Gép és Daru

Camera rules

Privacy Policy on the Operation of the Camera System

This Privacy Policy on the operation of the camera system (hereinafter: Policy) was prepared in accordance with the provisions of the General Data Protection Regulation – GDPR and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Info Act). The Data Controller is committed to protecting the personal data of its employees, partners, and visitors to its premises. The Data Controller treats personal data confidentially and takes all security, technical, and organizational measures that guarantee the security of the data.

Data Controller’s Details

  • Name of Data Controller: GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft.
  • Registered Office: 1119 Budapest, Kelenvölgyi határsor 5.
  • Company Registration Number: 01-09-693138
  • Contact: gd@gepesdaru.hu, +36 76 555 222
  • Data Protection Officer: Zsófia Kissné Lázár (GD Gép és Daru Kft., lazarzs@gepesdaru.hu, +36 30 206 0722)

Purpose of Data Processing, Scope of Data Subjects

The Data Controller operates a camera surveillance system at its Budapest and Lajosmizse premises for property protection purposes, 24 hours a day (0-24). The camera surveillance system both provides continuous monitoring (live feed) and records and stores the footage. The primary purpose of the camera surveillance system is the detection of property-related infringements, catching the perpetrator in the act, and preventing, investigating, and proving such infringing acts, as well as ensuring personal and operational security, and monitoring compliance with occupational safety rules. The installation of cameras and the management of recordings serve exclusively to protect the property elements of the Data Controller and the personal security of natural persons. The Data Controller does not use cameras in places where observation may violate human dignity, especially in dressing rooms, washrooms, and toilets. In the areas monitored by cameras (entrances, parking lots, transit areas), highly visible informational signs warn those entering. Information on the exact location of the cameras and the areas or objects they monitor is contained in Annex 1. The use of the camera surveillance system is justified because there is significant stock movement at the premises, and high-value property elements are located there. The data subjects are natural persons entering or leaving the Data Controller’s premises. Entering natural persons include employees, business partners, delivery personnel, staff of inspecting authorities, and other visitors.

Legal Basis for Data Processing

The processing of personal data recorded by the camera surveillance system is necessary for the enforcement of the legitimate interests of the Data Controller, for security and property protection reasons, based on Article 6(1)(f) of the GDPR. The making of recordings does not involve a disproportionate and unnecessary restriction on the interests, fundamental rights, and freedoms of the data subjects. The legitimate interest is property and personal protection.

Scope of Processed Personal Data

The processed personal data consists of recordings of the facial image, likeness, movement, and behavior of natural persons entering the Data Controller’s premises. The camera system does not record audio.

Retention Period of Processed Data

The recordings made by the camera surveillance system are stored by the Data Controller for 30 days, after which the system automatically deletes the recordings, unless the Data Controller uses them in an evidentiary procedure.

Persons Authorized to Access the Data

The Managing Director is authorized to view the live feed of the camera surveillance system. The Managing Director, the Deputy Managing Director, and the System Administrator are authorized to view the recordings of the camera surveillance system and to save the recordings to a data carrier. Authorities may also access the recordings if they are conducting an investigation. Whenever recorded footage is reviewed, a viewing protocol is drafted (Annex 2). The protocol must record the name of the person performing the reviewing/viewing, the name of the data subject if present, and the reason and time of the reviewing/viewing, and it must be signed by those present during the reviewing/viewing. Recorded camera footage may be reviewed and viewed solely for the purposes of clarifying and uncovering the facts in the event of infringing acts (e.g., unauthorized entry, theft, vandalism, or other damage), detecting irregularities, preventing infringements, and catching or identifying the perpetrator. The recordings will only be used if there is a suspicion of the commission of a crime, a misdemeanor, or a breach of an obligation arising from an employment relationship.

Data Transfer

The Data Controller does not transfer the recordings made by the camera surveillance system either within the European Union or to a third country. Data may be transferred exclusively within Hungary, to the extent necessary, to authorities and other organizations (e.g., police, occupational safety authority, legal representative). The Data Controller does not transfer the data to any other person or body.

Rights of Data Subjects

Based on the data subject’s right to information, the Data Controller takes measures through the publication of this Policy to ensure that all information concerning the processing of personal data, as defined by Article 13 of the GDPR, is available to the data subject. Data subjects may request access to, rectification, erasure, or restriction of processing of their personal data processed by the Data Controller, and may object to the processing of such personal data. Data subjects may submit their requests regarding their rights in writing or electronically, addressed to the Data Controller. If the data subject submitted the request electronically, the Data Controller will provide the information electronically, unless the data subject requests otherwise. The Data Controller will decide on the request within 30 days of its receipt at the latest, and will inform the data subject of the measures taken in response to the request, or, if no measure is taken, the reasons for this, and the possibility of filing a complaint with the supervisory authority or seeking judicial remedy. The deadline for action may be extended by an additional two months if necessary, taking into account the complexity of the request and the number of requests. The Data Controller will inform the applicant of the extension of the deadline, indicating the reasons. Within 3 working days of receipt, the Data Controller will decide whether data subject requests for viewing or copying can be fulfilled. The data subject may only view recordings from the times they were present in the area monitored by the camera, may only view the recordings of those cameras through which their image was recorded, and only to the extent consistent with the provisions of the GDPR. The rules on viewing laid down in the previous paragraph must also be appropriately applied to requests for copies. The requested information and measures are provided free of charge. If the data subject’s request is clearly unfounded or excessive, the Data Controller may charge a fee or refuse to take the action.

Based on the data subject’s right of access, after verifying their identity, the data subject has the right to receive confirmation from the Data Controller as to whether their personal data is being processed. The right to view the recordings or to request a copy shall not adversely affect the rights and freedoms of others. In order to enforce the right to the protection of the personal data of other data subjects appearing on the recording, in cases where a person other than the requesting data subject appears on the recording, the data subject may only receive a copy or view the recording with the other persons masked out. Under the right to rectification, the data subject may request the Data Controller to complete or correct inaccurate or incomplete personal data concerning them.

Under the right to erasure, the Data Controller, at the request of the data subject or without a separate request, shall without delay erase the recordings and other personal data concerning the data subject if the personal data is no longer necessary for the purpose for which it was collected or otherwise processed, the data subject objects to the processing and there are no overriding legitimate grounds for the processing, the personal data has been unlawfully processed, or the personal data must be erased to comply with a legal obligation in Union or Member State law applicable to the Data Controller.

The data cannot be erased if it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation under Union or Member State law, or for the performance of a task carried out in the public interest, based on a public interest in the area of public health, or for the establishment, exercise, or defense of legal claims.

Based on the right to restriction of processing, the data subject has the right to obtain from the Data Controller restriction of processing upon reasoned request if the data subject contests the accuracy of the personal data (while the Data Controller verifies the accuracy of the data), the processing is unlawful and the data subject opposes the erasure of the data, the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims, or the data subject has objected to the processing (pending the verification of the request regarding the objection).

During the period of restriction, personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims.

The data subject may object to the processing if they believe that the Data Controller would not process their personal data properly. In this case, the Data Controller must demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. If the data subject objects to the processing of their personal data, the Data Controller informs them of the legitimate interest serving as the legal basis for processing, and that the processing is necessary for property protection purposes, which, as a compelling legitimate ground related to the enforcement of legal claims, justifies the processing, or is related to the establishment, exercise, or defense of legal claims. The data subject may request the Data Controller to hand over their personal data (right to data portability). The data subject has the right to receive their data processed by the Data Controller, and also has the right to transmit it to another Data Controller – or to have the Data Controller transmit it upon request, provided the processing is based exclusively on the data subject’s consent or on a contract and the processing is carried out by automated means.

Data Security

The Data Controller takes all necessary technical and organizational measures to guarantee the security of the data subjects’ personal data, including the prevention of unauthorized access, data loss, and data damage. The Data Controller securely stores the recorded footage on its own server.

Legal Remedy

If the data subject wishes to file a complaint regarding the processing of their personal data, they should contact the Data Controller at one of the following contact details:

  • Registered Office: 1119 Budapest, Kelenvölgyi határsor 5.
  • Email address: gd@gepesdaru.hu

Anyone who suffers a grievance regarding the processing of personal data may file a complaint with the National Authority for Data Protection and Freedom of Information. The authority’s contact details:

  • E-mail: ugyfelszolgalat@naih.hu
  • Phone: +36-1-391-1400
  • Postal address: 1363 Budapest, P.O. Box: 9.
  • Website: www.naih.hu

Anyone whose rights as a data subject have been infringed upon during the exercise thereof or during the processing of their personal data may initiate civil litigation against the Data Controller. The adjudication of the lawsuit falls within the jurisdiction of the regional court. The proceedings may be initiated before the regional court of the data subject’s domicile or place of residence. If an infringement is established, the data subject may claim compensation and restitution for non-material damages, and the court may order the Data Controller to fulfill the exercise of the data subject’s rights.

Definitions

  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Data processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Annex 1 – Camera locations and monitored areas – Lajosmizse

Office Building:

  • Indoor: Ground floor – 1 pc (Entrance and the stairs)
  • Indoor: 1st floor – 2 pcs (Corridor and the stair landing between GF and 1st floor)
  • Indoor: 2nd floor – 2 pcs (Full length of the corridor)
  • Indoor: Paint shop – 1 pc (Located in the corner next to the left entrance and monitors the entire paint shop)
  • Outdoor: At the rear entrance – 2 pcs (Yard)
  • Outdoor: Old chimney – 2 pcs (Yard)
  • Outdoor: At the upper entrance – 1 pc (Yard)
  • Outdoor: Paint storage – 3 pcs (Yard)
  • Outdoor: Compressor house – 3 pcs (Yard)

Parts Manufacturing:

  • Indoor: Old horizontal workshop – 1 pc (Workshop)
  • Indoor: Shot blasting – 1 pc (Workshop)
  • Indoor: Machining workshop – 2 pcs (Workshop)
  • Indoor: Forklift entrance – 1 pc (Workshop)
  • Indoor: Detergent storage – 1 pc (Workshop)
  • Outdoor: Parts manufacturing personnel entrance – 1 pc (Yard)

Structural Manufacturing:

  • Indoor: In the 4 corners of the building – 4 pcs (Workshop)
  • Outdoor: At the corner towards parts manufacturing – 1 pc (Yard)

Assembly:

  • Indoor: Aluminum workshop – 1 pc (Workshop)
  • Indoor: Switchgear room, at the door of the compressor house – 1 pc (Workshop)
  • Indoor: In the SW corner of the assembly workshop – 1 pc (Workshop)
  • Outdoor: At the SE corner of the building – 2 pcs (Yard)
  • Outdoor: Steel storage – 2 pcs (Yard)

Total: 36 pcs

Annex 2 – Sample Protocol on Reviewing Recordings

  • Protocol number:
  • Date:
  • Location:
  • Recording details:
  • Start time of viewing the recording:
  • End time of viewing the recording:
  • Present (name, position):
  • Detailed description of circumstances justifying the viewing of the recording (and other personal data): 
  • Conclusions drawn during the viewing:
  • Name of the minute-taker:
  • Signature of the minute-taker: