The Camera Regulations enter into force:
Budapest, on September 14, 2020

1. Purpose of the policy

The purpose of these regulations (hereinafter: “Regulations”) is to ensure that Pro Gyno-Med Kft., as a data controller and as an employer (hereinafter: “Institution”), uses the electronic image monitoring system installed at its headquarters in accordance with European Union and Hungarian law on the right to informational self-determination of the affected persons (including employees of the Institution and persons in a legal relationship with the Institution for other work purposes, hereinafter: “Employees”; as well as patients and other visitors visiting the Institution, as persons affected by camera surveillance, hereinafter collectively: “Data Subjects”), transparently, and with full respect for the constitutional and personal rights of the Data Subjects.

The regulation also aims to define in detail the data management rules related to the operation of the surveillance camera system, in particular:

  • the rules regarding data recording,
  • regulations for the use of recorded data,
  • the order of data transmission and access rights,
  • the data deletion obligation.

2. Scope of the policy

The territorial scope of these regulations covers the areas of VILLA MEDICINA monitored by cameras.

The personal scope of these regulations covers persons in a legal relationship for employment at the VILLA MEDICINA institution, as well as patients and natural persons visiting the Institution.

The material scope of these regulations covers all data management and data processing that applies to data recorded by the Institute’s cameras.

3. The purpose of camera surveillance

The purpose of camera surveillance is to protect the security of the building used by the Institution and the assets, equipment, technical items, and valuables affected by the surveillance, to protect their value and condition, as well as to protect and ensure the life, physical integrity and property of the persons staying in the monitored area, to prevent unlawful actions, to detect violations, and to provide proof within the framework of official or court proceedings.

The camera system operated for these purposes is a safety technology solution that serves to prevent accidents and illegal acts involving damage, as well as to detect violations and prove them in the framework of official or court proceedings.

The scope of the processed data: the likeness of the persons concerned, the behavior affected by the surveillance, as well as the data that can be obtained with the camera image (place of stay, time of stay).

4. The regulations to be considered

Member State or EU legislation considered when preparing the regulations:

  • Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
  • Act CXXXIII of 2005 on personal and property protection, as well as the rules of private detective activity (hereinafter: Szvtv.)
  • Act I of 2012 on the Labor Code (hereinafter Mt.)
  • Regulation No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR)
  • Information from the National Data Protection and Freedom of Information Authority on the basic requirements for data management in the workplace
  • Recommendation of the National Data Protection and Freedom of Information Authority on the basic requirements of the electronic monitoring system used in the workplace

5. Interpretative provisions

Surveillance camera system: the devices and solutions that, by placing and operating cameras, enable the remote monitoring of the area, the taking of images with the cameras, the storage of the recordings, and the transmission of data.

Area: An area within the jurisdiction of the Institution that can be identified in the real estate register as a plot of land used by the Institution (or as an operational area within it).

Personal data: “personal data” according to Article 4 GDPR: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

Data controller: GDPR Article 4.2 “data management”: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or other means of making available, coordination or connection, restriction, deletion or destruction.

Data management: GDPR Article 4.2 “data management”: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or other means of making available, coordination or connection, restriction, deletion or destruction.

Data transmission: data transfer according to Section 3.11 of the Infotv.: making the data available to a specific third party.

Data deletion: data erasure according to Section 3.13 of the Infotv.: rendering the data unrecognizable in such a way that its recovery is no longer possible.

Data destruction: data destruction according to Section 3.16 of the Infotv.: complete physical destruction of the data carrier containing the data.

Data processor: data processor according to § 3, point 18 of the Infotv.: the natural or legal person or organization without legal personality who processes data on the basis of a contract, including a contract concluded under the provisions of the law.

6. The area surveillance camera system

6.1 Structure of the system

The area surveillance camera system consists of the following parts:

  • the cameras placed in the area,
  • the central monitoring and recording room with the necessary tools and technical solutions.

6.2. Cameras placed in the area

A camera may be placed and operated in the area only in accordance with the provisions of these regulations and in accordance with the decision to place the camera. The cameras can therefore be placed in the place specified by the regulations in such a way that they are suitable for monitoring the area included in the regulations.

The inspection service decides on the exact location of the cameras, considering the visibility of the area to be monitored. In justified cases, it can make a proposal to the head of the Institution for the placement of several cameras to accurately monitor a given area.

The cameras must be placed in a clearly visible location. Information on the fact of the operation of the posted cameras must be posted at all monitored locations.

The information must include at least:

  • the location of the cameras,
  • the order of data management.

The information must be placed in such a way that the information becomes visible to persons wishing to enter the area before the observation. The information must be displayed in a clearly visible place or places.

In the surveillance system, cameras with technical certificates suitable for the purpose of surveillance must be used.

7. Information

In accordance with the provisions of Article 28, paragraph (2) point c) of Act CXXXIII of 2005 on the rules for the protection of persons and assets, as well as private detective activities, the Institution places a warning sign, for third parties who wish to enter the building, on the fact that an electronic surveillance system is operating in the given area. Employees are informed in accordance with the Data Protection and Data Management Regulations.

8. The central room

The central monitoring and recording and data management room of the area surveillance camera system is located in the premises of the Institution provided for this purpose.

The images transmitted by the external cameras:

  • the possibility of continuous monitoring is provided by a monitor,
  • the images are recorded on a central storage unit (server).

9. Viewing recordings

The surveillance system used by the Institution can be used for direct observation (live image). Only employees employed in the position specified in these regulations have the right to direct observation, and only to the extent necessary for the performance of their duties. The monitor for viewing and possibly reviewing the images must be placed in such a way that during the broadcast of the images they cannot be seen by persons outside the scope of authorization.

10. Operating order of the system

10.1. The purpose of operating the system

Monitoring of employees may be carried out in accordance with § 9 and § 11 of the Labor Code. The provisions of § 4 of the Infotv. must be observed during operation.

The primary purpose of the operation of the area surveillance camera system is defined by the Szvtv. The Szvtv. enables the use of the electronic monitoring system in four cases:

  a) protection of human life, physical integrity, personal freedom,
  b) storage of dangerous substances,
  c) protection of business, payment, banking and securities secrets,
  d) asset protection.

The Institution may act in accordance with § 26, paragraph (1) of the Szvtv. when guarding its facilities, except that, pursuant to paragraph (2), it may not use an electronic surveillance system in public areas either.

10.2. Owner and operator of the system

The territorial surveillance camera system is the property of the Institution. The unit and personnel determined by the Institution are authorized to use, manage and operate the system.

10.3. Operation of the Surveillance camera system

Images transmitted by the surveillance camera system:

  • are constantly monitored;
  • are monitored regularly.

Duration of monitoring: Monday-Friday, from 8:00 a.m. to 7:00 p.m.

  • are occasionally observed
  • they are not monitored.

Recording the images of the surveillance camera system:

  • happens continuously – 24 hours a day,
  • happens regularly.

Duration of recording: Monday-Friday, from 8:00 a.m. to 7:00 p.m.

The purpose of recording the images is that, if necessary, they can be used as evidence in individual proceedings.

10.4. Viewing recorded footage

Reviewing the images recorded by the CCTV system:

  • regularly,
  • if possible
  • the day after the picture is taken,
  • takes place at the time of the event giving rise to the review.

The following must be separated on the viewed recordings:

  • the parts of the recordings that contain an exceptional occurrence (i.e. a reason for the processing of the recordings or the initiation of proceedings),
  • recordings that do not contain an exceptional occurrence.

In the case of recordings of an incident, the area supervisor is obliged, within two working days of the recording of the image, sound, or image and sound:

  • to initiate the procedure that falls within the scope of his duties,
  • in the case of procedures falling within the competence of another body or authority (e.g., police), to request the initiation of the procedure.

12. Data management related to the area surveillance camera system

12.1. Footage recorded by the camera system as personal data

Recordings recorded in the area surveillance camera system are considered personal data, therefore the data management rules defined in the Information Act and these regulations must be enforced.

12.2 Principles of data management

The main principles of data management:

  • personal data can only be processed for specific purposes, in order to exercise rights and fulfill obligations,
  • during data management, the collection and handling of data must be fair and legal,
  • personal data can only be processed to the extent necessary to achieve the purpose.

The purpose of processing personal data on the part of those entitled to control:

  a) protection of human life, physical integrity, personal freedom,
  b) storage of dangerous substances,
  c) protection of business, payment, banking and securities secrets,
  d) asset protection.

12.3. Legal basis for data management

The legal basis for the data management of those entitled to control is defined by § 26, paragraph (1) and § 30 of the Szvtv.

12.4. Limitations of data management

Recordings made by the area surveillance camera in the area affected by the recording can, as personal data, be used:

  • in proceedings initiated due to a committed crime,
  • in proceedings initiated due to a violation of the rules,
  • in proceedings initiated by the person in the recording in order to exercise his rights.

The footage recorded by the area surveillance camera must be issued as evidence:

  • at the request of the authorized body in court or other official proceedings, or
  • in an official procedure, at the request of the acting authority (within the framework of domestic legal aid), if the requesting body has justified its request in accordance with the law.

The justification is appropriate if it contains:

  • the basic legal reference establishing the authority of the requesting body,
  • the subject of the procedure,
  • the file number of the procedure,
  • the fact to be proven by the recorded recording.

The request must be refused if:

  • the justification of the request is not adequate,
  • the recorded image, sound, and image and sound recording are not suitable for proving the fact specified in the request.

12.5. Duration of data management, deletion of data

Under the General Data Protection Regulation, personal data can only be processed for the time necessary to achieve the purpose.

Data management period for recordings that do not contain extraordinary events

Recordings that do not contain extraordinary events can be processed for three working days after recording, after which they must be deleted immediately.

Data management period for recordings containing extraordinary events

The data processing time of recordings containing extraordinary events may not exceed 30 days. Data management may last longer than 3 working days after the recording, if during the procedure initiated by the supervision, the person entitled to initiate the procedure has informed the supervision of the fact of the initiation of the procedure within 3 working days after the recording.

If data has been forwarded to the body conducting the procedure or to a private individual in a procedure initiated to exercise their rights, the data must be deleted.

Extension of the data management period upon request

A person whose right or legitimate interest is affected by the recording of the image, sound, or image and sound recording, or other personal data may, within three working days from the recording of the image, sound, image and sound recording, or other personal data, by proving their right or legitimate interest, request that the data not be destroyed or deleted by its manager. At the request of a court or other authority, the recorded image, sound, image and sound recording, as well as other personal data must be sent to the court or authority immediately. If an inquiry is not made within 30 days of the request not to be destroyed, the recorded image, sound, and image and sound recording, as well as other personal data, must be destroyed or deleted. Information on data transfer to the person included in the recorded recording is free of charge.

12.6. Right of inspection

Those entitled to control must ensure that the private individuals concerned who appear in a recording can view the recording made of them during the time available for data management, typically within 3 working days of the recording of the recorded image, sound, and image and sound. The data subject can exercise his rights in accordance with the provisions of Chapter III of the General Data Protection Regulation.

13. Data security

On the part of those entitled to control, the protection of the personal data of those concerned must be ensured. The protection must cover private secrets and the circumstances of private life, so that they do not come to the knowledge of an unauthorized person.

The data must be protected in particular against:

  • unauthorized access,
  • unauthorized change,
  • unlawful transmission,
  • unlawful disclosure,
  • unlawful deletion or destruction, as well as
  • accidental destruction and damage.

14. Organizational measures

14.1. Persons

The person authorized to check may be in the central room of the area surveillance camera system.

The recordings recorded by the area surveillance camera system can only be managed by a specific person, the person authorized to check.

The person designated in these regulations is entitled to:

  • to monitor the images transmitted by the cameras, as well as
  • to review the images recorded by the camera system,
  • to separate recorded recordings and recording parts according to extraordinary and non-extraordinary events,
  • to save the data,
  • for data transmission,
  • for data deletion.

Only persons who are entrusted with data management or who have the right to access may enter the central room. They must prove their access rights.

Only the person performing personal and asset protection activities is entitled to see the recorded image, sound, image and sound recording, as well as other personal data, for whom this is necessary to enforce their obligations arising from the contract and is indispensable in order to prevent or interrupt the illegal act. The name of the person handling the recorded image, sound, and image and sound recording, as well as personal data, or the person carrying out personal and property protection activities entitled to access it for other reasons, as well as the reason and time of access to the data, must be recorded in a protocol.

14.2. Operational safety

Those authorized to check must check the operation of the system regularly, but at least at the beginning of the working day. During operation, it is necessary to ensure that the data is continuously backed up to a separate device.

Devices suitable for serving the system and other data carriers – except for legal data transmission – cannot be taken out of the central room.

Compliance with data protection regulations must also be ensured when IT devices are maintained. Maintenance and repairs may only be carried out in the presence of an authorized person.

Strangers may stay in the central room only in the presence of those authorized to check.

In the presence of strangers, the review of the recordings must be interrupted, if it is not possible to exclude the possibility of the review data being read by strangers in any other way.

An operational diary must be kept about the operation and the stay of strangers in the central room.

14.3 Data transfer

Data may only be forwarded in the cases specified in these regulations – and in the legislation. The data is transferred to a data carrier provided by the representative of the body or authority authorized for the procedure.

15. Technical measures

Uninterruptible power source

By providing an uninterrupted power source, it is necessary to ensure that the system can operate continuously and that malfunctions do not occur due to power outages.

IT protection

The management of data files must be organized in such a way that their content can be reconstructed in the event of partial or total destruction. At least one backup of the original data files must be made so that the original data is still available in case of destruction or damage of one of them. In the computer system operating the IT system enabling data recording of the area surveillance camera system, it must be ensured that:

  • access can be done with a personal code,
  • data management events are automatically logged.

Identification of data carrier

Only registered data carriers can be used in the system so that the location and destruction of the managed data can be tracked. Apart from data transmission, only a storage space that is not separated from the computer can be used as a data carrier.

16. Other data security measures

The central room of the area surveillance camera system:

  • the building is protected by an alarm,

The data stored in the central room is protected by:

  • the room can be locked.

17. Obligation to keep records

Records must be kept in connection with the operation of the area surveillance camera system:

  • about the deployed cameras and the area they monitor (camera register),
  • about the daily monitoring of the system status (operational log),
  • about the observations carried out in the system (observation log, as part of the operation log),
  • about reviewing and saving the recordings recorded in the system (review log, as part of the operation log),
  • about the data carriers used to store the recordings in the system (data carrier register, as part of the operation log),
  • about making a copy of the data stored in the system (data copy log, as part of the operation log),
  • about data transfer (data transfer log, as part of the operation log),
  • on the destruction of recordings,
  • about the data protection incident (in a separate register).

17.1 Camera records

Camera records must include at least:

  • the location of the cameras,
  • the number of cameras used,
  • the area covered by the cameras.

17.2 Operating log

During the operation of the system, an operational log must be kept on regular, daily checks of the system’s condition, as well as on the presence of strangers in the central room. The operation log contains:

  • a) data relating to the system status check:
    • the exact date of the inspection,
    • a note on the status of certain elements of the system,
    • the action taken in case of improper operation of the system,
    • the name of the person performing the inspection,
  • b) data on the stay of strangers staying in the central premises:
    • the time of entry and departure,
    • the name and position of the entrant,
    • reason for entry, activity performed.

17.3 Observation log

When footage broadcast by the surveillance camera system is observed in the central room, the data relating to the observation must be recorded in the observation log. The observation log must include:

  • the day of the observation,
  • the start and end time of the observation,
  • extraordinary events that have occurred,
  • the initiated measures,
  • name of the observer.

17.4 Look back log

In the case of viewing the footage recorded by the surveillance camera system in a central room, the data relating to the viewing and the saving of image details of extraordinary events must be recorded in a log.

The lookback log should include:

  • the day of looking back
  • the data necessary to identify the viewed recordings: camera number, the start and end time of the recorded image, sound, and image and sound recording,
  • extraordinary events that have occurred,
  • the initiated measures,
  • data for saving recording parts containing extraordinary events (save location)

17.5 Register of data carriers

The data carrier register must contain:

  • identification data of the data carrier used,
  • the start and end time of using the data carrier for data recording,
  • the storage location of the data carrier after use,
  • data on the destruction of the data carrier.

17.6 Data copy log

For copies made of recordings or of parts of recorded image, sound, and image and sound recordings, the data copy log must contain:

  • the date of making the copy,
  • identification data of copied recorded images, sounds, and image and sound recordings,
  • the reason for making a copy,
  • the identifier of the copy data carrier, the place of storage,
  • the name of the copy maker.

17.7. Data transfer log

The data transfer register must be kept annually and the register must be kept for 5 years.

The register must include:

  • when the data transfer took place,
  • to whom, to which body, authority, private individual, the recordings were forwarded,
  • for what purpose the data was transferred,
  • what was the legal basis for data transfer.

17.8 Record of destruction of recordings

Records must be kept of the destruction of recordings. The register must include:

  • the date of destruction,
  • the data necessary to identify the destroyed data (e.g. camera number or numbers, the date of the recorded recordings (from, to)),
  • the reason for the destruction (within 3 working days or other),
  • method of destruction,
  • the name of the person performing the destruction.

17.9 Incident record

The register must include:

  • the range of personal data involved in the incident,
  • the scope and number of those affected by the data protection incident,
  • the date of the data protection incident,
  • the circumstances of the incident,
  • the effects of the incident,
  • the measures taken to prevent the incident,
  • other data defined by law.

18. Duties and powers

Data management tasks and powers are exercised by:

  • the head or representative of the Institution.

18.1. The data management duties and powers of the person (manager) performing the task of inspection

The manager’s data management task is to:

  • develop these regulations,
  • review these regulations at least once a year,
  • appoint the persons responsible for the performance of the tasks and ask for continuous information about the completion of the task.

18.2. Data management tasks and powers of the area supervisor

The data management tasks of the Head of the Institution or his representative:

  • compliance with the rules laid down in the defining internal regulations,
  • performing registration tasks.

19. Introducing the content of the regulations

The persons concerned are obliged to acknowledge the fact that they have read the content of the regulations by signing.

The contents of the regulations must be made known:

  • at least annually, and
  • if there has been a change in the regulation or its annexes.

20. Final provisions

The following are annexed to the regulations:

  • employee information on the operation of the camera system
  • register of persons with access and save rights
  • protocol for locking camera recording
  • protocol on inspection of camera footage
  • the camera registry

Dr. Kiarash Bahrehmand

managing director