SSANGYONG AUTOMOTIVE IRELAND LIMITED

Data Protection Policy in relation to use of CCTV

 

 

CONTENTS

___________________________________________________________

CLAUSE

  1. Policy statement
  2. Definitions
  3. About this policy
  4. Personnel responsible
  5. Reasons for the use of CCTV
  6. Monitoring
  7. How we will operate any CCTV
  8. Use of data gathered by CCTV
  9. Retention and erasure of data gathered by CCTV
  10. Ongoing review of CCTV use
  11. Requests for disclosure
  12. Subject access requests
  13. Complaints
  14. Other rights

 

 

 

  1. Policy statement
    • SsangYong Automotive Ireland Limited (“SAIL”, “we”, “us”, or “ours”) operates a closed-circuit television (“CCTV”) surveillance system on its premises.
    • We believe that CCTV has a legitimate role to play in helping to maintain a safe and secure environment for all our staff and visitors. However, we recognise that this may raise concerns about the effect on individuals and their privacy. This policy is intended to address such concerns. Images recorded by CCTV are personal data which must be processed in accordance with data protection laws. We are committed to complying with our legal obligations and ensuring that the legal rights of staff, relating to their personal data, are recognised and respected.
    • This policy is intended to assist staff in complying with their own legal obligations when working with personal data. In certain circumstances, misuse of information generated by CCTV could constitute a criminal offence.
  2. Definitions
    • For the purposes of this policy, the following terms have the following meanings:

CCTV: means fixed and domed cameras designed to capture and record images of individuals and property.

Data: is information which is stored electronically, or in certain paper-based filing systems. In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.

Data subjects: means all living individuals about whom we hold personal information as a result of the operation of our CCTV.

Personal data: means data relating to a living individual who can be identified from that data (or other data in our possession). This will include video images of identifiable individuals.

Data controllers: are the people who, or organisations which, determine the manner in which any personal data is processed. They are responsible for establishing practices and policies to ensure compliance with the law. We are the data controller of all personal data used in our business for our own commercial purposes.

Data users: are those of our employees whose work involves processing personal data. This will include those whose duties are to operate CCTV cameras to record, monitor, store, retrieve and delete images. Data users must protect the data they handle in accordance with this policy.

Data processors: are any person or organisation that is not a data user (or other employee of a data controller) that processes data on our behalf and in accordance with our instructions (for example, a supplier which handles data on our behalf).

Processing: is any activity which involves the use of data. It includes obtaining, recording or holding data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring personal data to third parties.

  1. About this policy
    • We currently use CCTV cameras to view and record individuals on our premises. This policy outlines why we use CCTV, how we will use CCTV and how we will process data recorded by CCTV cameras to ensure we are compliant with data protection law and best practice. This policy also explains how to make a subject access request in respect of personal data created by CCTV.
    • We recognise that information that we hold about individuals is subject to data protection legislation. The images of individuals recorded by CCTV cameras in the workplace are personal data and therefore subject to the legislation. We are committed to complying with all our legal obligations and seek to comply with best practice suggestions from the Data Protection Commission (DPC).
    • This policy covers all employees, directors and officers and may also be relevant to visiting members of the public.
    • The policy will be regularly reviewed to ensure that it meets legal requirements, relevant guidance published by the DPC and industry standards.
  2. Personnel responsible
    • The board of directors has overall responsibility for ensuring compliance with relevant legislation and the effective operation of this policy. Day-to-day operational responsibility for CCTV cameras and the storage of data recorded is the responsibility of the Country Manager.
  3. Reasons for the use of CCTV
    • We currently use CCTV as outlined below. We believe that such use is necessary for legitimate business purposes, including:
      • to protect buildings and assets from damage, disruption, vandalism and any other crime;
      • to protect our staff, contractors and visitors from any physical assault, threatening behaviour or robbery;
      • to act as a deterrent against crime;
      • to support law enforcement bodies in the prevention, detection and prosecution of crime; and
      • to provide assistance to emergency services.

This list is not exhaustive and other purposes may be or become relevant.

  1. Monitoring
    • CCTV monitors the interior and exterior of the building as well as both the main entrance and secondary exits24 hours a day and this data is continuously recorded.
    • Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. CCTV cameras are not used in the staff canteen or any restroom within the building. As far as practically possible, CCTV cameras will not focus on private homes, gardens or other areas of private property.
    • Live video is monitored by authorised personnel during working hours only.
    • Recordings may be reviewed by authorised personnel at any time for the purposes listed in 5.1.
  2. How we will operate any CCTV
    • Where CCTV cameras are placed in the workplace, we will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the CCTV and who to contact for further information, where these things are not obvious to those being monitored.
    • We will ensure that live feeds from cameras and recorded images are only viewed by approved members of staff whose role requires them to have access to such data. This may include HR staff involved with disciplinary or grievance matters. Recorded images will only be viewed in designated, secure offices.
  3. Use of data gathered by CCTV
    • In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
    • Given the large amount of data generated by CCTV, we may store video footage using a cloud computing system. We will take all reasonable steps to ensure that any cloud service provider maintains the security of our information, in accordance with industry standards.
    • We may engage data processors to process data on our behalf. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
  4. Retention and erasure of data gathered by CCTV
    • Data recorded by the CCTV system will be stored digitally using a cloud computing system. Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Exactly how long images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for crime prevention purposes, data will be kept long enough only for incidents to come to light. In all other cases, recorded images will be kept for no longer than 30 days. We will maintain a comprehensive log of when data is deleted.
    • At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
  5. Ongoing review of CCTV use
    • We will ensure that the ongoing use of existing CCTV cameras in the workplace is reviewed periodically to ensure that their use remains necessary and appropriate, and that any CCTV is continuing to address the needs that justified its introduction.
  6. Requests for disclosure
    • We may share data with other group companies and other associated companies or organisations, for example shared services partners where we consider that this is reasonably necessary for any of the legitimate purposes set out above in paragraph 1.
    • No images from our CCTV cameras will be disclosed to any other third party, without express permission being given by the board of directors. Data will not normally be released unless satisfactory evidence that it is required for legal proceedings or under a court order has been produced.
    • In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
    • We will maintain a record of all disclosures of CCTV footage.
    • No images from CCTV will ever be posted online or disclosed to the media.
  7. Subject access requests
    • Data subjects may make a request for disclosure of their personal information and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing.
    • In order for us to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
    • We reserve the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where we consider it necessary to do so.
  8. Complaints
    • If any member of staff has questions about this policy or any concerns about our use of CCTV, then they should speak to their manager in the first instance.
    • Where this is not appropriate, or matters cannot be resolved informally, employees should use our formal grievance procedure.
  9. Other rights
    • In addition to the rights outlined above you also have the following rights:
      • Where your identifiable CCTV images have been accessed by, or disclosed to unauthorised persons, lost, destroyed or unlawfully processed and this may result in a high risk to your rights and freedoms, we must inform you without delay; and
      • You may complain to the Data Protection Commission (“DPC”), if you think that our processing of your identifiable CCTV images has infringed the General Data Protection Regulation.