Data protection
Privacy notice of the camera surveillance register of construction sites
1. Controller
GRK Infra Oyj (business ID 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi
2. The name of the register
Camera surveillance register of construction sites
3. Purposes and legal grounds to processing personal data
The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.
The controller processes personal data on the basis of the legitimate interest of the controller and a third party (such as the contractor of the controller on whose behalf the work is carried out on the site) in accordance with Article 6 of the EU General Data Protection Regulation (2016/679). The processing of personal data for the purposes described below is legitimate, and the controller may also establish, defend and pursue legal claims based on its legitimate interest.
The controller processes personal data for the following purposes:
- Creating and ensuring a safe working environment for people working, visiting and staying on construction sites
- Protecting the property of the controller and its clients
- Ensuring the legal protection of persons working on and visiting sites
- Ensuring that only persons authorised to have access are allowed on the sites
- Preventing, detecting and investigating criminal, dangerous and abusive incidents
4. Categories of personal data processed
The register contains personal data on the following data subjects:
- Employees of the controller: persons directly employed by the controller, such as construction workers, supervisors and other site personnel working on the site.
- Subcontractors’ employees, agency workers, sole traders and the similar: persons working on the site for the controller but not employed by the controller.
- Visitors and visitors on site: persons who visit or stay on site for reasons other than work, such as representatives of the contractor, safety inspectors, journalists and other stakeholder representatives.
- Delivery and maintenance workers: persons carrying out deliveries or maintenance work on site, such as drivers of transport companies or maintenance workers.
- Casual bystranders: persons who do not belong to the above categories but who may be caught on CCTV cameras.
The personal data processed include:
- Video recordings
- Person’s behaviour and actions
- Time and place data
- Identifiable data
- Vehicle registration data
5. Regular sources of personal data
The main data source for the register and the personal data processed is the CCTV system. If access control systems or other identification systems are used on the site, these may serve as additional sources. For example, the use of access cards may provide information on the time and location of a person’s presence on the site. In some cases, the information provided by the CCTV system may be combined with manually collected data, such as observations by security staff or other data collected at the site.
6. Disclosure and transfer of personal data
In connection with the technical implementation of the camera surveillance and for security and surveillance tasks at construction sites, the controller uses reliable service providers who process personal data on behalf of the controller under a data processing agreement between the controller and each service provider, as required by applicable data protection legislation. The service providers will process the personal data under the responsibility of the controller in accordance with the data processing agreement and the controller’s written instructions.
Video records may be disclosed to other companies belonging to the same group as the controller, insurance companies, law enforcement authorities, legal advisors and, in individual cases, to courts and parties to legal proceedings. The transfer may be based on a legitimate interest of the controller or on legal obligations.
In principle, personal data will not be transferred outside the European Union or the European Economic Area. However, personal data may be transferred outside the European Union or the European Economic Area if this is necessary for the operation and maintenance of the information systems. Any transfer of personal data will always be carried out in accordance with the applicable data protection legislation.
7. Retention of personal data
As a rule, video recordings are retained for about 1-2 weeks. They are automatically deleted as new footage is added to the disk space on top of old footage.
If the video recordings are required for the preparation, presentation or defence of a legal claim, these recordings will be retained for the necessary period of time in accordance with the case in question. In such cases, the video recordings will be retained until the controller has formally transmitted them to the authorities conducting the criminal investigation or until the completion of the internal investigation carried out by the controller and any related legal measures.
8. Protection and security of personal data
The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.
The security of information systems is adequately ensured, including through encryption and other technical safeguards.
We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.
9. Automated processing of personal data and profiling
The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.
10. Rights of the data subject
The data subject has rights under the EU General Data Protection Regulation.
| Right | Description |
| Right of access to personal data | The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access. |
| Right to request rectification, erasure or restriction of processing | The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law. |
| Right to object | The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest. |
| Right to file a complaint to the supervisory authority | Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi. |
Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.
If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.
11. Further information
The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.