1. Context and Controller
As Eurojust collects and further processes personal data with the use of a CCTV monitoring system for security and safety purposes, such processing is subject to Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Collection and processing of personal data via CCTV system for security and safety purposes are under the responsibility of the Controller, who is the Head of Security Unit and can be contacted at firstname.lastname@example.org.
2. What personal information do we collect, for what purpose, under which legal basis and through which technical means?
a) Legal basis
The legal basis for the processing operations on personal data is:
- Articles 3 to 5 of the Seat Agreement concluded between the Kingdom of the Netherlands and Eurojust of 15 March 2006, in relation to inviolability, protection and special services to the Eurojust Headquarters;
- Rec. (22) of the Regulation 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data: ‘Processing of personal data for the performance of tasks carried out in the public interest by the Union institutions and bodies includes the processing of personal data necessary for the management and functioning of those institutions and bodies’;
- Articles 5(1)(a) of the Regulation 2018/1725, where processing is necessary for performance of tasks in the public interest assigned by Union legislation, as well as Articles 33 and 91 of the same Regulation;
- Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) (‘Eurojust Regulation'), in particular Articles 30 and 72; and
- College decision 2016-4 adopting the revised security rules of Eurojust, College decision 2016-24 amending the Security Rules of Eurojust.
b) Purpose of the processing
The security- and safety-related systems protect the Eurojust building and key Eurojust assets, i.e. persons working and visiting Eurojust, physical assets, and information. The CCTV is one of these systems. It processes personal data for the following purposes:
- ensuring that only authorized persons enter the Eurojust premises and the specific security zones within;
- detecting any attempt of an unauthorised person to enter security zones;
- keeping a temporary record of access events to investigate potential security and safety incidents;
- monitoring main evacuation routes to ensure that they are at all times clear and accessible;
- investigating security and safety incidents;
- monitoring access to and areas containing critical technical infrastructure (e.g. data centres) and safety installations; and
- investigating system malfunctions.
CCTV is not used for monitoring/assessing/checking the work/behaviour of Eurojust post-holders.
c) Technical means
Your personal data is collected when you enter Eurojust premises. The CCTV records activity at the fenced exterior of the plot, access points, parking and the public areas. It also covers specific locations as part of the emergency evacuation routes in the physically protected areas. The information is processed by Eurojust post-holders and transferred to isolated secure systems (as described in point 4.) under the responsibility of the Controller.
d) Types of personal data
Images collected and further processed concern personal and vehicle activity in the control areas.
3. Who has access to your personal data and to whom is it disclosed?
For the purpose detailed above, access to your personal data is given to the following persons:
- duly authorised Eurojust post-holders in the Security Unit; and
- duly authorised (outsourced) security guards operating Eurojust security systems.
It may also be disclosed to the security services of other European institutions or to security, judicial, or law enforcement authorities of EU Member States for the purpose of ongoing inquiries or to investigate or prosecute criminal offences.
4. How do we protect and safeguard your information?
Appropriate technical and organisational measures are in place to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be processed. These measures notably prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and any other unlawful forms of processing.
The main measures are as follows:
- The system is segregated from the rest of the building and Eurojust ICT infrastructure. It is placed in a standalone ICT network, which is not connected to the internet or any other internal network.
- The data processing capabilities are installed in specially protected areas. Access to such areas is given only to duly authorised personnel.
- All the personnel having access to the CCTV system have signed confidentiality undertakings.
5. How can you verify, modify or delete your information?
You have the right to access, rectify or erase or restrict the processing of your personal data or, where applicable, the right to object to processing or the right to data portability in line with Regulation (EU) 2018/1725.
Any such request should be directed to the Controller by using the email address email@example.com, and by explicitly specifying your request.
6. How long do we keep your personal data?
Your personal data is automatically deleted after 14 days.
7. Contact information
In case of queries regarding the processing of personal data, the Eurojust Data Protection Officer can be contacted via the email address firstname.lastname@example.org.