CCTV POLICY
(INFORMATION POLICY FOR THE PROCESSING OF PERSONAL DATA THROUGH VIDEO SURVEILLANCE SYSTEM)
Intro
This Information Policy on the processing of personal data through a video surveillance system (hereinafter "CCTV Policy" or “Policy”) belongs to the company under the company name "KONSTANTINOS KOULIAS ANONYMI ETAIREIA" and the distinctive title "ATLANTIS HOTEL" (hereinafter referred to as "company", or "hotel" or "we"), which by law acts as Data Controller and is based in the area of Lambi (P.C. 85300) of the municipality of Kos, Dodecanese,  with TIN 094034654.
This Policy describes important aspects concerning our processing of the data subjects’ personal data, which we receive in the context of the operation of the video surveillance system through closed-circuit television cameras (hereinafter referred to as "CCTV system") in the hotel premises where our company operates.
Thanks to this Policy, clearly documented procedures are formed for the processing of your personal data and you are informed about:
-The purpose for which the processing is carried out,
-The mode of operation of the CCTV system in use,
-The installation areas and range of the cameras,
−The retention period of the data,
-The categories of persons operating the CCTV system,
-Your rights regarding your personal data, which are processed by the operating CCTV system.
 
1. Purposes of installation and operation of CCTV system
1.1. We use a surveillance system for the purpose of security and protection of persons and goods.
1.2. The purpose of protecting persons and goods is initially justified by our legitimate interest to preserve the reputation of our hotel as a safe place to stay, taking care of the safety of life, physical integrity, health and property of persons lawfully present in it. Furthermore, our company, operating a hotel, is obliged to protect the property of its customers in accordance with applicable law (cf. Articles 834 et seq. of the Greek Civil Code, regarding the liability of hoteliers).
1.3. The company does not use the CCTV system for other purposes. The CCTV system is not used to evaluate employees’ efficiency.
 
2. How CCTV System Works
2.1. The operation of the CCTV system is justified and necessary for the purposes of the legitimate interests pursued by the company and for its compliance with its legal obligations regarding the operation of a hotel (see clause 1.2 above) with the minimal privacy impact.
2.2. We collect only image data and limit the video- surveillance to specific places where we have assessed that there is an increased likelihood of committing illegal acts (e.g. theft, such as at our cash registers, warehouses of goods and at the hotel entrance), without focusing on areas where the privacy of the persons whose image is recorded may be excessively restricted (see in particular clauses 3.1.5;  3.1.6).
2.3. Our company uses a CCTV system designed with privacy-friendly settings for the subjects entering and circulating in the area of video surveillance. This is because:
- The CCTV system does not process audio data.
- It is a static CCTV system, without the possibility of torsion and focus (zoom).
2.4. Our company uses the CCTV system in the least invasive way to the privacy of data subjects, as evidenced by the video surveillance operating conditions (camera locations, record retention time, limited access to the file), which are more specifically analyzed in section 3 hereof as well as by the fact that no special categories of data are collected.
3. Description of CCTV system used
3.1. Number and locations of cameras:
3.1.1. The cameras are installed in such an environment that they receive clear quality images to serve their installation purposes, providing the necessary information to the company.
3.1.2. Nine [9] cameras have been installed, by a specialist, in the absolutely necessary areas in relation to the intended purposes. The number and type of cameras installed is depended on the size of the installations and the increased security requirements and is limited to the processing of the absolutely necessary information.
3.1.3. The area covered by the cameras is owned by the company and public spaces are not video-surveilled (e.g., no image is taken from side streets, and/or sidewalks, nor from entrances or interiors of neighboring buildings/spaces).
3.1.4. We have posted in our hotel in every place where the video surveillance system operates an appropriate number of visible information/warning signs about the fact that the space is being video-surveilled.
3.1.5. The company has limited the image capture through the CCTV system to areas where it is assessed that there is an increased likelihood of criminal or delinquent acts and to areas containing sensitive information or assets that need increased protection, as well as to entry and exit points of our hotel facilities to control incoming/outgoing guests (e.g. entrances/exits of property and buildings,  reception, elevator and staircase entrances/exits, money storage areas, warehouse entrances, electromechanical installations, etc.).
3.1.6. The cameras do not focus on data subjects or areas where their privacy could be deemed as excessively restricted and hotel guests or guests may be unduly monitored, such as dining areas and corridors leading to hotel rooms. Such areas also mean, but not limited to, the entrances of private rooms, toilets, and areas where leisure activities take place (such as swimming pools, gyms, sports areas, changing rooms, etc.).
3.2. System’s Operation Time:
The CCTV system operates twenty-four (24) hours a day seven (7) days a week with time stamping, to ensure the intended increased protection of goods and persons. The CCTV system records the movement in the video-surveilled area in combination with the date and time.
3.3. Record Retention Period:
3.3.1. The data processed through the CCTV system are kept for a period of 15 days in view of the intended processing purposes.
3.3.2. The data is automatically deleted via the CCTV system after the above period has elapsed.
3.3.3. In special cases of criminal or delinquent acts (e.g., theft, robbery, unauthorized access to the company's premises), it is allowed to keep images of the specific incident in a separate file for 30 days, in accordance with Directive 1/2011 of the Hellenic Data Protection Authority. If the incident concerns a third party, it is allowed to keep images for 3 months, similarly in accordance with the above directive of the Hellenic Data Protection Authority.
4. Recipients
4.1. The maintained CCTV record is not transmitted to third party recipients.
This material is accessible only by our competent and authorized personnel in charge of the security of the site. Specifically, to prevent the dissemination of material to unauthorized recipients, access to the CCTV system has a special team of authorized persons-associates, properly trained and familiar with this Policy and the safe and lawful operation of the system, which consists of the CEO, the Hotel Manager, the IT Manager and the external partner responsible for the Technical Maintenance of the CCTV system, each of whom has clearly defined responsibilities.
4.2. Exceptionally, the transmission of material is allowed without the consent of the data subject, in case our company is obliged to transmit data to a competent judicial, prosecutorial, police or other competent authority under their lawful request during the exercise of their duties, or in case it constitutes evidence of a criminal act committed in the area of the operating video surveillance system and can contribute to the investigation of the incident or the identification of perpetrators.
5. Data Subject Rights
 
5.1. According to data protection law, the data subject has the following rights:
 
Right of access: the data subject has the right to know if we are processing his or her image and, if so, to receive a copy of it.
 
Right to restriction: the data subject has the right to ask us to restrict processing, such as not to delete data that he/she considers necessary for the establishment, exercise or support of his/her legal claims.
 
Right to object: the data subject has the right to object to the processing of his or her personal data.
 
Right to erasure: the data subject has the right to ask us to delete his or her data.
 
5.2 You can exercise your rights by sending an email to address “info@atlantishotel-kos.com”, or a letter to our postal address, or by submitting your request in person to the reception of our hotel at Lambi, Kos 85300, Greece. The application must contain your identity details (ID number, passport, etc.). In case of a request related to your image, it is required to determine when you were within the range of our company's cameras, as well as to provide us with a recent photo of you, which will facilitate us in specifying your data and hiding third parties depicted. Alternatively, you can come to our facilities to show to us the images in which you appear. Please note that exercising the right to object or delete does not imply the immediate deletion of data or the modification of processing. In any case, the company will respond in detail to the request as soon as possible, within the legal deadlines.
 
5.3       In case you believe that we have unjustifiably not satisfied any of your above rights or that we have proceeded to any unlawful processing of your personal data, you are entitled to file a complaint before the Hellenic Data Protection Authority, based in Athens on Leof. Kifisias 1 (PC 115 23), with contact phone 2106475600. Prior to the submission of your complaint, it is recommended to consult the official website of the Hellenic Data Protection Authority "www.dpa.gr", in order to check that your complaint can be admissibly submitted before the DPA, as detailed therein.