Your cart is empty
This English section is a translation of the Greek CCTV policy text. In case of interpretation differences, the Greek source text should be used as the controlling version, unless the Company decides otherwise.
Xalkiadakis Société Anonyme Commercial and Industrial Company
CCTV System Protection Policy
Trade name: XALKIADAKIS S.A.
Registered office: 1st km Gazi - Krousonas
Effective from: 29/05/2026
Version: 1.0 - updated final version
| Field | Value |
|---|---|
| Data Controller | Xalkiadakis Société Anonyme Commercial and Industrial Company (XALKIADAKIS S.A.) |
| Contact for personal data | dpo@xalkiadakis.gr |
| Contact person / DPO | Styliani Chnaraki / dpo@xalkiadakis.gr |
| Receipt of requests for access to video footage | Security Officer of Xalkiadakis S.A. |
| Approval of extraction or disclosure of footage to authorities | Through the DPO and the Security Officer of XALKIADAKIS S.A. |
| Periodic review | Annually by the DPO, Legal Department, IT, Security Team and Internal Audit. First review: 29/05/2027, or earlier if the system or regulatory framework changes. |
This policy describes the use of video surveillance systems (CCTV) by Xalkiadakis Société Anonyme Commercial and Industrial Company (XALKIADAKIS S.A.), as well as the technical and organisational measures implemented to protect personal data, privacy and the legitimate interests of natural persons who may be recorded.
The CCTV system is used exclusively for the protection of persons and goods, the security of facilities, the prevention and investigation of security incidents, and the protection of the Company’s property.
This policy does not cover and does not permit audio recording, sound recording or audio transmission. It also does not permit the use of the system for employee performance monitoring, monitoring of work behaviour or attendance control.
XALKIADAKIS S.A. applies Regulation (EU) 2016/679 (GDPR), Greek data protection legislation, and the relevant guidelines and decisions of the competent supervisory authority.
The processing is based on the Company’s legitimate interest in protecting persons, facilities, goods and information. Before the use or extension of the system, the necessity and proportionality of the processing are assessed, as well as the availability of less intrusive alternative measures.
This policy is made available to interested persons and competent authorities upon request, while the basic information is provided through visible notices in the areas under video surveillance.
The policy is reviewed annually by the DPO, Legal Department, IT, Security Team and Internal Audit, or earlier if there is a material change in the CCTV system, the scope of surveillance or the applicable regulatory framework. The first review is scheduled for 29/05/2027, or earlier if the system or regulatory framework changes.
This policy applies to all XALKIADAKIS S.A. facilities where a CCTV system operates, in particular the following categories of areas:
Cameras are installed only at points where monitoring is necessary and proportionate for the security purpose. Indicative coverage zones include:
Cameras do not operate in areas where there is a high expectation of privacy, such as changing rooms, sanitary facilities, staff rest areas or areas used exclusively for office work, unless there is a specific, documented and proportionate security need, following prior assessment and notification of the DPO.
Installation points are periodically reviewed so that the coverage of areas not related to the purposes of this policy remains the minimum possible.
The CCTV system records digital images from the monitored zones, as well as related technical metadata, such as date, time and capture point. Where required for security reasons, the image quality may allow the identification of persons within the covered zone.
The cameras operate on a 24/7 basis and provide both live viewing and image recording. No audio recording is carried out. The technology used consists of IP/network cameras, with local storage per store or facility.
Remote access is permitted only to the Security Team and is performed through a secure connection, with appropriate access control mechanisms.
The Company does not use the CCTV system to capture or further process images revealing special categories of personal data, nor does it apply intelligent video analytics, biometric identification, facial recognition or mass data mining technologies.
The CCTV system is used exclusively for security and protection purposes. In particular, it contributes to:
The system is not used for productivity monitoring, employee evaluation, attendance control or human resources decision-making. By exception, CCTV footage may be used in the context of an internal investigation or disciplinary procedure only where the incident is directly connected with physical security or the protection of goods and the principles of necessity, proportionality and minimisation are observed.
Access to live images and recorded footage is restricted to a small number of clearly defined persons, based on the need-to-know principle and their official duties.
| Role | Indicative scope of access | Restrictions |
|---|---|---|
| Security Officer | Approval of access, viewing, extraction and disclosure of footage where required. | Each action must be documented and linked to a specific incident or lawful request. |
| Security Team | Live viewing, remote access and search of footage for security reasons. | Access is performed through a secure connection, with credentials and periodic user review. |
| Store Manager | View-only access to the CCTV of the relevant store, where required for the immediate management of a security incident. | No extraction, copying, disclosure, deletion or alteration of footage is permitted without approval through the DPO and the Security Officer. |
| DPO / data protection contact | Involvement in the management of data subject requests, incidents and compliance checks. | No operational access to the footage, unless required for a specific request or audit. |
The extraction or disclosure of video footage is permitted only where necessary for a specific security incident, for the establishment, exercise or support of legal claims, or following a lawful request by a competent authority.
Each extraction of footage is approved through the DPO and the Security Officer of XALKIADAKIS S.A. and is documented in a register, which includes at least: date, requester, purpose, time period of footage, capture point, legal basis, approving person, recipient and method of disclosure or storage.
Disclosure to police, prosecutorial, judicial or other competent authorities is carried out only where there is a legal basis or lawful request. The DPO and the Security Officer are involved in the approval and documentation process, especially where the disclosure may affect the rights of data subjects or third parties.
Extracted footage is stored securely, limited to the strictly necessary time and spatial scope, and deleted when the purpose of retention ceases, unless longer retention is required by law or by an active investigation process.
At minimum, the following measures are applied to protect the CCTV system and personal data:
Training of personnel who have access to the system or are involved in request management.
Local storage per store or facility with appropriate physical and logical security.
Recording and documentation of actions involving extraction, disclosure and extended retention of footage.
Notification or involvement of the DPO before any material extension or change of the CCTV system.
Any security breach incident involving the CCTV system is recorded, assessed and handled in accordance with the internal personal data incident management procedure.
Recorded video footage is retained for up to seven (7) days. After this period has elapsed, the footage is automatically deleted through an overwrite process, unless further retention is required for a specific security incident or lawful procedure.
In the event of a security incident, the relevant extract may be retained for a longer period only to the extent necessary for the investigation, documentation or exercise of legal rights. Extended retention is documented and reviewed periodically.
The Company applies a multi-layered notice approach. Information signs containing the basic information on the processing are posted at visible points before entry into, or within, the areas under video surveillance.
The information signs include at least the existence of CCTV, the identity of the Data Controller, the purpose, the legal basis, the retention period, contact details for exercising rights and a reference to the full notice.
The full policy is made available to interested persons through the corporate website, through the QR code on the relevant information signs and upon request at dpo@xalkiadakis.gr.
Natural persons who may be recorded by the CCTV system have the rights provided under the GDPR, in particular the rights to information, access, restriction of processing, objection and, where applicable, erasure. Requests are submitted to dpo@xalkiadakis.gr.
Requests are managed by the DPO. The Company sends an acknowledgement of receipt within 48 working hours from receipt of the request. The substantive response is provided within one (1) month, with the possibility of extension where permitted by the applicable framework.
To search for relevant footage, the requester must provide sufficient identification details and specify, to the extent possible, the date, time, location and circumstances of the possible recording. A recent photograph may also be requested, exclusively for the purpose of locating the requester in the footage.
Access to footage may be limited or refused where required to protect the rights of third parties, avoid obstruction of an investigation, ensure facility security or for another lawful reason. Where third parties appear in the footage, appropriate masking techniques are applied, where feasible and proportionate.
Every data subject has the right to contact the Company at dpo@xalkiadakis.gr regarding any matter relating to processing through CCTV. They also have the right to lodge a complaint with the competent data protection supervisory authority, if they consider that the processing infringes the applicable framework.
ATTENTION - THIS AREA IS UNDER VIDEO SURVEILLANCEData Controller: Xalkiadakis Société Anonyme Commercial and Industrial Company (XALKIADAKIS S.A.)Purpose: Protection of persons, facilities and goods.Legal basis: Legitimate interest for security reasons.Retention period: Up to 7 days, unless further retention is required due to a security incident or lawful procedure.Exercise of rights / information: dpo@xalkiadakis.grFull notice: corporate website / QR code on the information signs.
The following template is used to document every extraction, disclosure or extended retention of video footage:
The following notice template is added as an appendix to the policy.
Your cart is empty
