INFORMATION ON CAMERA MONITORING 

VISITORS

Sephora s.r.o., with registered office at Rybná 682/14, Staré Město, 110 00 Prague 1, Czech Republic, ID No.: 264 91 788, registered in the Commercial Register kept at the Municipal Court in Prague, Section C, Insert 85605 (“Sephora”), hereby informs you that it is monitoring the premises of its establishments, incl. selected parts of its headquarters (HQ) at Rybná 682/14, Staré Město, 110 00 Prague 1 (“Sephora premises”), by means of a camera system with recording in order to protect the property and health of third parties (customers, suppliers, visitors to the premises / HQ and other third parties accessing the Sephora premises and for the purpose of enforcing any claims of Sephora arising from the business activities carried out and for the protection of persons on the Sephora premises (“Monitoring”). 

Access to the records taken within the Monitoring is only used in the event of a security incident within Sephora premises (theft, personal injury, work accident or similar situations).

For more information on Monitoring, please visit the Sephora website or contact Sephora at e-mail privacy@sephora.cz.

INFORMATION ON THE PROCESSING OF VISITORS’ PERSONAL DATA 
IN CONNECTION WITH THE OPERATION OF THE CCTV SYSTEM

The following information is provided to ensure that you are fully and transparently informed about the processing of your personal data, including special categories of personal data, by the controller of such data, in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).

1. Identity and contact details of the Controller:

   Sephora s.r.o., with its registered office at Rybná 682/14, Staré Město, 110 00 Prague 1, Czech Republic, ID No.: 264 91 788, registered in the Commercial Register kept at the Municipal Court in Prague, Section C, Insert 85605

   e-mail: privacy@sephora.cz

   mail: Rybná 682/14, Staré Město, 110 00 Prague 1, Czech Republic

   (“We” or “Controller”)

   We are committed to protecting the privacy and personal data of individuals whose personal data we come into contact with. Below is information regarding the processing, in particular the collection, disclosure and other use of personal data relating to third parties in connection with Monitoring.

2. Data Protection Officer.

   The Sephora Group has appointed Mgr. Jakub Málek as its Data Protection Officer (DPO), who can be contacted at malek@plegal.cz.

3. Personal data processed about you by the Controller:

   The data we process about you is generated automatically by the camera system recording on the Sephora premises. Although the primary purpose of the Monitoring is not to process the personal data of third parties, it is not possible to exclude the processing of such data and a certain degree of interference with your privacy given the purposes pursued (i.e. protection of property, customers and the legitimate interests of the Controller).

   Your image or video recording of your person and your activities is processed through the CCTV system in Sephora premises, including selected parts of their facilities, and selected parts of the headquarters premises (HQ). 

4. The purpose of processing your personal data and the legal basis for processing it:

   The purpose of the processing of your personal data is to protect the legitimate interests of you as third parties (customers, suppliers, visitors to Sephora premises and other third parties) and of us (Sephora), in particular, to protect the property and health of persons through the camera system of the Sephora premises and to enforce any claims arising from the business activities carried out and the protection of persons on the Sephora premises, where the processing of your personal data within the meaning of Art. 6(1)(f) of the GDPR is necessary for the purposes of the legitimate interests of the controller or a third party.

   We have assessed the adequacy of our legitimate interests in relation to your interests and the interests of third parties. We have carried out an assessment - a balancing test - of our, your and third parties’ legitimate interests to determine whether our legitimate interests are outweighed by your and third parties’ interests, considering in particular (i) the importance of the Controller’s legitimate interest, (ii) the risk to you and third parties, (iii) your expectations in the processing of personal data in relation to Monitoring and (iv) the level of security measures. We found the outcome of the balancing test to be positive and our legitimate interests to be relevant and legitimate in this case, given the nature of the Monitoring. We will monitor and evaluate all circumstances surrounding the implementation of the Monitoring on an ongoing basis.

   Should it be desirable for us to further process your personal data beyond the obligations imposed on us by law or our legitimate interests or the legitimate interests of a third party, we will always request your free written consent in advance.

5. Recipients or categories of recipients of personal data:

   Personal data is appropriately secured in accordance with the GDPR and will not be provided or disclosed to third parties except where strictly necessary to deal with a specific situation or in accordance with generally applicable regulations allowing or requiring this, for example:

• to state authorities (in particular the Office for Personal Data Protection, law enforcement authorities, the Police of the Czech Republic, prosecutors, courts) and other bodies under other legal regulations;

• to entities that provide us with services (in particular, operating CCTV, IT services, security, insurance) and with whom we have concluded the relevant contract for the processing of personal data;

• to the company Limited LP Sp. z o.o., ID No. KRS 0000730227, with its registered office at Gdansk, ul. ul. Wiosenna 58, 80‑178, Województwo pomorskie, Poland, registered in the Register of Entrepreneurs of the National Court Register, for which the registration files are kept by the District Court for Gdansk – north, VII. Commercial Division; and

• to the company SEPHORA POLSKA Sp. z o.o., ID No. 0000030761, with its registered office at Warsaw, ul. Żwirki i Wigury 16C, 02 092, Poland, registered in the Register of Entrepreneurs of the National Court Register, for which the registration files are kept by the District Court for the Capital City of Warsaw, XIII. Commercial Division.

6. Transfer of personal data abroad:

   We do not intend to transfer personal data to a third country or international organisation outside the European Union or the European Economic Area.

7. Period of storage of personal data:

   When dealing with your personal data for specific purposes, we respect the principle of storage limitation, whereby we keep your personal data only for the necessary period of time. We also respect the data minimisation principle where we only retain personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

   Recordings from CCTV systems are stored for 21 days, after which they are automatically overwritten with a new recording, unless further processing is necessary for another purpose, e.g. to deal with a specific situation, as evidence in criminal or other proceedings or to deal with an insurance situation.

8. Automated individual decision-making, including profiling

   The processing of your personal data does not involve any decision-making based solely on automated processing, including profiling, which would have legal effects on you or would affect you significantly in a similar way.

9. Your rights in relation to the processing of your personal data:

   You have the following rights in relation to the processing of your personal data by us or for us:

• the right to request access to personal data concerning you as a data subject and the right to obtain a copy of your personal data processed;

• the right to rectification of your personal data - if you find that it is incorrect or inaccurate;

• the right to erasure to the extent of the personal data voluntarily provided, i.e. in the context of the performance of contractual obligations. Conversely, you cannot request the deletion of personal data that we are obliged to collect on the basis of a legal obligation;

• the right to restriction of processing;

• the right to data portability;

• the right to object to processing based on our legitimate interests or the legitimate interests of a third party;

• the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data violates the GDPR. You can complain with the relevant supervisory authority, which is the Office for Personal Data Protection, pplk. Sochora 27, 170 00 Prague 7 (see www.uoou.cz).