Video Surveillance Policy
Version 1.0 Date: 01/01/2025 Document: Video Surveillance Policy
This privacy notice is issued by the undersigned (hereinafter referred to as the Company or Data Controller), whose contact details are provided in the header and in section 1. As the Data Controller responsible for the collection of personal data through the video surveillance system, it complies with the provisions of the Swiss Federal Act on Data Protection (“Art. 19 FADP and Art. 13 DPO”) and the guidelines issued by the Federal Data Protection and Information Commissioner.
Data Controller
The Data Controller is the entity that determines the purposes for processing personal data and, after collecting them, “uses” them in compliance with the principles established by the new Federal Act on Data Protection (nFADP).
Specifically, the Data Controller of your personal data is:
GEHRI RIVESTIMENTI SA
Via Chiosso 12, CH-6948 Porza
(hereinafter individually and generically referred to as the “Data Controller”).
Data Controller’s contact email: info@gehri.swiss
The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: dpo@gehri.swiss
Attached to this privacy notice is “Annex A”, which provides a comprehensive explanation of the implemented systems, the technology used, the configuration, the security measures adopted, the operational procedures for data processing, the authorized external providers, the internal personnel assigned to interact with video footage, and the impact assessment conducted to safeguard the rights of the data subjects.
Category of Personal Data Subject to Processing
The personal data collected – or otherwise acquired in accordance with applicable legal and contractual provisions – will be processed pursuant to Article 5 of the new Federal Act on Data Protection (nFADP) and in compliance with confidentiality obligations.
The personal data collected and processed through the video surveillance system consist of images of clients, visitors, employees, and any other individuals (hereinafter referred to as “data subjects”) captured in real time and recorded by the cameras located at the premises of the Data Controller (hereinafter referred to as “facilities”).
The capture and recording of voices, sounds, and any other “noise” are excluded.
Data Protection – Recipients of Personal Data and Disclosure
In accordance with Article 6 of the new Federal Act on Data Protection (nFADP), and in order to ensure that your data is processed as fairly and transparently as possible, you should be aware that:
- Your personal data is processed and stored by the Data Controller or by Data Processors acting on behalf of the Controller; the processing and storage of the data are carried out electronically, with archives located at the company’s premises.
- At the Data Controller’s premises, your personal data may be processed by individuals expressly authorized by the Data Controller, according to the organizational needs of the Controller and in full compliance with the principles of the FADP.
- All processing is carried out in accordance with Articles 6 and 8 of the new Federal Act on Data Protection (nFADP), and through the adoption of appropriate security and organizational measures as outlined in Chapter 1 of the DPO Ordinance.
- The duration of the processing, in compliance with the principles of lawfulness, purpose limitation, and data minimization, is defined for a period not exceeding the achievement of the purposes for which the data is collected and processed, and in accordance with the mandatory timeframes prescribed by law.
Specifically, access to personal data in the form of “video images” is exclusively granted to:
a) To internal personnel designated, appointed, and properly trained by the Data Controller;
b) To authorized and appointed external processors responsible for surveillance and/or maintenance of the systems installed at the facilities;
c) To competent authorities for compliance with legal obligations and/or directives issued by public bodies.
Purpose and Objectives of Data Processing and Data Retention Period
Video images recorded through the video surveillance systems are processed in full compliance with applicable law for the following purposes, legal bases, and data retention periods:
| PROCESSING PURPOSE | LEGAL BASIS | DATA RETENTION PERIOD | |
| 1 | Purpose 1:
The data will be processed exclusively for the purpose of protecting movable property. This includes persuasive prevention of potential vandalism, damage, and theft, as well as the reconstruction of the event. |
7 actual days (unless extended retention is required, for example, by request of judicial or law enforcement authorities). Only in cases of suspected or evident damage or criminal activity, the extracted footage—upon explicit request by the individual who filed a report or complaint—may be retained for up to 15 days while awaiting a formal request from the competent authority. Once the retention period has expired, the images are automatically and irreversibly deleted. |
| Legal Basis:
Overriding interest of the Data Controller. | ||
| 2 | Purpose 2:
The data will be processed for the purpose of ensuring the safety and well-being of employees, clients, and suppliers. | |
| Legal Basis:
Overriding interest of the Data Controller. | ||
| 3 | Purpose 3:
The data will be processed to prevent and detect unlawful and unauthorized access to company premises. | |
| Legal Basis:
Overriding Interest of the Data Controller. | ||
| 4 | Purpose 4:
Data may be processed for investigative needs of the Judicial Authority or Police Forces in accordance with applicable federal law. | |
| The Legal Basis:
Execution of a law. | ||
> The employer must protect the health and personality of the employee (Art. 328 CO) and Art. 30 nLPD. It is emphasized that all systems used are in no way employed as tools for monitoring the work activity of employees, technical-administrative staff, or anyone operating in any capacity within the company structure.
Transfer of Personal Data Outside the Confederation
Personal data is not transferred outside the territory of the Confederation.
Data Retention Periods
Video footage is stored on digital and electronic media for the period strictly necessary to achieve the purposes described under the relevant section, which is generally 7 days. However, based on specific needs, the retention period may be extended up to a maximum of 15 days, unless further retention is required by law, by orders from competent authorities, or for the establishment, exercise, or defense of legal claims. At the end of the retention period, the data is deleted through automatic overwriting.
Rights of the Data Subject
The Data Subject is guaranteed the following rights, which may be exercised at any time by submitting a written request to the contact details of the Data Controller listed below, in case they believe they have been recorded by the video surveillance system, which is necessary to achieve the purposes previously described:
- To request confirmation as to whether or not data concerning them is being processed and to access such data, receiving clarification regarding the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be disclosed, the retention period, and the existence of automated decision-making processes.
- If their personal data is incomplete or inaccurate, to request its rectification at any time and, if applicable, to be informed about the rectification process. Provided it does not involve disproportionate effort, recipients will also be informed of the rectification of personal data.
- To have the right to request the deletion of personal data processed by the Data Controller, as well as to request its restriction to what is necessary for the purpose of processing.
- To have the right to lodge a complaint with the Federal Data Protection Officer.
- To object, in whole or in part, for legitimate reasons, to the processing.
- To exercise their rights under the nLPD by writing to the Data Controller’s email address: info@gehri.swiss.
Current Version, Changes and Updates
In order to ensure that our Privacy Notice is always compliant with applicable legal provisions, we reserve the right to make changes at any time and keep it continuously updated.
It is also the responsibility of the Data Controller to publish the updated Privacy Notice on the website gehri.swiss and to make it available upon specific request.
Last Updated: 01/01/2025