Rules on video data processing

UAB BALTISCHES HAUS

RULES ON VIDEO DATA PROCESSING

Last updated: 19/02/2025

 

I. GENERAL PROVISIONS

  1. The Rules on Video Data Processing (the Rules) set out the conditions and basic principles of video data processing by UAB “BALTISCHES HAUS”, legal entity code 111543781, registered office address Bokšto St. 6, Vilnius, Lithuania (the Company), as a data controller, the rights and obligations of the persons responsible for video surveillance, and other provisions related to video data processing by the Company.
  2. In carrying out video surveillance, the Company shall be guided by the Law on Legal Protection of Personal Data of the Republic of Lithuania, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, as well as by other legal acts regulating personal data protection.
  3. Terms used in these Rules:
    • LLPPD means the Law on Legal Protection of Personal Data of the Republic of Lithuania;
    • Personal Data means any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Personal data shall not include anonymous data which cannot be linked to a specific data subject by means accessible to the Company and/or third parties;
    • Personal Identification Document means a personal passport, identity card, certificate of temporary or permanent residence permit in the Republic of Lithuania;
    • Responsible Persons:
  • Employees of the Company (Digital Development Manager, Building Systems Specialist) or other persons appointed by the Manager, who are assigned to supervise the video surveillance in the premises and land plots owned by the Company or other places where the Company’s video surveillance cameras are installed, to enforce the compliance with these Rules, to apply the measures to ensure the lawful video surveillance, and to be responsible for the implementation of measures;
  • Employees of the Company (Leasing Project Managers, Customer Service Specialist, Marketing Project Manager) who are assigned to regularly inspect the facilities/parts of the Company’s properties assigned to them with the help of CCTV cameras, in order to record damage to the Company’s property in a timely manner, and to transmit the necessary information to the employees of the Company responsible for the investigation of the incident (the relevant Operations Project Manager, the Lawyer of the Company);
  • Employees of the Company (Operations Project Managers) who are assigned to collect information on the circumstances, causes of injuries/accidents that occurred at the objects of the Company assigned to them (reviewing the necessary video recordings and/or submitting them to the lawyer of the Company for the investigation of the incident);
    • Data Protection Officer means a competent person appointed by the Manager and responsible for the supervision of the Company’s compliance with the Regulation and other legislation governing the protection of Personal Data and advising the Company on such compliance;
    • Data Subject means a natural person whose Personal Data is controlled and/or processed by the Company;
    • Data Controller means UAB Baltisches Haus, legal entity code 111543781, registered office address Bokšto g. 6, Vilnius, which is the entity that determines the purposes and means of processing Personal Data;
    • Data Processor means a legal or natural person who processes Personal Data for the purposes and in accordance with the procedure specified by the Data Controller.
    • Inspectorate means the State Data Protection Inspectorate of the Republic of Lithuania;
    • Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
    • Rules means these Rules on Video Data Processing and their Annexes, as amended and supplemented from time to time;
    • Manager means a natural person who has entered into an employment or similar contract with the Company and who, in accordance with the incorporation documents of the Company, has the right to represent the Company and to take decisions on behalf of the Company;
    • Video Data means Video Data captured by video surveillance equipment and containing Personal Data;
    • Video Surveillance Recording means Video Data captured by video surveillance equipment, which shall be stored by the Company in an appropriate format and location and shall be destroyed after the expiry of the time limits set out in the Rules;
    • Video Surveillance and Recording Equipment means the technical video surveillance and recording equipment used by the Company to fulfil the purposes set out in the Rules;
    • Video Surveillance System means a computer system designed for remote viewing of Video Data, reviewing and managing Video Surveillance Recordings, access to which is restricted to Responsible Persons.

 

II. MAIN CONDITIONS FOR THE PROCESSING OF VIDEO DATA

 

  1. The processing of Video Data must be lawful and fair, for the explicit purposes defined in the Rules.
  2. Video Surveillance and Recording Equipment may only be used for the purposes set out in the Rules.
  3. The processing of Personal Data must not be excessive and the processing of Video Data must be carried out to the extent necessary to achieve the purposes set out.
  4. Video Surveillance Recordings may not be disclosed or transferred to third parties who are not authorized to access them.
  5. Data Subjects shall be informed by visual means about the video surveillance carried out by the Company (e.g. information about the video surveillance of the premises or the territory shall be prominently displayed in a prominent place before entering the field of video recording).
  6. Monitors transmitting Video Data in real time may only be monitored by the relevant Responsible Persons and security personnel physically guarding the object (part of the object). Video Surveillance Recordings may be viewed by Responsible Persons and other Company personnel involved in the investigation of the incident (Lawyer) and only if the Video Surveillance Recordings are necessary for the purposes set out in the Rules.
  7. Video Surveillance Recordings may also be made available to interested parties involved in the incident, e.g. law enforcement authorities and officials, insurance companies, legal advisors. In these cases, the data will only be provided after verification of the existence of a legal basis for the provision of the data and in accordance with the provisions of other legislation on the protection of personal data.
  8. Where the maintenance and other servicing of video surveillance and/or recording equipment requires the involvement of a video surveillance and recording equipment supervisor, then an account is created which has limited capabilities.

 

 III. PROCEDURES FOR STORAGE AND DESTRUCTION OF VIDEO DATA

 

  1. Video surveillance shall be carried out 24 hours a day, 7 days a week.
  2. Terms of storage of Video Data:
    • Video Surveillance Recordings shall be stored for 21 days. In exceptional cases where Video Surveillance Recordings are or may be used as evidence in pre-trial and judicial proceedings, the storage period shall be extended for the duration of the investigation or legal proceedings.
  1. Procedure for the destruction of Video Data:
    • Video recordings shall be automatically destroyed by recording a new video;
    • The video recording shall be destroyed in such a way that it is not possible to retrieve the destroyed information or part of the video content.

 

IV. PURPOSES AND LEGAL BASIS FOR THE VIDEO DATA MONITORING

 

  1. The video surveillance is carried out for the following purposes:
    • Protection and security against law violations in the premises and/or territory managed by the Company (protection of the property of the Company and its customers);
    • Identification of the person(s) involved in the law violations on the premises and/or territory managed by the Company, identification of the vehicles involved in the damage to the property on the premises and/or territory managed by the Company;
    • Investigation of the law violations committed on the premises and/or on the territory of the Company and the circumstances thereof.
  2. The processing of Video Data for the purposes set out in the Rules shall be carried out on the basis of the legitimate interest set out in Article 6(1)(f) of the Regulation.

 

V. OBLIGATIONS OF THE PERSON RESPONSIBLE FOR MONITORING VIDEO DATA

 

  1. The person responsible for the monitoring of Video Data by means of Video Surveillance shall:
    • Comply with these Rules and the requirements set out therein;
    • Be responsible for the proper execution of the Video Surveillance Recordings;
    • Not disclose, lose or transmit the Video Surveillance Recordings to third parties who are not authorized to access them;
    • Not use information made available or known to him/her in the performance of his/her duties and functions as a Responsible Person for personal gain and interest;
    • Record violations of security measures;
    • Ensure that no hard disk is left in the Video Surveillance and Recording Equipment when it is handed over for repair;
    • Comply with the instructions for the use of the Video Surveillance Equipment provided by the Video Surveillance and Recording Equipment Supervisor.

 

VI. AREA OF VIDEO DATA MONITORING

 

  1. The monitoring of Video Data and the related processing of Personal Data shall be organized in such a way that no more than the strictly necessary area (premises, part of premises) is included in the field of Video Data monitoring.
  2. Video Surveillance Equipment (cameras) must be installed and adapted for use in such a way as to prevent unauthorized use of these cameras (e.g. mechanical or automatic unauthorized redirection to another surveillance field).
  3. Areas that are intended for the private use of employees (e.g. toilets, changing rooms, etc.) shall not be monitored.

 

VII. MEASURES INTENDED TO PROTECT VIDEO DATA FROM ACCIDENTAL OR ILLEGAL DESTRUCTION, ALTERATION, DISCLOSURE, AS WELL AS FROM ANY OTHER ILLEGAL PROCESSING

 

  1. The room where the Video Data is monitored shall be protected by appropriate security measures. The level of protection of Personal Data shall be kept up to date.
  2. No unauthorized persons shall have access to the premises where the Video Surveillance and Recording Equipment (monitors) is installed.
  3. The Company shall use only certified software.
  4. The technical condition of the Video Surveillance and Recording Equipment (including computer equipment) shall be continuously supervised.
  5. Maintenance and troubleshooting of the Video Surveillance and Recording Equipment shall be carried out or arranged by the Digital Development Manager/Building Systems Specialist of the Company.
  6. Software access to the Video Data and Video Surveillance Recordings shall be restricted. Access shall be provided using a personal, secure password.
  7. Access to the premises where the Video Surveillance Recordings are stored shall be restricted to an extent sufficient to prevent unauthorized persons from entering the premises.
  8. The responsible employees of the Company who have authorized access to the Video Data shall inform the Digital Development Manager or the Head of the Company if they notice any breaches of security of the Video Data (acts or omissions that may cause or result in a threat to the security of Personal Data). After assessing the risk factors, the degree of impact, the damage and the consequences of the breach of the security of Video Data, the Digital Development Manager or the Head of the Company shall decide on a case-by-case basis on the measures necessary to remedy the breach of the security of the Video Data and its consequences.

 

VIII. PROCEDURE FOR IMPLEMENTING THE DATA SUBJECT’S RIGHTS

 

  1. Rights of the Data Subject:
    • To be aware of the processing of his/her Personal Data;
    • To have access to his/her Personal Data and to obtain a copy of the Personal Data processed in accordance with the procedure set out in the Rules;
    • To request the erasure of his/her Personal Data in accordance with the procedure set out in the Rules;
    • To transfer his/her Personal Data (request to receive his/her Personal Data in a standard, computer-readable and interoperable format and/or to transmit it to another Data Controller);
    • To lodge a complaint with the Inspectorate;
    • To seek redress in court for unlawful processing of Personal Data.
  2. Evidence of the receipt, assessment and implementation of requests by Data Subjects to exercise their rights shall be kept by the Company.
  3. Submission of the request:
    • The Company shall only exercise the rights of Data Subjects upon receipt of a written request from the Data Subject for the exercise of a specific right and only after having verified the identity of the Data Subject;
    • The Data Subject shall submit a written request to the Company for the exercise of the Data Subject’s rights, identifying himself/herself in the request and signing it, by visiting the Company’s registered office, by regular mail or by e-mail. The Company shall not accept such requests by telephone;
    • The request may be submitted by the Data Subjects’ representatives, legal representatives (e.g. a parent who is the representative of his/her incapacitated minor children, or the minor’s guardian (custodian), who has provided a document confirming the right of representation), or by a person who has a notarised power of attorney of the Data Subject with legal capacity, in accordance with the procedure established by the law.

 

  1. Identification of Data Subjects (and their representatives):
    • In order to exercise the rights of Data Subjects, the Data Subject must be properly identified. Upon arrival at the registered office of the Company or at any other address provided by the Company, the Data Subject shall be identified by the Personal Identification Document provided. Once the identity of the Data Subject has been verified on the basis of the Personal Identification Document, the Company shall return this document to the Data Subject. The employee shall carefully compare the image, name and surname of the Personal Identification Document and the Data Subject. In case of reasonable suspicion as to the identity of the Data Subject, another Personal Identification Document shall be requested for identification purposes, and in the event of failure to provide such a document, or failure to identify the person making the request, it shall be deemed impossible to establish the identity of the Data Subject, and the Data Subject’s request (if already made) shall not be fulfilled by promptly notifying the Data Subject in writing thereof;
    • Where the request is made by regular mail, the identity of the Data Subject shall be deemed to have been established if the original signed request for the exercise of the Data Subject’s rights is accompanied by an original notarised copy of the Personal Identity Document of the Data Subject. In the absence of such a copy, it shall be deemed impossible to establish the identity of the Data Subject and the Data Subject’s request shall not be fulfilled by promptly notifying the Data Subject in writing by mail;
    • If the Data Subject applies by email, the request must be accompanied by a copy of the Personal Identification Document signed with a qualified electronic signature. A certified copy of the Personal Identification Document may not be required by the Company if the Data Subject is applying by email to an email address with which the Data Subject has previously communicated with the Company. If the identity of the Data Subject cannot be established, the request of the Data Subject shall not be fulfilled by promptly notifying the Data Subject in writing by email;
    • When a representative, a legal representative, makes a request through all the channels provided for in this Article, the request must be accompanied by the details of the Data Subject represented and the representative; with regard to representatives, the procedures set out in the Rules for the identification of Data Subjects and the consequences of the impossibility of identification shall apply;
    • A copy of the Personal Identification Document received together with the request of the Data Subject by regular mail and e-mail, the request of the Data Subject and the documents on the implementation of the request shall be kept by the Company during the execution of the request and for 2 years after the execution of the request, and thereafter shall be destroyed according to the procedure set out in the Rules.
  1. Procedure for implementing the request concerning the rights of the Data Subject:
    • Requests from Data Subjects shall be implemented or denied, stating the reasons for the denial, within 30 calendar days from the date of the submission of the request that complies with the Rules and Regulation. This time limit may be extended by a further 60 calendar days with prior notice to the Data Subject if the request concerns a substantial amount of Personal Data. The response shall be provided to the Data Subject in the same form in which the request was made, unless the Data Subject requests to exercise the rights electronically;
    • Requests from Data Subjects shall be fulfilled and Personal Data shall be provided free of charge once per calendar year;
    • A request for the exercise of the Data Subject’s rights shall be deemed to be unfounded where the request does not specify the specific right sought to be exercised and to what extent, or any other necessary information required for the request as set out in the Rules or the Regulation;
    • A request for the exercise of the Data Subject’s rights shall be deemed to be made in abuse of the right if the request is made more than once per calendar year, for the exercise of the same right to the same extent, after the Company has duly fulfilled the previous request and without any substantial change in the Company’s processing of Personal Data relevant to the Data Subject since the date of the last request;
    • In the event of a request that is unfounded or made in abuse of the right, the Company shall be entitled to claim from the Data Subject reimbursement for the implementation of the request. The amount of the reimbursement shall not exceed the costs incurred by the Company in implementing the request of the Data Subject;
    • The Data Protection Officer shall document the receipt of requests from Data Subjects, the steps taken to implement the request and shall notify the Data Subject once the request of the Data Subject has been implemented;
    • When implementing the request of the Data Subject, the Company is prohibited from disclosing information that is a trade secret of the Company;
    • The implementation of requests from Data Subjects shall be organised and carried out by the Data Protection Officer or another person authorised by the Manager.

 

  1. Right to access your Personal Data:
    • Requests for access to the Personal Data of other persons shall not be executed, except in the case of a request by a representative, a legal representative (e.g. a parent who is the representative of his/her incapacitated minor children, or the minor’s guardian (custodian), who has provided a document confirming the right of representation), or by submitting a power of attorney certified by a notary public, in accordance with the procedure set out in the Rules;
    • The Data Subject may only request access to his/her Personal Data and obtain information on the sources and nature of the data collected, on the purpose for which it is processed, on the recipients of the data, and on the retention period of the data;
    • Upon receipt of a request for access to one’s own Personal Data and after having ascertained the identity of the Data Subject, the Data Protection Officer shall contact the Responsible Person or the Manager for the purpose of searching for the Video Data of the Data Subject who has made the request among the Video Surveillance Recordings held by the Company, which shall be reviewed by the Responsible Person, the Manager, or, on the Manager’s behalf, by the Data Protection Officer personally. The person who has reviewed the Video Recordings shall assess the compliance of the scope of the request of the Data Subject with the Regulation and, if the request of the Data Subject complies with the provisions of the Regulation and these Rules, prepare and submit a response to the Data Protection Officer for submission to the Data Subject.
    • The response to the Data Subject regarding the processing of his/her Personal Data shall contain at least the following information: confirmation of the processing of the Personal Data; the purposes of the processing; the categories of data; the categories of recipients; the retention period; the right to erasure; the right to lodge a complaint with the Inspectorate; the sources of the data; the information on Automated Decision-Making or Profiling; the transfer of Personal Data outside the EEA and the technical and organisational security measures applied;
    • The Data Subject may request a copy of the Personal Data. Upon receipt of a request for a copy of the Personal Data, the actual Personal Data (other than categories of Personal Data) shall be provided to the Data Subject in a computer-readable format on a physical storage medium. This data shall be collected from the Video Surveillance System of the Company in accordance with the information contained in the records of the Personal Data processing activities concerning the processed Personal Data of the relevant group of Data Subjects and the location of its storage;
    • In exercising the right of the Data Subject to access his/her Video Data, the right to privacy of third parties shall be ensured, i.e. when the Data Subject accesses the Video Surveillance Recording, if the Video Surveillance Recording shows other identifiable persons or other information that may violate the privacy of third parties (e.g., license plate number of a vehicle), these images shall be retouched or otherwise de-identified with respect to the third parties.

 

  1. Right to request erasure of Personal Data:
    • The Data Subject may request the erasure of all or certain of his/her Video Data processed by the Company (the right to be forgotten), or the suspension of the processing, where the Company is processing the Video Data in a manner that is not in accordance with the LLPPD, the Regulation and other legal acts:
      • If the Data Subject, having accessed his/her Personal Data, determines that his/her Personal Data is being processed unlawfully and fraudulently and contacts the Data Controller himself/herself or through his/her authorised representative, the Data Controller shall immediately, and at the latest within 5 working days, verify the lawfulness and fairness of the processing of the Personal Data of the Data Subject, free of charge, and shall immediately destroy the unlawfully and fraudulently collected Personal Data or suspend the processing of such Personal Data, with the exception of the storage of the Personal Data;
      • The Data Controller, having suspended the processing of the Personal Data of the Data Subject at the request of the Data Subject or his/her authorised representative, shall keep the Personal Data for which processing has been suspended until their destruction (at the request of the Data Subject or after the expiration of the data storage period). Further processing operations on such Personal Data may be carried out only for the purpose of proving the circumstances which led to the suspension of the processing operations or if necessary to protect the rights or legitimate interests of third parties;
      • The Data Controller shall notify the Data Subject or his/her authorised representative without delay, and at the latest within 5 working days, of the destruction or suspension of the processing of the Personal Data of the Data Subject carried out, or not carried out, at the request of the Data Subject;
      • The destruction or suspension of the processing of the Personal Data of the Data Subject shall be carried out on the basis of documents confirming the identity of the Data Subject and his/her Personal Data, at the request of the Data Subject or his/her authorised representative;
      • The Data Controller shall inform the data recipients without delay, and at the latest within 5 working days, of the destruction of the Personal Data of the Data Subject at the request of the Data Subject or of his/her authorised representative, and the suspension of the processing of the Personal Data, unless it would be impossible or excessively difficult to provide such information (due to the large number of Data Subjects, the length of the data period, or the unreasonable costs). In such a case, the Inspectorate shall be notified without delay.

 

  1. Data Subjects may contact the Company by e-mail at duomenuapsauga@balthaus.eu in order to exercise the rights set out above or in relation to other issues related to the processing of their personal data.

 

IX. FINAL PROVISIONS

 

  1. These Rules shall enter into force upon their approval.
  1. Employees who are authorised to process Video Data or who become aware of Video Data in the course of their duties shall comply with these Rules, the main requirements for the processing of Personal Data, and the confidentiality and security requirements of the LLPPD and these Rules. Employees who violate these Rules and/or the LLPPD shall be liable in accordance with the procedure established by law.

 

____________________

This Website uses mandatory cookies to ensure the basic functions of the Website. Other cookies are not automatically set unless you agree with them.
Please visit our Privacy Policy for more information.
More

These cookies are essential for the basic functions of the Website and cannot be disabled.

These cookies help us to understand how you use the Website. The data collected by these cookies does not directly identify you.