VIDEO SURVEILLANCE POLICY

Version no. 1 applicable from 08 April 2021

This procedure is applicable to the operator: the company TEILOR S.R.L., a Romanian limited liability company, with its registered office located in Romania, Arges County, Pitesti Municipality, Smeurei Street, no. 54, registered with the Trade Register Office attached to Arges Court of Law under the no. J3/1681/2003, European unique identifier (EUID) ROONRC.J3/1681/2003, unique registration code (CUI) RO 15997524 (marketing name Teilor).

NORMATIVE REFERENCES AND RIGHTFULNESS CONDITIONS

(a) Law no. 333 of 8 July 2003 on the protection of objectives, assets, values and the protection of people, with its subsequent modifications and additions;

(b) Decision no. 301 of 11 April 2012 for the approval of the practical rules of Law no. 333/2003 on the protection of objectives, assets, values and the protection of people

(c) European Union Regulation no. 2016/679 (GDPR) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR);

d) Company Organization and Operation Rules;

e) Job descriptions.

FIELD

■ The policy applies in the context of video surveillance activity. The use of the video surveillance system is necessary to ensure the physical security of the spaces, according to the special legislation applicable in the field, in relation to public authorities, according to the applicable legal rules in the field, for security and safeguard control.

■ The video surveillance policy describes the video system and the safeguards it takes to protect personal data, privacy and other fundamental rights and legitimate interests of the people filmed by video surveillance cameras.

CONTENT AND PURPOSE OF THE PROCEDURE.

■ This Policy sets out:

a) A unitary set of rules regulating the implementation and use of the video surveillance system for the purpose of ensuring the security of people and assets, the security and protection of property, real estate, values, while respecting the legal obligations incumbent under the GDPR and the security measures adopted for the protection of personal data, the protection of privacy, legitimate interests and the guarantee of the fundamental rights of data subjects.

b) Responsibilities for the administration and operation of the video surveillance system, as well as those for the preparation, approval and admission of documents related to these activities.

■ The video surveillance policy is available on www.teilor.com

■ The existing video system was installed following risk analysis, attaching the protection and security plans.

■ A periodic review will be undertaken by the security structures and will review: (i) the need to keep the system in use; (ii) the fulfilment of the stated purpose; (iii) possible appropriate alternatives to the system and (iv) if this Policy continues to comply with the National Law and European Union Regulation No. 2016/679 (GDPR) or not.

■ The company uses video surveillance systems for security and access control purposes. With the help of these system we control access to real estate, ensure the security of property and the safety of people - employees, customers and/or visitors, as well as property and information owned.

The video surveillance system complements other security measures, such as the access control system, being part of the security policy measures, and helps prevent, combat and, where appropriate, investigate unauthorized physical access, including unauthorized access to secure spaces.

In addition, the video surveillance system helps prevent, detect and investigate thefts of equipment or goods or to prevent, detect and investigate risks and threats to staff employed.

Furthermore, the system may constitute a means of investigating or obtaining information for internal investigations or disciplinary procedures, including in situations where a security incident occurs or a criminal behaviour is observed (in exceptional circumstances the footage may be transferred to the investigation bodies as part of a disciplinary or criminal investigation).

SUPERVISED AREAS

■ The video surveillance system supervises

- access areas and spaces for employees and visitors;

- common spaces,

The location of the cameras has been carefully revised to ensure that the monitoring of areas of no interest for the intended purpose is limited as far as possible.

■ Areas where there is a high level of expectation for privacy are not monitored.

PERSONAL DATA COLLECTED BY VIDEO SURVEILLANCE

Special Data

The video system is not intended to capture (e.g. by focusing or selective orientation) or to process images (e.g. indexing, profiling) that reveal “special categories of data”.

We do not intend to use the surveillance system on an ad hoc basis, i.e. on a temporary basis, by circumstance.

Description and technical specifications of the system

The system can record any movement detected by the cameras installed in the supervised area, along with the date, time and location.

All cameras are functional 24 hours, 7 days a week.

When necessary, the quality of the images allows the recognition of people passing through the cameras’ area of action. Specially trained operators must comply with confidentiality settings and access rights.

Benefits of the surveillance system: (i) increasing the control, within the supervised area, of entries and exists; (ii) restricting access of foreign persons; (iii) eliminating losses caused by unforeseen events; (iv) complying with the regulations and legislation in force for the objectives at risk.

PROTECTION OF PRIVACY AND SECURITY OF INFORMATION

In order to protect the security of the video surveillance system and to increase the protection of privacy, the following technical and organizational measures have been introduced:

^ limiting the video storage time in accordance with the security requirements;

^ Storage media (servers on which recorded images are stored) are located in secure spaces, protected by physical security measures;

^ all users with rights of access have signed privacy declarations, obliging themselves to comply with the legal provisions in the field;

^ the right of access is granted to users based on the need to know, only for those resources that are strictly necessary for the performance of their service duties;

^ all staff members who have access to the surveillance system (both external and internal) sign confidentiality agreements.

Only the system administrator, appointed for this purpose by the operator, has the right to grant, modify or cancel the right of access of users, in accordance with the general procedure of access to databases. It keeps an up-to-date list of all people who have the right to access the video surveillance system, specifying the type of access.

ACCESS TO PERSONAL DATA AND THEIR DISCLOSURE

Rights of access

■ Access to stored images and/or the technical architecture of the video surveillance system is limited to a small number of people and is determined by the tasks specified in the job description (for what purpose and what type of access). In particular, limits are imposed on persons entitled:

- To watch the footage filmed in real time: the images that are played in real time are accessible to the managers assigned to carry out the surveillance activity;

-To watch the recording of the footage: the viewing of the recorded images will be done in justified cases, such as cases expressly provided by law and security incidents, by specially designated persons;

- To copy, download, delete or modify any footage.

Training

■ All staff with rights of access receive initial training in the field of data protection. This procedure will be integrated into the training and guidance programme, for all users with rights of access and tasks in the operation of the video surveillance system.

■ The service administrator will ensure that all subordinate personnel, if any, involved in the operation of the video surveillance system, are trained and informed about all functional, operational and administrative aspects of this activity.

Privacy measures

■ Following training, each participant signs a privacy statement.

Disclosure of personal data

■ Any activity of disclosing personal data to third parties will be documented and subjected to a rigorous analysis of the need for communication, and on the other hand the compatibility between the purpose for which communication is made and the purpose for which this data was originally collected for processing (security and access control). Any disclosure situation will be recorded by the system administrator in a Disclosure Case Record.

■ The company has the obligation to make available to the judicial bodies, at their written request, the footages containing criminal deeds.

■ The video surveillance system is not used to verify attendance or performance evaluation at the workplace. In exceptional cases, but in compliance with the guarantees described above, access to the Disciplinary Committee may be granted, in the context of a disciplinary investigation, provided that the information helps to investigate a crime or disciplinary misconduct likely to prejudice the rights and freedoms of a person.

■ Any security breach regarding video cameras is specified in the investigation register.

STORAGE DURATION

■ The duration of data storage obtained through the video surveillance system is proportional to the purpose for which the data are processed, so that the images (captured by the video system) are stored for a period not exceeding 30 days, after which they are deleted by the automatic procedure in the order in which they were recorded. In the event of a security incident, the duration of relevant footage storage may exceed normal limits depending on the time required to investigate the security incident. Storage is rigorously documented and the need for storage is regularly reviewed.

■ If the storage time exceeds the term provided by this policy, it will be recorded in the register of foorage exceeding the storage time, managed by the system administrator.

THE RIGHTS OF DATA SUBJECTS

■ The rights of the data subjects are respected, according to the law. All people involved in the video surveillance activity and those responsible for the management of footage will comply with the law and internal procedures.

Informing the data subjects

^ The primary information of the data subjects is made clearly and permanently, through an adequate sign, with sufficient visibility and located in the monitored area, so as to signal the existence of surveillance cameras, but also to communicate essential information on personal data processing.

^ The data subjects are warned about the existence of the video surveillance system which also includes the processing purpose and identifies the collected filmed data operator.

Exercising the rights of access, intervention and opposition

^ During the entire period of personal data storage, the data subjects have the right to access the personal data concerning them, to request intervention (deletion/update/rectification/ anonymization, as well as other legal rights) or to oppose to the processing, according to the law.

^ Any request to access, rectify, block and/or delete personal data as a result of the use of video cameras must be made in writing to: gdpr@teilor.com or to the address of the registered office of the operator, mentioned in the introductory part.

^ The answer to the request for access, intervention or opposition will be provided within the legal term. If this deadline cannot be met, the data subject will be informed of the reason for postponing the reply and will also be informed of the procedure to be followed for resolving the request.

^ There is the possibility of denying the right of access in the situation where the exceptions provided by law apply. The need to restrict access may also be imposed if there is an obligation to protect the rights and freedoms of third parties, for example if other people appear in the images and there is no possibility to obtain their consent or irrelevant personal data cannot be extracted by image editing.

This Policy may be modified unilaterally by posting a revised version from time to time on the website.

According to the Regulation of the European Union no. 2016/679 (GDPR) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the data subjects enjoy certain rights regarding personal data. This is supplemented by the existing GDPR Policy available on www.teilor.com.