APPROVED
By the Director of the Nemenčinė Cultural Centre
Order No. APT-13 of 5 January 2024
RULES FOR VIDEO DATA PROCESSING OF NEMENČINĖ CULTURAL CENTRE
SECTION I
GENERAL PROVISIONS
1. These Rules regulate video surveillance by cameras installed at Nemenčinė Cultural Centre and processing and administration of video data.
2. Video surveillance and processing are carried out in accordance with the Law on Legal Protection of Personal Data of the Republic of Lithuania, Regulation (EU) 2016/679 (GDPR), and related implementing legal acts.
3. Terms used in these Rules:
3.1. data subject means a natural person captured by cameras whose identity can be established from the recorded image (face, height, etc.);
3.2. data recipient means a natural or legal person, authority, agency, or other body to whom personal data captured by cameras are disclosed;
3.3. video surveillance means processing of video data related to a natural person using an automated surveillance system;
3.4. video surveillance system means recording devices and cameras;
3.5. other terms correspond to terms used in applicable personal data legislation and GDPR.
Data controller and processor: Nemenčinė Cultural Centre, legal entity code 303024707, address Švenčionių g. 12, Nemenčinė, Vilnius district.
SECTION II
PURPOSE AND SCOPE OF VIDEO SURVEILLANCE
4. The purpose of video surveillance is to ensure the protection of assets managed by right of ownership or on another legal basis, and the safety of employees and visitors.
5. Surveillance is carried out in territories and premises defined in the annex to these Rules.
6. Cameras are installed so surveillance does not cover a larger area than necessary. Camera view must not include residential premises, private territory or entrances thereto, nor areas where an absolute expectation of privacy exists (changing rooms, rest rooms, bathrooms, toilets).
7. Video data may not be used for purposes unrelated to the purpose defined in paragraph 4.
SECTION III
FUNCTIONS, RIGHTS AND DUTIES OF CONTROLLER AND PROCESSOR
8. Rights of the controller:
8.1. to adopt internal legal acts regulating surveillance;
8.2. to decide on provision of video data to data subjects and/or third parties;
8.3. to appoint a person or unit responsible for video data protection;
8.4. to appoint an employee responsible for technical maintenance and data control.
9. Duties of the controller:
9.1. to ensure compliance with GDPR and other legal acts regulating personal data processing;
9.2. to implement rights of data subjects in accordance with GDPR and these Rules;
9.3. to ensure data security by organizational and technical measures;
9.4. to ensure informing data subjects about surveillance in the Centre's territory.
10. Functions of the controller:
10.1. defines purpose and scope of surveillance;
10.2. organizes implementation of surveillance system;
10.3. informs data subjects about surveillance;
10.4. where necessary, provides extracts of video data to data subjects;
10.5. analyses technological, methodological, and organizational issues and takes required decisions;
10.6. provides methodological assistance to employees;
10.7. performs other functions necessary to implement rights and duties defined in paragraphs 8-9.
11. Rights of the processor:
11.1. to require compliance with data security requirements from persons granted access to surveillance equipment and personal data;
11.2. to submit proposals for improving technical and software means.
12. Duties of the processor:
12.1. to ensure access is granted only to authorized persons;
12.2. to ensure data processing complies with GDPR and other legal acts;
12.3. to ensure monitored scope is not wider than defined by these Rules;
12.4. to ensure data provided to data subjects correspond to processed data;
12.5. to protect data against accidental or unlawful destruction, alteration, or disclosure.
13. Functions of the processor:
13.1. coordinates recording actions;
13.2. implements technical security measures, including access to data only from the Centre's internal network;
13.3. ensures access rights are granted only to persons authorized by the controller.
SECTION IV
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
14. To ensure data security, organizational and technical security measures are implemented, including procedures for granting, revoking, and changing access rights and authorizations:
14.1. access protection, management, and control are ensured;
14.2. access is granted only upon signed commitment to protect personal data:
14.2.1. employees must sign confidentiality commitments;
14.2.2. processors and maintenance provider employees must sign commitments to protect data secrecy;
14.3. access to data may be granted only to employees requiring data for assigned functions;
14.4. only actions authorized for the processor may be performed;
14.5. passwords must be unique, at least 6 characters, confidential, and changed at least every two months;
14.6. protection against unauthorized access to internal network is ensured;
14.7. physical security of equipment storing data is ensured;
14.8. protection against malware is ensured by installed and updated network/antivirus safeguards;
14.9. access rights and authorizations are granted, revoked, and changed by Director's order;
14.10. execution of such orders is ensured by processor appointed by Director's order;
14.11. access rights are revoked after employment termination or function changes when access is no longer needed;
14.12. data collected during surveillance are stored for 10 calendar days and then automatically deleted, except where recordings may contain evidence of violations or unlawful acts, in which case they are stored until completion of the relevant investigation or proceedings;
14.13. data may be provided to investigation bodies, prosecutors, or courts as evidence or in other cases provided by law.
15. Use of video data for other purposes is allowed only with written permission of the Director and in compliance with data protection legislation.
SECTION V
IMPLEMENTATION OF DATA SUBJECT RIGHTS
16. After identity verification, a data subject has the right to receive information about processing of related video data and a copy of the relevant recording if stored.
17. A request must specify the scope of the requested data. If the recording includes other persons, the request must also indicate the purpose of use and the legal basis.
18. The processor responds within 3 working days, stating whether related data are stored; if they are stored, the data are copied to media provided by the data subject.
19. Requested data are provided no later than 10 calendar days from the request date.
20. The processor refuses to provide data when:
20.1. disclosure of recording containing identifiable other persons would violate their rights;
20.2. other legal circumstances apply under personal data legislation and related legal acts.
SECTION VI
MANAGEMENT OF VIDEO DATA SECURITY BREACHES AND RESPONSE
21. Employees with access rights who notice security breaches must immediately inform the Director.
22. After evaluating risk factors, impact, damage, and consequences, the Director proposes measures needed to eliminate the breach and its consequences.
23. In cases provided by GDPR, the Director immediately notifies the data subject and/or supervisory authority.
SECTION VII
FINAL PROVISIONS
24. Employees and other authorized persons must comply with these Rules, core personal data processing requirements, and confidentiality/security requirements established by law and GDPR. Violations incur liability under legal acts.

