularly complex or we need to process an extraordinary number of simultaneous requests, Controller’s reply may take longer but will be provided no later than 2 months from the date of receipt of the enquiry. This reply will also include details explaining the reason for the delay in our response.

Such requests will not incur any fee, except when the requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case a reasonable fee will be charged, taking into account the administrative costs of providing the information or communication or taking the action requested. In this case, we may also refuse to act on the request after having explained our position;

Should we have reasonable doubts concerning your identity when making the request above, we may require additional information, necessary to confirm your identity.

9.2       Access

You may obtain confirmation from us as to whether or not your Personal Data is being processed including access to any CCTV footage in which You may feature provided that this request for access shall be subject to Hudson’s compliance with its GDPR obligations in relation to third parties. Any requests must be limited to a particular date and time period and Hudson shall only disclose such footage after due verification of the identity of the Data Subject.

9.3       Deletion (“the right to be forgotten”)

You have the right to request that the CCTV footage be erased in case:

(i)         Such footage is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(ii)        Processing is based on legitimate interests and You have objected to processing and there is no other overriding legitimate ground for processing;

(iv)       You believe that your Personal Data has been unlawfully processed;

(v)        Your Personal Data has to be erased in order to ensure compliance with any legal obligations arising from any legislation enacted within the European Union or in Malta.

9.4       Restriction

You have the right to request a restriction on the processing of the CCTV footage in case:

(i)         The processing of the CCTV footage is unlawful, and you oppose the erasure of your Personal Data and request the restriction of its use instead;

(ii)        Hudson no longer needs the CCTV footage for the purposes of the processing;

(iv)       Hudson no longer needs the CCTV footage, but is required by you to retain the data for the establishment, exercise or defence of legal claims;

(v)        You have objected to processing (as specified in detail below), pending the verification whether our legitimate grounds override yours.

When you restrict processing, your personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

In case you have obtained restriction of processing as per above, we will inform you before the restriction of processing is lifted.

9.5       Right to Object

You have the right to object to the processing of CCTV footage featuring your Personal Data on grounds relating to your personal circumstances unless we have compelling legitimate grounds that override the rights and interest of the Data Subject.

9.6       Data Portability

You enjoy a right to data portability with respect to your Personal Data held by Hudson and Hudson hereby binds itself to provide such Personal Data, in a structured, commonly used and machine-readable format.

9.7       Complaint

In addition to the above, and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), competent Supervisory Authority for the Controller in Malta, if you deem it necessary to do so.

The complaint may be submitted online through this link (subject to change): https://idpc.org.mt/en/Pages/contact/complaints.aspx

 

10. DATA SECURITY

10.1     Hudson takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. These measures include:

(i) Secure storage; and

(ii) Access control.

10.2     Hudson takes reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. For this purpose, Hudson follows good practice policies and procedures.