CCTV Policy

1. Controller’s details

The data controller of the CCTV is QUALCO Information Systems Single Member Societe Anonyme and distinctive title “QUALCO”, with registered offices in Athens, Greece 66, Kifissias Ave 15125 Marousi, with VAT number: 094503426 and General Electronic Commercial Registry number 2916401000 (hereinafter “QUALCO”), T: +30 210 6198903, E:


  1. Purpose

2.1. Video surveillance systems are those systems which are permanently installed and having the ability to record and/or transmit images and/or sound to projection screens or recording devices (where cameras can be connected to the display or recording equipment either directly or via network/internet).      

The most common case of a video surveillance system is the closed-circuit television system.

2.2. The video surveillance system receives images of natural persons and therefore processes personal data. QUALCO acting as the Data Controller has all the obligations arising from the institutional framework on data protection, data protection legislation, such as the obligation to comply with data subjects’ rights, the obligation to respect the confidentiality and security of processing.

2.3. This policy describes the video surveillance system of QUALCO and sets out the measures taken to protect personal data, the right to privacy and other fundamental rights and interests of natural persons filmed by the video surveillance cameras of QUALCO.


  1. Scope

3.1. All video-surveillance systems installed and managed by QUALCO within and around its premises located in Athens. The system comprises of a number of fixed cameras without voice recording. The cameras are placed on the perimeter of the buildings and record the outside of the buildings and the entrance areas.

3.2. The policy applies to:

  • All QUALCO employees (including external partners with access to QUALCO resources, employees, and interns regardless of the nature of the contract)
  • All employees in QUALCO premises
  • Any kind of visitors to the QUALCO premises

3.3. Please note that this policy does not include:

  • Operation of videoconferencing systems, recording on audiovisual material of an event (e.g. conference, hearing, seminar, social event),
  • Video recording made for the purpose of producing material or broadcasting an event in the context of QUALCO's communication policy with the press and the public
  • Capture of images and/or sound from hand-held cameras, mobile phone devices or other non-recording input control systems, which activated by a specific action of their user (e.g. intercoms), since no continuous image and/or video recording is performed.
  1. Regulatory Framework

4.1. In view of the current regulatory framework, this policy aims to document the rules and procedures in place to process the video-surveillance images in accordance with the EDPS guidelines for CCTV, the CCTV guidelines issued by the Hellenic Data Protection Authority (HDPA) and GDPR Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.

4.2. In the context of the GDPR Regulation requirements, the Company has executed Data Protection Impact Assessment in accordance with the Data Protection Impact Assessment Policy of QUALCO. The report resulting from this study has been sent to the company and the Facilities department, which has drawn up a plan for the implementation of the actions it prescribes.


  1. CCTV Overview

5.1. The CCTV system is owned by QUALCO SA and it is managed by QUALCO SA and its appointed agents. Under current data protection legislation QUALCO SA operates as data controller for the images/videos produced by the CCTV system.

5.2. The Facility Manager has been designated as the person responsible for the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring, and ensuring compliance with this policy.

5.3. Signs are placed at pedestrian and vehicular entrances in order to inform staff, visitors and members of the public that CCTV is in operation. The signage indicates that the system is managed by QUALCO.

5.4. Cameras are sited to ensure that they cover QUALCO premises as far as possible. Cameras are installed throughout the QUALCO’s sites including roadways, car parks, buildings, and licensed premises within buildings and externally in vulnerable public-facing areas.

5.5. Cameras are not sited to focus on private residential areas and cameras situated in QUALCO external areas are focused on entrances and communal areas. Where cameras overlook residential areas, privacy screens will be fitted.

5.5. The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.

5.6. Cameras are monitored in the Security Control Room, which is a secure area, staffed 24 hours a day.

5.7. Images are recorded centrally on servers located securely in the QUALCO Data Centers and are viewable in Security Service areas by authorized security staff. Additional staff may be authorized by the Facility Manager to monitor cameras cited within their own areas of responsibility on a view-only basis.

5.8. The cameras installed provide images that are of suitable quality for the specified purposes for which they are installed, and all cameras are checked daily to ensure that the images remain fit for purpose and that the date and time stamp recorded on the images is accurate.

5.9. The use of covert cameras is restricted.

5.10. The CCTV system is subject to a Data Protection Impact Assessment. Any proposed new CCTV installation is subject to a Data Protection Impact Assessment.


  1. Policy Statements

6.1. Privacy

QUALCO will ensure that any personal information collected, retained, and released through its CCTV systems is managed in accordance with the GDPR Regulation. Staff will respect the privacy of individuals when using CCTV, maintain confidentiality over what they observe, and comply with QUALCO's Privacy Policy when dealing with personal information. Staff will not use CCTV systems to view individual’s private property unless there is an approved purpose to do so.


6.2. Purposes of CCTV

QUALCO uses CCTV systems and processes personal data for the following purposes:

  • to ensure the safety of QUALCO staff, QUALCO customers, and the public using QUALCO premises
  • to support the protection and security of assets and facilities
  • to support the prevention, detection, investigation, and enforcement of offenses for which QUALCO holds enforcement powers

The CCTV system will be used to observe QUALCO’s premises and areas under surveillance in order to identify incidents requiring a response. Any response should be proportionate to the incident being witnessed.


QUALCO seeks to operate its CCTV system in a manner that is consistent with respect for the individual’s privacy.


Any modification to the camera type or position must be approved by the Data Protection Officer and the Information Security Director.


The use of the CCTV system will be conducted in a professional, ethical and legal manner and any diversion of the use of CCTV security technologies for other purposes is prohibited by this policy.

The CCTV will not be used for monitoring employee performance.

The CCTV will not be used to monitor public areas.


6.3 Compliance with Data Protection Legislation

In its administration of its CCTV system, QUALCO complies with the General Data Protection Regulation (GDPR) and the Greek L.4624/2019.

Due regard is given to the data protection principles embodied in GDPR. These principles require that personal data shall be:

  1. a) processed lawfully, fairly and in a transparent manner;
  2. b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. c) adequate, relevant, and limited to what is necessary for relation to the purposes for which they are processed;
  4. d) accurate and, where necessary, kept up to date;
  5. e) kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. QUALCO ensures it is responsible for and able to demonstrate compliance with GDPR.


6.4 Notification

A resume of this CCTV Policy will be available through the QUALCO website.

A copy of this CCTV Policy will be provided on request to staff and visitors.

The location of CCTV cameras will also be indicated and adequate signage will be placed at each location in which a CCTV camera(s) is sited to indicate that CCTV is in operation.

Signage shall include the name and contact details of the data controller as well as the specific

purpose(s) for which the CCTV camera is in place in each location.

Appropriate locations for signage will include:

  1. at entrances to premises i.e. external doors
  2. reception area
  3. at or close to each internal camera


6.5 Retention

CCTV footage and CCTV data will be retained for seven (7) days in accordance with QUALCO’s Data Retention Policy, except where the image identifies an issue and is retained specifically in the context of an investigation/prosecution of that issue.


Where the purpose of the collection requires CCTV footage or CCTV data to be retained for a longer period or where there is a legal requirement to do so, QUALCO will remove personal information contained within such footage or data unless it is required for the purpose of the retention of the footage.

The images/recordings will be stored in a secure environment.


6.7 Access of CCTV information

Access will be restricted to authorized personnel. Supervising the access and maintenance of the CCTV System is the responsibility of the Facility Manager.


Any ongoing arrangements for access to CCTV systems or release of CCTV: footage/data to third parties must be formalized in writing and to be approved by the Data Protection Officer and the Information Security Director.


In certain circumstances, the recordings may also be viewed by other individuals in order to achieve the objectives set out above. When CCTV recordings are being viewed, access will be limited to authorized individuals on a need-to-know basis:

  • By the police where QUALCO is required by law to make a report regarding the commission of a suspected crime; or
  • Following a request by the police when a crime or suspected crime has taken place and/or when it is suspected that illegal/anti-social behavior is taking place on QUALCO property, or
  • or To individuals (or their legal representatives) subject to a court order.
  • To data subjects (or their legal representatives), pursuant to a Data Subject Access Request. Individuals submitting requests for access will be asked to provide sufficient information to enable the footage relating to them to be identified. For example, date, time and location. QUALCO will respond to requests within 30 calendar days of receiving the request in line with its Data Protection policy. QUALCO reserves the right to refuse access to CCTV footage where this would prejudice the legal rights of other individuals or jeopardise an on-going investigation. In giving a person a copy of their data, other images of other individuals will be obscured before the data is released. Where footage contains images relating to 3rd parties, QUALCO will take appropriate steps to mask and protect the identities of those individuals.

6.8 Security of CCTV

Security measures will include physical, technological and administrative means.

These include ensuring only authorized persons have access to the CCTV software, restricting permissions to those needed to perform their duties, and annual reviews of access rights.


6.9 Staff Training

Staff authorized to access the CCTV system will be trained to comply with this policy. Staff will understand that all information relating to the CCTV images must be handled securely.

Staff will receive appropriate training to enable them to identify and handle different requests according to regulations.

Staff misuse of surveillance system information will lead to disciplinary proceedings.


  1. Complaints procedure

Complaints concerning this CCTV should be made in writing to the Facility Manager at:

All concerns relating to the protection of your personal data and/or the exercise of your GDPR rights should be addressed to the QUALCO DPO Despina Spatha at


  1. Policy Review

The QUALCO' s usage of CCTV and the content of this policy shall be reviewed every two years by the Facility Manager in collaboration with the Data Protection Officer with reference to the relevant legislation or guidance in effect at the time. Further reviews will take place as required.


  1. Related Policies
1. Data Protection Policy
2. Data Retention Policy
3. Data Subjects’ Rights Policy
4. Data Protection Impact Assessment Policy


  1. Related Procedures

CCTV Administration Procedure


  1. Publish date: 20/04/2023