Privacy Notice on the processing of personal data through a video surveillance system
Regulation (EU) 2016/679 – GDPR | Article 13 | HDPA Directive 1/2011
Last review: February 2026
⚠ Note: In accordance with Article 13 of the GDPR, we inform you that the Company’s premises are subject to video surveillance. Before entering the monitored areas, you have the right to be fully informed about the processing of your data. This notice supplements the visible signs (signage) that must be placed at each entrance of a monitored area.
1. CONTROLLER
| Item | Information |
| Brand Name | TERNA ENERGY SINGLE MEMBER INDUSTRIAL COMMERCIAL TECHNICAL COMPANY (TERNA ENERGY S.M.S.A.), MEMBER OF MASDAR GROUP |
| Headquarters | 85, Mesogeion Ave., PC 11526, Athens |
| Telephone | +30 210 6968300 |
| info@terna-energy.com | |
| Website | www.terna-energy.com |
2. DATA PROTECTION OFFICER (DPO)
In accordance with Article 37 of the GDPR, the Company has appointed a Data Protection Officer (DPO). For any issue related to the processing of your data or the exercise of any of your rights, please contact:
E-MAIL: dpo@terna-energy.com Postal Address: 85 Mesogeion Ave., PC 11526, Athens, tel: 2106968353
3. PURPOSE OF PROCESSING AND LEGAL BASIS
3.1 Purpose
The Company uses a closed circuit video surveillance (CCTV) system exclusively for the purpose of protecting the safety of persons and goods in its facilities. Specifically:
3.2 Legal basis – Legitimate Interests (Article 6 (1) (f) GDPR)
The processing is based exclusively on the legitimate interests of Article 6 (1) (f) of the GDPR, following a balancing test in accordance with the guidelines of Articles 5 and 6 of the GDPR and the relevant instructions of the DPA.
3.3 Analysis of legitimate interests – proportionality test
What we seek: Protection of spaces, goods and people from illegal actions of third parties and ensuring a safe workplace.
Necessity: Video surveillance is a necessary and proportionate measure, as alternatives (e.g. simple human custody) do not provide an equivalent effect and entail more extensive data processing.
Weighting: The legitimate security interests prevail over the conflicting interests of the subjects, given that: (a) the processing is limited to the necessary image capture, (b) any camera in sensitive/private areas (WCs, rest areas) is avoided, (c) the data is kept for the minimum time required, (d) full information is provided through signage.
4. DATA MINIMIZATION PRINCIPLE – CAMERA LOCATION
According to the principle of data minimization (Article 5 par. 1 (c) of the GDPR) and the Instructions of the DPA:
5. LABELLING OBLIGATION (INFORMATION SIGNS)
According to Directive 1/2011 of the HDPA and Article 13 of the GDPR, visible information signs (Signs) must be placed at every entrance of each supervised area, in a visible place. Each sign shall include at least:
This extended update (second layer) complements the signs and is available electronically on the Company’s website and in print upon request.
6. DATA RECIPIENTS
Video surveillance material is accessible exclusively from:
6.1 Authorized Company personnel
Competent security and facility management personnel, based on an explicit assignment and duty of confidentiality.
6.2 Custody companies – Processors (Article 28 GDPR)
External security companies that undertake the operation and control of the CCTV system on behalf of the Company. A written contract of processor is concluded with each external provider in accordance with Article 28 of the GDPR, which guarantees an equivalent level of protection, commits the provider to act exclusively at the behest of the Company and prohibits any further use.
6.3 Principles – Exceptional transfer
The material is not transmitted to third parties, except in the following cases, based on a legal obligation (Article 6 par. 1 (c) GDPR):
6.4 Data transfer outside the EEA
No transfer of CCTV image data to third countries outside the European Economic Area (EEA) takes place.
7. DATA RETENTION
According to the principle of storage restriction (Article 5 par. 1 (e) GDPR) and Directive 1/2011 of the HDPA:
| Occasion | Shelf life |
| Normal operation (no incident) | 15 days from download – automatic deletion |
| Identified Security Incident (Company) | Up to 30 days from the detection – isolated file |
| Incident involving a third party | Up to 3 months from the detection – isolated file |
| Pending legal proceedings / court order | Until further order of a competent authority or court |
After the end of each period, the data is permanently deleted with secure, irreversible procedures. A deletion record is kept for accountability reasons (Article 5 par. 2 GDPR).
8. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (ARTICLE 32 GDPR)
The Company takes and implements all necessary technical and organizational measures for the protection of video surveillance material. In particular, physical security measures of the systems, access control and recording mechanisms, encryption techniques as well as contractual protection measures, such as the conclusion of confidentiality and security agreements with any person who has authorized access to the video surveillance data, are in place.
At the same time, staff involved in the processing or management of the relevant data receive regular training on personal data protection and information security issues.
In the event of a personal data breach, an internal incident management procedure is applied, which provides for the immediate assessment and recording of the incident and, if necessary, the notification of the breach to the Personal Data Protection Authority within seventy-two (72) hours, in accordance with Article 33 of the General Data Protection Regulation (GDPR).
9. IMPACT ASSESSMENT (DPIA – ARTICLE 35 GDPR)
For video surveillance systems that involve systematic monitoring of a publicly accessible space or large-scale processing, the Company evaluates the obligation to carry out a DPIA in accordance with the HDPA list (Decision 65/2018) and the regulatory framework.
If an obligation is established, the DPIA shall be carried out before the system becomes operational and shall be updated in any material change.
10. RIGHTS OF DATA SUBJECTS
Under Articles 15–22 of the GDPR, the natural persons whose image is taken have the following rights. You can exercise them by sending a request to the DPO (email or post). The Company responds within 1 month (with the possibility of a 2-month extension for complex requests – Article 12 par. 3 GDPR). The examination of requests is free of charge (except for excessive/unfounded requests).
| Right | Content in the CCTV box | GDPR |
| Access | Confirm if we are processing your image + copy | Article 15 |
| Correction | Not applicable (image not corrected) | Article 16 |
| Deletion | Request for deletion under the conditions of Article 17 | Article 17 |
| Restriction | Cessation of processing, e.g. to establish a legal claim | Article 18 |
| Portability | Not applicable (basis: legitimate interests, not contract/consent) | Article 20 |
| Opposition | Object to Continuation of Processing | Article 21 |
| Manual. decision | No automated decision-making | Article 22 |
10.1 Practical guidance for exercising the right of access
In order for us to consider a request for access to an image that concerns you, you must provide us:
Alternatively, you are given the option of
personal visit to our premises to demonstrate the relevant images in the presence of the DPO, while covering any other persons depicted.
10.2 Objection / Deletion
Exercising the right to object or delete does not entail automatic and immediate deletion. The Company examines the request, weighs any conflicting legal interests (e.g. pending criminal proceedings) and informs you in detail within the deadlines of Article 12 GDPR.
11. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY (ARTICLE 77 GDPR)
If you consider that the processing of your data violates the GDPR or applicable law, you have the right to lodge a complaint with the competent supervisory authority:
Hellenic Data Protection Authority (HDPA) Address: 1–3 Kifisias Str., 11523, Athens Tel.: +30 210 6475600 Fax: +30 210 6475628 Email: complaints@dpa.gr
To lodge a complaint with the Authority: Lodge a complaint with the Authority | Hellenic Data Protection Authority
Before any complaint, we encourage you to contact our DPO first for an amicable resolution.
12. UPDATE OF THIS UPDATE
This update is revised when required due to changes in legislation, supervisory authorities’ instructions or the way the CCTV system operates. The update is always posted on www.terna-energy.com website.
Current version: February 2026 | Next scheduled review: February 2027
For any request or query please contact the DPO:
85, Mesogeion Ave., PC 11526, Athens