1. Introduction

This Privacy Notice (“Notice”) has been developed to ensure Trans Adriatic Express Limited’s (“TAE’s”) customers, site visitors, suppliers, business partners and any other interested parties (“you”) feel confident about the privacy and security of personal data. It outlines how TAE meets the obligations under EU Directive 2016/679 General Data Protection Regulation (“GDPR”), the UK GDPR and other applicable data protection and privacy legislation, as amended, revised, modified or replaced from time to time (together, the “Legislation”). Under the Legislation, ‘personal data’ is any information that identifies you, or could identify you, directly or indirectly, as an individual. To the extent TAE acts as a ‘controller’, as defined in the GDPR, we comply with the data protection principles and obligations set down in the Legislation.

Other terms such as ‘data subject’, ‘processor’ and ‘process’, when used in this Notice, have the meanings given to them in the GDPR, unless otherwise indicated.

This Notice applies to all personal data collected, processed and stored by TAE through our applications, and any related services. In particular, it applies to TAE’s processing of personal data as part of its use of CCTV recording facilities at its various shelter locations. The purpose of this Notice is to explain the procedures that are followed when dealing with personal data and how TAE collects and manages personal data in accordance with the Legislation. The procedures set out in this Notice are followed by TAE, our agents, contractors and other third parties acting on behalf of TAE.

  1. What personal data do we collect?

TAE may collect and process personal data through our use of CCTV recording hardware and software at the locations of its shelters, in order to secure installations and real estate on our telecommunications network via these CCTV monitoring facilities. That data will be collected, held, processed and disposed of in accordance with the Legislation and with this Notice in a reasonable and lawful manner.

  1. Processing personal data

Purpose

The principles of the Legislation require that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This clarity of purpose ensures that controllers, and their employees, understand why personal data are being collected and processed. The purposes for TAE’s processing of personal data via our CCTV monitoring facilities include:

  • ensuring the security of on our telecommunications network, including our real estate and installations on this real estate;
  • aiding in the prevention and detection of property destruction, vandalism, theft and other crimes; and
  • supporting the maintenance of health and safety standards on the properties.

Legal basis for processing

All processing of personal data is required to have a legal basis under the Legislation. We process your personal data through our use of CCTV monitoring facilities for the purposes set out above on the basis of our legitimate interests in doing so, such interests being protecting our real estate and installations, as well as maintaining the safety of persons in the vicinity of our property. TAE has undertaken a data protection analysis of the use of CCTV monitoring facilities for the purposes set out above on the basis of our legitimate interests and we have determined that it is genuinely in our interests to do so, that it is necessary to achieve our identified purpose(s), and that it does not have a disproportionate impact on the individuals whose personal data will be processed.

  1. How we may use your personal data

Except as set out in in this Notice, we will not disclose personal data that we collect to any parties other than those with whom we partner or are affiliated with. Except as described below, we will not sell, share, trade, rent, or give away your personal data.

We may use your personal data collected through our use of CCTV monitoring facilities in a necessary and proportionate manner to achieve the purposes set out at section 3 above. For example, in the event of an incident occurring at a location monitored by this CCTV, recordings may be reviewed by appropriate security personnel on behalf of TAE, and may be shared with law enforcement authorities, in each case in compliance with this Notice and the Legislation.

Information regarding the retention of your personal data is set out at section 6 below.

We shall not use your personal data for any other reason.

  1. Do we disclose personal data to anyone else?

Personal data may be disclosed internally in accordance with the data protection principles and this Notice. Personal data is not passed to any internal team or any individual that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.

We shall disclose your personal data to third parties only when it is necessary as part of our business practices, when there is a legal or statutory obligation to do so, or with your consent. Categories of such third parties may include service providers, subcontractors, credit collection agencies, auditors and authorities to whom we are legally obliged to disclose personal data (e.g. law enforcement, tax authorities, etc.). In the case of personal data collected and processed through our CCTV monitoring facilities, TAE has engaged a third party (the “CCTV Services Provider”) to provide and operate the CCTV monitoring facilities on behalf of TAE pursuant to a written agreement between TAE and the CCTV Services Provider. TAE, as the controller of the personal data, will remain responsible for all processing of personal data via the CCTV monitoring facilities by the CCTV Services Provider.

Third parties that receive personal data from us must provide sufficient guarantees and satisfy us as to the measures taken to protect the personal data such parties receive and process it in accordance with the Legislation. Appropriate measures will be taken to ensure that all such disclosures or transfers of personal data to third parties will be completed in a secure manner and pursuant to contractual safeguards.

We may provide personal data, when legally obliged to do so and in response to properly made requests, for example under a court order or for the purpose of the prevention and detection of crime and the apprehension or prosecution of offenders. In particular, CCTV recording may be shared with law enforcement authorities as necessary for the investigation of incidents and/or prosecution of individuals. In the case of any such disclosure, we will do so only in accordance with the Legislation. We may also transfer data to legal counsel where this is necessary for legal claims. If there is any change in the ownership of TAE or any of its assets, we may disclose personal data to the new (or prospective) owner(s). If we do so, we will require the other party(ies) to keep all such information confidential.

  1. How long do we keep personal data?

We keep your information for as long as necessary to fulfil the purposes outlined in this Policy unless otherwise required by law. When we have no ongoing legitimate business need to process your personal data, we will either delete or irreversibly anonymise it,.

The time period for which we may retain personal data varies according to the law provisions about the use of that information. In some cases, there are legal requirements to keep personal data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain personal data no longer than is necessary for the purposes for which the data was collected or for which they are further processed. In the case of personal data collected and processed via our CCTV monitoring facilities, TAE has considered previous incidents or situations giving rise to the necessity for access to CCTV footage to achieve a purpose in determining the appropriate retention period. TAE has determined that CCTV footage containing personal data shall be retained for up to 90 days (except where country regulatory requirements dictate a shorter retention period) following initial recording, on the basis that such a retention period is reasonable, proportionate and balanced for the purposes described above. This shall apply except in situations where, the images identify an issue or an issue is otherwise brought to our attention (such as a break-in or an event of vandalism), in which case the relevant images will be retained for longer and specifically in the context of investigation of that issue.

  1. How do we protect data about you when it is transferred out of Europe?

We may transfer your personal data outside the EEA for storage and other purposes, including to our trusted third party partners. Any transfer of your personal data outside of the EEA shall be made through transfer mechanisms approved or allowed for under the Legislation and we shall take all necessary steps to ensure that there is adequate protection, as required by the Legislation. In particular, personal data may be transferred to the UK, which transfer shall be made on the basis of the European Commission’s adequacy decision in respect of the UK’s data protection regime.

TAE continues to monitor all developments regarding the legal bases for the international transfer of personal data and shall update its processes as necessary.

  1. How do we protect personal data?

We shall employ all appropriate administrative, technical, personnel, procedural, and physical measures to safeguard information against loss, theft and unauthorised use, access, destruction or modification.

  1. How can you exercise your rights in respect of personal data we hold about you?

We shall respect and vindicate all of your rights under the Legislation. These rights are as follows:

  • your right to request from us access to your personal data;
  • your right to have any incorrect personal data rectified;
  • your right to the restriction of processing concerning you or to object to processing;
  • your right to have your personal data transferred to another service provider;
  • your right to have your personal data erased (where appropriate).

Giving effect to your rights shall not affect any obligations which we may have under the Legislation.

  1. Exercising your rights and managing information

If you want to know what personal data we hold about you or exercise any of the above rights, you can do so by making your specific request to our Privacy and Data Protection team in writing to the e-mail address set out in section 12 below. We will confirm your request after validating your identity and process your request without undue delay and in any case within 30 days of receipt. If the information we hold about you is inaccurate, we request that you advise us promptly so that we can make the necessary amendments and confirm that these have been made within 30 days of receipt of your request.

If for some reason any of your rights are denied, we will provide an explanation of why this is the case.

Complaints on the use, retention and disposal of personal data can be submitted via email to: Global.DataProtection@tae.ltd

You also have the right to lodge a complaint with your national data protection supervisory Authority - https://edpb.europa.eu/about-edpb/board/members_en.

  1. Review

This Notice will be reviewed and updated annually to take into account changes in applicable laws and the experience of the Notice in practice. If we make material changes to this Notice, we may notify you by publishing this Notice on our website. We encourage you to review this Notice frequently to be informed of how we are protecting your information.

  1. Contact information

If you have questions about this Notice or our treatment of the information provided to us, please contact us at:

Name:             Global Data Protection

Address:          5th Floor, 40 Strand, London WC2N 5RW

E-mail:            Global.DataProtection@tae.ltd