CCTV Policy

Video-Surveillance Policy of NBG Pay

NBG Pay uses a video-surveillance system to protect its premises, staff, visitors, assets and information.

Video-Surveillance Systems are those systems that are permanently installed in a premise and have the ability to capture and/or transmit video (and/or audio) to projection screens or recording equipment, such as a closed circuit television (CCTV) system.

This Policy outlines the terms of the operation of NBG Pay’s video-surveillance system and sets out the security measures to be taken in order to protect the personal data, the right to privacy and other fundamental rights and legitimate interests of the individuals whose personal data may be recorded.

  1. Who is responsible for the processing of personal data?

NBG Pay (NBG Pay S.A., registered in the General Commercial Register (G.E.M.I.) with G.E.M.I. number 164307201000, tax identification number (TIN) 801839155, FAE Athens Tax Office, and headquarters in Athens, 74 Pireos Street, P.C. 183 46) is responsible for the processing of personal data.

As a Data Controller, NBG Pay has all the obligations arising from the General Data Protection Regulation [Regulation (EU) 2016/679 (GDPR)], Law No. 4624/2019, the Directives of the Data Protection Authority (DPA) (such as Directive 1/2011 “Use of video surveillance systems for the protection of persons and property) and the relevant European Data Protection Board Directives (Guideline 3/2019 on processing of personal data through video devices).

NBG Pay has formulated this policy after confirming that the video surveillance system is absolutely necessary and the intended level of security and protection of persons and property cannot be achieved by less intrusive means.

  • What is the purpose of the processing?

NBG Pay uses the video-surveillance system for the sole purposes of security and access control in its premises.

The video-surveillance system helps to control access to NBG Pay’s building and to ensure the security of the building, the staff and visitors, as well as the security of property and information located or stored on the premises. It complements other physical security systems such as access control systems and forms part of the measures supporting NBG Pay’s broader security policies, by helping to prevent, deter and, if necessary, investigate unauthorized access, including unauthorized access to secure premises, protected rooms,  infrastructure or operational data. 

In addition, video-surveillance helps prevent, detect and investigate theft of equipment or other assets owned by NBG Pay, visitors or  staff, and threats to the safety of visitors or personnel working in the premises (e.g., fire, physical assault).

In the context of the above purposes, NBG Pay has additionally installed an access control system at the entrances/exits of the floors of its facilities, where the access of the staff is taking place with the use of a  individual card. Each employee of NBG Pay is provided with such technology card, the use of which, upon entry/exit, fills specific data in a database such as the card number, the name of the controlled area, the date and time of use and whether it is for access or exit to the controlled area. According to Law 4624/2019, the data collected through the system is not used by the employer to monitor the work of employees or to evaluate the behavior and efficiency of employees.

  • What is the legal basis for the processing?

NBG Pay uses the video-surveillance system in order to protect persons and property. The processing is necessary for the purposes of legitimate interests pursued by NBG Pay as controller (Article 6(1)(f) GDPR) and in particular for the purposes of protecting the premises, assets and persons present in the premises (e.g. theft, damage to property).

  • What personal data is processed?

For the above purposes, NBG Pay collects solely image data and specifically, digitally recorded video (not audio) and limits the surveillance to places where it has been assessed that there is an increased likelihood of committing illegal acts (e.g. theft), without focusing on places where the privacy of the persons whose image is captured may be disproportionally restricted.

In particular, in order to ensure the protection of privacy, NBG Pay has provided the following:

– The video-surveillance system does not record (zoom or pan) or conducts special processing (such as indexing of extracted data, feature analysis) to the recorded images that reveal “special categories of data”.

– Video-surveillance cameras are fixed, not capable of real-time panning and zooming.

– The video-surveillance system does not have microphones and does not receive, transmit or process audio data.

– Access to the video-surveillance data shall be strictly limited to a small number of clearly defined and specially trained operators.

– The video-surveillance system shall not be used for any other purpose. In any case, data collected by a video-surveillance system shall not be used to monitor and evaluate the work of employees or to control attendance.

– No data resulting from the capture of images from side streets and/or pavement shall be processed, nor from entrances or interiors of neighboring dwellings or buildings

– No image capture shall take place in areas where the hard core of the right to privacy is infringed, such as toilet rooms and vestibules, staff/client changing rooms and bathrooms, etc.

  • Who are the recipients of the personal data recorded;

The processing of the personal data obtained from the images recording through the video surveillance system has been entrusted by NBG Pay as the Data Controller, to the security service provider with the name “G4S Private Enterprise for the Provision of Manned Technical Security Services” and distinctive title “G4S Secure Solutions S.A.” having its registered office in Metamorfosi, Attica, at 7 Sorou Street, with Tax Identification Number 094500633 FAE Athens Tax Office, and GEMI No. 00274560100 (“G4S“), which processes the recorded data as the processor, pursuant to a signed contract, which precisely provides for the terms and obligations of the parties with regard to the processing of personal data, as defined in the GDPR, Articles 24 and 28.

Recipient of the recorded personal data is also a) the National Bank of Greece SA and b) the company with the trade name “Centrum Elektronicznych Usług Płatniczcyh eService Sp. z o.o.”, which provide implementation and technical support services for the video surveillance system and process the personal data as processors on behalf of and in accordance with the instructions of NBG Pay.

Access to the recorded material is granted solely to specifically authorised employees of NBG Pay and the processor G4S, while direct viewing is only possible for specific and authorised employees of NBG Pay and the processing company G4S. In particular, the live video is accessible to security guards who work for the security company G4S.

The employees authorised to monitor the recording system are aware of the purpose of the processing and the permitted use of the personal data recorded by the video-surveillance system, and are bound by relevant confidentiality clauses.

In any case, the personal data recorded shall not be disclosed or transmitted to third parties except with the consent of the individuals depicted in the relevant records.

Exceptionally, your data may be transmitted to public authorities as well as other third parties when required by applicable law, including, among other things, in order for NBG Pay to comply with court orders, as well as in the case of legal incidents, where competent judicial, prosecutorial, and police authorities, within the scope of their competences, lawfully request data, which are useful during the investigation and preliminary examination of the aforementioned incidents, and in any case the Data Protection Officer is immediately informed.

  • Are your personal data transferred to a third country (non-EU Member State) or to an international organisation?

Your personal data are not transferred to a third country or international organisations.

  • How can you exercise your rights?

In the context of the above processing purposes, you have the following rights:

– Right of access: you have the right to know whether we are processing your image and, if so, to receive a copy of it.

– Right to erasure: you have the right to request the erasure of your data.

– Right to object: you have the right to object to the processing of your data.

– Right to restrict processing: you have the right to request that we restrict processing.

To exercise your rights, you can send your query to dpo@globalpay.com and privacy@nbgpay.com.

In order for us to consider a request relating to your image, you will need to identify approximately when you were in range of the cameras and provide us with an image of you to help us identify your own data and hide the data of third parties depicted. Once the images of third parties have been hidden, we give you the option of coming to our premises to show you the images in which you appear.

Please note that the exercise of a right to object or erasure does not imply the immediate deletion of data or modification of processing,

We will respond to your queries free of charge without delay, and in any case within (1) one month or – under certain conditions – within two (2) months from the date we receive your request.          

In case you do not receive a response within the prescribed period or the response you received was not satisfactory or your issue has not been resolved, you may contact the Data Protection Authority – DPA (www.dpa.gr) and lodge a complaint (more information on the right to lodge a complaint with the DPA by data subjects and the ways to exercise it at the link: https://eservices.dpa.gr in accordance with the instructions of the authority at the link https://www.dpa.gr/el/polites/katagelia_stin_arxi.

  • How long are your personal data kept for?

In accordance with our PCI-DSS obligations, the recorded material is retained in a safe place for a maximum period of thirty (30) days and then the data is automatically deleted from the system. In the event of a security-related incident, the relevant recorded material is extracted from the system and retained for up to thirty (30) more days in order to investigate the incident and initiate legal proceedings to defend our legitimate interests, and if the incident involves a criminal act and prosecutions are brought, we will retain the video for up to three (3) more months.

  • Are the personal data collected used for automated decision-making, including profiling?

NBG Pay does not use your personal data to make automated decisions about you. An “automated decision” is defined as a decision that is made, without human intervention. You have the right to opt out of automated processing at any time and to request that decisions be evaluated by a natural person.

  1. Will your personal data be further processed for a purpose other than that for which the data were collected?

Your personal data will not be further processed for a purpose other than that for which they were obtained.

  1. Who can you contact with if you have any questions or complaints?

For any questions relating to the processing of your personal data, please contact us at dpo@globalpay.com and privacy@nbgpay.com.

  1. Future changes to the current policy

NBG Pay intends to periodically review this policy to reflect changes in its policies and practices. If NBG Pay amends this Policy,  the date below will be updated accordingly.

Date of Last Update: 01/09/2023

____________________