CCTV Policy

Information on the processing of personal data through video surveillance system (Second Level Update)

1. 1. Controller

The Controller is the Société Anonyme under the name "Capo di Corfu Société Anonyme Hotel and Tourism Enterprises", which is based in Aigaleo, Attica, 6 Kifissos Avenue, Greek General Commercial Register No 899650100 and VAT No 094539435, Athens Tax Office of Commercial Companies, telephone + 302662029077 and e-mail address info-cdc@ellaresorts.com .

1. 2. Data Protection Officer

Maria Bouziou daughter of Spyridon, lawyer of Athens (Registration No ΣΔΑ 39902), e-mail address info-cdc@ellaresorts.com is appointed as Data Protection Officer.

1. 3. Processing purpose

The monitoring of the areas of the hotel unit aims at protecting the facilities and equipment in them (protection of goods), as well as the protection of natural persons residing or working within its facilities or occasionally using some of the services offered within them by the Controller (protection of natural persons).

1. 4. Legal basis of processing

The processing of personal data through the video surveillance system is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 par. 1(f) of the General Data Protection Regulation 2016/679/EU).

1. 5. Legitimate interests of the Controller

The legitimate interest of the Controller consists in the need for it to protect the facilities of its hotel unit, including the goods in it, from illegal actions, such as theft, unauthorized entry and vandalism, as well as from natural phenomena that are capable of causing damage, such as fire. Furthermore, the Controller seeks to ensure, through video surveillance, the safety, physical integrity, health and property of natural persons within the facilities of the hotel unit (employees, customers, partners, guests).

The installation of a closed video surveillance system in entrance areas is a necessary mean for the protection of the customers and the facilities of the hotel unit, as the persons and vehicles entering the hotel facilities are recorded and checked. Pursuant to the above, in the event of a suspicious or damaging incident, recourse to the recorded visual material is deemed necessary in order to prevent risk from occurring or to find any responsible persons.

The Controller collects image data exclusively from the facilities, for which it considers on grounds that they present an increased likelihood of committing illegal actions (data minimization). In addition, the Controller states that its processing of data through the video surveillance system does not extend to areas where it may unduly restrict the privacy of the persons whose image is taken.

1. 6. Addresses

The material recorded by the video surveillance system shall be accessible only to the Controller's authorized personnel. The Controller shall take all appropriate and necessary measures to ensure the safety of the area where the kept material is stored. The kept material is not disclosed, communicated or transferred to any third party, except for the following limited cases:

(A) to the competent judicial, prosecutorial and police authorities, when it includes elements necessary for the investigation of a criminal offence,

(B) to the competent judicial, prosecutorial and police authorities, when requesting legal data in the performance of their duties; and

(C) to the victim or perpetrator of a crime, when it comes to data which may be evidence of the act.

1. 7. Storage period

The Controller shall retain the personal data collected only for the necessary period to achieve the purposes of the processing (limitation of storage period). Downloads are stored for a period of seven (7) days from the moment of recording. After the above period, the downloads are automatically deleted.

In the event that during the retention period of the personal data recorded (seven days from the moment of the recording) an incident is found or disclosed, the Controller shall isolate the part of the video during which the incident in question takes place and keep it (a) for thirty (30) working days, if the incident affects the legitimate interests of the surveillance officer itself and (B) three (3) months, if the incident concerns the legitimate interests of a third party.

1. 8. Rights of data subjects

The Controller shall ensure and facilitate the exercise of the rights of data subjects. In particular, as data subjects you have the right to:

(a) receive information from the Controller regarding whether the personal data concerning you are being processed and, if so, to access them (right of access).

(B) request the deletion of personal data concerning you (right of deletion).

(C) object, at any time, to the processing of personal data concerning you (right of objection).

(d) ask the Controller to restrict the processing of personal data concerning you (for example, you may request the deletion of all your data, other than what you consider necessary for the establishment or exercise of your legitimate claims) (right of restriction).

As subjects of personal data, you are entitled to exercise the above rights by sending a message to the e-mail address info-cdc@ellaresorts.com or a letter to our aforementioned postal address.

For the effective examination of your requests, you shall, on the one hand, determine the time during which you were within the reach of the video surveillance system and, on the other hand, provide an image of you, in order to facilitate the identification of your own data and the concealment of the data of third parties depicted. Alternatively, the Controller gives you the opportunity to come to its facilities, where it will show you the images (photos or videos) in which you appear.

The Controller undertakes to satisfy the requests submitted in accordance with the above without delay and, in any case, within thirty (30) days from their submission. The Controller may extend the above deadline for the satisfaction of requests by sixty (60) more days, if it takes into account the complexity and the number of requests being processed. In any case, the Controller undertakes, within thirty (30) days from the receipt of the requests, to inform the data subjects about the possible extension granted, as well as the specific reasons for the delay of satisfaction of the respective rights.

1. 9. Right to file a complaint with a supervisory authority

In case you consider that the processing of personal data concerning you violates the provisions of the General Data Protection Regulation (EU) 2016/679, of Law 4624/2019 and the applicable legislation, you have the right to file a complaint with the competent Greek Supervisory Authority: Data Protection Authority (1-3 Kifissias Avenue P.C.: 115 23, Athens, www.dpa.gr).