LONDON - Video surveillance Cameras

Istituto Marangoni Limited would like to inform you of what data it collects and how it uses the video surveillance system in its schools located in London, in order to ensure that your fundamental rights and freedoms as a visitor are respected, with particular reference to the confidentiality and security with which the data is processed.

The data controller is Istituto Marangoni Limited - 30 Fashion St, London E1 6PX, United Kindgdom, email address: privacy@istitutomarangoni.com (hereinafter, 'Data Controller' or just 'Controller').

The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following e-mail address: dpo@istitutomarangoni.com

The Data Controller collects and stores your following data:

• Images taken from the video surveillance cameras installed at the above-mentioned schools.

Data are collected at the time of recording by the video surveillance system.

The Data Controller uses your data for the following purposes:

• Ensuring the safety of work, people on the premises and the protection of company assets through the video surveillance system;
• If necessary, protect one's rights before the authorities.

For the purposes described above, the processing of your data is carried out to exercise the legitimate interest of the Data Controller, to ensure the safety of students and staff at its schools as well as to protect its corporate assets (Art. 6(1)(f) GDPR).

N.B. The Data Controller does not carry out any monitoring of work activity: the positioning of the cameras has been specially arranged in order to avoid filming sensitive and irrelevant areas such as, by way of example, workstations and, therefore, in order to avoid any type of control concerning the work activity of employees.

Video surveillance cameras are switched on 24 hours a day, 365 days a year and retain images for a period of 72 hours from the time of recording, after which they are automatically overwritten.

N.B. If, in the event of litigation, it is necessary to ascertain, exercise or defend the rights of the Data Controller, the period of retention of the data collected, for the above-mentioned purposes, may be extended due to the possibility that it may be necessary to prepare defensive elements within this timeframe. In this case, the data will only be kept until the conclusion of the litigation.

The Data Controller processes the images taken by the cameras by computerised means by means of personnel authorised to carry out operations of collection, use, recording, consultation, storage, deletion, extraction, communication and restriction.

The cameras are closed circuit and the images are saved on a hard disk located inside the server room.

The server room is locked, stored with appropriate security measures, and access to the images is restricted to authorised and appointed personnel only.

Only those authorised and specifically appointed by Istituto Marangoni may access your data and, therefore, the images captured by the cameras.

Access to the data by the above-mentioned parties, however, may only take place when strictly necessary for the pursuit of the above-mentioned purposes.

Where strictly necessary to ensure the safety of work and persons on the premises or to protect the company's assets, the data may be shared with the competent authorities as autonomous data controllers.

In addition, in the event of a request for support from the Data Controller to the supplier S.R.C. Security Systems - appointed as the Data Processor by Istituto Marangoni - to resolve any problems relating to the video surveillance system, the supplier itself may be allowed access to the images for a period of time strictly necessary to resolve the problem.

In any case, the data in question will not be disseminated and, therefore, will not be made known to unspecified persons.

The images taken by the cameras reside on a hard disk located in the server room at the school. Therefore, images are not routinely transferred to other countries.

However, in the event of extraction of the images in case of need, they may be stored on Microsoft's One Drive cloud for the time strictly necessary to fulfil the purpose. In that case, the images might reside on Microsoft's servers and thus possibly outside the European Economic Area (EEA)

In the latter case, data processing will be regulated in accordance with the provisions of the GDPR, therefore, all necessary precautions will be taken in order to guarantee data protection, pursuant to Articles 46 et seq. of the GDPR (e.g. the so-called 'Data Privacy Framework').

The use of video surveillance cameras is necessary to guarantee the safety of the persons concerned and to protect the company assets of the Data Controller. Therefore, the provision of data for the above-mentioned purposes is necessary. Failure to provide the data will make it impossible to access the Controller's premises.

According to the provisions of the GDPR, in connection with the processing in question, the Data Controller guarantees the following rights:

• Right of access [Art. 15 GDPR] (right to obtain confirmation of the existence or non-existence of the data subject's personal data and a copy thereof in intelligible form)
• Right to erasure [Art. 17 GDPR] (right to erasure of data of data subjects.

Note: should it prove impossible to proceed with the deletion of data by virtue of the above, the Data Controller will inform the data subjects of the reasons why it is impossible to do so);

• Right to restriction of processing [Art. 18 GDPR] (right to obtain restriction of processing, e.g. if the accuracy of the data is contested or in case of unlawful processing);
• Right not to be subjected to automated decision-making [Article 22 GDPR] (right not to be subjected to a decision based solely on automated processing that produces legal effects or similarly significantly affects data subjects).

These rights may be exercised in writing by sending an e-mail todpo@istitutomarangoni.com or . privacy@istitutomarangoni.com

At the same contacts, further information on the processing of personal data may be requested at any time. It should also be noted that the exercise of one's rights must not prejudice and/or infringe the rights and freedoms of others.

The Data Controller undertakes to reply to requests within a period of one (1) month, except in the case of particularly complex requests, for which it may take up to three (3) months. In any event, the Data Controller shall explain the reason for the wait within one (1) month of the request.

The outcome of the request will be provided in writing (at the request of the data subject) or electronically (and, in this case, free of charge). The Data Controller specifies that a possible contribution may be requested from the data subject if your requests are manifestly unfounded, excessive or repetitive: in this regard, the Data Controller will keep track of the requests.

The Data Controller, in accordance with Article 19 of the GDPR, undertakes to inform the recipients to whom the data subject's personal data have been disclosed of any rectification, erasure or restriction of processing requested by the data subject, where possible.

You also have the right to object to processing based on legitimate interest (Art. 6(1)(f), EU Regulation), by contacting the Controller at the contact details given in the previous paragraph.

Should you consider that your rights have been compromised or infringed, or that the processing of your data is contrary to the legislation in force, you have the right to lodge a complaint with the Italian Data Protection Authority at the following web address: https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/.

This notice is subject to change. Any substantial changes will be communicated by e-mail or via our institutional website