Privacy Notice on the processing of personal data through a video surveillance system

SLIDE DOWN


About
-

Regulation (EU) 2016/679 – GDPR | Article 13 | HDPA Directive 1/2011

Last review: February 2026

⚠ Note:  In accordance with Article 13 of the GDPR, we inform you that the Company’s premises are subject to video surveillance. Before entering the monitored areas, you have the right to be fully informed about the processing of your data. This notice supplements the visible signs (signage) that must be placed at each entrance of a monitored area.

1. CONTROLLER

Item Information
Brand Name TERNA ENERGY SINGLE MEMBER INDUSTRIAL COMMERCIAL TECHNICAL COMPANY (TERNA ENERGY S.M.S.A.), MEMBER OF MASDAR GROUP
Headquarters 85,  Mesogeion Ave., PC 11526, Athens
Telephone +30 210 6968300
Email info@terna-energy.com
Website www.terna-energy.com

2. DATA PROTECTION OFFICER (DPO)

In accordance with Article 37 of the GDPR, the Company has appointed a Data Protection Officer (DPO). For any issue related to the processing of your data or the exercise of any of your rights, please contact:

E-MAIL: dpo@terna-energy.com Postal Address: 85 Mesogeion Ave., PC 11526, Athens, tel: 2106968353

3. PURPOSE OF PROCESSING AND LEGAL BASIS

3.1 Purpose

The Company uses a closed circuit video surveillance (CCTV) system exclusively for the purpose of protecting the safety of persons and goods in its facilities. Specifically:

  • Prevention and deterrence of criminal acts (theft, vandalism, terrorist act, illegal entry).
  • Protection of the physical integrity, life and health of employees, partners and visitors who enter the company and during their stay in it.
  • Protection of the Company’s facilities, material equipment and goods
  • Investigating security incidents and supporting criminal prosecution, or any judicial or extrajudicial act, when required.

3.2 Legal basis – Legitimate Interests (Article 6 (1) (f) GDPR)

The processing is based exclusively on  the legitimate interests of Article 6 (1) (f) of the GDPR, following a balancing test in accordance with the guidelines of Articles 5 and 6 of the GDPR and the relevant instructions of the DPA.

3.3 Analysis of legitimate interests – proportionality test

What we seek: Protection of spaces, goods and people from illegal actions of third parties and ensuring a safe workplace.

Necessity: Video surveillance is a necessary and proportionate measure, as alternatives (e.g. simple human custody) do not provide an equivalent effect and entail more extensive data processing.

Weighting: The legitimate security interests prevail over the conflicting interests of the subjects, given that: (a) the processing is limited to the necessary image capture, (b) any camera in sensitive/private areas (WCs, rest areas) is avoided, (c) the data is kept for the minimum time required, (d) full information is provided through signage.

4. DATA MINIMIZATION PRINCIPLE – CAMERA LOCATION

According to the principle of data minimization (Article 5 par. 1 (c) of the GDPR) and the Instructions of the DPA:

  • Data Type: Exclusive image (video) data. No sound is received.
  • Camera Locations: Entry/exit points, parking lots, perimeter of facilities, storage areas for goods and critical equipment, where an increased risk of illegal activity is assessed.
  • Excluded areas: Sanitary facilities (WCs), canteens, staff rest areas and any other area where privacy may be excessively restricted are expressly excluded from any surveillance.
  • Angle/Range: Each camera is adjusted to cover only the absolutely necessary space, avoiding the surveillance of public or private third parties.
  • Real-Time Access: Live monitoring is conducted exclusively by authorized security personnel.

5. LABELLING OBLIGATION (INFORMATION SIGNS)

According to Directive 1/2011 of the HDPA and Article 13 of the GDPR, visible information signs (Signs) must be placed at every entrance of each supervised area, in a visible place. Each sign shall include at least:

  • The camera symbol (CCTV pictogram)
  • The identity of the Data Controller
  • The purpose of processing
  • The contact details of the DPO
  • Reference to the rights of the subject

This extended update (second layer) complements the signs and is available electronically on the Company’s website and in print upon request.

6. DATA RECIPIENTS

Video surveillance material is accessible exclusively from:

6.1 Authorized Company personnel

Competent security and facility management personnel, based on an explicit assignment and duty of confidentiality.

6.2 Custody companies – Processors (Article 28 GDPR)

External security companies that undertake the operation and control of the CCTV system on behalf of the Company. A written contract of processor is concluded with each external provider  in accordance with Article 28 of the GDPR, which guarantees an equivalent level of protection, commits the provider to act exclusively at the behest of the Company and prohibits any further use.

6.3 Principles – Exceptional transfer

The material is not transmitted to third parties, except in the following cases, based on a legal obligation (Article 6 par. 1 (c) GDPR):

  • Judicial, prosecuting and police authorities, where the material contains evidence of a criminal offence.
  • Competent authorities upon lawful request in the exercise of their duties.
  • Victim or perpetrator of a crime, only if the material may be evidence – always after covering/anonymizing any other persons depicted.

6.4 Data transfer outside the EEA

No transfer  of CCTV image data to third countries outside the European Economic Area (EEA) takes place.

7. DATA RETENTION

According to the principle of storage restriction (Article 5 par. 1 (e) GDPR) and Directive 1/2011 of the HDPA:

Occasion Shelf life
Normal operation (no incident) 15 days from download – automatic deletion
Identified Security Incident (Company) Up to 30 days from the detection – isolated file
Incident involving a third party Up to 3 months from the detection – isolated file
Pending legal proceedings / court order Until further order of a competent authority or court

After the end of each period, the data is permanently deleted with secure, irreversible procedures. A deletion record is kept for accountability reasons (Article 5 par. 2 GDPR).

8. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (ARTICLE 32 GDPR)

The Company takes and implements all necessary technical and organizational measures for the protection of video surveillance material. In particular, physical security measures of the systems, access control and recording mechanisms, encryption techniques as well as contractual protection measures, such as the conclusion of confidentiality and security agreements with any person who has authorized access to the video surveillance data, are in place.

At the same time, staff involved in the processing or management of the relevant data receive regular training on personal data protection and information security issues.

In the event of a personal data breach, an internal incident management procedure is applied, which provides for the immediate assessment and recording of the incident and, if necessary, the notification of the breach to the Personal Data Protection Authority within seventy-two (72) hours, in accordance with Article 33 of the General Data Protection Regulation (GDPR).

9. IMPACT ASSESSMENT (DPIA – ARTICLE 35 GDPR)

For video surveillance systems that involve systematic monitoring of a publicly accessible space or large-scale processing, the Company evaluates the obligation to carry out a DPIA in accordance with the HDPA list (Decision 65/2018) and the regulatory framework.

If an obligation is established, the DPIA shall be carried out before the system becomes operational and shall be updated in any material change.

10. RIGHTS OF DATA SUBJECTS

Under Articles 15–22 of the GDPR, the natural persons whose image is taken have the following rights. You can exercise them by sending a request to the DPO (email or post). The Company responds within 1 month (with the possibility of a 2-month extension for complex requests – Article 12 par. 3 GDPR). The examination of requests is free of charge (except for excessive/unfounded requests).

Right Content in the CCTV box GDPR
Access Confirm if we are processing your image + copy Article 15
Correction Not applicable (image not corrected) Article 16
Deletion Request for deletion under the conditions of Article 17 Article 17
Restriction Cessation of processing, e.g. to establish a legal claim Article 18
Portability Not applicable (basis: legitimate interests, not contract/consent) Article 20
Opposition Object to Continuation of Processing Article 21
Manual. decision No automated decision-making Article 22

10.1 Practical guidance for exercising the right of access

In order for us to consider a request for access to an image that concerns you, you must provide us:

  • Date, time, and place where you were in camera range
  • Your photo (e.g. ID/passport) so that we can track your data

Alternatively, you are given the option of

personal visit to our premises to demonstrate the relevant images in the presence of the DPO, while covering any other persons depicted.

10.2 Objection / Deletion

Exercising the right to object or delete does not entail automatic and immediate deletion. The Company examines the request, weighs any conflicting legal interests (e.g. pending criminal proceedings) and informs you in detail within the deadlines of Article 12 GDPR.

11. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY (ARTICLE 77 GDPR)

If you consider that the processing of your data violates the GDPR or applicable law, you have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority (HDPA) Address: 1–3 Kifisias Str., 11523, Athens Tel.: +30 210 6475600   Fax: +30 210 6475628 Email: complaints@dpa.gr

 To lodge a complaint with the Authority: Lodge a complaint with the Authority | Hellenic Data Protection Authority

Before any complaint, we encourage you to contact our DPO first for an amicable resolution.

12. UPDATE OF THIS UPDATE

This update is revised when required due to changes in legislation, supervisory authorities’ instructions or the way the CCTV system operates. The update is always posted on www.terna-energy.com website.

Current version: February 2026   |   Next scheduled review: February 2027

For any request or query please contact the DPO:

dpo@terna-energy.com

85,  Mesogeion Ave., PC 11526, Athens