Privacy Notice for CCTV Surveillance
Effective from 13 July 2026
1. Data Controller
Qstock Oy
Business ID: 2811591-8
Kansankatu 53 T 3
90100 Oulu, Finland
2. Name of the Register
Qstock CCTV Surveillance Register
3. Contact Person for Data Protection Matters
Binta Jabbi
binta.jabbi@qstock.fi
+358 40 456 4113
4. Legal Basis and Purpose of Processing Personal Data
The processing of personal data collected through CCTV surveillance is based on the legitimate interests of the Data Controller or a third party.
The legitimate interest for operating CCTV surveillance may include one or more of the following purposes:
- Ensuring the safety and security of the event, its visitors, employees, and other persons present on the premises.
- Protecting the legal rights and interests of customers, employees, and visitors.
- Protecting the Data Controller’s property against burglary, theft, vandalism, or other criminal activity.
- Investigating criminal offences, accidents, security incidents, and property damage.
5. Sources of Personal Data
A CCTV surveillance system has been installed in the Data Controller’s premises and other areas under its control.
The register contains video recordings of individuals moving within areas covered by CCTV surveillance. Information on the date and time of the recording is also stored in connection with the footage.
CCTV surveillance is clearly indicated through signage within the monitored areas.
6. Disclosure of Personal Data
Personal data may be disclosed to third parties acting on behalf of the Data Controller when necessary for the provision of services or the performance of duties assigned by the Data Controller. Such tasks may include, for example:
- Security services
- CCTV system maintenance and support
- Other services requiring access to personal data for legitimate operational purposes
These third parties may process personal data only to the extent necessary for providing the agreed service and may not use the data for any other purpose.
Personal data may also be disclosed to law enforcement authorities when required by law or upon a lawful request.
Personal data collected through CCTV surveillance is not transferred outside the European Union (EU) or the European Economic Area (EEA).
7. Data Protection Principles and Retention Period
The CCTV surveillance system and recorded footage are located within facilities controlled by the Data Controller.
Access to the register is granted only to designated responsible persons and specifically authorized personnel acting on behalf of the Data Controller whose duties require access to the information. Such persons are subject to a statutory or contractual obligation of confidentiality and have received appropriate training.
All communications between browsers and server environments are encrypted, and access to recording systems and applications is restricted through user access controls.
Recorded data is generally retained for 14 days. However, if a recording is required for investigating an incident related to the purposes described in Section 4, the relevant footage may be retained for as long as necessary to complete the investigation.
8. Rights of the Data Subject
Under the General Data Protection Regulation (GDPR), data subjects have certain rights. Depending on the circumstances, these may include the right to:
- Obtain confirmation as to whether personal data concerning them is being processed and information about the scope of such processing.
- Obtain a copy of personal data concerning them.
- Request the rectification of inaccurate personal data or completion of incomplete data.
- Request the deletion of personal data and exercise the right to be forgotten.
- Request the restriction of processing under certain conditions.
- Object to the processing of personal data where processing is based on legitimate interests.
- Withdraw consent at any time if the processing is based on consent.
These rights may be limited by applicable legislation, including the privacy rights of other individuals. For example, access may be restricted to recordings containing other identifiable persons or information subject to the Data Controller’s trade secrets or confidentiality obligations.
To protect the privacy of third parties, the Data Controller will not provide copies of footage containing other identifiable individuals.
Requests for access are typically fulfilled by allowing the data subject to view the relevant footage at the Data Controller’s premises or another mutually agreed location.
To exercise their rights, data subjects must submit a written request to the contact person responsible for data protection matters. The Data Controller may request proof of identity before processing the request.
The Data Controller will respond within one month as required by the GDPR. If a request is particularly complex or if multiple requests are submitted, the response period may be extended by up to two additional months, in which case the data subject will be informed accordingly.
Data subjects also have the right to lodge a complaint with the supervisory authority regarding the processing of their personal data.
In Finland, complaints can be submitted to the Office of the Data Protection Ombudsman. Further information is available on the website of the Data Protection Ombudsman: www.tietosuoja.fi.