Terms of operation of the video surveillance system

General information on the exercise of data subjects' rights under the GDPR

Α) CONDITIONS OF OPERATION OF VIDEO SURVEILLANCE SYSTEM AT THE PREMISES OF THE OFFICE

The sole proprietorship with the name of Paraskevi Arvaniti, Notary Public of Samos, which is located in the town of Samos (Themistocles Sofouli Street 157, P.C. 83100, tel. 22730-28699) (hereinafter referred to as the "Company"), hereby informs you, in its capacity as controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR") and the relevant provisions of the Greek legislation on the protection of personal data, as applicable, of the type of personal data it collects, the source of their collection, the reason for their collection and processing, any recipients, the time of their retention, any transfer outside the E. EU, as well as your rights in relation to your data and how you can exercise them..

PURPOSE OF PROCESSING AND LEGAL BASIS

We use a surveillance system in the offices of the Company's headquarters for the purpose of protecting persons and property. The processing is necessary for purposes of legitimate interests pursued by us as the controller (Art. 1. f General Regulation (EU) 2016/679, hereinafter referred to as GDPR). Our legitimate interest consists in the need to protect our premises and the goods located therein from unlawful acts, such as, but not limited to, theft. The same applies to the security of the life, physical integrity, health and property of our staff and third parties lawfully present in the guarded premises. For this reason, we limit the taking of images in areas where we have assessed that there is an increased likelihood of committing illegal acts, e.g. theft, namely in the corridor passing through the entrance and reception area for clients, the area of the technological infrastructure of the office and at both entrances to the office, without focusing on areas where the privacy of the persons whose image is taken may be unduly restricted, including their right to respect for personal data, such as the three offices of the Company. The employees' workplaces (three independent rooms - offices) are not monitored by any video surveillance system in order to safeguard the protection of employees' personal data from any processing and to ensure their privacy. The video surveillance system does not record any sound. Public areas outside the premises of the Merchant shall not be monitored except for the part of the pavement outside, which cannot be isolated from the field of view of the camera.

TYPE OF DATA AND CATEGORIES OF DATA SUBJECTS

We only collect image data of our employees and third parties, customers and visitors, who are lawfully present in the monitored area.

RECIPIENTS

The material held is accessible only by our competent/authorised personnel and our data controller. This material is not transmitted to third parties, except in the following cases: a) to the competent judicial, prosecutorial and police authorities when it contains data necessary for the investigation of a criminal offence involving persons or property of the controller, b) to the competent judicial, prosecutorial and police authorities when they request data lawfully in the exercise of their duties, and c) to the victim or perpetrator of a criminal offence, when it concerns data which may constitute evidence of a criminal offence.

DATA RETENTION PERIOD

We keep the data for fourteen (14) days, after which it is automatically deleted. This time limit is shorter than the reasonable maximum retention period set by the Hellenic Data Protection Authority in its 1/2011 directive. In the event that we detect an incident during this period, we will isolate part of the video and keep it for up to one (1) more month, in order to investigate the incident and initiate legal proceedings to defend our legal interests, while if the incident concerns a third party we will keep the video for up to three (3) more months.

RIGHTS OF DATA SUBJECTS

Data subjects have the following rights:

• Right of access: you have the right to know whether we are processing your image and, if so, to receive a copy of it.

• Right to restriction: you have the right to ask us to restrict processing, such as not deleting data that you consider necessary for the establishment, exercise or maintenance of legal claims.

• Right to object: you have the right to object to processing.

• Right to erasure: you have the right to request that we delete your data.

You can exercise your rights by sending an e-mail via the contact form on our website (https://samos-notary.gr/contact) or a letter to our postal address or by submitting the request to us in person, at our business address [157 Themistocles Sofouli Street, P.C. 83100, Samos]. Please note that in case of reasonable doubt as to the identity of the data subject, we may request additional information to confirm the identity.

In order for us to process a request related to your image, you will need to tell us approximately when you were in range of the cameras and provide us with an image of you to help us identify your data and hide the data of third party subjects. Alternatively, we give you the option of coming to our premises to show you the images in which you appear. We also point out that exercising the right to object or erasure does not imply the immediate deletion of data or the modification of processing. In any case, we will reply to you in detail as soon as possible, within the time limits set by the GDPR.

RIGHT TO SUBMIT A COMPLAINT

If you consider that the processing of your data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Greece is the Hellenic Data Protection Authority, Kifissias 1-3, 115 23, Athens, Greece, https://www.dpa.gr/, tel. 2106475600.

B) GENERAL INFORMATION ON THE EXERCISE OF DATA SUBJECTS' RIGHTS UNDER THE GDPR

What is the data subject's right under the GDPR?

An employee, customer or supplier, if he or she is a person whose personal data is processed by the controller, has a number of rights in relation to the processing of the data, such as access to his or her data, correction of inaccurate or incomplete data, erasure or objection to the processing.

How is the right exercised?

It is exercised by submitting a written request to the controller, including by electronic means.

Can a fee be imposed and if so, under what conditions?

In principle, the exercise of rights is carried out free of charge. However, if the data subject's requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may impose a reasonable fee, taking into account the administrative costs of providing the information or of communicating or performing the requested action. The controller shall bear the burden of proving that the request is manifestly unfounded or excessive.

What are the obligations of the small and medium-sized enterprise as controller?

The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication in the context of Articles 15 to 22 and Article 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular where the information is specifically addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Where requested by the data subject, the information may be provided orally, provided that the identity of the data subject can be proven by other means.

When does the small and medium-sized enterprise has to respond (time limits and possibility of extension)?

The controller shall provide the data subject with information on the action taken at his or her request without delay and in any event within one month of receipt of the request. That period may be extended by a further two months, if necessary, taking into account the complexity of the request and the number of requests. The controller shall inform the data subject of that extension within one month of receipt of the request and of the reasons for the delay. If the controller fails to act on the data subject's request, the controller shall inform the data subject, without delay and at the latest within one month of receipt of the request, of the reasons for the failure to act and of the possibility of lodging a complaint with a supervisory authority and bringing a judicial remedy.

When is the request considered complex?

When it cannot be answered directly by the DPO, but additional actions are required on his/her part to satisfy it, such as in particular when further investigation by the HC is needed or when other bodies are involved in order to answer and process it.

Can additional information be requested from the data subject (in particular for identification purposes)?

Where the controller has reasonable doubts as to the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

What applies when the applicant is a minor?

These rights are exercised by the person exercising parental responsibility over the minor.

When does the small and medium-sized enterprise not have an obligation to satisfy the right?

• When it cannot verify the identity of the person making the request

• If the data subject's requests are manifestly unfounded or excessive, in particular because of their repetitive nature

• Where the legal requirements for exercising and/or satisfying the right to exercise and/or satisfy it are not met

What happens if the right is not satisfied? Further rights of subjects.

If the DPO rejects the request to satisfy the right, the data subject may lodge a complaint with the supervisory authority and pursue a judicial remedy. The competent supervisory authority for Greece is the Hellenic Data Protection Authority, Kifissia 1-3, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.