2nd Level Notification on the processing of personal data through a video surveillance system

1.    Controller Details: The private company under the name «S. AND Α. MAMADAS HOTEL AND TOURIST ENTERPRISES S.A.» and the distinctive title «HOTEL PORTO» having its seat in Thessaloniki, 65 26th October Street, tel.: +30 2310 504504/ +30 2310 504500, e-mail: info@portopalace.gr.

2.    Purpose of processing and legal basis: We use a surveillance system for the purpose of protecting people and assets at our hotel. The processing is necessary for the purpose of the legitimate interests that we pursue as Controller, according to Article 6 paragraph 1 (f) GDPR.

3.    Analysis of legitimate interests: Our legitimate interest consists in the need to protect our premises and our goods, or the goods of our customers from illegal acts, including, for example, theft, vandalism, damage, etc. As a hotel, we have a legal obligation to protect the property of our customers (see articles 834 et seq. of the Civil Code), and the installation of a video surveillance system in our premises is aimed at this.

In addition, there is a legitimate interest in the protection and safety of the life, physical integrity, health and property of our staff, our customers and any third party who enters our premises. For these purposes, the video surveillance system aims to protect and secure the hotel’s facilities and infrastructure critical to its operation. Please note that we only collect image data, not audio data, and we do not use cameras with rotation (pan-and-focus cameras).

Regarding the installation of the cameras in the hotel premises, an assessment was carried out, during which the interests and fundamental rights of the data subjects and the legal interest of our hotel were weighed, limiting the placement of the cameras only to the areas and points where we assessed that there is an increased possibility of illegal acts or increased expectation of safety and protection of persons and property.

In accordance with article 17 paragraph 1) of Directive 1/2011, the installation of cameras in our hotel is limited to the areas intended to control incoming/outgoing traffic, such as the central entrance of the hotel, the reception area, the entrances/exits of the elevators and staircases and the entrance to the parking. Also, in the money storage areas (cash registers), in the property storage areas, in the equipment facilities and in the electromechanical facilities. Also, cameras have been placed in the entrance/exit areas of the elevators on the floors, but without taking an image from the corridors of the hotel or the entrances of the individual rooms. Toilet areas and vestibules, as well as common areas (gym, swimming pool) and catering areas, such as lounge area, breakfast area, restaurant, are not videotaped. Finally, cameras have been placed on the external perimeter of the building and this to the extent necessary for security and control of the hotel’s perimeter.

4.    Recipients: The material stored is accessible only by our competent/authorised personnel who are charged with the security of the space. This material shall not be transmitted to third parties, save in the following cases: a) to the competent judicial, prosecution and police authorities when it includes information necessary to investigate a criminal act involving persons or goods relating to the controller; b) to the competent judicial, prosecution and police authorities when legitimately requesting data in the performance of their duties; and c) to the victim or the perpetrator of a criminal offence, in cases of data which may constitute evidence of the act.

5.    Retention period: We retain the data referred to in this Notification for seven (7) days and, after this period has elapsed, the data are automatically deleted. If an incident comes to our attention during this period, we will isolate part of the video and retain it for one (1) further month, for the purpose of investigating the incident and institute legal proceedings to protect our legitimate interests; if the incident concerns a third party, we will retain the video for a further period of up to (3) months.

6.  Rights of Data Subjects: Data Subjects have the following rights:

•    Right of access: You have the right to be informed whether we process your image and, if so, to receive a copy of it.

•    Right to restrict processing: You have the right to request that we restrict processing, such as, for example, not to delete data which you consider necessary to establish, exercise or defend legal claims.

•    Right to object: You have the right to object to processing.

•    Right to erasure: You have the right to request the erasure of your data.

You can exercise your rights by sending an email to the address privacy@portopalace.gr or a letter to our postal address, 65 26th October Street, Thessaloniki, or by filing a request in person at our offices. For us to examine a request related to your image, you will need to advise us approximately when you were within reach of our cameras and provide us with an image of yours to enable us to locate your data and withhold the data which portray third parties. Alternatively, you may visit our premises for us to display the images in which you appear. Please note, that the exercise of your right to object or right to erasure does not entail the immediate deletion of your data or the modification of the processing. In any event we will respond in detail as soon as possible, within the time limits set forth in the GDPR.

7.    Right to lodge a complaint: Should you believe that the processing of your data infringes Regulation (EU) 2016/679, you have the right to lodge a complaint with the supervisory authority.  The competent supervisory authority for Greece is the Hellenic Data Protection Authority, 1-3 Kifisias Street, PC GR-11523, Athens, https://www.dpa.gr, tel: 2106475600.

I. What data the Data Controller collects and process and for what purposes.
Personal data include any information, in print or electronic media, relating to an identified or identifiable natural person, directly or indirectly, in combination with other information. Processing of personal data means the collection, registration, organization, storage, adaptation, alteration, retrieval, use, transmission to third parties, dissemination, association, combination, limitation, deletion and destruction of Personal Data of natural persons. The company “HOTEL PORTO” during its activities and transactions, collects and processes personal data, such as indicatively the following:

I.1. Employees/Prospective employees:
Regarding the employees of the Hotel: Information such as name and surname, father’s name, mother’s name, social security number (AMKA), gender, nationality, address, email, ID number, family status data, number and age of children, salary/benefits/bonus data, CVs, work experience, level of education, diplomas, licenses, as well as information related to employee payroll and taxation and other data required by labor or social security legislation. Processing of this data is necessary for the performance of the employment contract and the fulfillment of the company’s lawful obligations as employer. All employees of the company have been notified of a written statement for their detailed information regarding the processing of their data, the legal basis of the processing, the retention time of their data and their lawful rights. Candidates: the company maintains the following information regarding its prospective employees: name, surname, contact information, education, work experience, CV, email, nationality, family status. The company collects and processes personal data of the candidates for the evaluation of their suitability for filling a specific job position. This data is collected from the candidate upon his consent, by submitting the relevant application. In case of non-recruitment, the CV of the prospective employee is kept for a period of 2 years to cover any future jobs, after which the data is destroyed. The legal basis of the processing is the legitimate interest of the company and the consent of the candidate employee. Interns: The company collects and processes personal data of students doing their internship at the hotel, in cooperation with the educational institutions, as long as these are necessary for the performance of the internship contract and the fulfillment of the contractual and legal obligations of both parties. The legal basis of the processing is the performance of the contract and the compliance with a legal obligation of the company. The internship contract contains detailed information regarding the processing of interns’ data, the legal basis of the processing, the retention time of their data and their rights. When the internship ends, the data of the intern is deleted, except for those necessary for the defense of company’s rights before courts or in case of controls conducted by the competent bodies and authorities, in compliance with the labor legislation. Further retention and processing of the aforementioned data is only permitted if the intern expressly requests it and provides his/her consent for the purpose of future job search or for any use by him/her (for example in order to certify the completion of the internship).