POLICY OF THE SECURITY ELECTRONIC MONITORING CAMERA SYSTEM OPERATING IN THE AREA OF MATTHIAS CHURCH In effect from the 15th of August 2019
1. General provisions
1.1. The Trusteeship of the Matthias Church (hereinafter referred to as “Matthias Church” OR “Data Controller”), Registered seat: 14 Országház Street, Budapest 1014; in the building under 2 Szentháromság Square, Budapest 1014 of Matthias Church has installed a security camera system in compliance with the data management rules of Section 5 of the Act CXII of 2011 on the Right to Self-determination and Freedom of Information and has entrusted the data processor indicated in point 1.3. with the processing of the data gathered.
1.3. Data Controller entrusted Zoltán Hegedűs self-employed entrepreneur as a personally contributing data processor (hereinafter referred to as: Data Processor).
1.4. The Data Controller reserves the right to unilaterally make amendments to the present Policy provided of course, that it notifies all data subjects and its contractual partners and customers etc. of the amendments in due time.
2. The scope of the processed personal data; the purpose, legal basis, place and time of the data processing activity; the name and contact details of the Data Controller
2.1. Electronic surveillance system (CCTV system) installed in the building of Matthias Church as the building concerned with the data processing activities:
The cameras are monitored continuously by the Data Processor. The image will only be recorded in a separate room at the address of Matthias Church stated above. Only the Data Controller or, at its disposal, the Data Processor is entitled to review the recorded camera images and extract the data.
The data recorder is placed in a metal-structured container so that Matthias Church can provide exclusive access to the Data Processor.
2.2. Scope of personal data processed and categories of data subjects:
The image of the people entering the building of Matthias Church (2 Szentháromság Square, Budapest 1014) can be seen in the recorded camera images. Identifiable persons may appear in the recordings made by the camera system, so the camera system can also detect the movement or certain behavior of these people.
A description and icon of the application of the electronic monitoring camera system has been posted in a place that is clearly visible and readable to third parties wishing to appear in the area, in a way that it helps to inform them as data subjects.
2.3. The purpose of the data processing activity: the protection of the building, property and security equipment of Matthias Church (2 Szentháromság Square, Budapest, 1014), the protection of human life and physical integrity, the protection of personal freedom, and the prevention of possible violations and the ability to provide proof of those.
2.4. The legal basis for data processing: Matthias Church applies CCTV system in accordance with Point a) Section (1) Article 6. of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: General Data Protection Regulation/GDPR).
2.5. The location of data processing activitt: The hard disk of the image recording equipment is located in the server room of the building of Matthias Church (2 Szentháromság Square, Budapest, 1014).
2.6. The duration of data recording and the deadline of the deletion of the data processed: 3 days / 72 hours in the absence of lawful usage of the recordings.
2.7. Representatives and contact details of the Data Controller:
Zoltán Erdész HR and Marketing Manager
Registered office: 14 Országház Street, Budapest 1014
Postal address: 14 Országház Street, Budapest 1014
Phone number: + 36-1-488-7716
Email address: firstname.lastname@example.org
dr. Csaba Szabó as Data Protection Officer (DPO)
Registered office: Apartmernt 3 1st floor of building nr. 20 Báthori Street, Budapest 1054
Mailing address: Apartmernt 3 1st floor of building nr. 20 Báthori Street, Budapest 1054
Email address: email@example.com
2.8. The use of recordings:
The Data Processor and the Data Controller have the right to access the recorded images of the cameras of the CCTV system and to view or save those recordings.
2.10. The transmission of data: in case of infringement or criminal proceedings the recorder CCTV images can be handled to the authorities and courts conducting the proceedings.
2.11. The scope of data transmitted: the recordings of relevant information made by the CCTV system saved on a data recorder and an additional register of the data recorder.
2.12. The legal basis for the transfer of data: § 261 of the Act XC of 2017 on Criminal Procedure, as well as § 75 of the Act II of 2012 on the Infringement Procedure and the Infringement Registration System.
2.13. The principles of data processing activities:
• Regarding employment relations, the law gives the employer the right to control the employee, but only in the context of employer’s employment-related conduct.
• The tools and methods used shall not violate human dignity.
• The employer respects the personal rights of the employees, informing them in advance about the manner, conditions and expected content of any restriction of those. / § 9 Section (1)-(2) of the Hungarian Act I of 2012 on the Labor Code (hereinafter referred to as: Labor Code)/
• Employees are only monitored for employment-related behaviors, and their private life is not included. /§ 11/A Section (1) of the Labor Code/
• Data Controller acts lawfully in the processing of data, as it complies with the Hungarian Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter referred to as ‘Privacy Act’) and the general provisions of the GDPR.
• The Data Controller can certify that the electronic monitoring system used by it is compatible with the purpose limitation principle and interest balance test stated in § 4 Section (1)-(2) of the Privacy Act. According to this, personal data may only be processed for a specific purpose, in order to exercise a legal right and fulfillment of an obligation.
• The employee’s consent to data processing is not required, but the employee must be informed on the data processing activity.
• In the information on the surveillance system issued to the employees, the employees are informed in advance about the fact of the camera surveillance.
• The placement of the camera surveillance shall not violate human dignity (ie. in working hours it cannot be recorded in a changing room, toilet, shower, medical room or waiting room at the place of work). If no one can be legally present in the workplace (especially outside working hours or on public holidays), the entire workplace can be observed.
• The angle of view of the camera can only focus on the area that is in line with the purpose of surveillance.
• The camera cannot be used to monitor a building or area owned by a third party.
• The employer must place a warning sign in the areas where the cameras are installed.
2.14. Security cameras operate continuously. The cameras shall not be switched off, covered or obstructed in any way!
2.15. Other data processing activities:
We inform the data subjects, our employees, the persons coming to work at the site, as well as the visitors visiting them etc., that the court, the prosecutor’s office, the investigative-, and administrative authorities, the National Data Protection and Freedom of Information Authority or other bodies authorized by the law may also contact the Data Controller in order to provide information, disclose data, transfer documents or make those available in other form regarding the data processed by the CCTV system.
The Data Controller shall disclose personal data to the authorities, provided that the authority has indicated the exact purpose and scope of the data, only to the extent strictly necessary to achieve the purposes of the request.
3. The way personal data is stored, the security of data management
3.1. The Data Controller selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the processed data:
(a) is accessible to those entitled to it (availability);
b) its authenticity and authentication are ensured (authenticity of data management);
(c) its integrity can be demonstrated (data integrity);
d) is protected against unauthorized access (data confidentiality).
3.2. The Data Controller shall protect the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage and inaccessibility resulting from changes in the technology used.
3.3. In order to protect the data files processed electronically in its various registers, the Data Controller shall ensure, by means of an appropriate technical solution, that the stored data cannot be directly linked and assigned to the data subject, unless permitted by law.
3.4. In view of the current state of the art, the Data Controller shall ensure the protection of the security of data processing activity with technical and organizational measures that provide a level of protection appropriate to the risks related to data processing activity.
3.5. During the data processing activity, the Data Controller retains:
(a) its confidentiality: the information shall be protected so that only those who have are entitled to it may have access to it;
(b) its integrity: protects the accuracy and completeness of the information and the method of processing;
(c) its availability: ensuring that, when the authorized user needs it, he or she has effective access to the information required and that the means to do so are available.
3.6. The IT system and network of the Data Controller and its partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer hacking and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures.
3.8. The monitor for viewing and reviewing the images is positioned so that it cannot be seen by anyone other than those authorized to it.
3.9. Surveillance and retrieval of stored images may be monitored only for the purpose of detecting and initiating measures necessary to eliminate the infringing acts. Images transmitted by the cameras cannot be recorded with any device other than the central recording unit.
3.10. Access to stored images can only be done in a secure way and in such a way that the person accessing the personal data can be identified. The review of stored images and the saving of images must be documented. Access to stored images shall be terminated immediately if the reason for authorization expires.
3.12. We inform users that electronic messages transmitted over the Internet, regardless of protocol (email, web, ftp, etc.), are vulnerable to network threats that lead to unfair activity, contract disputes, or the disclosure or modification of information. To protect against such threats, the service provider will take all precautionary measures required of it. It monitors the systems to record any security incidents and provide evidence of any security incidents. System monitoring also allows to check the effectiveness of the precautions taken.
4. The rights of the data subject:
4.1. Right to information and access
In all cases, the Data Controller shall endeavor to provide the data subjects with information on the processing of personal data in a concise, transparent, comprehensible and easily accessible form, worded in a clear and comprehensible manner.
The Data Controller processes personal data on the legal bases specified in Point 4. The data subject may request information from the Data Controller regarding the processing of his or her personal data.
Upon request, the Data Controller will provide with the following information regarding the processing of the data subject’s personal data:
(i) the purposes of the data processing;
(ii) the categories of personal data concerned;
(iii) the recipients or future recipients of the personal data processed;
(iv) the intended period for which the personal data will be stored or the criteria for determining the period;
(v) the data subject’s right to rectify, delete or restrict the processing of his or her personal data and the right to object to the processing of his or her personal data;
(vi) the right to submit a complaint with the supervisory authority;
(vii) to ask information about the source of his or her personal information if the personal information was not collected directly from the data subject; or
(viii) the fact that automated decision-making involves the processing of his or her personal data (at least the logic used and understandable information about the importance of the processing of personal data and the expected consequences for the data subject).
The Data Controller will provide the data subject with a copy of the personal data processed if he or she submits a request to that effect.
4.2. The right to rectification
The data subject has the right to ask the Data Controller to correct his or her inaccurate personal data or supplement his or her incomplete personal data without undue delay.
The data subject’s right to rectify does not extend to the Data Controller’s modification of the data recorded by the camera, but the Data Controller’s right to rectify the report on the review of the camera or the release of the camera if it contains inaccurate or incomplete personal data.
The data subject’s right to rectify does not extend to the Data Controller modifying the data recorded by the access control system.
4.3. The right of cancellation
Upon request, the Data Controller will delete the data subject’s personal data without undue delay, unless the data processing is
(i) for the purpose of exercising the right to freedom of expression and information,
(ii) for the purpose of fulfilling a legal obligation applicable to the Data Controller requiring the processing of personal data or performing a task performed in the public interest or in the exercise of a public authority conferred on the Data Controller,
(iii) on grounds of public interest in the field of public health,
(iv) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes (where the right of erasure is likely to make such processing impossible or would seriously jeopardize it), or
(v) necessary for the submission, enforcement or defense of legal claims.
In other cases, the Data Controller will delete the data subject’s personal data without undue delay if
(i) The Data Controller does not need personal data for the purpose for which it was collected or processed,
(ii) the data subject objects to the processing for reasons related to his or her own situation and there is no overriding legitimate reason for the processing,
(iii) the Data Controller has unlawfully processed the data subject’s personal data,
(iv) the Data Controller is obliged to delete personal data in order to fulfill its legal obligation.
If the Data Controller has disclosed personal data and is obliged to delete it, it will do everything in its power to inform the data processors that the data subject has asked them to delete the links to that personal data or a copy or a duplicate of the personal data.
4.4.The right to restrict data processing
The Data Controller restricts data processing if
(i) the data subject disputes the accuracy of his or her personal information,
(ii) the processing is unlawful and the data subject objects to the deletion of his or her personal data,
(iii) the Data Controller does not need the personal data for the purpose of processing the data, but the data subject requires the restriction of the personal data in order to submit, enforce or protect legal claims, or
(iv) the data subject objects to the processing for reasons related to his or her own situation.
In the event of a restriction on data processing, the Data Controller may process personal data only with the data subject’s consent or for the purpose of submitting, enforcing or protecting legal claims or protecting the rights of another person or in the important public interest of the European Union or a Member State.
The Data Controller will inform the data subject about the release of the data management restriction before the release.
4.5. Protest against the processing of personal data
The data subject may object to the processing of his or her personal data for reasons related to his or her own situation if the processing of his or her personal data is necessary for the legitimate interests of the Data Controller or a third party.
4.6. The right to data portability
The data subject may request that the Data Controller transfers his or her personal data processed in an automated manner (not on paper) to him or her or another Data Controller designated by the data subject in respect of data management activities based on the performance of the contract or on the basis of consent.
4.7. Automated decision making in individual cases, including profiling
The data subject has the right not to be covered by a decision based solely on automated data processing, including profiling, that would have legal effect on the data subject or would similarly affect him or her.
4.8. The right to withdraw consent
The data subject has the right to withdraw his or her consent at any time in the case of consent-based data processing.
4.9. In the event of a breach of the processing of personal data
• the data subject may contact the Data Controller at the email address firstname.lastname@example.org or on the telephone number +36 1 489 0716;
• the data subject may submit a complaint to the authority (National Data Protection and Freedom of Information Authority, mailing address: 1363 Budapest, Pf.: 9., email address: email@example.com, telephone number: +36 (1) 391-1400); 9-11 Falk Miksa Street, Budapest 1055) or
• the data subject may submit a complaint to court.
Information on CCTV camera system
THE AREA IS OBSERVED WITH CAMERA SUITABLE FOR RECORDING IMAGES!
1./ The fact of data collection: in compliance with the General Data Protection Regulation of the EU Parliament and of the Council (No. 2016/679 – “GDPR”) and Act CXXXIII of 2005 (“Property Protection Act”), an electronic surveillance system operates in the private area detected by the camera’s viewing angle.
2./ Scope of the individuals concerned and the personal data processed: images of persons entering and staying in the area monitored by an electronic surveillance system capable of recording images within the scope of the camera, a conclusion derived from movement and behavior.
3./ The purpose of data processing: the safety of life and property, as well as the detection of violations, violations of rules, criminal offenses, the prevention of the perpetrator’s actions, the prevention and proof of violating acts.
4./ Legal basis for data processing: Article 6 Paragraph (1) point f) of the GDPR regulation on processing on the basis of the legitimate interest of the data controller.
5./ Duration of data processing: based on the legal authorization, the image and sound recording may be stored for 3 working days from the date of recording in the absence of use, after which it shall be immediately destroyed or deleted if its use is not necessary.
6./ Definition of the Data Controller: The Trusteeship of Matthias Church (14 Országház Street, Budapest 1014).
7./ Location and security of data storage: On the server located at the premises of the Matthias Church (2 Szentháromság Square, Budapest 1014), the security of which is provided by the Trusteeship in its internal regulations in force at any time.
8./ Persons entitled to view the recordings: The Data Controller and the data processor of the Board of the Trusteeship with entitled by a data processing contract.
9./ Legal remedies: data subjects may exercise their rights provided for in the GDPR regulation during the entire period of data processing at the following contact details: Phone number: (+ 36-1) 489-0716, E-mail: firstname.lastname@example.org, further enforcement In this case, they can also apply to the competent data protection authority (www.naih.hu, Phone number: + 361-391-1400) or to a court.https://www.facebook.com/flowboulderhungary