Data protection

Privacy notice of the camera surveillance register of construction sites

1.   Controller

GRK Infra Oyj (business ID 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi

2.   The name of the register

Camera surveillance register of construction sites

3.   Purposes and legal grounds to processing personal data

This privacy notice applies to all GRK Group companies, GRK Infra Oyj, GRK Suomi Oy, GRK Sverige AB and GRK Eesti AS (hereinafter referred to as “Controller” or “GRK”).

The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.

The controller processes personal data on the basis of the legitimate interest of the controller and a third party (such as the contractor of the controller on whose behalf the work is carried out on the site) in accordance with Article 6 of the EU General Data Protection Regulation (2016/679). The processing of personal data for the purposes described below is legitimate, and the controller may also establish, defend and pursue legal claims based on its legitimate interest.

The controller processes personal data for the following purposes:

4.   Categories of personal data processed

The register contains personal data on the following data subjects:

The personal data processed include:

5.   Regular sources of personal data

The main data source for the register and the personal data processed is the CCTV system. If access control systems or other identification systems are used on the site, these may serve as additional sources. For example, the use of access cards may provide information on the time and location of a person’s presence on the site. In some cases, the information provided by the CCTV system may be combined with manually collected data, such as observations by security staff or other data collected at the site.

6.   Disclosure and transfer of personal data

In connection with the technical implementation of the camera surveillance and for security and surveillance tasks at construction sites, the controller uses reliable service providers who process personal data on behalf of the controller under a data processing agreement between the controller and each service provider, as required by applicable data protection legislation. The service providers will process the personal data under the responsibility of the controller in accordance with the data processing agreement and the controller’s written instructions.

Video records may be disclosed to other companies belonging to the same group as the controller, insurance companies, law enforcement authorities, legal advisors and, in individual cases, to courts and parties to legal proceedings. The transfer may be based on a legitimate interest of the controller or on legal obligations.

In principle, personal data will not be transferred outside the European Union or the European Economic Area. However, personal data may be transferred outside the European Union or the European Economic Area if this is necessary for the operation and maintenance of the information systems. Any transfer of personal data will always be carried out in accordance with the applicable data protection legislation.

7.   Retention of personal data

As a rule, video recordings are retained for about 1-2 weeks. They are automatically deleted as new footage is added to the disk space on top of old footage. 

If the video recordings are required for the preparation, presentation or defence of a legal claim, these recordings will be retained for the necessary period of time in accordance with the case in question. In such cases, the video recordings will be retained until the controller has formally transmitted them to the authorities conducting the criminal investigation or until the completion of the internal investigation carried out by the controller and any related legal measures.

8.   Protection and security of personal data

Access to the register of personal data is only granted to representatives of the controller who are bound by the obligation of confidentiality and who have a legitimate need to process the data of the register for the exercise of their duties.

The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.

The security of information systems is adequately ensured, including through encryption and other technical safeguards.

We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.

9.   Automated processing of personal data and profiling

The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.

10.  Rights of the data subject

The data subject has rights under the EU General Data Protection Regulation.

RightDescription
Right of access to personal dataThe data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access.
Right to request rectification, erasure or restriction of processingThe data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law.
Right to objectThe data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest.
Right to file a complaint to the supervisory authorityWithout prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi.

Exercising the rights

The data subject may exercise his or her rights by contacting the controller’s representative using the contact details provided in section 1. The controller will endeavour to respond to the request as soon as possible and, if necessary, provide further instructions or ask further questions about the request.

Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.

If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.

11.  Further information

For further information on the processing of personal data, please contact us using the contact details provided in section 1 of this privacy notice.

The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.