Information about
operating cameras

CYBERJUMP RO S.R.L., Romanian legal entity, with registered office in Romania, Bucharest, Calea Floreasca nr. 55, Etaj 2, spațiul 07, Sector 1, registered with the Trade Register attached to the Bucharest District Court under No. J40/21715/2021, tax number 45342755 (hereinafter referred to as the “Data Controller“) operates an electronic surveillance system (the “Surveillance System“) on the premises of Cyberjump Trampoline Park.

In view of and compliance with Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”) you are informed as follows:

WHEREAS:

I. The interest shown by the Company in the prevention of criminal and administrative infringements, ensuring the security of employees and the material and intellectual values of the Company, the prevention of accidents on the premises of the trampoline park;

II. The requirement to inform the Company’s employees in accordance with the legal provisions;

The Company shall implement a set of rules for using the video surveillance system.

A. REGULATORY REFERENCES AND LEGITIMACY REQUIREMENTS

  1. Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, hereinafter referred to as “GDPR“;
  2. Law No. 333 of July 8th, 2003 on the protection of objectives, assets, values and protection of individuals, including subsequent amendments and completions;
  3. Decision No. 301 of April 11th, 2012 for the approval of the Methodological Norms of Law No. 333/2003 on the protection of objectives, assets, values and protection of individuals;
  4. Order No. 52 of April 18th, 2002 on the approval of the Minimum Security Requirements for the processing of personal data;
  5. ANSPDCP (National Authority for the Supervision of Personal Data Processing) Decision No. 52 of May 31st, 2012 on the processing of personal data using video surveillance means;
  6. Instructions from the European Data Protection Supervisor on video surveillance, published March 17th, 2010, Brussels;

B. THE NECESSITY FOR A VIDEO SURVENILLANCE SYSTEM 

  1. The use of the video surveillance system is necessary for the proper management and operation of the Company, in particular, for the control of security and guarding in order to prevent accidents and damage to the Company’s equipment and to support the security policy provided by the above-mentioned regulations;
  2. The video surveillance procedure describes the video surveillance system of the Company and the protection measures taken by the Company to protect the personal data, privacy and other fundamental rights as well as the legitimate interests of the individuals captured on cameras;
  3. The Company cannot otherwise ensure the security and protection of the employees and property and visitors;
  4. The video surveillance system helps to prevent, detect and investigate any theft of equipment or goods owned by the Company or to prevent, detect and investigate risks and threats against the employees working on the supervised premises;
  5. With the help of this system, the access on the premises is controlled and the security of the goods and the security of the individuals – employees of the Company, customers, as well as of the owned property and information;
  6. The video surveillance system shall not be used for any purpose other than those notified, it shall not be used for monitoring the employees’ activity or for timekeeping;
  7. The system provides a means of investigating or obtaining information for circumstances in which a physical security incident occurs or criminal behavior is spotted, the images can be transferred to the investigative bodies during a disciplinary or criminal investigation.


C. PROCEDURE CONTENT & PURPOSE

This procedure sets out: 

  1. A uniform set of rules governing the implementation and use of the video surveillance system in order to ensure the security of individuals and property, real estate, valuables and raw materials that are used in the manufacture of products sold by the Company, while complying with the Company’s GDPR obligations and the security measures adopted for personal data protection, the protection of privacy, the protection of the legitimate interests and to guarantee the fundamental rights of the data subjects;
  2. The responsibilities regarding the management and operation of the video surveillance system, as well as those regarding the preparation, endorsement and approval of the documents related to these activities. 
  • The existing video surveillance system was installed following a risk assessment;
  • A routine review shall be performed annually by the structures responsible for ensuring security and the need to keep the system in use shall be reconsidered, fulfilling the stated purpose; The Company uses the video surveillance system for security and access control purposes;
  • It is ensured that there is a legitimate interest in the implementation of the video surveillance system;
  • The alternatives were discussed and it was concluded that the use of the video surveillance system is necessary and proportionate to the objectives pursued by the Employer.

 The Company uses the surveillance system to ensure the safety, security and control of access and proper use of equipment. The surveillance system helps control the access to the trampoline park and ensures the safety and security of the equipment and the park, staff and visitors. The video surveillance system helps prevent, deter, manage and, if necessary, investigate security and safety incidents, potential threats or unauthorized physical access, including unauthorized access to secure buildings and protected rooms, IT infrastructure or to existing research equipment.

The system shall not be used for purposes other than those mentioned above. For example, it shall not be used to monitor employee attendance. The system shall not be used as an investigative tool for purposes other than those described above, except in the case of a physical security incident or a criminal offense.

The video records may be submitted to investigative bodies during an official disciplinary or criminal investigation.

 

1. PURPOSE & PRINCIPLES OF USE OF THE VIDEO SURVEILLANCE CAMERAS

1.1 The Data Controller shall use personal data in any image or recording of images and sound made with the help of surveillance cameras in the Cyberjump Trampoline Park for the following purposes: 

  • to protect the life and physical safety of visitors and the Company’s employees (“Data Subjects“), to monitor compliance with safety rules;
  • to protect (against theft and burglary) the property, the equipment and endowments of Cyberjump Trampoline Park, the property of individuals, visitors and employees, i.e. the detection and prevention of violations, finding the perpetrator in the act of committing an offence and evidence thereto;
  • to monitor the operation of Cyberjump Trampoline Park.

 1.2 The use of cameras as a means for personal data processing is useful and necessary, appropriate and proportionate to the intended purposes.

 1.3 The use of the cameras does not violate human dignity and respects the principle of proper processing. The position of the cameras has been carefully revised to ensure that the monitoring of areas not of interest for the intended purpose is limited, as much as possible. The Company’s video surveillance system is not intended to capture (for example, by selective focusing or orientation) or to process images (e.g., indexing, profiling) that reveal special categories of data.

 1.4 Benefits of the supervisory system: 

  • Increasing control in the supervised area, entrances and exits;
  • Restricting the access of intruders;
  • Elimination of losses caused by unforeseen events.

2. THE LEGAL BASIS OF THE PROCESSING

2.1 Only individuals expressing their consent to use the cameras and who agree to the terms and conditions set forth in this policy shall be allowed in Cyberjump Trampoline Park.

2.2 The initial information of the data subjects is made in a clear and permanent manner, by means of adequate panels/boards/signs, with sufficient visibility and located in the supervised area, so as to signal the existence of surveillance cameras, but also to communicate essential information on personal data processing.

2.3 A copy of this policy shall be provided upon request to any interested person.

3. DATA PROCESSING DURATION, SECURITY MEASURES AND DATA TRANSMISSION

3.1 The Data Controller shall destroy or delete the images recorded by the cameras after 30 days (“Retention period“).

 3.2 The storage period of the data obtained through the video surveillance system is proportional to the purpose for which the data is processed, so that: 

  • The images captured by the video surveillance system of Cyberjump are stored for a period not exceeding 30 days, after which they are automatically deleted in the order in which they were recorded. 
  • In the event of a security incident, the retention period of the relevant footage may exceed normal limits depending on the time required to further investigate the security incident. Retention shall be rigorously documented and the need for retention shall be regularly reviewed.

4. DATA SUBJECT RIGHTS

 

The Company warrants to ensure the observance of the data subject rights according to GDPR. All persons involved in the video surveillance activity and those responsible for the management of the captured images shall observe the data subject rights.

5. NOTIFICATION OF DATA SUBJECT

5.1 The initial information of the data subjects is made in a clear and permanent manner, by means of adequate panels/boards/signs, with sufficient visibility and located in the supervised area, so as to signal the existence of surveillance cameras, but also to communicate essential information on personal data processing

5.2 A copy of this policy shall be provided upon request to any interested person.

5.3 The Data Controller shall not transfer the recordings of visitors and employees to third parties.

6. ACCESS TO AND DISCLOSURE OF PERSONAL DATA

6.1 The Data Controller shall ensure the security of the data processed and shall take any and all reasonable steps to ensure that the personal data of visitors and employees are securely protected. Access to stored images and/or the technical architecture of the video surveillance system is limited to a small number of people and shall be granted according to the responsibilities specified in the Company’s internal decisions (for what purpose and what type of access). Image and sound recordings are stored in a locked place on a password-protected computer, saved on a hard disk, ensuring data security.

 6.2 In particular, the Company imposes restrictions regarding the persons authorized: 

  • to watch real-time footage: Real-time footage is accessible to designated supervisors;
  • to watch the footage recording: viewing the recorded images shall be done in justified cases, such as expressly provided by law and security incidents, by the specially designated persons;
  • to copy, download, delete or edit any footage.

 6.3 The right of access during the storage period extends to viewing and reviewing the camera footage.

 6.4 The name of the person handling the recorded images or sound recordings or who, for any other reason, is authorized to access them in accordance with this policy, the reason for access and the time of access shall be recorded by protocol.

7. PRIVACY PROTECTION & INFORMATION SECURITY

In order to protect the security of the video surveillance system and to increase the degree of privacy protection, the following technical and organizational measures have been implemented: 

  1. Limiting the storage time of the captured recordings, in accordance with the security requirements;
  2. The storage media (servers on which the recorded images are stored) are located in secure spaces, protected by physical security measures;
  3. All users with authorized to access the recordings have undertaken to comply with the applicable legal provisions;
  4. The access permission is granted to users on a need-to-know basis, only for those resources that are strictly required for duties performance;
  5. Only the system administrator, appointed for this purpose by the Data Controller, is authorized to grant, modify or cancel the access right of the users, according to the general procedure of database access. The system administrator shall keep a constantly updated list of all persons are authorized to access the video surveillance system, specifying the type of access;
  6. The DPO/Data Protection Officer shall be consulted prior to the purchase or set-up of any new video surveillance system.

8. INSTRUCTIONS

  • All staff members with access rights shall receive initial training in the field of data protection. This procedure shall be integrated in the training and guidance program, for all users with the right of access and duties regarding the video surveillance system operation;
  • The person in charge shall ensure that all subordinate personnel involved in the video surveillance system operation are trained and informed of all functional, operational and administrative aspects of this activity.

9. CONFIDENTIALITY MEASURES

After the training session, each participant shall execute a privacy statement.

10. DISCLOSURE OF PERSONAL DATA

10.1 Any activity of disclosing personal data to third parties shall be documented and subjected to a rigorous assessment regarding on the one hand the need for communication, and on the other hand the compatibility between the purpose for which the communication is made and the processing purpose for which this data was initially collected (security and access control).

 10.2 The Company has the obligation to make available to the legal bodies, upon written request, the video recordings regarding the commission of criminal offences.

 10.3 Adding an identification mark to restrict further data processing permanently or for a limited period of time.

11. POSITIONING OF SURVEILLANCE CAMERAS, MONITORED AREAS

11.The surveillance system consists of surveillance cameras positioned on the supporting structure of the ceiling of Cyberjump Trampoline Park, whose angle of view and position are shown in the layout plan at the end of this policy. 

11.2 The purpose of installing surveillance cameras in the office area is to monitor the handling of cash and office movements..

11.3 The area monitored by the surveillance cameras is the premises legally and exclusively operated by the Data Controller.

11.4 The Data Controller shall not carry out surveillance activities in rooms where this could harm human dignity, in particular, in locker rooms, toilets, lavatories, but also in areas where employees spend their breaks. Exceptions to this rule are periods when the entire playground area, including no-go areas, is monitored. These periods are public holidays, days outside business hours when no one is legally on the premises.

12. DESCRIPTION AND TECHNICAL SYSTEM SPECIFICATIONS

12.1 The cameras are fixed devices with fixed optics that only perform remote surveillance.

12.2 The cameras are not suitable for close-up recording of individuals or activities. The cameras of the electronic surveillance system predominantly record the guests and visitors of Cyberjump Trampoline Park.

12.3 Conventionally, the video surveillance system is a static system. It has image recording function and is equipped with motion sensors. The system can record any movement detected by the cameras positioned in the monitored area, along with the date, time and location.

12.4 All rooms are operational 24/7.

12.5 When required, the quality of the images shall allow the recognition of those who pass through the camera action area.

12.6 For greater security of data processing that can be obtained from video surveillance system, the cameras are fixed (without zoom function), so the user cannot change the perimeter / purpose of surveillance, specially trained operators must observe the privacy settings and access rights.

12.7 There is no interconnection with other systems and no sound is recorded, no state-of-the-art technology or intelligent video surveillance is used.

 

13. RIGHTS OF THE DATA SUBJECT – EXERCISE OF THE RIGHTS OF ACCESS, INTERVENTION AND OPPOSITION

13.1 Throughout the period of storage of personal data, the data subjects have the right to access the personal data concerning them held by the Company, to request intervention (deletion/update/rectification/anonymization) or to oppose the processing, according to the law.

 13.2 Any request to access, rectify, block and/or delete personal data as a result of the use of video cameras should be addressed to the Company.

 13.3 The answer to the request for access, intervention or opposition shall be provided within 15 calendar days. If this deadline cannot be met, the data subject shall be informed regarding the postponement reason, and also on the procedure to be followed for resolving the request.

 13.4 If the data subject expressly requests, he or she may be granted the right to view the recorded images concerning him or her or a copy thereof. The images provided shall be clear, to the extent possible, provided that they do not prejudice the rights of third parties (the data subject shall only be able to view his own image, the images of other persons who may appear in the recording shall be edited so that their recognition/identification is not possible).

 13.5 In the case of such a request, the data subject is obliged to identify himself beyond any suspicion (to present the identity document when participating in the viewing), to mention the date, time, location and circumstances in which he was recorded by the surveillance cameras. The data subject shall also present a recent photo so that designated users can easily identify him/her in the captured images. The person shall only be able to view their own image, the images of the people who may appear in the recording shall be edited so that their recognition/identification is not possible.

13.6 There is a possibility of denying the right of access in case the exceptions provided by law. The information shall be provided free of charge if the data subject has not yet submitted a request for information to the Data Controller in the current year for the same data set. In other cases, a fee may be charged.

13.7 The need to restrict access may also be imposed if there is an obligation to protect the rights and freedoms of third parties, for example if other persons appear in the images and there is no possibility to obtain their consent or their image cannot be removed, by editing, irrelevant personal data.

13.8 For the purpose of monitoring the lawfulness of the transfer and informing the data subject, the Data Controller shall keep records of the transfer, including the date of the transfer of the personal data processed, the legal basis and the recipient of the transfer, the scope of the transferred personal data and other data specified in the law governing the relevant processing.

FOLLOWING THE RISK ASSESSMENT PERFORMED, THE COMPANY CONCLUDES THAT THERE IS NO ALTERNATIVE SOLUTION TO SETTING UP THE VIDEO SURVEILLANCE SYSTEM IN THE SPECIFIED AREAS AND FOR THE PURPOSE OF PREVENTING CRIME, GUARDING EMPLOYEES AND PROPERTY OR PREVENTING INJURY.

This privacy policy becomes valid on 1 June 2020.

Annex: Basic layout of camera locations