CCTV POLICY

Tiffany Investments Ltd / MIM Services Ltd: CCTV Policy

CONTENTS

____________________________________________________________

About this policy
1. We, Tiffany Investments Ltd / MIM Services Ltd, use CCTV cameras to view and record individuals on and around our premises in order to maintain a safe environment for staff and visitors. However, we recognize that the images of individuals recorded by CCTV cameras are personal data which must be processed in accordance with data protection legislation.
2. The purpose of this policy is to:
  1. outline why and how we will use CCTV, and how we will process data recorded by CCTV cameras.
  2. ensure that the legal rights of staff, relating to their personal data, are recognized and respected.
  3. assist staff in complying with their own legal obligations when working with personal data. In certain circumstances, misuse of information generated by CCTV or other surveillance systems could constitute a criminal offence.
  4. explain how to make a subject access request in respect of personal data created by CCTV.
3. This policy does not form part of any contract of employment or other contract to provide services, and we may amend it at any time.
4. A breach of this policy may, in appropriate circumstances, be treated as a disciplinary matter. Following investigation, a breach of this policy may be regarded as misconduct leading to disciplinary action, up to and including dismissal.
Who does this policy apply to?
1. This policy applies to all employees, officers, consultants, self-employed contractors, casual workers, agency workers, volunteers, and interns. It also applies to anyone visiting our premises or using our vehicles.
Who is responsible for this policy?
1. The General Manager has overall responsibility for the effective operation of this policy. The General Manager has delegated responsibility for overseeing its implementation to the Data Protection Officer (DPO). Questions about the content of this policy or suggestions for change should be reported to the DPO.
2. Any questions you may have about the day-to-day application of this policy should be referred to the DPO in the first instance at [email protected] .
3. This policy is reviewed annually. We, Tiffany Investments Ltd / MIM Services Ltd, will also review the ongoing use of existing CCTV cameras in the workplace at least every twelve [12] months to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
Definitions
1. For the purposes of this policy, the following terms have the following meanings:

CCTV: means fixed and domed cameras designed to capture and record images of individuals and property.
Data: is information, which is stored electronically, or in certain paper-based filing systems. In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.
Data subjects: means all living individuals about whom we hold personal information as a result of the operation of our CCTV (or other surveillance systems).
Personal data: means data relating to a living individual who can be identified from that data (or other data in our possession). This will include video images of identifiable individuals.
Data controllers: are the people who, or organizations which, determine the manner in which any personal data is processed. They are responsible for establishing practices and policies to ensure compliance with the law. We are the data controller of all personal data used in our business for our own commercial purposes.
Data users: are those of our employees whose work involves processing personal data. This will include those whose duties are to operate CCTV cameras and other surveillance systems to record, monitor, store, retrieve and delete images. Data users must protect the data they handle in accordance with this policy and our Data Protection Policy.
Data processors: are any person or organization that is not a data user (or other employee of a data controller) that processes data on our behalf and in accordance with our instructions (for example, a supplier which handles data on our behalf).
Processing: is any activity which involves the use of data. It includes obtaining, recording or holding data, or carrying out any operation on the data including organizing, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring personal data to third parties.
Surveillance systems: means any devices or systems designed to monitor or record images of individuals or information relating to individuals. The term includes CCTV systems as well as any technology that may be introduced in the future such as automatic number plate recognition (ANPR), body worn cameras, unmanned aerial systems and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.

Reasons for the use of CCTV
1. We currently use CCTV as outlined below. We believe that such use is necessary for legitimate business purposes, including:
  1. to prevent crime and protect buildings and assets from damage, disruption, vandalism and other crime;
  2. for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime;
  3. to support law enforcement bodies in the prevention, detection and prosecution of crime;
  4. to assist in day-to-day management, including ensuring the health and safety of staff and others;
  5. to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings;
  6. to assist in the defense of any civil litigation, including employment tribunal proceedings;
  7. To ensure no unauthorized persons enter into a dangerous area.
  8. To check on the behavior and working practices of outside contractors.
  9. To monitor traffic flow around the building, and unauthorized/dangerous parking.

This list is not exhaustive and other purposes may be or become relevant.

Monitoring
1. CCTV monitors the exterior of the building and both the main entrance and secondary exits 24 hours a day, and this data is continuously recorded. All cameras are used in all building common areas only, more specifically:

Basement: around the Ice Rink and until the façade of the shops, and one camera inside the security control room.
Ground floor and first floor: cameras in the public hallways and until shops’ façade.
Emergency stairs, main building entrances and outside the lifts.
Inside compactor rooms, in all parking areas and parking main entrances and exits.
In all service corridors.

Camera locations are chosen to minimize viewing of spaces not relevant to the legitimate purpose of the monitoring. All CCTV cameras focus on MYMALL premises. As far as practically possible, CCTV cameras will not focus on private homes, gardens, or other areas of private property.
Surveillance systems will not be used to record sound.
Images are monitored by authorized personnel 24 hours a day, every day of the year.
Staff using surveillance systems are given appropriate training to ensure they understand and observe the legal requirements related to the processing of relevant data.

How we will operate any CCTV
1. Where CCTV cameras are placed in the workplace, we will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organization operating the system, the purpose for using the surveillance system and whom to contact for further information, where these things are not obvious to those being monitored.
2. Live feeds from CCTV cameras will only be monitored where this is reasonably necessary, for example to protect health and safety.
3. We will ensure that live feeds from cameras and recorded images are only viewed by approved members of staff whose role requires them to have access to such data. This may include HR staff involved with disciplinary or grievance matters. Recorded images will only be viewed in designated, secured offices.
Use of data gathered by CCTV
1. In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
2. We may engage data processors to process data on our behalf. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
Retention and erasure of data gathered by CCTV
1. Data recorded by the CCTV system will be stored on the hard discs of NVR (Network Video Recorder) and DVR (Digital Video Recorder) devices, which are kept in the server room inside the control room. These devices have codes which are exclusively accessible to the security manager. When an incident occurs, the CCTV footage is cut by the security guard supervisor and stored in the PC located inside the control room. Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. We will maintain a comprehensive log of when data is deleted. Once erased, the data cannot be retrieved.

Exactly how long images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for crime prevention purposes, data will be kept long enough only for incidents to come to light. For other incidents, recorded images will be kept for no longer than 10 years. Regular, daily CCTV footage is automatically deleted after 10-20 days.

At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.

Use of additional surveillance systems
1. Prior to introducing any new surveillance system, including placing a new CCTV camera in any workplace location, we will carefully consider if they are appropriate by carrying out a privacy impact assessment (PIA).
2. A PIA is intended to assist us in deciding whether new surveillance cameras are necessary and proportionate in the circumstances and whether they should be used at all or whether any limitations should be placed on their use.
3. Any PIA will consider the nature of the problem that we are seeking to address at that time and whether the surveillance camera is likely to be an effective solution, or whether a better solution exists. In particular, we will consider the effect a surveillance camera will have on individuals and therefore whether its use is a proportionate response to the problem identified.
4. No surveillance cameras will be placed in areas where there is an expectation of privacy (for example, in rest rooms or changing rooms).
Covert monitoring
1. We will never engage in covert monitoring or surveillance (that is, where individuals are unaware that the monitoring or surveillance is taking place) unless, in highly exceptional circumstances, there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, we reasonably believe there is no less intrusive way to tackle the issue.
2. In the unlikely event that covert monitoring is considered to be justified, it will only be carried out with the express authorization of Data Protection Officer (DPO). The decision to carry out covert monitoring will be fully documented and will set out how the decision to use covert means was reached and by whom. The risk of intrusion on innocent workers will always be a primary consideration in reaching any such decision.
3. Only limited numbers of people will be involved in any covert monitoring.
4. Covert monitoring will only be carried out for a limited and reasonable period of time consistent with the objective of making the recording and will only relate to the specific suspected illegal or unauthorized activity.
Requests for disclosure
1. We may share data with our insurance company and/or our lawyers and/or the police, where we consider that this is reasonably necessary for any of the legitimate purposes set out above in 5.1.
2. No images from our CCTV cameras will be disclosed to any other third party, without express permission being given by the DPO. Data will not normally be released unless satisfactory evidence that is required for legal proceedings or under a court order has been produced.
3. In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
4. We will maintain a record of all disclosures of CCTV footage.
5. No images from CCTV will ever be posted online or disclosed to the media.
Subject access requests
1. Data subjects may make a request for disclosure of their personal information, and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing at [email protected], in accordance with our Privacy Notice, which is available on our website [add link] OR from the DPO.
2. In order for us to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
3. We reserve the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where we consider it necessary to do so.
Complaints
1. You have the right to make a complaint at any time to the Data Protection Commissioner’s Office, the Republic of Cyprus’ supervisory authority for data protection issues, at:

1 Iasonos Street,

1082 Nicosia, Cyprus

Tel.: +357 22 818 456

Fax: +357 22 304565

E-mail: [email protected]

If any member of staff has any concerns about our use of CCTV, they should contact the Data Protection Officer (DPO) in the first instance by sending an email to [email protected]

Requests to prevent processing
1. We recognize that, in rare circumstances, individuals may have a legal right to object to processing and in certain circumstances to prevent automated decision making (see Articles 21 and 22 of the General Data Protection Regulation (EC) 2016/679 (GDPR)). For further information regarding this, please contact the DPO at [email protected]

– END OF DOCUMENT –

Cookie	Type	Duration	Description
cookielawinfo-checkbox-necessary	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
PHPSESSID	persistent	1 year	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	persistent	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	persistent	1 year	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
_ga	persistent	1 year	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat_gtag	persistent	1 year	Identification code of website for tracking visits.
_gid	persistent	1 year	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_hjid	persistent	1 year	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	persistent	1 year	This cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc.
has_recent_activity	persistent	1 year	This cookie is used to signal to the code repository website if the user has browsed other website resources during the current session.
tk_ai	persistent	1 year	Gathers information for our own, first party analytics tool about how our services are used. A collection of internal metrics for user activity, used to improve user experience.
tk_lr	persistent	1 year	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_or	persistent	1 year	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_qs	persistent	1 year	Gathers information for our own, first party analytics tool about how our services are used. A collection of internal metrics for user activity, used to improve user experience.
tk_r3d	persistent	1 year	The cookie is installed by JetPack. Used for the internal metrics fo user activities to improve user experience

Cookie	Type	Duration	Description
_fbp	persistent	1 year	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	persistent	1 year	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.

CCTV POLICY

Opening Hours & Public Holidays

Shops:

Entertainment:

Dining:

cafes:

Public HOLIDAYS

Easter holidays

Stay up to date with our
latest news & updates.

Shops:

Entertainment:

Dining:

cafes:

Public HOLIDAYs

1/5 - SHOPS ARE CLOSED, DINING & ENTERTAINMENT IS OPEN

eASTER PERIOD:

3/5 & 4/5 - SHOPS CLOSE AT 6PM
5/5 - MYMALL IS CLOSED ( EASTER SUNDAY)
6/5 - SHOPS ARE CLOSED - DINING & ENTERTAINMENT IS OPEN

CCTV POLICY

Opening Hours & Public Holidays

Shops:

Entertainment:

Dining:

cafes:

Public HOLIDAYS

Easter holidays

Stay up to date with our latest news & updates.

Shops:

Entertainment:

Dining:

cafes:

Public HOLIDAYs 1/5 - SHOPS ARE CLOSED, DINING & ENTERTAINMENT IS OPEN

eASTER PERIOD:3/5 & 4/5 - SHOPS CLOSE AT 6PM 5/5 - MYMALL IS CLOSED ( EASTER SUNDAY)6/5 - SHOPS ARE CLOSED - DINING & ENTERTAINMENT IS OPEN

Stay up to date with our
latest news & updates.

Public HOLIDAYs

1/5 - SHOPS ARE CLOSED, DINING & ENTERTAINMENT IS OPEN

eASTER PERIOD:

3/5 & 4/5 - SHOPS CLOSE AT 6PM
5/5 - MYMALL IS CLOSED ( EASTER SUNDAY)
6/5 - SHOPS ARE CLOSED - DINING & ENTERTAINMENT IS OPEN