VIDEO SURVEILLANCE POLICY AT INA GROUP SITES MANAGED BY INA, d.d.
(1) This Video Surveillance Policy at INA Group sites managed by INA, d.d. (hereinafter: Video Surveillance Policy) refers to all video surveillance systems set up and operating in the facilities/premises at INA, d.d. sites (hereinafter: INA), as well as to all video surveillance systems operating in the facilities / premises of INA Group companies managed by INA, d.d. (hereinafter: Affiliated company)
(2) INA and the relevant Affiliated Company use video surveillance system in the facilities/premises at the sites of INA and the relevant Affiliated Company throughout the Republic of Croatia with the objective of protecting the facilities and other related assets owned by INA, i.e. by the relevant Affiliated Company, and persons: employees, other staff, suppliers, business partners, customers and visitors, as well as all other persons arriving to, moving about and using the abovementioned assets. In order to achieve these objectives, video surveillance systems are used to reconstruct and investigate security incidents (including the possible malfunctions that may indicate potential security incidents), potential hazards or unauthorized access to protected areas.
(3) INA is an independent video surveillance controller on the premises owned by INA, i.e. INA and the relevant Affiliated Company are considered joint video surveillance controllers on the premises owned by the relevant Affiliated Company.
(4) In order to ensure the proper functioning of video surveillance at certain INA Group locations (where possible), live feed may be transmitted to the MOL Group’s security operations center. In relation to the stated purpose, MOL Plc. as a parent company is the joint controller of personal data.
(5) The processing of personal data by means of video surveillance is based on applicable regulations governing financial operations (Act on Protection of Monetary Institutions) and the legitimate interest of protecting persons and assets, achieved by controlling entry and exit from the site, as referred to in paragraph 2 of this section, and reducing the exposure of the persons referred to in the same paragraph to the risk of robbery, burglary, violence, theft, work-related irregularities and similar occurrences. The analysis of the legitimate interest of the controller and data subjects (balancing test) has shown that regarding video surveillance, the legal, economic and other interests of the data controller prevail over the interests of data subjects.
2 LEGAL BASIS AND INFORMING
(1) The processing of personal data by means of video surveillance is carried out in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (“General Data Protection Regulation”), the Act on the Implementation of the General Data Protection Regulation, the Act on Protection of Monetary Institutions and other applicable regulations used for regulating the subject area, as well as in accordance with the internal documents valid in the relevant companies of INA Group. Each video surveillance system is designed and installed in accordance with the provisions of the Private Protection Act, the Occupational Health and Safety Act and the Regulation on the Conditions and Methods of Implementing Technical Security Measures.
(2) In relation to data processing for the purpose of ensuring the proper functioning of the video surveillance system within the INA Group, a live feed shall be transmitted to MOL Plc. group security operations center. Data processing for this purpose is based on legitimate interest. In addition, the legitimate interest means ensuring the proper functioning of the video surveillance system in order to ensure the interests of MOL Group companies in protecting persons and assets, as well as to ensure the possibility of complying with the legal obligation of the video surveillance system (where applicable).
(3) For each of the video surveillance locations, a risk analysis is performed, i.e. the assessment of the impact that video surveillance installation would have on employees and all other natural persons referred to in section 1, paragraph 2 over whom the video surveillance is carried out.
(4) INA as the controller, i.e. INA and the relevant Affiliated Company as joint controllers, shall inform all data subjects that video surveillance is performed, using a special notice at the location where video surveillance has been set up.
(5) INA business partners, which provide services at INA sites as part of the service station partnership management system or in another way, shall inform their employees about the collection of their personal data by means of video surveillance at a particular site. They shall also:
• take action to prevent any misuse of such personal data;
• act in accordance with the applicable regulations governing the processing and protection of personal data.
(6) A special notice shall be placed in all facilities or premises where video surveillance has been set up. The video surveillance notice is made in accordance with the best applicable business practices at the time, in a format which is visible and transparent with regard to the data subjects and shall, along with the symbol or image of the video surveillance camera, contain at least the following brief information in Croatian and English:
• Contact information of the data controller (one or several),
• contact information of the data protection officer that data subjects can address,
• General information on video surveillance (whether video surveillance is carried out continuously, recording retention period and other relevant information),
• Concise information on the purpose and legal basis of data processing,
• Brief information on data subject rights,
• Information on where more details can be found regarding data processing by means of video surveillance and exercising data subject rights (at the service station/reception of the building, on the website – where it is also possible to use a QR code for easier access to information, etc.).
(7) The notice that a certain location is under video surveillance when referring to more information on the processing of personal data by means of video surveillance and the manner of exercising data subject rights shall refer to the Information on the processing of personal data by means of video surveillance published on INA’s website .
(8) The notice that the location is under video surveillance must be placed in such a way that the data subject sees it when entering the perimeter of the area under surveillance at the latest.
(9) Upon entry into the perimeter or facility/room under video surveillance, where the Notice referred to in paragraph 6 of this section is placed, all persons referred to in section 1, paragraph 2 shall be deemed to have been informed on the processing of personal data by means of video surveillance.
3 RIGHT OF ACCESS AND DATA PROTECTION
(1) Video surveillance equipment (cameras, recorders, routers) is part of the INA business network, but it is a part of separate, virtually partitioned network segment (VLAN). For access purposes, access lists are created and placed on the router of each site. The access list precisely states the employees who have access to the video surveillance equipment. The access list is kept in INA Corporate Security.
(2) Access to and management of video surveillance devices is handled by employees of INA Corporate Security who compile an access list for video surveillance systems. Downloading video surveillance recordings from video recorders and/or storage devices can only be done by INA Corporate Security employees and persons authorized by them. INA Corporate Security employees may assign the right of access to video surveillance recordings, for the purposes of performing their duties, to employees of the contractual security service, managers and employees at the individual sites where video surveillance has been set up. The right of access to video recordings may also be assigned to the employees of the company in charge of the of the video surveillance system maintenance.
(3) In relation to the live feed, the right of access to video recordings (without storage) is assigned to the group security operations center located in MOL Plc. Furthermore, in case of emergencies and circumstances that may affect the normal functioning of the INA Group Security Operations Center, all activities of regular management of the video surveillance system shall be taken over by the MOL Group Security Operations Center.
(4) All video recordings must be clearly identified (marked) by date, time and place of origin, including a unique way of marking individual cameras.
(5) INA has set up an event log system for keeping records of access to video surveillance recordings, which will show the time and place of access as well as the identification of the person who accessed the data.
(6) Video recordings on video recorders and/or storage devices are stored in accordance with the legally prescribed deadlines, up to a maximum of 30 days, depending on the capacity of the recorder or data storage device, after which they are automatically deleted. In cases where the Act on the Protection of Monetary Institutions forms the legal basis for video surveillance, video recordings must be kept for a minimum of 168 hours from the moment the recording was made and cannot be deleted during that period.
(7) In the event that certain recordings are necessary for the purposes of establishing or defending legal claims in court, administrative, arbitration or other equivalent proceedings, INA Corporate Security will put away the subject recordings and store them until the proceedings are completed.
(8) All videos are the property of INA, d.d. and the relevant Affiliated Company and therefore are considered a business secret. INA, d.d. and the affiliated company will not submit video recordings or make them available to unauthorized persons in any manner and in any form. Such actions are strictly prohibited.
4 COOPERATION WITH PUBLIC AUTHORITIES, EXERCISE OF DATA SUBJECT RIGHTS
(1) Public authorities, in relation to the performance of activities within the scope of their competence stipulated by law and under the conditions prescribed by law, have the right of access and right to the delivery of the video surveillance recordings. INA Corporate Security is in charge of cooperation with public authorities. In case of doubt or other relevant issues, INA Corporate Security will contact INA Legal Affairs and, if necessary, INA Data Protection Officer.
(2) Data subjects have the right to request the exercise of their rights prescribed by the General Data Protection Regulation, as described in detail in the Information on the processing of personal data by means of video surveillance, published on INA’s website.
(3) The request for exercising rights is referred to the Data Protection Officer. In the event that the request for exercising the rights of the data subjects is delivered to INA Corporate Security, the request shall be forwarded to the INA Data Protection Officer as soon as possible.
(4) The Data Protection Officer will take over the request and, in cooperation with all the relevant organizational units, coordinate the exercise of rights, i.e. communicate to the data subjects why it is not possible to exercise a certain right in a specific case.
(5) INA Data Protection Officer, as well as other persons involved in the procedure described in this section, are obliged to comply with the applicable internal rules of INA Group regarding personal data protection and the exercise of data subject rights while taking action on the data subjects’ requests.
5 LAWFUL USE OF VIDEO SURVEILLANCE
(1) Video surveillance systems can be used solely for the purpose of protecting people and assets, as defined in this Policy. The use of video surveillance must be in accordance with all applicable regulations, especially the Act on Protection of Monetary Institutions, the Occupational Health and Safety Act, the General Data Protection Regulation and the Act on the Implementation of the General Data Protection Regulation. Any use of video surveillance which does not comply with the aforementioned shall be considered unauthorized and unlawful use of video surveillance and is strictly prohibited as such.
6 PROCEDURE IN CASE OF PERSONAL DATA BREACH
(1) In the event that a certain person notices a possible personal data breach, they will notify the competent responsible person/manager or employee authorized for personal data protection without delay, and they shall inform the INA Data Protection Officer thereof without undue delay.
(2) Further procedure is regulated by the applicable internal rules laid down in the Plan of Action in Case of Personal Data Breach.
Zagreb, December 2022