CCTV Policy
POLICY
on the processing of personal data
through the video surveillance system
I. PURPOSE OF THE POLICY:
- This policy serves to raise awareness and inform data subjects (employees, patients, third parties/visitors, etc.) regarding the processing of their personal data through the CCTV video surveillance system (Closed-Circuit Television) installed in the premises/areas of the Integrative Medicine Clinic of the same name, managed by QUANTICA 720 LIFETECH SRL.
- Specifically, this policy establishes:
- A unified set of objectives, principles, and rules governing the use of the video surveillance system for the following purposes:
- Ensuring the safety, security, and integrity of the data subjects and guaranteeing their rights under and in the spirit of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, by QUANTICA 720 LIFETECH SRL as Data Controller;
- Ensuring security and perimeter protection, in accordance with applicable law and the legitimate interests of QUANTICA 720 LIFETECH SRL;
- The responsibilities for the administration and operation of video surveillance systems, as well as for the preparation, review, and approval of the documents related to these activities.
The CCTV Policy describes the principles, rules, and practices followed by QUANTICA 720 LIFETECH SRL and all persons it interacts with regarding the administration and use of the video surveillance system.
Furthermore, this policy describes the organizational measures implemented by the Controller to protect personal data, privacy, and other fundamental rights of natural persons.
II. SCOPE OF APPLICATION:
The policy applies to or in connection with video surveillance activities. It shall be applied, within their respective competencies, by:
- the management of QUANTICA 720 LIFETECH SRL;
- personnel with duties in their Job Description related to reviewing DVR/NVR recordings, as applicable;
- personnel responsible for the maintenance of the surveillance system;
- other persons within QUANTICA 720 LIFETECH SRL designated with the authority to view CCTV recordings.
III. CONDITIONS OF LEGITIMACY
QUANTICA 720 LIFETECH SRL processes personal data through CCTV systems installed in these facilities, in compliance with the legal provisions in the field.
- Normative references:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
- Law no. 190/2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Law no. 333 of 8 July 2003 on the Guarding of Objectives, Goods, Values and the Protection of Persons, with subsequent amendments and additions, together with the Methodological Norms for its application;
- Decision of the National Supervisory Authority for Personal Data Processing (hereinafter ANSPDCP) no. 174/2018 regarding the list of operations for which a data protection impact assessment is mandatory (Art. 1, letter c);
- Guidelines of the European Data Protection Supervisor on video surveillance, published on 17 March 2010, Brussels.
- Use of the video system:
- The use of the CCTV system within the Integrative Medicine Clinic is necessary not only for the proper management and operation of the Controller (QUANTICA 720 LIFETECH SRL) but especially for security and guarding control, as described in Section V, point 1, below.
- It is important to mention that the Operator’s development is based on the management’s intention to clearly define the extent to which strategies and specific courses of action are followed, while ensuring the integrity and security of data subjects and of the premises where specific activities take place.
- The CCTV system installed at the Integrative Medicine Clinic contributes to achieving these objectives.
- Transparency:
- Each employee of the QUANTICA 720 LIFETECH Integrative Medicine Clinic is aware of the CCTV system installed at this location (entrances to the Clinic and Reception are monitored) and has been informed accordingly throughout their employment.
- Likewise, every patient/visitor/third party (collaborators, service providers, representatives of contractual partners, etc.) within the Clinic has the fundamental right to know how the CCTV system operates and for what purposes it is used in relation to their person.
- If the data collected through the CCTV system could affect the privacy of data subjects accessing the Clinic, they have the right to intervene regarding their personal data, except where the facts or actions captured by the system violate the law or the Operator’s Internal Regulations.
- Periodic reviews: An annual review will be carried out by the structures responsible for ensuring security and will reassess:
- the necessity of maintaining the systems in use;
- the fulfillment of the declared purposes;
- possible suitable alternatives to the CCTV systems;
- whether this Policy still complies with Regulation (EU) 2016/679, i.e., whether it remains up to date.
IV. MONITORED AREAS
- Through the CCTV systems, the following may be monitored:
- Access routes to the Clinic;
- The Reception area of the Integrative Medicine Clinic;
- Recording devices are placed in secured, locked areas to minimize the risk of theft of storage media.
- Areas with a high expectation of privacy, such as toilets or changing rooms, are not monitored.
- Exceptionally, in cases of justified security needs or essential management requirements of the Operator, video cameras may be installed in such places (excluding those that would reveal personal intimacy), but only after a Data Protection Impact Assessment and prior consultation of the Data Protection Officer (DPO) or, if applicable, ANSPDCP.
V. PERSONAL DATA COLLECTED THROUGH VIDEO SURVEILLANCE
- Purpose of video surveillance:
- The CCTV system monitors access to the premises of the Integrative Medicine Clinic managed by the Operator and the Reception area, ensuring the safety, security, and integrity of the data subjects and the assets inside the video-monitored premises.
- The main purpose of the video surveillance system is to deter, detect, document, prevent, or delay any attempt of unauthorized access to the premises or protected area.
- In addition, the system helps prevent, detect, and document potential thefts of equipment or property owned by the Operator and/or prevent, detect, and investigate risks and threats to the employees working at the monitored site.
- Purpose limitation:
- The video surveillance system is not used for purposes other than those mentioned above. However, in the event of a labor dispute, legally obtained DVR/NVR recordings may be used to ascertain and establish the truth.
- The system may also serve as an investigative or evidentiary tool in internal investigations or disciplinary procedures, especially in cases of physical security incidents or observed criminal behavior (in cases of criminal activity, relevant recordings will be provided to law enforcement authorities, in compliance with legal provisions).
- Special categories of data:
- Generally, the CCTV system does not capture (e.g., through selective focus or orientation) or process images (e.g., through indexing or profiling) that would reveal “special categories of data” (e.g., a person’s health status).
- Description and technical specifications of the systems:
- The installed video surveillance system is static. It records images and is equipped with motion sensors. It can record any movement detected by cameras within the monitored perimeter, along with date, time, and location.
- All cameras operate 24 hours a day, 7 days a week.
- The image quality allows for recognition of those passing through the monitored area. Trained staff must respect privacy settings and access rights.
- There is no interconnection with other surveillance systems, and no audio is recorded.
- Access to the space housing the recording and storage equipment is strictly limited to personnel specifically authorized by management.
- Benefits of the surveillance systems:
- Improved control and security in monitored areas;
- Restricted access of unauthorized individuals (outside the Clinic’s working hours);
- Reduction of losses caused by unforeseen events and/or identification of those responsible for such incidents;
- Achievement of QUANTICA 720 LIFETECH SRL’s legitimate interest in protecting its image and documenting matters that would otherwise be impossible to evidence.
VII. PRIVACY AND INFORMATION SECURITY PROTECTION
To ensure the security of the video system and enhance privacy protection, the following technical and organizational measures have been implemented:
- recording storage equipment (servers) is located in secured areas protected by physical and mechanical security measures;
- access rights are granted based on the “need-to-know” principle and only for resources necessary to perform assigned duties;
- only management, upon recommendation from the designated system administrator, may grant, modify, or revoke user access rights, in accordance with the “need-to-know” principle;
- the system administrator maintains an updated list of all individuals with access rights to the video surveillance system, specifying type and level of access;
- external personnel authorized for CCTV maintenance (when applicable) must sign a confidentiality agreement;
- the Data Protection Officer (DPO) of QUANTICA 720 LIFETECH SRL will be consulted prior to purchasing or installing any new video surveillance system or component;
- periodic checks are performed on system access, with documented analysis of the legality of access.
VIII. ACCESS TO AND DISCLOSURE OF PERSONAL DATA
- Access rights:
- Access to stored images and/or the technical infrastructure of the surveillance systems is limited to a small number of individuals, determined by their Job Description and based on the Operator’s management decision.
- Access to classified information is granted individually, based on the necessity to perform specific duties involving such information.
- QUANTICA 720 LIFETECH SRL imposes limits on staff authorized to view live footage. Real-time viewing serves only for guarding and protecting employees accessing the Clinic’s premises. Any other real-time viewing requires access rights and must be logged in an Access Record Register.
- Viewing of recordings is permitted only to personnel specifically authorized by management.
- Playback of recorded footage (DVR/NVR) will be done only for justified reasons, such as those explicitly provided by law or in case of security incidents, by specially authorized staff.
- Copying, downloading, deleting, disseminating, or modifying any recorded material is prohibited unless expressly authorized by management and the data subject is informed beforehand, except where otherwise provided by law.
- Training:
- All personnel with access rights receive initial specialized training in personal data protection.
- This procedure is part of the ongoing training and guidance program for all users with access rights and CCTV operational responsibilities.
- The CCTV system administrator ensures all staff involved in its operation are trained and informed on all functional, operational, and administrative aspects.
- Disclosure of personal data:
- Any disclosure of personal data to third parties will be documented and carefully analyzed regarding both the necessity of communication and compatibility between the requested and original processing purposes.
- In such cases, the Data Protection Officer (DPO) will be consulted. Each disclosure must be recorded by the system administrator in a Register of Records.
- QUANTICA 720 LIFETECH SRL is obliged to provide video recordings to law enforcement authorities upon written request when a possible unlawful act has been recorded. Following disclosure, unless otherwise provided by law, the data subject will be informed about the recipients and purpose of the disclosed video footage.
- In exceptional cases, with the above safeguards respected, access to DVR/NVR recordings may be granted to the Disciplinary Committee during an internal investigation, provided the information is relevant to investigating a disciplinary offense affecting the rights, freedoms, or legitimate interests of the Operator.
- Any breach of security regarding the video surveillance system is recorded in the Security Incident Register, and the DPO of QUANTICA 720 LIFETECH SRL is informed as soon as possible.
IX. STORAGE PERIOD
- The retention period for DVR/NVR recordings is proportional to the purpose for which the CCTV system is used. Recordings are stored for a maximum of 30 days, after which they are automatically deleted in the order they were recorded.
- In the event of a security incident or a criminal investigation, the retention period for relevant recordings may exceed the normal limit depending on the investigation’s duration.
- Data and image retention is thoroughly documented, and the need for retention is periodically reviewed.
X. CONTROL MECHANISMS OVER THE VIDEO SURVEILLANCE SYSTEM
- The DVR/NVR is secured with an administrator password and automatic data encryption, along with other conventional security systems (e.g., lockout after incorrect password attempts). Physical inspections occur annually.
- Periodic change of access passwords to the surveillance system:
- When a person is granted access rights to the DVR/NVR, a personal user profile is created, allowing them to log in to view recordings.
- When their access is revoked (e.g., when leaving employment with QUANTICA 720 LIFETECH SRL), the user profile will be deleted.
- This ensures that the individual no longer has access to the administrator password used to manage the video surveillance cameras.
XI. RIGHTS OF THE DATA SUBJECT
- QUANTICA 720 LIFETECH SRL guarantees the observance of the rights of data subjects in accordance with Regulation (EU) 2016/679 and the national legislation in force.
- Informing the data subjects:
- Data subjects within the Integrative Medicine Clinic are first informed clearly, consistently, and permanently through an appropriate sign, such as a pictogram, placed visibly and strategically in the monitored area, so as to signal the existence of surveillance cameras and to communicate essential information in accordance with Article 14 of Regulation (EU) 2016/679.
- Data subjects are informed about the existence of the video surveillance systems and the Controller through the corresponding Information Notice, which includes the purpose of the processing and identifies QUANTICA 720 LIFETECH SRL as the Data Controller.
- The Data Protection Officer (DPO) shall ensure that all notices are updated so that they correspond to the existing reality.
- Exercising the rights of access, intervention, and objection:
- Throughout the entire data storage period, data subjects have the right to access the personal data concerning them and held by QUANTICA 720 LIFETECH SRL, to request intervention (deletion/update/rectification/anonymization), or to object to the processing, in accordance with the law.
- Any Request to exercise a right under Regulation (EU) 2016/679 resulting from the use of the video surveillance system must be addressed to QUANTICA 720 LIFETECH SRL, and a copy of it sent to the Data Protection Officer (DPO).
- The response to a request for access, intervention, or objection shall be provided within a maximum of 30 days. If this deadline cannot be met, the data subject will be informed of the reason for the delay and of the procedure that will be followed to resolve the request.
- The recordings provided based on an Access Request will be clear, as far as possible, provided that the rights of third parties are not affected (the data subject will be able to view only their own image; images of other persons appearing in the recording will be edited so that recognition and/or identification are not possible).
- In the case of such a request, the data subject is required to identify themselves beyond any doubt (by presenting an identity document when attending the viewing), and to specify the date, time, location, and circumstances under which they were recorded by the CCTV system.
- The right of access may be refused where legal exceptions apply.
- The need to restrict access may also arise where it is necessary to protect the rights and freedoms of third parties — for example, if other individuals appear in the images and their consent cannot be obtained, or if their non-relevant personal data cannot be removed through image editing.
Edition: 1 / 2025
Revision: annual