The Manitowoc Company, Inc.

Transcription

1 The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0

2 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational Issues PART 4 - Specific Data Protection Policies and Procedure 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0

3 PART 1 Policy Statement 22FitzPatrick & Associates 4/5/04 2 Proprietary Material Version 4.0

4 PART 1 Policy Statement Introduction This policy deals with the roles and responsibilities of each company or location within The Manitowoc Company, Inc. ( Manitowoc ), and its respective staff with regard to the processing of personal data. Manitowoc is committed to compliance with all applicable data protection laws in the countries in which we do business and in which our employees hold citizenship. When the personal data on non-us employees is held, stored, maintained, processed, shared, and/or accessed in the US, Manitowoc will treat the personal data in accordance with the relevant laws. The personal data of US citizens is not subject to federal or state mandated data protection laws equal to those of the country-specific laws outside the US or the European Union Directive on Protection of Personal Data. However, the personal data of US citizens will be held in strict confidence and will be protected under the guidelines of this policy and Manitowoc s internal standards. For the purpose of this policy, the terms data privacy and data protection will be used interchangeably. Policy on Personal Data Manitowoc is committed to ensuring that employee personal data is processed in accordance with all worldwide data protection legislation in the countries in which we do business and in which our employees hold citizenship. It is also important to recognise that Manitowoc is bound by the legislation adopted in each specific country, as well as, the requirements of the EU Directive on Personal Data Privacy for all locations within the member countries of the European Union (EU). In most cases, the country-specific Data Protection Acts within the member countries incorporate the requirements of the Directive. However, if country-specific laws do not include a certain requirement and the Directive does, the Directive will take precedence. If there is a difference between country-specific laws and the Directive, the stricter of the two will be followed. Manitowoc has put in place systems of work and procedures to ensure that all departments within it comply with the data privacy laws and the EU Directive. Manitowoc aims to provide all employees with sufficient information, instruction and training as is necessary in order for them to identify personal data and process it appropriately. All Manitowoc employees should be fully aware of this policy and ensure that they comply with its directions. Competent resources, knowledgeable in the data protection laws, will be made available to all employees whenever the need arises. All employees have access to personal data in one way or another (e.g. access to the worldwide telephone directory and system) and should be familiar enough with the data privacy laws and the EU Directive (where applicable), to ensure compliance with such laws. This policy will be reviewed at regular intervals and revised when appropriate to reflect legislative changes, the introduction of new codes, and best practices. 33FitzPatrick & Associates 4/5/04 3 Proprietary Material Version 4.0

5 PART 2 Processing Personal Data 44FitzPatrick & Associates 4/5/04 4 Proprietary Material Version 4.0

6 PART 2 Processing Personal Data What is personal data? Personal data is any piece of information that can identify or is identifiable to an individual: from the data; or from that data and other information which is in the possession of or is likely to come into the possession of the data controller. Individuals about whom personal data is kept are known as data subjects. When Manitowoc collects, processes, accesses or transports data it is called a data controller. Particular rules apply to the processing of sensitive data which is a subset of personal data. Sensitive data relates to the racial or ethnic origin of the data subject, his political opinions, religious beliefs, trade union memberships, physical or mental health, sexual life or criminal offences. Sensitive data cannot be accessed and/or transported out of the country. It cannot be stored in the global HR system or any other system located out of country of origination. What is processing? You (and Manitowoc) will process personal data when you collect, record, process, hold or use personal data. All of the following activities, whether manual and/or electronic, constitute the processing of personal data: obtaining, organising, adapting or retrieving data; consulting with someone on the content of data or otherwise using it; disclosing data by transmitting it, disseminating it or otherwise making it available; and combining the data with other data, erasing or destroying it. How may I process personal data? Personal data must be processed in accordance with the data protection laws and the eight Data Protection Principles. These state that personal data must be: processed fairly and lawfully, meaning the data is absolutely mandatory for the management of the employment relationship; obtained for a specified and lawful purpose and processed compatibly with that purpose; adequate, relevant and not excessive for the purpose for which it is processed; accurate and up to date; kept no longer than necessary; processed in accordance with the rights of the data subject; 55FitzPatrick & Associates 4/5/04 5 Proprietary Material Version 4.0

7 subject to appropriate security measures; and only transferred outside of the country of origination if the country to which it is transferred has an adequate level of protection and the data subject has provided prior unambiguous written consent. Adequate level of protection is defined by the data protection authorities in each country and at the EU level. Do the laws only apply to computer records? The data privacy laws cover the processing of automated data (i.e. data kept on computer) and manual data (i.e. data kept on paper) where such data is held in a relevant filing system (see procedure on Manual Records in Part 4). A relevant filing system is a set of information about individuals that is structured either: by reference to the individual (either by name or by an individual s code); or by reference to criteria relating to individuals (e.g. age, type of job, holidays); such that specific information about an individual is readily available. This definition is widely drafted and it is difficult to envisage a useful filing system containing information about individuals that would not be covered by data privacy laws. 66FitzPatrick & Associates 4/5/04 6 Proprietary Material Version 4.0

8 PART 3 Organisational Issues 77FitzPatrick & Associates 4/5/04 7 Proprietary Material Version 4.0

9 PART 3 Organisational Issues Manitowoc has a duty to process personal data in accordance with the data privacy laws. Therefore, each employee who processes personal data must familiarise himself with the organisational requirements regarding data protection. Management Responsibility Management is responsible for ensuring the following: explaining to employees and all management team members the importance of data protection and compliance with all relevant data protection laws; providing employees and management with adequate training, information, instruction and supervision to ensure personal data is processed in accordance with the applicable data privacy laws. Since it is unrealistic to expect all employees to be experts in the laws in all relevant countries, documentation and resources will be made available; assuming overall responsibility for compliance with the data privacy laws; selecting someone to be responsible for ensuring compliance with the data privacy laws; ensuring that suitable contracts are in place with third parties engaged to process personal data on behalf of Manitowoc ( data processors ) (including situations where the data processor is another company within the Manitowoc group of companies); and maintaining a record of how personal data is kept and processed and notifying the Data Protection Commissioner in each relevant country and at the EU level in accordance with the data privacy laws. Employee Responsibility. Employees should: be aware of the issues regarding data protection; consider the rights of data subjects who may be affected by their actions; process personal data in accordance with this policy and any other instructions given to them from time to time; and report any data subject access requests or other questions regarding data protection to the relevant body, such as the internal data protection officer, compliance officer, or designated person. 88FitzPatrick & Associates 4/5/04 8 Proprietary Material Version 4.0

10 PART 4 Specific Data Protection Policies and Procedures 99FitzPatrick & Associates 4/5/04 9 Proprietary Material Version 4.0

11 PART 4 Specific Data Protection Policies and Procedures 1. Processing Personal Data 2. Information, Instruction and Supervision 3. Competence for Tasks and Training 4. Monitoring the Use of Personal Data 5. Handling and Storing Personal Data and Data Security 6. Processing Data Subject Access Requests 7. Manual Records 8. Sensitive Personal Data 9. Employee Data 10. Personal Data other than Employee Data 11. Disposal of data 12. Use of CCTV 1010FitzPatrick & Associates 4/5/04 10 Proprietary Material Version 4.0

12 1. Processing Personal Data 1.1 All personal data should be processed in accordance with the applicable data privacy laws and this policy. 1.2 Personal data is any piece of information that is identifiable to an individual or can identify an individual. It includes employee data. It does not include data relating to a company or organisation, although any data relating to individuals within companies or organisations is included. 1.3 Examples of personal data are employee details, including employment records (see section on Employee Data), names and addresses and other information related to individuals including supplier details, any third party data and any recorded information (in accordance with local laws) including any recorded telephone conversations or CCTV images. 1.4 Employees should assume that whatever they do with personal data will be considered to involve processing it in accordance with the data privacy laws and should therefore only process personal data: if they have explicit written consent to do so; or if it is necessary to fulfil a contractual obligation (of which the employee has consented in writing). Please see Part 2 for a more detailed explanation of data processing under the data privacy laws. 1.5 If paragraph 1.4 is not satisfied, employees should contact the Data Protection Officer before processing personal data. FitzPatrick & Associates Vs

13 2. Information, Instruction and Supervision 2.1 A copy of Manitowoc s Data Protection Policy will be kept at each Manitowoc site around the world. 2.2 Data protection advice is available from the Data Protection Officer who will arrange for advice from external advisers if necessary. 2.3 All new staff, particularly those with access to employee or other personnel records, should be trained on Manitowoc s policy and the data protection laws as soon as possible after they are hired. Upon completion of the training, all employees will be asked to sign the associated data privacy documentation. The level of training for each individual member or employee will depend on the level of access and responsibility for processing personal data. Please also see section 3 on Competence for Tasks and Training. FitzPatrick & Associates Vs

14 3. Competence for Tasks and Training 3.1 Manitowoc recognises that staff members are integral to supporting the effective and efficient operation of the company. The continuing success of Manitowoc depends on the quality of its employees. Manitowoc therefore encourages training and development of its employees so that all data subjects can anticipate that their personal data will be processed in accordance with the data privacy laws. 3.2 In the first instance, employees will receive an on the job orientation into Manitowoc. The orientation will cover data protection, if relevant to the position. 3.3 All new employees who are identified as requiring particular training in relation to data protection issues will undertake a probationary period under the supervision of an experienced employee until they achieve the standards and efficiency required of a Manitowoc employee. Additional training on data protection issues may be provided as appropriate. 4. Monitoring the Use of Personal Data 4.1 Manitowoc is committed to ensuring that this Data Protection Policy is put into practice and that appropriate working practices are being followed. To this end, the following steps will be taken: All employees who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data; Employees who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored; All employees must evaluate the personal data they hold is being processed in accordance with this policy. Employees should ensure that inaccurate, excessive or out of date data is disposed of in accordance with this policy Legally mandated audits may be carried out by authorised Manitowoc representatives and/or data protection authorities; and The Data Protection Officer of each country, where applicable by law, shall submit to company management a report on, amongst other things, the level of compliance with or variance from good data protection practices. The Vice President of Human Resources and Administration s staff will consider what steps, if any, are necessary in order to improve data protection performance. 4.2 The Data Protection Officer of each country, where applicable by law, will be responsible for recording and assigning an external expert to investigate any complaints regarding the processing of personal data in order to see what improvements can be made to prevent recurrences of policy violations. The results of such investigations will be reported to the Data Protection Officer who will be responsible for arranging for any improvements to be carried out. The record should contain the following information: the name of the individual making the complaint; FitzPatrick & Associates Vs

15 the date of the complaint; the nature of the complaint; and the action, if any, taken as a result of the complaint. FitzPatrick & Associates Vs

16 5. Handling and Storing Personal Data and Data Security 5.1 Manitowoc should take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of personal data. Manual records should be kept secure by the use of locked cabinets and rooms. Access to such records should be restricted. Where a manual record is in constant use, appropriate security measures should be taken. These could include securing such records whenever leaving the desk area, and during lunch breaks and after office hours. Computer files should be password protected at a minimum at initial login, and logout must occur whenever vacating the desk area where the computer is located. Fax machines that send and receive personal data should be in secure areas where access is made available only to those with a relevant and legal business need to know, who have been granted access rights to personal data based on their responsibilities. 5.2 These foregoing measures should guard against accidental loss, destruction of, or damage to personal data. The measures taken should be commensurate with the harm that would be caused by such accidental loss, destruction or damage. Therefore, particular care should be taken of records containing sensitive data, such as any employment records. 5.3 Personal data should be stored in a manner that enables it to be processed in accordance with the data privacy laws. Files should indicate what information they contain and should be readily accessible (provided appropriate security measures are taken) to enable data subject access requests to be handled in accordance with this policy (see section 6 regarding Processing Data Subject Access Requests). 5.4 Manitowoc should ensure that staff who handles personal data are adequately trained and monitored. 5.5 Manitowoc should ensure that passwords and physical security measures are in place to guard against unauthorised disclosures. 5.6 Particular care should be taken of sensitive data in the home country and security measures should reflect the importance of keeping such sensitive data secure (see section 8 covering Sensitive Data). Under no circumstances should sensitive data be made accessible in any format to any individual outside of the home country or to anyone unauthorised to access the data. 5.7 All security policies and procedures should be regularly monitored and reviewed to ensure that they are keeping data secure. Where policies and procedures are found to be inadequate, prompt and appropriate action should be taken in order to rectify such inadequacies. This should include a review of the security arrangements and the submission of options to rectify such inadequacies. 5.8 Where personal data needs to be deleted or destroyed, adequate measures should be taken to ensure that such data is properly and securely disposed of. This includes the destruction of files and back up files, and the physical destruction of manual files. Particular care should be taken of the destruction of manual sensitive data (written records) and this may include shredding or giving it to specialist contractors. FitzPatrick & Associates Vs

17 6. Processing Data Subject Access Requests 6.1 A data subject access request is any written request from a data subject that indicates that the person wants to know what information is kept about him or her. 6.2 All staff need to be trained to recognise a data subject access request. All data subject access requests shall be passed to the Data Protection Officer for processing. 6.3 Data subject access requests must be complied with promptly, and in within the timeframes defined by local data privacy laws and/or the EU Directive. Exceptions can be made if the individual responsible for providing the information to the requestor is out of the office for any period of time. If all reasonable measures have been taken and the time frames cannot be met, the requestor and the person responsible for processing the request must agree on an alternate date for complying with the request. 6.4 Generally, Manitowoc will not charge a fee for processing a data subject access request. However, a fee, not to exceed 10 (including VAT) is allowed in the UK. 6.5 Manitowoc will establish a standard response letter to deal with various subject access requests. 6.6 When a written data subject access request is received, provided the data subject has paid the fee, if any, the individual should: be told whether Manitowoc or a third party is processing the individual s personal data; be given a description of: (a) the personal data; (b) the purposes for which it is being processed; (c) those people and organisations who the personal data may be disclosed to; and (d) be provided with a copy of the information in an intelligible form. 6.7 All personal data relating to an individual should be examined to confirm that it is data held within a relevant filing system. The person handling the data, the relevant data protection authority, or a Works Council representative nominated by the full Works Council may do this examination. 6.8 Internal data subject access requests (i.e. data subject access requests from Manitowoc employees) will be treated as being of equal importance to external data subject access requests. 6.9 When Manitowoc receives a data subject access request that refers to another individual, Manitowoc shall use reasonable endeavours, including contact by telephone, and a letter to any known contact point of the other individual to contact such individual to obtain his/her written consent. No information will be disseminated without the explicit consent of the data subject. Manitowoc will not divulge any personal data to another individual (who has not previously been approved to have such information) without the explicit consent of the data subject. This has particular relevance when the individual requesting the information is a FitzPatrick & Associates Vs

18 third party such as a financial institution, mortgage lender, and verification of employment beyond the confirmation of time worked, etc.) In responding to data subject access requests, the Data Protection Officer will ensure information relating to an individual, other than the data subject who is making the request, is not disclosed unless: the other individual has consented to such disclosure, in which case written evidence of this must be obtained and kept; it is reasonable under the circumstances to comply with such request without any consent. This may be the case only when the information is already available to the public or if related to a possible criminal activity or to ensure the safety of the country; or the request for information comes from a court of law pertaining to a potential legal or criminal case, or from a governmental office in an official capacity related to a legal requirement In considering what is reasonable, the Data Protection Officer should consider: any confidentiality owed to the other individual; the steps taken to get consent; if the individual concerned can give consent; and any express refusal by such individual to give consent (in this case, personal data cannot be made available, unless mandated by law) Where copies of the information are requested, due regard may be given to the amount of effort that would be required to copy the information. If the effort is disproportionate due to the sheer size or magnitude of the data, Manitowoc may inform the data subject that copies will not be provided, but information will be given by other means such as by telephone, or by inviting the data subject to come to Manitowoc s premises to view the files All data subject access requests shall be recorded. The record shall contain the following details: the name of the person making the request; the date of the request; the method by which the request was made (e.g. , letter); and the nature of the request (i.e. a request for all information or a request in relation to a specific piece of information) Where Manitowoc has previously responded to a data subject access request, Manitowoc is not obliged to answer a subsequent similar request by that individual until a period of 3-6 months (depending on local law) has elapsed. This period may vary on the circumstances of the request. Any variation of such period should be referred to the Data Protection Officer for approval. FitzPatrick & Associates Vs

19 6.15 All personal data should be stored in a manner that enables the Data Protection Officer to provide a data subject with details of such personal data promptly, and in any event within the time period provided for by the privacy laws (see section 5 on Handling and Storing Personal Data and Data Security). FitzPatrick & Associates Vs

20 7. Manual Records 7.1 Manual data means personal data in a written form that is recorded as part of a relevant filing system or with the intention that it should form part of such a system. 7.2 A relevant filing system is any set of information relating to individuals that is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. For example, this will include employment records and records relating to customers. 7.3 Periodically all written records containing personal data should be reviewed and a listing kept of all such personal data records. 7.4 Manual records containing personal data should be reviewed in order to ensure that the data contained within them is accurate, not excessive, up to date and adequate for their purpose. All files should be reviewed at a minimum every two years. FitzPatrick & Associates Vs

21 8. Sensitive Data 8.1 Sensitive personal data includes all information relating to an individual which deals with: the racial or ethnic origin of the data subject; his political opinions; his religious beliefs; his trade union membership; his physical or mental health or conditions; his sexual orientation; the commission or alleged commission by him of any offence; and any proceedings for any offence committed or alleged to have been committed by him. Normal practice within Manitowoc is not to collect this information unless required by local law. 8.2 Particular care should be taken of sensitive personal data, and all staff who have access to such sensitive data shall take particular care to process it properly and in accordance with the privacy laws. Employees should make sure that they obtain the explicit consent of an individual before processing sensitive data relating to them. All sensitive personal data should be stored with adequate security measures to prevent unauthorised disclosure. Such measures should include lockable cabinets and password protection of automated data, at a minimum. Sensitive personal data may not be stored in a global system or made accessible outside of the country of origination. If a foreign national from one country is hired by another country, access to sensitive personal data is not allowed unless the data subject has given explicit written consent or the sensitive data is needed by law to protect the interest of the country. 8.3 All requests by external bodies, agencies or individuals for access to sensitive personal data shall be processed by the Data/Protection Officer. All such requests shall be recorded by such persons in an appropriate system. The record should state who made the request, when they made it, what the request was and to whom it related. FitzPatrick & Associates Vs

22 9. Employee Data 9.1 All employee data has the potential to be personal data covered by the data privacy laws. 9.2 All employment records, including application forms, interview notes, sickness notes, annual leave records, promotion and appraisal notes, training records, disciplinary and dismissal notes and reports, references (whether confidential or otherwise and whether given or received) and general personnel file notes must be processed in accordance with the data privacy laws. 9.3 All recruitment advertisements must contain information that enables applicants to identify Manitowoc. 9.4 The interview notes about all applications should be written with the knowledge that these will amount to personal data under the data privacy laws. All interview notes should therefore be a fair and accurate representation of the interview. Any opinions expressed should be included in a manner that recognises that they may be disclosable at a later date. 9.5 Where an individual candidate is interviewed but Manitowoc wishes to offer the individual employment other than in the position that the individual has applied for, care must be taken to ensure that the individual has consented to his personal data being used for this purpose. 9.6 Where an individual candidate makes an application to Manitowoc, that applicant s details may be shared with other companies within the Manitowoc group of companies per the specific informed consent of the applicant. This consent can be obtained at the time the application and or resume/cv is submitted, and can easily be obtained when recruitment is done online. 9.7 Any decision to shortlist or bypass candidates at a particular time, where such decisionmaking is made in writing, should be done in a manner that is fair and lawful. 9.8 Newly appointed staff should be informed what information will be kept about them, where the information is obtained from, how it will be used and if it will be disclosed to anyone. 9.9 If any sensitive personal data is intended to be used in the home country, the employee should be notified and first give his explicit consent to such use Personnel records and all written information regarding an employee should be set out in a manner that contemplates that it may be disclosable as personal data under the data privacy laws. All records should therefore be clear and fair, and where opinions are expressed, these should be shown to be such All disciplinary actions, commentary, and reports (including reports relating to a dismissal of an individual) should be written in a manner that is fair and accurate All employee records should be regularly reviewed to ensure that they are accurate, not excessive, up to date and adequate for their purpose. An employee should be able to request a copy of his/her basic record to identify any inaccuracies When employee records are maintained for business analysis, personal data should be limited to that necessary to satisfy the purpose for which the records are kept. Whenever possible, such data should be anonymised. FitzPatrick & Associates Vs

23 Retention of Records 9.14 Sickness records are likely to include sensitive, as well as personal data and such records should only be held if the explicit consent of each employee is obtained or if one of the other conditions for processing sensitive data is satisfied. Sickness records, if needed, will be held locally and not shared or transferred outside of the home country without the explicit consent of the employee Proper security standards should be applied to prevent unauthorised access or accidental loss or destruction of employment records. This could include establishing access controls and passwords to employment records and paying particular attention to the use of s. However, monitoring of usage is subject to the protection of data privacy laws and internet scanning and tracking laws (not applicable to US citizens) The following rules are defined by the European Union and should be followed, unless country-specific laws have different regulations: application form duration of employment references received 1 year payroll and tax information 6 years sickness records 3 years annual leave records 2 years unpaid leave/special leave records 3 years annual appraisal/assessment records 5 years records relating to promotion, transfer, training, disciplinary matters references given/information to enable reference to be provided summary of record of service; eg name, position held, dates of employment 1 year from end of employment 5 years from reference/end of employment 7 years from end of employment records relating to accident or injury 10 years The above retention times may be varied depending upon Manitowoc s intended use of the information and whether the data subject has consented to extended retention periods. Manitowoc should take into account any specific needs it may have when retaining records for a particular employee or group of employees. Where legal provisions require records to be kept for a set time, Manitowoc is obliged to comply with such requirements Manitowoc should not retain records for longer than the standard retention times unless there is a justifiable legal reason for doing so, or unless the employee has given Manitowoc authorisation to do so. Please also refer to the section 11 on the Disposal of Data. FitzPatrick & Associates Vs

24 Records that are no longer needed should be disposed of in a proper and secure manner. Paper records should be disposed of securely and computer records should be deleted so that the computer system does not retain a copy and no backup systems or files retain a copy. Please also see section 5 on Handling and Storing Personal Data and Data Security Manitowoc is aware that its data protection duties to former employees are no less than to current employees. All requests for references or other information about former employees should be dealt with in accordance with this policy. If an employee leaves Manitowoc, Manitowoc will explain how it treats such requests and will obtain the leaving employee s consent to any disclosures Manitowoc intends to make. FitzPatrick & Associates Vs

25 10. Personal Data other than Employee Data 10.1 All personal data held by Manitowoc has the potential to be personal data covered by the data privacy laws. The fact that Manitowoc requires specific items of personal information to meet statutory obligations does not mean that the company can ignore the data privacy laws All Manitowoc records containing personal data, details relating to individuals who are suppliers and file notes referring to individuals (whether employees of Manitowoc, customers, members of the public or otherwise) should be processed in accordance with the data privacy laws whenever they are stored in a relevant filing system (manual and/or electronic) Manitowoc should not retain personal data other than employee data for longer than the standard retention times unless there is a justifiable legal reason for doing so. Please also refer to the procedure on the Disposal of Data (Section 11). FitzPatrick & Associates Vs

26 11. Disposal of Data 11.1 All personal data held by Manitowoc should be retained only as long as is necessary for its proper processing. Please see procedures on Employee Data (Section 9) and Personal Data other than Employee Data (Section 10) All personal data should be periodically reviewed and should be assessed to ensure that inaccurate, excessive and out of date data is destroyed. The destruction and disposal of data should be carried out in accordance with the procedures on Handling and Storing Personal Data and Data Security Each year each [department] should send to the Data Protection Officer a personal data audit notice. This notice should confirm that all personal data held by the [department] has been assessed in accordance with this data protection policy and that inaccurate, excessive and outof-date personal data has been properly disposed of. FitzPatrick & Associates Vs

27 12. Use of CCTV 12.1 Closed Circuit Television (CCTV) systems process personal data. Manitowoc should ensure that all personal data recorded by such systems are processed in accordance with this policy. All employees (excluding US citizens) must be informed of the use of CCTV A record should be kept of all CCTV systems in operation by Manitowoc. The record should contain: what cameras are kept and where; the purpose for the CCTV system. This should include an assessment of the process and the reasons for installation of the system; and confirmation that the CCTV system has been notified to the Information Commissioner, as required by local law CCTV equipment should be sited so that it only records that information which is necessary for the purpose of the scheme. Care should be taken to ensure that images are not taken of domestic areas or, if they are, that Manitowoc restricts this so far as possible All zones covered by CCTV should have signs displayed indicating that persons are entering a CCTV zone. Such signs should be visible and legible The signs should indicate: Manitowoc s name; the purpose of the system (see below); and contact details. For example, a sign could say Images are monitored for security, crime prevention and public safety. Please contact [Manitowoc] within or on [telephone number] for more information CCTV images must not be retained longer than necessary. Images filmed at a depot should only be kept for the period of time a contract is in place or it is clear no crime has been committed The use of CCTV in Germany is subject to the restrictions under the Labour Management Act and is subject to the Co-determination Laws. FitzPatrick & Associates Vs