Information on the processing of personal data by a healthcare facility through CCTV systems

Dear sirs/madams,

in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “General Regulation”), inform you that our healthcare facility GENNET, s.r.o., with registered office in Prague 7, ID: 27080234, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Entry 94758, as a personal data manager (the “administrator”), processes your personal data through CCTV systems and the rights and obligations associated with them.

Personal data is considered to be all information about an identified or identifiable natural person (also referred to as the “data subject”); an identifiable natural person is a natural person that can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier or one or more specific elements of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

1. Scope and purpose of processing personal data

The administrator processes personal data to the extent that it is obtained during the operation of CCTV systems. The administrator processes personal data in accordance with the valid and generally binding legal regulations of the Czech Republic and to fulfil its legal obligations. 

Your personal data obtained by CCTV systems is processed for the following purposes:

  • protection of company property;
  • the protection of the life, health, property and personal data of patients, employees and other persons present on the premises of the administrator;
  • prevention of undesirable acts and phenomena.

2 Sources of personal data

The administrator processes personal data it obtains:

  • in  connection with the operation of CCTV systems, that is, data about the subject detectable from the CCTV recording.

3. Categories of personal data and category of data subjects

The following categories of personal data are subject to processing:

  • data that can be detected from CCTV records, especially gender and appearance.

The data subjects whose data are processed by the data administrator and to whom this information is addressed are:

  • client/patient;
  • potential client/patient;
  • employee;
  • other persons present at the administrator’s premises for any reason.

4. Method of processing and protection of personal data

Personal data is processed by camera systems. Cameras only record outdoor areas adjacent to the company building, in particular the parking lot of the company, the pavement in front of the entrances, the entrances to the buildings, the entrance to the company premises as well as the interior areas open to the public, such as corridors, staircases, waiting rooms, lift and cafeteria. Areas that are generally not accessible to the public, such as surgeries, operating rooms and preoperative care units, nurses´ stations, medical wards, laboratories, sampling rooms, technical rooms and offices are not monitored. Likewise, rooms which are designed for purely private activities, such as toilets and showers, are not monitored either.

The building plan, which is complemented by precise locations of specific cameras, is attached to this document. Persons are informed about the camera system on information boards and pictograms indicating the existence of the cameras on the monitored premises and before entering them. 

5. Period of processing of personal data

The CCTV system is in continuous operation, with all cameras recording continuously. The records from CCTV systems are in compliance with applicable laws and, with regard to the purpose of the recording, maintained for 7 – 30 days.

6. Categories of recipients of personal data

The recipients of personal data of data subjects other than the administrator are:

third-party company operating the CCTV systems, the company below:

  • PCS spol. s.r.o., with registered office in Na Dvorcích 18, 140 00 Praha 4, ID: 00571024, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Entry 527
  • and the external company below:
  • EFG CZ, spol. s.r.o., with registered office in Na Jarově 4, 130 00 Praha 3, ID: 25649876, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Entry 58052
  • other entities, such as law enforcement bodies, courts or other state or local government bodies dealing with offences under the law.

7. Lessons learned about the data subject’s rights

 As a personal data administrator, you are entitled to do the following in our company:

  • request access to personal data processed by the administrator, which means the right to obtain from the administrator a confirmation whether the personal data concerning you are processed or not and, if so, you have the right to access these personal data and other information referred to in Article 15 of the General Regulation,
  • request the correction of personal data processed for you if they are inaccurate. Taking into account the purposes of processing, you may in some cases also request that incomplete personal data be supplemented,
  • request the deletion of personal data in cases covered by Article 17 of the General Regulation,
  • request the restriction of personal data processing in cases covered by Article 18 of the General Regulation,
  • obtain personal data about you that we process in an automated manner to perform a contract concluded with you in a structured, commonly used and machine-readable format, and you have the right to require the administrator to pass this information to another administrator under the conditions and limits set forth in Article 20 of the General Regulation; and
  • you have the right to object to processing within the meaning of Article 21 of the General Regulation on grounds relating to your particular situation.

If we receive your request, we will inform you about the measures taken without undue delay and, in any case, within one month after the receipt of the request. This time limit can be extended by another two months if necessary and given the complexity and number of requests. In certain cases laid down in the General Regulation, our company is not obliged to comply with the request in whole or in part. This will be the case in particular if the request is clearly unreasonable or disproportionate, in particular because it is repeated. In such cases, we may (i) impose a reasonable fee, taking into account the administrative costs associated with providing the requested information or communication or with making the requested actions, or (ii) refuse to comply with the request.

If we receive the above request, but we will have reasonable doubt as to the identity of the applicant, we may ask him/her to provide the additional information necessary to confirm his/her identity.

In addition, you have the right to contact the Office for Personal Data Protection directly if you believe that personal data are not processed in accordance with legal regulations, in the place of your habitual residence, place of employment, or where there was an alleged violation.  If, as a result of the processing of your personal data, you incurred damage other than property damage, a special law applies to the claim.

We also inform you that our company has appointed a Data Protection Officer. Contact details of the Officer: Rita Novoseletska, Na Poříčí 1047/26, 110 00 Praha 1, email: