Camera Policy

1.1. The Controller conducts photo and video recording using an electronic surveillance system for the protection of property, the protection of human life and physical integrity, and to support the investigation of complaints and inquiries. The Controller has a legitimate interest in ensuring that these protective functions and the support of complaint handling are continuously guaranteed. This legitimate interest of the Controller takes precedence over any potential restrictions on the Data Subjects.

1.2. The recordings are stored and retained for a maximum of 30 (thirty) days from the time of recording, based on the Controller’s relevant internal policy and the legitimate interest assessment conducted.

1.3. Summary table of data processing:

Scope of Personal Data Processed	Legal Basis for Processing	Purpose of Processing
- Photo and video footage - Date and time of recording	Legitimate interest of the Controller (GDPR Article 6(1)(f))	Protection of the Controller's property, protection of human life and physical integrity, support for the investigation of complaints and inquiries.

1.4. Information regarding specific camera groups:

Camera Location	Camera View (Observed Area)	Purpose of Data Processing
Front Counter	Gelato counter, entrance doors, front guest area	Asset protection, safety of life/limb, complaint investigation support
Front Counter	Pastry counter, cashier, front and middle guest area, coffee counter	Asset protection, safety of life/limb, complaint investigation support
Inner Counter	Front and middle guest area, coffee counter, cashier	Asset protection, safety of life/limb, complaint investigation support
Inner Counter	Rear guest area, serving cabinet	Asset protection, safety of life/limb, complaint investigation support
Rear Sink	Rear sink area	Asset protection, safety of life/limb, complaint investigation support
Kitchen	Kitchen	Asset protection, safety of life/limb, complaint investigation support

 

2.1. The Controller DOES NOT ENGAGE a data processor for the operation of the electronic surveillance system.

2.2. The data may be accessed by the Company’s employees in order to perform their duties and to the extent necessary for such performance.

2.3. The Company releases data to third parties only based on legal authorization (e.g., police request) or with the explicit consent of the Data Subject.

3.1. The Controller protects personal data particularly against unauthorized access, alteration, disclosure, deletion, damage, or destruction.

3.2. The recording of personal data and its continuous overwriting after the retention period expires takes place in a protected IT environment.

4.1. Access to recordings is restricted solely to the Company’s authorized employees for asset protection and security purposes.

4.2. The name of the person viewing the recorded image or personal data, or otherwise authorized to access it, as well as the reason and time of access, must be recorded in a log. An electronic register containing this data in a verifiable manner also qualifies as a log. (Security Services Act § 31)

5.1. No automated decision-making, including profiling, takes place during data processing.

6.1. The Data Subject may request from the Controller:
a) access to personal data concerning them,
b) rectification of their personal data, and
c) deletion of their personal data (except for mandatory processing) or restriction of processing.

6.2. Right of Access: The Data Subject is entitled to receive feedback from the Controller as to whether their personal data is being processed and, if so, to access the personal data.
Any person whose right or legitimate interest is affected by the photo/video recording may, within 30 (thirty) days of the recording, request that the data not be destroyed or deleted by proving their right or legitimate interest.
Upon request by a court or other authority, the recorded footage must be sent to the court or authority without delay. If no official request is received within thirty days of the request for non-destruction, the footage must be destroyed/deleted.

6.3. Right to Rectification: The right to rectification is not interpretable in the context of the electronic surveillance system.

6.4. Right to Erasure: The Data Subject is entitled to request the deletion of personal data if:
a) the data is no longer necessary for the purpose collected;
b) the Data Subject objects to the processing and there is no overriding legitimate ground;
c) the data has been unlawfully processed.
Note: Data recorded by the system cannot be deleted within the retention period (30 days) due to the nature of the system unless specific legal conditions are met.

6.5. Right to Restriction of Processing: The Data Subject may request restriction if:
a) the accuracy of data is contested;
b) the processing is unlawful and the Data Subject opposes erasure;
c) the Controller no longer needs the data, but the Data Subject requires it for legal claims.

6.6. Right to Data Portability: Not applicable to the electronic surveillance system.

6.7. Right to Object: The Data Subject has the right to object at any time to the processing of their personal data based on legitimate interest.

7.1. You may lodge a complaint with the Company, the National Authority for Data Protection and Freedom of Information (NAIH), or turn to a court.

7.2. Controller Contact Details:

• Name: Hello Pink Kft.
• Address: 1051 Budapest, Hercegprímás utca 6.
• Representative: Bernadett Brunner, Managing Director
• E-mail: office (at) hellopink.hu

7.3. Authority Contact Details (NAIH):

• Address: 1055 Budapest, Falk Miksa utca 9-11.
• Mailing address: 1363 Budapest, Pf.: 9.
• E-mail: ugyfelszolgalat@naih.hu
• Website: https://naih.hu