Last updated: 28 July 2021
Malta International Airport plc. (“the Company”) operates a closed-circuit television (“CCTV”) surveillance system (“the CCTV System”) throughout the airport premises, including the aerodrome, terminal building, the VIP terminal, Skyparks Business Centre and car parks, primarily to ensure the safety and security of staff, clients, passengers, airlines and visitors at all times.
This policy sets out the use and management of the CCTV System in compliance with the relevant data protection and privacy laws including but not limited to the Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.
This Policy applies to all of the Company’s CCTV Systems including closed circuit television (“CCTV”), Automatic Number Plate Recognition (“ANPR”), Licence Plate Recognition cameras (“LPR”), webcams, temporary CCTV arrangements and any other system capturing images of identifiable individuals for the purpose of viewing and or recording the activities of such individuals. The Company’s CCTV System may capture images and audio recordings. CCTV recordings are monitored and retained in strict accordance with this Policy.
The CCTV System is intended to satisfy the purposes stated in section 3.1. It shall provide, when required, information and images of evidential value and, hence, produce images as clear as possible and appropriate for the purposes stated in this Policy.
The CCTV System is owned and managed by the Company and operated by the Company’s Security Services. The responsible manager is the Company’s Head of Security.
Cameras are located at strategic points throughout the precincts of the Airport, principally at the perimeters, entrance and exit points of buildings, public and non-public collection spaces and airfield. The exact location of the cameras is confidential and restricted information due to security reasons.
Signage is prominently placed at strategic points on the estate to inform staff, visitors and members of the public that a CCTV System is in operation.
1.7 Temporary CCTV Arrangements
CCTV cameras can be positioned temporarily in strategic positions in a covert way under a limited number of circumstances. Such temporary placements may only be carried out in cases of suspected specific criminal activity or where the security of Civil Aviation is likely to be compromised and shall only be conducted where informing the individual(s) concerned would seriously prejudice the reason for making the recording and where there is reasonable ground to suspect that illegal or unauthorised activity is taking place.
The placement of cameras in temporary arrangements requires the written authorisation of the Chief Executive Officer and Head of Security and, where this may involve members of staff, the Head of Human Resources.
Any authorisation to use temporary CCTV arrangements must include a justification of the need to use such methods to obtain evidence of suspected criminal activity in a specific case; an assessment of alternative methods of obtaining such evidence and a statement of how long the arrangement should remain in place. The authorisation must be reviewed every 5 days in view of whether the arrangement should continue or be ceased.
Any decision to use temporary CCTV arrangements for any reason must be fully documented and records of such decision retained securely.
1.8 Access to Recordings by the Company
Access to CCTV recordings is restricted to those who need to have access in accordance with this policy and any governing legislation.
Locations in which monitoring takes place include, but are not limited to, the Company’s Control Room, the Aerodrome Operations Room, the Emergency Operations Room, the Central Security Screening Area, the Security Office, the Car Park Kiosk, the Skyparks Business Centre Administration Office, the Office of the Head of Security, the Office of Rescue and Fire Fighting Services, the office of the head of AVSEC (Malta) as well as the offices of members of the IT services team assigned as system administrators.
Images displayed on monitors in these locations shall not visible from outside the above mentioned rooms and locations and access to them shall be strictly limited.
All staff who have access to the CCTV System are made aware of the sensitivity of handling CCTV images and recordings and are obliged to sign a confidentiality agreement. Security Services will ensure that authorised staff are fully briefed and trained in all aspects of the operational and administrative functions of the CCTV System.
Malta International Airport p.l.c., a company registered under the laws of Malta with registration number C12663 and having its registered address at Malta International Airport, Luqa, LQA 4000, Malta, is the data controller and responsible for any personal data collected, stored or processed under this Policy.
The Company has appointed a Data Protection Officer (“DPO”), Mr Heinz Lachinger, who is responsible for ensuring compliance with data protection legislation. The DPO may be contacted via email on email@example.com or via telephone on (+356) 2369 6268.
3. Processing of Personal Data
The Company’s purposes for processing of personal data through use of the CCTV System are the following:
- Ensure the safety of staff, clients, passengers, airlines and visitors
- Detect, prevent or reduce the incidence of crime
- Prevent and respond effectively to all forms of possible harassment and disorder
- Reduce the fear of crime
- Create a safer environment
- Provide emergency services assistance
- Investigate legal or insurance claims
- Employment relations, including the use of CCTV footage for disciplinary purposes
- Billing of car park services
3.2 Categories of Personal Data
For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, guests, visitors, suppliers, business partners and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Any monitoring of staff will be carried out in accordance with applicable legislation.
3.2 Lawful Basis of Processing
The Company’s legitimate interest for processing such personal data stems from the following: CCTV is used for maintaining public and aviation safety, the security of property and premises and for preventing and investigating crime and safety related incidents, it may also be used to ensure the safety of staff, clients, passengers and visitors and to ensure the quality of staff conduct and performance when carrying out work duties. The Company recognises the effect of such a CCTV System on the individual and the right to privacy and protection of personal data.
No images and information shall be stored for longer than is required for the stated purpose. CCTV recordings will be kept for the period of time that is necessary for MIA to comply with the strict security requirements of an international airport. In certain instances, the retention period of images captured by some cameras may be extended further for the purpose of civil aviation security or national security interest or according to legal obligations imposed on the Company by law. Images will be deleted once their purpose has been discharged.
3.5 Disclosures of Personal Data
The Company will share personal data with third parties only if there is a legal obligation imposed on it to do so.
3.6 Technical and Organisational Security Measures
The Company shall implement and maintain appropriate and sufficient technical and organisational security measures, taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to protect personal data against any unauthorised accidental or unlawful destruction or loss, damage, alteration, disclosure or access to personal data transmitted, stored or otherwise processed and shall be solely responsible to implement such measures.
The Company shall ensure that its staff who process personal data are aware of such technical and organisational security measures and shall ensure that such staff are bound by a duty to keep personal data confidential.
The technical and organisational security measures in this clause shall mean the particular security measures intended to protect personal data of individuals in accordance with any privacy and data protection laws.
Right of Access – Anyone who believes that they have been recorded by the CCTV System can request a copy of the recording, subject to any restrictions covered by applicable Data Protection legislation, security considerations and Freedom of Information Act.
Access requests can be lodged via the online form on www.maltairport.com/data-protection or via email to firstname.lastname@example.org or to email@example.com or by letter to:
Head of Security
c/o Malta International Airport plc.
Right to Rectification – Data subjects also have the right to request that inaccurate data be corrected or erased and to seek redress for any damage caused. Procedures are in place to ensure all such access requests are dealt with effectively and within the law.
Right to Lodge a Complaint – Data subjects have the right to lodge a complaint regarding the processing of their personal data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (“IDPC”), with whom a complaint can be lodged on the IDPC’s website via this link.
Right to Erasure – in certain circumstances data subjects may request the Company to delete the Personal Data that is held about them;
Right to Object – data subjects have a right to object and request that the Company ceases the processing of their personal data where the Company relies on its own, or a third party’s legitimate interest for processing personal data;
Right to Portability – data subjects may request the Company to provide personal data of the data subject in a structured, commonly used and machine-readable format. Where technically feasible, data subjects may also request that the Company transmits their personal data to a third party controller indicated by the data subjects;
Right to Restriction – data subjects have the right to request the Company to stop using their personal data in certain circumstances, including if they believe that the Company is unlawfully processing their data;
Data subjects’ rights are not absolute and the Company may not be able to entertain the above requests if it is prevented from doing so in terms of the applicable law.
Data subjects may exercise the rights indicated in this section by contacting the Company’s Data Protection Officer via email on firstname.lastname@example.org or via telephone on (+356) 2369 6268.
5. Third-Party Access to Personal Data
Access to recorded images is only granted to third parties that are eligible to it by law.
In line with the requirements of the National Civil Aviation Security Programme the Company shall grant access to recordings to Aviation Security Malta (AVSEC), the regulating body of aviation security in Malta as well as the Armed Forces of Malta (AFM), who both form part of the Ministry for Home Affairs and National Security.
Access to recorded images by third parties other than the above (i.e. Police, Malta Security Services) can be made via a dedicated form – which is accessible via this link – and is recorded accordingly by the Company. In addition, access to CCTV footage is recorded in the form of an access log in the Milestone System software.
Disclosure of CCTV recordings to third parties will only be made in accordance with the purposes of the CCTV System and in compliance with applicable Data Protection legislation.
Members of the public can address any concerns over use of the Company’s CCTV System to the Company’s Security Office, either via email at email@example.com or by telephone on (+356) 2369 6010. Alternatively, the Company’s Data Protection Officer may be contacted via email on firstname.lastname@example.org or via telephone on (+356) 2369 6268.
Company staff should address any enquiries or concerns relating to the CCTV System to their line manager in the first instance.
This policy is reviewed periodically, at least every three (3) years, and updated as necessary by the Head of Security in collaboration with the Company’s Data Protection Officer.