Purpose and scope of this statement
To strengthen the security of OTG's assets, buildings, employees, guests and tenants, camera surveillance is used at OTG's hotels, shopping malls and properties. This policy only applies to camera surveillance where OTG is the data controller for the personal data that is processed. The statement describes the system, the principles for use and the security measures that have been put in place to ensure the personal security of the people who are filmed. The policy defines roles and responsibilities in the implementation and use of camera surveillance, as well as the processing of personal data that coincides with this and covers all cameras that are set up regardless of whether they are active, or even defective/fake.
The statement is based on guidelines from the European Data Protection Authority (EDPB) and the Norwegian Data Protection Authority.
Processing of personal data using camera surveillance
Description of cameras and system
Digital images without recording of sound, motion detection, 24/7 surveillance, medium to low resolution placed in entrances, hubs and places where unlivable events or accidents occur.
Areas under surveillance
OTG's hotels, shopping malls, commercial properties and entrances to rental homes can make use of camera surveillance in the following locations:
• Fire doors, escape routes, roofs, emergency exits, garage, façade, and entrance.
• Elevator, warehouse, corridors, and common areas
• Front desk, restaurant/bar, payment areas
• Exceptions at pools, gyms, and spas
• Please note that our tenants can set up their own cameras in their own rented premises. They are not covered by this statement.
Purpose of the camera surveillance
OTG uses camera surveillance to prevent and solve crime and accidents, secure OTG's and their guests / visitors' assets and assets, and maintain the safety of employees, guests, and visitors.
Purpose limitation
Camera surveillance is not used for any purpose other than those mentioned above. Camera surveillance shall not be used for the following purposes:
- For monitoring employee work or attendance
- As an investigation/analysis tool unless:
- There is suspicion of possible offences.
- The data collected can be anonymized.
Legal basis
The legal basis for the use of camera surveillance is OTG's legitimate interest. OTG must always weigh the use of camera surveillance against the privacy of those who are filmed using a balance test.
Special categories of personal data
For the purposes and justification for which OTG operates camera surveillance, Article 9 of the GDPR on special categories of personal data will not apply, even though cameras will at irregular intervals capture special categories (persons in wheelchairs, people with religious garments or symbols, T-shirts with trade union logos, etc.). The basis for this is long-standing Norwegian practice, Norway's view of the GDPR when the GDPR was introduced and the European Data Protection Board's (EDPB) guidelines.
Rights of data subjects
Information (signage)
Information about camera surveillance is provided in two cases:
- Signs in places where camera surveillance takes place.
- By this statement, which is published on the intranet and the internet.
The signs will have a size, location and a number that makes it easy to see that the area is monitored. Preferably, they are placed so that they can be easily seen where one enters the monitored area. It should be simple and understandable which areas are monitored. Inside buildings, for example, there will be a new alert if the surveillance continues in new zones or rooms.
Insight
To exercise these rights, please contact our Data Protection Officer at .
Privacy statement
For other information about the processing of personal data in OTG and associated shopping centres, hotels and other businesses that are owned by more than 50% of OTG, please refer to OTG's privacy policy, which can be found here.
Disclosure and transfer (dissemination)
Any disclosure / transfer of recordings or personal data to anyone outside the security team must be carefully assessed according to current procedures and documented. If in doubt, contact the security manager or data protection officer.
Personal data collected through camera surveillance may only be disclosed to parties other than the data controller if one of the following conditions is met:
a. the person(s) depicted agrees,
b. the disclosure is made to the police for investigation of possible criminal acts or accidents,
c. or it otherwise follows from the law that extradition can take place.
Compliance
Auditing and internal control
An annual review of the use of camera surveillance and this statement is conducted. The purpose is to assess:
- Whether there are changes in the need for the use of camera surveillance
- Whether the use of camera surveillance still fulfils the purpose
- Whether there are other alternatives that can fully or partially replace camera surveillance and are less intrusive on privacy.
In addition, cases from previous reviews are assessed, especially cases that ensure continued compliance with applicable legislation and practice.
Principles
OTG will implement privacy-friendly solutions that follow these principles:
- Blocking areas where the cameras can capture recorded data that are not relevant to the purpose of the surveillance.
- Restriction of visibility to recreational areas
- As far as possible, limit monitoring of employees
- Access to recordings is strictly access protected and is only granted to those with strictly necessary needs
- Logging of usage
- Access to live photos is in locked rooms or screened areas
- Data traffic encryption
- Time management on demand
Security
To ensure the security of the camera surveillance, including personal data, OTG has implemented adequate technical and organizational security measures. These are:
- Securing physical storage.
- Administrative measures to ensure that only personnel with strictly necessary needs have access to the system.
- All personnel with access have signed a non-disclosure agreement and completed training.
- Only the system administrator can grant, change, or remove access to the system.
- OTG shall at all times have a list of employees with access to the system.
- Logging of the use of the system.
Storage and deletion
Recordings are automatically deleted after seven days. In the event of suspicion of a criminal offence, the relevant incident is stored for up to 30 days or until the case is completed.