Rotterdam School of Management B.V. (hereinafter RSM B.V.) uses cameras and thus closed-circuit television (CCTV) as part of its policy to promote safety and protect personal and school property within the Bayle building. By applying CCTV, RSM B.V. processes personal data since it captures imagery of people in the building. Therefore, the General Data Protection Regulation (GDPR) applies to the usage of cameras. This policy provides the framework within which CCTV capturing takes place within RSM B.V., to ensure integrity, judiciousness, and effectiveness in the application of this policy.

This policy applies to all RSM B.V. personnel in the use of authorized security cameras and their video monitoring and recording systems. Security cameras may be installed in situations and placed where the security of either people or property would be enhanced. Cameras will be limited to uses that do not violate the reasonable expectation of privacy. When appropriate, the cameras may be placed inside and outside the Bayle building. Within RSM B.V., in principle no covert cameras will be used, unless there is a legitimate interest to do so and there are no other measures that may help to solve the issue.

Within this policy, the following terms are capitalized. The following definitions apply:

CCTV

Closed-circuit television: surveillance using cameras;

Data Subject

The person of whom Personal Data is processed. In the context of RSM B.V., this could be employees, clients, or visitors;

EDO

Executive Director Operations: Member of the Executive Board, responsible for all operations-departments: Finance, HR, ICT, Facilities, Reception & Catering;

Executive Board

The statutory directors of RSM B.V.;

GDPR

The General Data Protection Regulation (EU 2016/679);

Personal Data

Any information relating to an identified or identifiable natural person;

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;

RSM B.V.

Rotterdam School of Management B.V.;

System Administrator

A Staff Member of RSM B.V. possessing extensive rights in IT systems in connection with their administrative duties and their position;

TRA

Targeted Recording Access: The act of accessing the Video Recordings to investigate an incident and/or unpermitted behaviour;

Video Recordings

The result of CCTV, the actual stored recorded imagery, which may include Personal Data;

Written/in Writing

In the form of a letter or a document, or by other digital means of communication (in accordance with article 6:227a of Dutch Civil Law).

  1. CCTV within the Bayle building is used as a mean to protect people and property, as well as to prevent fraud and theft, and to record incidents:
    1. In order to protect the safety and health of one or more natural persons, targeted recordings of the Data Subjects will be made, to the extent necessary for these purposes;
    2. In order to secure the access to buildings and grounds, targeted recordings of the access roads and entrances will be made, to the extent necessary for these purposes;
    3. In order to monitor and secure goods in the building or on the grounds, targeted recordings of these goods will be made, to the extent necessary for this purpose;
    4. In order to be able to record incidents, targeted recordings of parts of the building or grounds where the incidents tend to occur will be recorded, to the extent necessary for these purposes.
  2. It is not permitted to place cameras in areas where Data Subjects should reasonably find themselves undisturbed, including but not limited to toilets, showers, and changing rooms.

  1. The Executive Board is responsible for the Processing of Personal Data and therefore for the CCTV. The CCTV is carried out on the basis of RSM B.V.’s legitimate interest.
  2. The CCTV is carried out by the System Administrators, but TRA can only occur after explicit Written permission from the EDO. The Executive Board reserves the exclusive right to take decisions with regards to any covert cameras.
  3. The technical management of the CCTV is carried out by the System Administrators. The CCTV is secured using generally accepted industry standards.
  4. In the event of an incident, the System Administrators immediately report this to the EDO. In case an incident is reported to the System Administrators by a Data Subject, this will be immediately reported to the EDO.
  5. The EDO ensures a logbook is kept of the actual TRA of the CCTV.

  1. Processing Video Recordings using CCTV also includes the TRA, as well as the storage of the Video Recordings and the Personal Data on CD/DVD or any other form of data storage.
  2. TRA of Personal Data recorded by the CCTV may take place to detect unpermitted behaviour and/or further investigate unpermitted behaviour, but only in case there is a reasonable presumption or suspicion of unpermitted behaviour by one or more Data Subjects.
  3. Authorized to initiate TRA, and thus to Process Personal Data, are:
    1. The System Administrators after explicit Written permission from the EDO, for the goals as described in Article 2;
    2. Investigating (police) officers, prosecutors, or judges, but only on a legal basis, and if necessary for the proper performance of their legal duty;
    3. The examination board, in accordance with Article 11, sub 5;
    4. Others, in case:
      1. The Data Subject has explicitly consented to the Processing of his/her Personal Data;
      2. The Processing is necessary for the fulfilment of a legal obligation;
      3. The Processing is necessary for the fulfilment of a vital interest of the Data Subject (such as an urgent medical necessity);
      4. The Processing occurs for historical, statistical or scientific purposes. This may only occur on the condition that the Executive Board accepts responsibility for ensuring the Personal Data is used for these purposes only.
  4. The following Personal Data may be processed:
    1. Video Recordings of the building and grounds, and people and property located thereon, which fall under responsibility of the Executive Board in accordance with Article 3, sub 1;
    2. Data related to the time, the date and the place on which the Video Recordings were made.

The room in which the CCTV is recorded and in which TRA can take place, is accessible to authorized personnel 24 hours a day, and is protected against intrusion and vandalism.

  1. Video Recordings are only issued to third parties, including but not limited to investigating (police) officers, prosecutors, or judges, on the basis of a Written request, claim, and/or on the basis of a legal ground.
  2. Such a request or claim is immediately submitted to the EDO.
  3. The EDO can immediately decide on this request or claim orally, and/or with a Written confirmation (afterwards).
  4. The Video Recordings are provided on CD/DVD or using another form of data storage. The CD/DVD or other form of data storage is marked with a unique ID. The issuance and the ID are registered by the EDO.
  5. The third party must identify him/herself in advance to the EDO, before the Video Recordings are transferred.
  6. The third party will sign for receipt.

  1. An overview of cameras will be kept in Annex 1. Annex 1 will be made available to the Executive Board, System Administrators, and the RSM B.V. Employee Council. It will only be made available to others upon request, and only after obtaining explicit Written permission from the EDO.
  2. New cameras may be installed at the request of the Executive Board.
  3. The Executive Board must make a proper Written assessment of the interests and rights of the Data Subjects versus the interests of RSM B.V. This assessment must be made available to the RSM B.V. Employee Council.
  4. The RSM B.V. Employee Council will be asked for approval before the placement of cameras may occur.
  5. After approval from the RSM B.V. Employee Council has been received, the Executive Board may install the cameras. The installation will be recorded in Writing and added to Annex 1.

  1. In exceptional circumstances, the Executive Board may decide to place temporary hidden cameras in the building or on the grounds, but only if it can be demonstrated that other means have not led to the desired result. The provisions from Article 7 do not apply under these circumstances.
  2. The provision of Article 2, sub 2, remain in force with regards to the covert cameras.
  3. In case covert cameras are used in the workplace, there must be a reasonable suspicion with regards to one or more employees. A minimum of 2 members of the Executive Board will be informed of the use of covert cameras. A condition for the use of covert cameras is that the concerned employee or employees are informed upfront about which behaviour is tolerated, and warned that unpermitted behaviour will be sanctioned.

  1. Every particularity or irregularity that is discovered, will immediately be reported to the EDO.
  2. A report of all incidents that occurred, all TRAs that took place, and their findings and potential consequences, if any, will be, at least once a year, issued to the Executive Board.
  3. The information necessary for this report, is collected by the System Administrators in conjunction with the EDO. With this report, the EDO also provides an overview of names of involved System Administrators.

  1. The CCTV and the resulting Video Recordings, including the Personal Data on them, will only be used for the goals as described in Article 2, sub 1, and may only be accessed on the basis of Article 4, sub 3.
  2. The fact that CCTV is taking place within the building and on the grounds of RSM B.V., is clearly indicated using signs on the entrance door to the Bayle Building.
  3. By publishing this policy on the RSM website, employees, clients, and visitors are informed about the purposes of the CCTV, the fact that recordings are made, and the circumstances and conditions under which TRA may take place.
  4. The Video Recordings are saved for a maximum of 4 weeks after they have been captured.
  5. If the Video Recordings and the following TRA have resulted in a case to resolve an incident or discipline unpermitted behaviour, the Video Recordings and the Personal Data on them will be retained for as long as necessary in the context of the case.
  6. Unauthorized personnel do not have access to the CCTV.
  7. The EDO, as well as any representative from a group mentioned in Article 4, sub 3, who in the performance of their duties have access to the Data on the Recordings, will handle the Recordings and the Data on them confidentially and with integrity, in particular with regards to the privacy of the Data Subjects on them.

  1. During written tests, CCTV takes place with the aim of checking for incidents and recording irregularities. This CCTV is governed by the EUR CCTV Policy, not by the RSM B.V. CCTV Policy.
  2. The fact that CCTV is taking place during the written tests, is clearly indicated using signs on the entrance door to test location.
  3. The Video Recordings captured during the written tests, will be deleted within 24 hours after the test results have been finalized. The finalization of the results will immediately be reported by the RSM B.V. Registrar to the Operational Administrator (Operationeel Beheerder) of the EUR.
  4. If the Video Recordings and the following TRA have resulted in a case to resolve an incident or discipline unpermitted behaviour, the Video Recordings and the Personal Data on them will be retained for as long as necessary in the context of the case.
  5. The examination board may request TRA of the Video Recordings if it has a realistic indication that an irregularity occurred during a written test, or may watch the live Recording of the CCTV in case it has a realistic indication that an irregularity will occur during a test.
  6. In the annual report of the examination board, it provides to the Executive Board insight into all incidents that occurred, all TRAs that took place, and their findings and potential consequences. With this report, the examination board also provides an overview of names of involved System Administrators.

  1. Complaints regarding the CCTV, the TRA procedure, and/or personnel involved in the CCTV and TRA procedure, must be submitted to the EDO in Writing.
  2. The EDO will respond within 4 weeks after the date of receipt of a Written complaint.
  3. A Data Subject may exercise their rights under GDPR, using this link (the link will transfer to the EUR privacy platform).
  4. RSM B.V. will respond within 30 days to all requests to exercise a right under GDPR.

  1. In case Data Subjects, System Administrators, or any others that gain access to the Recordings on the basis of Article 4, sub 3, behave in conflict with the general applicable values and norms, or in conflict with the interests of RSM B.V., the Executive Board will be informed.
  2. Depending on the nature and severity of the violation as mentioned in Articles 4, sub 2 and/or Article 13, sub 1, the Director HR and/or Legal Affairs may be informed and/or consulted, and disciplinary sanctions and/or labour law sanctions may be taken against Data Subjects.
  3. In the event of any unlawful acts, RSM B.V. will also report this to the EUR security and the police.

This policy will be published on the RSM website.

The RSM B.V. Employee Council has the right of approval with regards to this policy.

  1. In cases not covered by this policy, the EDO decides.
  2. This policy will be evaluated yearly, starting in January 2021, by the Executive Board and the RSM B.V. Employee Council.
  3. This policy enters into force on 1 January 2020.