About this policy
1.1 Data protection legislation provides rules which apply to the collection, use and processing of information concerning individuals. The legislation sets out the principles that the Company must follow when processing personal data about individuals. It also gives individuals certain rights in relation to personal data that is held about them. For the purposes of this Policy, data protection legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) and any other applicable law or regulation governing the processing of personal data.
1.2 This Policy sets out the basis on which we will process personal data collected via the CCTV systems located in our stores in the Republic of Ireland and Northern Ireland.
1.3 Identity and Contact Details of Data Controller
1.4 For the purposes of this Policy, the “Dunnes Stores Group” comprises the following entities;
(a) Dunnes Stores Unlimited Company, with an address of 46-50 South Great George’s Street, Dublin 2, Ireland (“the Company”); and
(b) Dunnes Stores (Bangor) Limited, with an address of Milestone House, 28 Hill Street, Newry, BT34 1AR, Northern Ireland.
1.5 The Dunnes Stores Group shares centrally organised management and administrative functions with the result that personal data collected via the CCTV systems located in our stores in Northern Ireland may be processed jointly by both of the Dunnes Stores Group entities. For this reason, the Dunnes Stores Group entities have agreed that they are joint data controllers, for the purposes of this policy, in respect of any personal data collected and processed by the CCTV systems located in any of our stores in Northern Ireland. They have further agreed that the Company will undertake responsibility for compliance with the legislation in this regard.
1.6 Personal data collected via the CCTV systems located in our stores in the Republic of Ireland will only be processed by the Company, except where processing by others is mentioned in this policy. In this regard, the Company is the data controller for the purposes of this policy in relation to any personal data collected and processed by the CCTV systems located in any of our stores in the Republic of Ireland.
1.7 Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred to [email protected].
2. Information in relation to the personal data that we may process about you
2.1 The Dunnes Stores Group have installed CCTV systems in and around their stores and offices for the purposes of;
(a) protecting the safety and security of staff, customers and other individuals who attend at our stores and offices;
(b) protecting our buildings and assets from damage, disruption, vandalism and other such crime;
(c) deterring anti-social activity in and around our stores and offices;
(d) supporting the day-to-day management of our operations, including monitoring analytics such as queue lengths, dwell times and 'hot spots';
(e) enabling the investigation of complaints and/or suspicious activity, both inside and outside of our stores and offices, including any issues that give rise to, or arise during the course of, staff disciplinary or grievance proceedings and/or investigations into criminal or potentially criminal matters by An Garda Síochána/the Police Service of Northern Ireland; and
(f) ensuring that the Dunnes Stores Group is in a position to support/defend any litigation taken by/against it, whether in connection with any investigation carried out pursuant to Clause 2.1(e) above or otherwise.
2.2 In order to meet the above objectives, the Dunnes Stores Group needs to process your personal data (i.e. your image) via its CCTV systems; without such processing, it would not be possible for you to visit or, as the case may be, work in our offices or shop in our stores.
2.3 How the CCTV systems operate
2.4 CCTV cameras have been placed inside and outside of our stores and offices. The systems use both fixed and domed cameras designed to capture and record images of individuals and property. The cameras do not pick up or record sound.
2.5 Signs are displayed at the entrance of each surveillance zone to alert individuals that their image may be recorded. The camera locations have been chosen in such a way as to minimise the viewing of spaces not relevant to the purpose of the monitoring. Cameras have not been placed in areas in which individuals might have a reasonable expectation of privacy.
2.6 CCTV monitoring usually operates 24 hours a day and data captured on cameras is continuously recorded.
2.7 Live Monitoring and Viewing of Recorded Images
2.8 Live feeds from CCTV cameras will be monitored for the purposes set out in Clause 2.1 above. Otherwise, recorded images may be spot checked or accessed where necessary to achieve the purposes set out in Clause 2.1.
2.9 Live feeds from cameras and recorded images are only viewed by approved members of staff or contractors whose role requires them to have access to such data. This may include Security staff, HR staff or members of management involved with or supporting investigations, including disciplinary or grievance matters. Recorded images will only be viewed in designated, secure offices.
2.10 Use and storage of recorded images
2.11 Images captured/recorded by the CCTV systems will only be used for the purposes set out at Clause 2.1 above, or for any other purpose(s) specifically permitted by the legislation.
2.12 Images captured/recorded by the CCTV systems will normally be stored for approximately 30 days (the exact period of retention may be a couple of days longer or shorter than this, depending on the functionality of the system in operation in the relevant office or store). We may, from time to time, need to retain CCTV footage/stills for longer than this. The circumstances in which we will do so, and the period of time for which the footage/stills will be retained is detailed further in Clause 3 below.
3. Legal basis for processing and categories of receipient
3.1 Where we process data for the purposes detailed in Clause 2.1(a) – (d) of this policy, we will only do so to the extent necessary to meet the legitimate interests of the Dunnes Stores Group (as detailed in Clause 2.1(a) - (d)).
3.2 Where we process data for the purposes detailed in Clause 2.1(e) – (f) of this policy, we will only do so to the extent necessary for the purposes of:
(a) meeting a legal obligation to which the Dunnes Stores Group is subject; or
(b) for the purposes of investigating a customer complaint (in accordance with the Company’s legitimate interest in being able to deliver a quality customer experience); or
(c) for the purposes of meeting a contractual obligation (to a member of staff or otherwise); or
(d) for the purposes of supporting/defending legal proceedings.
3.3 Where we retain data beyond the retention period set out in Clause 2.12 above, we will only do so to the extent necessary for the purposes of:
(a) satisfying the legitimate interest of the Dunnes Stores Group in being able to support/defend legal proceedings that are reasonably anticipated or in being during the retention period set out in Clause 2.11 above; or
(b) making a report to the relevant Health and Safety Authority in the case of a reportable incident or dangerous occurrence (in which case, we may be required to retain the footage/stills for a period of 10 years following the incident/accident); or
(c) satisfying the legitimate interest of the Dunnes Stores Group in being able to defend legal or HR proceedings that might be brought by an employee/former employee. In order to meet this legitimate interest, CCTV footage/stills processed in connection with an issue giving rise to, or arising in the context of, a grievance or disciplinary procedure, will be retained for a period of 14 months following the exhaustion of the relevant grievance or disciplinary process. Where the CCTV footage/stills is used in the context of a matter that gives rise to the termination of employment, the relevant footage/stills will be retained for a period of 7.5 years following termination of employment.
3.4 The CCTV footage/recorded images will only be processed by/accessible to authorised members of the Dunnes Stores Group (including members of the Security Department, IT and HR Departments and members of management who have been designated responsibility for conducting an investigation), An Garda Síochána or the Police Service of Northern Ireland or other governmental agencies or local authorities (where required by law) or the Dunnes Stores Group's nominated legal advisers (where required for the purposes of supporting/defending legal proceedings) or other parties to proceedings.
4. Processing by third parties
4.1 We may, from time to time, engage the services of third parties (“data processors”) to assist us to perform our functions or obligations, for example, we may engage an external service provider to support our CCTV systems, to assist with the interpretation/improvement of CCTV footage, etc. Where this occurs, any processing of personal data by the data processor will be in compliance with the requirements of the legislation. Any such processing will be regulated by a contract between the Company and the relevant data processor. That contract will govern the conditions under which any personal data may be processed, the security conditions attaching to the processing of the data and will require the data processor to delete or return the data to the Company upon completion or termination of the contract.
4.2 We may also, from time to time, need to seek advice from professional advisers such as lawyers and engineers. It may be necessary to share CCTV footage and/or recorded images with those professional advisers in that context. Where that CCTV footage/those recorded images contain personal data relating to you, we will only share it/them with our professional advisers where necessary for the purposes of the Company's legitimate interests, i.e. ascertaining the Company's rights and entitlements and/or the support/defence of legal proceedings.
4.3 From time to time, we may also be legally required to share footage with certain public authorities, for example, pursuant to the Litter Act, 1997. Where such a requirement arises, we will only share personal data to the extent necessary for compliance with the relevant legal obligation.
5. Your rights in relation to the personal data that we may process about you
5.1 As a data subject, you are entitled to:
(a) Obtain access to the personal data which is held about you, subject to limited exceptions;
(b) Request the rectification or erasure of the personal data held about you;
(c) Request the restriction of processing of any personal data concerning you;
(d) Object to the processing of any personal data;
(e) Exercise your right to data portability; and
(f) Lodge a complaint with a supervisory authority (e.g. the Data Protection Commission in the Republic of Ireland or the Information Commissioner’s Office in Northern Ireland).
5.2 If you wish to exercise any of rights outlined at (a) - (e) above, please contact us at [email protected].