PARIS – Video surveillance cameras

Istituto Marangoni SAS wishes to inform you about the data it collects and how it uses the video surveillance system at its Paris school, in order to ensure the protection of your fundamental rights and freedoms as a visitor, particularly with regard to the confidentiality and security of data processing.

The data controller is Istituto Marangoni SAS - 15 Rue Boissière, 75116 Paris, France, email address: privacy@istitutomarangoni.com (hereinafter referred to as the "data controller" or simply the "controller").

The data controller has appointed a data protection officer (DPO), who can be contacted at the following email address: dpo@istitutomarangoni.com

The data controller collects and stores the following data:

• Images taken from the video surveillance cameras installed at the above-mentioned schools.

Data is collected at the time of recording by the video surveillance system.

The data controller uses your data for the following purposes:

• To ensure the safety of work, people on-site and the protection of company property through the video surveillance system;
• If necessary, to protect its rights before the authorities.

For the purposes described above, the processing of your data is carried out in the legitimate interest of the controller, in order to ensure the safety of students and staff at its schools and to protect its assets (Article 6(1)(f) of the GDPR).

N.B. The controller does not monitor professional activity: the positioning of the cameras has been specifically designed to avoid capturing sensitive and irrelevant areas, such as workstations, and therefore to prevent any form of monitoring of employees' professional activities.

The CCTV cameras are on 24 hours a day, 365 days a year and retain images for a period of 72 hours from recording, after which they are automatically overwritten.

N.B. If, in the event of a dispute, it becomes necessary to establish, exercise, or defend the controller's rights, the retention period for the collected data, for the aforementioned purposes, may be extended due to the possibility that it may be necessary to prepare elements for a legal defence during this period. In this case, the data will be retained only until the conclusion of the dispute.

The controller processes the images captured by the cameras electronically, through authorised personnel who are permitted to carry out operations such as collection, use, recording, consultation, storage, deletion, retrieval, communication, and restriction.

The images are stored in the cloud on the online platform provided by Cisco Meraki, acting as an external data processor, and can only be accessed by individuals who are authorised and designated by the data controller.

Access to the cloud platform by authorised parties is also technically protected through strong authentication requirements and logical access control measures that prevent access by unauthorised users.

Only those authorised and specifically appointed by Istituto Marangoni may access your data and, therefore, the images captured by the cameras.

Access to the data by the above-mentioned parties, however, may only take place when strictly necessary for the pursuit of the above-mentioned purposes.

Where strictly necessary to ensure the safety of work and persons on the premises or to protect the company's assets, the data may be shared with the competent authorities as autonomous data controllers.

In addition, in the event of a request for assistance to the provider Cisco Meraki by Istituto Marangoni to resolve issues related to the cloud platform, the provider may be granted access to the images for a period of time strictly necessary to resolve the issue.

In any event, the data in question will not be disseminated and, therefore, will not be brought to the attention of unspecified persons.

The images captured by the cameras are stored on the servers of the provider Cisco Meraki, located within the European Economic Area (EEA). If it becomes necessary to use entities located outside the EEA for technical and/or operational reasons, data processing will be regulated in accordance with the provisions of the GDPR. Accordingly, all necessary precautions will be taken to ensure data protection, in line with Articles 46 et seq. of the GDPR (for example, through mechanisms such as the "Data Privacy Framework").

The use of video surveillance cameras is necessary to guarantee the safety of the persons concerned and to protect the company assets of the data controller. Therefore, the provision of data for the above-mentioned purposes is necessary. Failure to provide the data will make it impossible to access the controller's premises.

In accordance with the provisions of the GDPR, in relation to the processing in question, the data controller guarantees the following rights:

• Right of access [Article 15 GDPR] (right to obtain confirmation of the existence or non-existence of the data subject's personal data and a copy thereof in intelligible form)
• Right to erasure [Article 17 GDPR] (right to erasure of data of data subjects.

Note: should it prove impossible to proceed with the erasure of data by virtue of the above, the controller will inform the data subjects of the reasons why it is impossible to do so);

• Right to restriction of processing [Article 18 GDPR] (right to obtain restriction of processing, e.g., if the accuracy of the data is contested or in case of unlawful processing);
• Right not to be subjected to automated decision-making [Article 22 GDPR] (right not to be subjected to a decision based solely on automated processing that produces legal effects or similarly significantly affects data subjects).

These rights may be exercised in writing by sending an email to dpo@istitutomarangoni.com or privacy@istitutomarangoni.com

During these same interactions, additional information about the processing of personal data may be requested at any time. It should also be noted that the exercise of one's rights must not prejudice and/or infringe the rights and freedoms of others.

The controller undertakes to respond to requests within one (1) month, except in the case of particularly complex requests, for which the response time may be extended to up to three (3) months. In any event, the controller will explain the reason for the delay within one (1) month of the request.

The outcome of the request will be provided in writing (at the request of the data subject) or electronically (and, in this case, free of charge). The controller specifies that a possible contribution may be requested from the data subject if your requests are manifestly unfounded, excessive or repetitive: in this regard, the controller will keep track of the requests.

The controller, in accordance with Article 19 of the GDPR, undertakes to inform the recipients to whom the data subject's personal data have been disclosed of any rectification, erasure or restriction of processing requested by the data subject, where possible.

You also have the right to object to processing based on legitimate interest (Article 6(1)(f), EU Regulation), by contacting the controller at the contact details given in the previous paragraph.

If you believe that your rights have been compromised or violated, or that the processing of your data is in violation of applicable laws, you have the right to file a complaint with the French Data Protection Authority on the following website: https://www.cnil.fr/fr/agir/saisir-la-cnil.

This notice is subject to change. Any substantial changes will be communicated by email or via our institutional website.