Video Surveillance Information pursuant to Article 13 of Regulation (EU) 679/2016

video surveillance

This information is to be considered supplementary to the “simplified” notice provided through signage placed in correspondence with the surveillance cameras.

Data Controller

In accordance with Article 13 of Regulation (EU) 2016/679 (hereinafter, “GDPR“), we inform you that Nimax S.p.A. (hereinafter, the “Company” or the “Controller“), with registered office in Bologna, via dell’Arcoveggio no. 59/2, and reachable via e-mail at privacy@nimax.it, as the data controller, will collect your personal data through the video surveillance system installed at the Company’s premises.

Categories and Types of Data Processed

The personal data processed through the aforementioned video surveillance system belong to the category of common data and essentially consist of images depicting you, potentially including your face.

Purpose and Legal Basis of Processing

The images acquired through the video surveillance system will be processed for the purpose of ensuring the safety of individuals and protecting the Company’s movable and immovable assets, particularly against potential assaults, workplace accidents, thefts, robberies, damages, and acts of vandalism. The legal basis for the processing is found in the legitimate interest of the Controller pursuant to Article 6, paragraph 1, letter (f) of the GDPR, consisting of the need to ensure the safety of individuals and the protection of the Company’s movable and immovable assets.

Once acquired, your personal data may also be processed to meet any defensive needs based on the legitimate interest of the Controller under Article 6, paragraph 1, letter (f) of the GDPR in establishing, exercising, or defending a right in court, in extrajudicial settings, as well as in pre-litigation phases.

Furthermore, based on Article 6, paragraph 1, letter (c) of the GDPR, your data may be processed to the extent strictly necessary to comply with legal obligations to which the Controller is subject, including orders issued by judicial and police authorities.

Retention of Personal Data

The images acquired by the camera are stored, in compliance with the principles of data minimization and storage limitation under Article 5, paragraph 1, letters (c) and (e) of the GDPR, for a period not exceeding 72 hours and subsequently automatically deleted, except in cases of holidays or office closures, as well as when adhering to a specific investigative request from the Judicial or Police Authorities, in accordance with the provisions of the Video Surveillance Measure – April 8, 2010, of the Data Protection Authority, in light of Article 22, paragraph 4, of Legislative Decree 101/2018.

The Controller reserves the right, in any case, to retain your personal data for the time strictly necessary to fulfill legal obligations to which the Controller is subject, as well as to meet any defensive needs.

Processing Methods

Your data are processed mainly with the aid of electronic tools, in compliance with data protection regulations and in accordance with the applicable measures of the Data Protection Authority, including in particular the Video Surveillance Measure – April 8, 2010, in light of Article 22, paragraph 4, of Legislative Decree 101/2018, according to logics and procedures related to the purposes indicated above.

The system will operate 24 hours a day, seven days a week, including holidays. The device is designed to acquire your image exclusively for the purposes indicated above, in such a way as to limit the viewing angle to the area actually to be protected, with a view to proportionality and strict necessity.

Recipients

Your data may be accessed by the following subjects exclusively for the purposes described and in compliance with the rules provided by the GDPR, the Privacy Code, and the aforementioned Video Surveillance Measure – April 8, 2010:

  • Personnel specifically authorized to process personal data pursuant to Articles 29 and 32, paragraph 4 of the GDPR and 2-quaterdecies of the Privacy Code;
  • Subjects acting typically as data processors pursuant to Article 28 of the GDPR (e.g., the company in charge of maintenance services, private security institutes);
  • Competent authorities (e.g., judicial and police authorities) that have made a formal request for the acquisition of images, in order to comply with legal obligations to which the Controller is subject.

Transfer of Data Outside the EU

Your personal data will not be transferred to Third Countries.

Your Privacy Rights

As a data subject, you may, at any time, exercise the following rights by writing to privacy@nimax.it:

  • Right of access (Article 15 of the GDPR) – You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, as well as the right to receive any information relating to the same processing.
  • Right to rectification (Article 16 of the GDPR) – You have the right to obtain the rectification of your personal data if they are incomplete or inaccurate; it should be noted that, with respect to personal data collected through video surveillance systems, the right to rectification is not concretely exercisable due to the intrinsic nature of the data collected, which pertain to an objective and determined fact.
  • Right to erasure (Article 17 of the GDPR) – In certain circumstances, you have the right to obtain the erasure of your personal data present in our archives.
  • Right to restriction of processing (Article 18 of the GDPR) – Upon the occurrence of certain conditions, you have the right to obtain the restriction of the processing of your personal data.
  • Right to data portability (Article 20 of the GDPR) – In permitted cases, you have the right to obtain the transfer of your personal data to a different data controller, as well as the right to receive the data concerning you in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21 of the GDPR) – You have the right to object to the processing of your personal data by providing reasons justifying the objection; the Controller reserves the right to evaluate such a request, which may not be accepted if there are compelling legitimate grounds to proceed with the processing that override your interests, rights, and freedoms.
  • Right to lodge a complaint with the Supervisory Authority (Article 77 of the GDPR) – If you believe that the processing concerning you violates data protection regulations, you may lodge a complaint with the Supervisory Authority of the Member State where you habitually reside, work, or where the alleged violation occurred.
  • Right to an effective judicial remedy (Article 79 of the GDPR)-