GDPR & Privacy Policy

CCTV

1. Introduction and Purpose

This policy sets out the rules and procedures for the use of Closed Circuit Television (CCTV) at Merton Group UK Ltd premises, primarily our warehouse and operational sites.

The use of CCTV involves the processing of personal data (video images of identifiable individuals) and is therefore subject to UK data protection legislation. This policy ensures we comply with our legal obligations, maintain a secure working environment, and protect the privacy rights of all staff, visitors, and contractors.

  • System Type: Digital Video Recording (DVR/NVR) System.
  • Data Captured: Video images only. No audio is recorded.

2. Lawful Basis and Legitimate Interests

Our use of CCTV is primarily based on the Legitimate Interests of the company, which we have balanced against the privacy rights of individuals (employees, visitors, etc.). We rely on CCTV for the following specified, explicit, and legitimate purposes:

  • Crime Prevention & Detection: To deter, prevent, and detect criminal activity, including theft of company assets (stock, equipment) and personal property.
  • Health and Safety: To monitor safety compliance in high-risk areas (e.g., loading bays, forklift traffic areas) and to assist in investigating health and safety incidents and accidents.
  • Security: To control and monitor the entry and exit of vehicles and personnel, and to protect the integrity of the premises.
  • Dispute Resolution: To provide accurate records for the investigation of internal disciplinary matters, disputes, or complaints.

The use of CCTV for general, routine monitoring of employee performance or productivity is not a stated purpose of this system and will only be used for employee monitoring if it is a necessary, proportionate, and pre-warned part of a specific investigation (e.g., suspected theft).

3. Transparency and Notice

3.1 Signage:

Clear, visible, and legible signs will be placed at all entrances to the premises and in all monitored areas to notify people that CCTV is in operation. The signs will include:

  • The fact that recording is taking place.
  • The purpose of the recording (e.g., “For Security and Health & Safety Purposes”).
  • The name of the Data Controller.
  • Contact details for the Data Protection Lead for further information.

3.2 Location of Cameras:

Cameras are located to cover high-risk or common areas such as:

  • Warehouse perimeters, entrances, and exits.
  • Loading/unloading bays and vehicle parking areas.
  • High-value stock storage areas.
  • Communal areas (e.g., corridors, reception).

Cameras are not located in areas where there is a high expectation of privacy, such as toilets, changing rooms, or private offices. 

4. Access, Security, and Storage

4.1 Data Minimisation and Retention

  • Video-Only: The system captures video only to ensure data collection is limited to what is strictly necessary for the stated purpose.
  • Retention Period: Footage will be stored for a maximum period of 30 days. After this period, the recordings will be automatically and securely overwritten or deleted unless they have been flagged for a specific, ongoing investigation.

4.2 Security and Access Controls

Access to the live feeds and stored recordings is strictly limited to the minimum number of authorised personnel.

The system and stored footage will be protected by:

  • Strong, unique passwords and/or multi-factor authentication.
  • The recording equipment (DVR/NVR) will be stored in a locked, secure area with restricted access.
  • Access attempts will be logged and regularly audited.

5. Data Subject Rights (Access Requests)

Under UK GDPR, individuals have the right to access the personal data held about them. This includes footage recorded by the CCTV system.

5.1 Subject Access Request (SAR) Procedure

An individual (staff member, contractor, or visitor – not member of the public) wishing to obtain a copy of footage that features them must submit a written request to [email protected].

  • We will respond to the request within one calendar month (or as legally extended).
  • To comply with the privacy rights of others, footage provided will be edited/redacted (blurred/masked) to obscure the images of any identifiable third parties who are not relevant to the request.
  • The requesting individual must provide sufficient detail (date, time, location) to help locate the specific footage.

5.2 Disclosure to Third Parties

Footage will only be disclosed to external third parties where legally required or justified, such as:

  • The Police or other law enforcement agencies for the prevention or detection of crime.
  • Insurance companies in connection with a claim or investigation, following legal advice.
  • Relevant regulatory bodies (e.g., Health & Safety Executive, Information Commissioner’s Office – ICO).

6. Responsibilities and Non-Compliance

6.1 Data Protection Lead (DPL)

The DPL is responsible for:

  • Ensuring the system is used solely for the stated purposes.
  • Managing all Subject Access Requests and disclosures to third parties.
  • Conducting periodic reviews of this policy and the necessity of the CCTV system.
  • Ensuring all authorised users receive appropriate training.

6.2 Penalties for Misuse

Any deliberate misuse of the CCTV system, unauthorised access, viewing, or sharing of footage by an employee will be treated as a serious disciplinary matter, which may result in dismissal.