CCTV & Surveillance Policy

CCTV and Other Surveillance Systems Policy

1. About this policy

1.1 InstaVolt Limited (“InstaVolt”) uses Surveillance Systems to view and record individuals on and around our premises in order to maintain a safe environment for visitors. However, we recognise that the images of individuals recorded by Surveillance Systems are Personal Data which must be processed in accordance with data protection legislation. As a Controller, we are registered with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk) and seek to comply with its best practice suggestions.

1.2 The purpose of this policy is to:

(a) outline why and how we will use Surveillance Systems, and how we will process Personal Data recorded by Surveillance Systems;
(b) ensure that the legal rights of the public, relating to their Personal Data, are recognised and respected;
(c) explain how to make a subject access request in respect of Personal Data created by Surveillance Systems.

1.3 We recommend reading this policy in conjunction with our Privacy Notice which can also be found on our website.

2. Who does this policy apply to?

2.1 This policy applies to anyone visiting InstaVolt’s premises where Surveillance Systems have been installed.

3. Who is responsible for this policy?

3.1 InstaVolt has overall responsibility for the effective operation of this policy. We are the Controller of all Personal Data used in our business for our own commercial purposes. Our data protection team is responsible for overseeing questions in relation to this policy. If you have any questions, you can contact them at [email protected]

3.2 This policy is reviewed annually by the data protection team. It was last reviewed on 5 March 2026. We will also review the ongoing use of Surveillance Systems at least every 12 months to ensure that their use remains necessary and appropriate, and that any Surveillance System is continuing to address the needs that justified its introduction.

3.3 You have the right to make a complaint at any time to the ICO. They will expect you to have tried to resolve your concern with us first though, so please contact us in the first instance.

4. Definitions

4.1 For the purposes of this policy, the following terms have the following meanings:

  • ANPR Cameras: Automatic number plate recognition cameras.
  • CCTV: means fixed and domed cameras designed to capture and record images of individuals and property.
  • Controller: the entity which determines the manner in which any Personal Data is processed. They are responsible for establishing practices and policies to ensure compliance with the law.
  • Data Subjects: means all living individuals about whom we hold personal information as a result of the operation of our Surveillance Systems.
  • Personal Data: means data relating to a living individual who can be identified from that data (or other data in our possession). This will include video images of identifiable individuals.
  • Processing: is any activity which involves the use of Personal Data. It includes obtaining, recording or holding Personal Data, or carrying out any operation on the Personal Data including organising, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring Personal Data to third parties.
  • Processor: an entity that processes Personal Data on our behalf and in accordance with our instructions (for example, a supplier which handles Personal Data on our behalf).
  • Surveillance Systems: means any devices or systems designed to monitor or record images of individuals or information relating to individuals installed by InstaVolt. The term includes CCTV as well as any technology that may be introduced in the future such as ANPR cameras, body worn cameras, unmanned aerial systems and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
  • Third-Party Surveillance Systems: means any Surveillance System installed and/or controlled by one of our third-party contractors.

5. Reasons for the use of Surveillance Systems

5.1 We rely on the lawful basis known as legitimate interest to process the Personal Data received through our Surveillance Systems.

We use our Surveillance Systems for the following purposes:

(a) For the prevention, reduction, detection and investigation of crime and other incidents;
(b) to protect buildings and assets from damage, disruption, vandalism and other crime;
(c) for the personal safety of colleagues, visitors and other members of the public;
(d) to support law enforcement bodies in the prevention, detection and prosecution of crime;
(e) the monitoring and enforcement of traffic or parking related matters which affect our business or assets;
(f) to assist in day-to-day management, including ensuring the health and safety of staff and others;
(g) For training and the investigation of suspected breaches of our policies or contractual arrangements with contractors;
(h) to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings; and
(i) to assist in the defence of any civil litigation, including employment tribunal proceedings.

6. How we operate our Surveillance Systems

6.1 Surveillance Systems are not installed at all of our charger sites and business premises. If you want to know if it is installed at a particular charger site or business premises, please contact the privacy team via the contact details above.

6.2 Where installed, our Surveillance Systems monitor our charging sites and business premises 24 hours a day.

6.3 We ensure that our Surveillance Systems are only viewed by approved people whose roles require them to have access to such Personal Data. Access is currently given to authorised InstaVolt personnel and our approved third-party security contractors.

6.4 InstaVolt considers the impact of the Processing on individuals and their rights when installing Surveillance Systems at its charger sites or business premises. Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. As far as practically possible, Surveillance Systems will not focus on private homes, gardens or other areas of private property.

6.5 Staff using Surveillance System are given appropriate training to ensure they understand and observe the legal requirements related to the Processing of Personal Data.

6.6 Where Surveillance Systems are placed, we ensure that signs are displayed at the surveillance zone to alert individuals that their image and audio may be recorded. The signage indicates that the system is managed by InstaVolt or our approved third-party contractor (where applicable).

7. Use and disclosure of your Personal Data

7.1 Our Surveillance Systems capture Personal Data in the form of images of individuals contained in the footage recorded by the cameras. This is known as identity data and is the only category of personal data which is processed by InstaVolt. We do not process any biometric data through our use of our Surveillance Systems.

7.2 In order to ensure that the rights of individuals recorded by our Surveillance Systems are protected, we will ensure that Personal Data gathered from Surveillance Systems are stored in a way that maintains its integrity and security. This may include encrypting the Personal Data, where it is possible to do so.

7.3 We may engage data Processors to process Personal Data on our behalf. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the Personal Data.

7.4 We may have to share Personal Data internally, for example where we consider that this is reasonably necessary for any of the legitimate purposes set out above in paragraph 5.1.

7.5 In other appropriate circumstances, we may allow law enforcement agencies to view or remove Surveillance System footage where this is required in the detection or prosecution of crime.

7.6 All images recorded by our Surveillance Systems remain the property of InstaVolt.

7.7 We have put in place security measures to prevent your Personal Data from being accessed in an unauthorised way. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to have access or there is a statutory justification to share it with them. Where we need to share it with third parties, we only do so where we are confident appropriate protections are in place.

7.8 We have procedures to deal with any suspected Personal Data breaches and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Third-Party Surveillance Systems

Some of our charger sites are monitored by third-party ANPR Cameras. These are installed by either our landlords or our approved third-party contractors and ensure our charger sites are only used by authorised vehicles for the authorised uses.

InstaVolt is not the Controller of the Third-Party Surveillance Systems and images produced by it are not monitored or recorded by InstaVolt. They are outside the terms of this policy but are covered by the third-party providers’ policies. Please see paragraph 12 below for the contact details of these third-party providers.

9. Retention and erasure of Personal Data gathered by Surveillance Systems

9.1 Personal Data recorded by Surveillance Systems is retained for up to 30 days, depending on the particular system, in accordance with standard industry practice. Where necessary, images may be retained for longer if they are required for an investigation into a crime or incident or for the purpose of a legal or regulatory matter. These images will be securely destroyed when they are no longer required in accordance with our retention policy.

9.2 In respect of the retention periods of the Third-Party Surveillance Systems, please refer to paragraph 12 below for the contact details of the relevant third parties.

10. Use of additional Surveillance Systems

10.1 Prior to introducing any new Surveillance System, including placing a new Surveillance System in any workplace location, we will carefully consider if they are appropriate by carrying out a data protection impact assessment (DPIA).

10.2 A DPIA is intended to assist us in deciding whether a new Surveillance System is necessary and proportionate in the circumstances and whether it should be used at all or whether any limitations should be placed on its use.

10.3 Any DPIA will consider the nature of the problem that we are seeking to address at that time and whether the new Surveillance System is likely to be an effective solution, or whether a better solution exists. In particular, we will consider the effect a new Surveillance System will have on individuals and therefore whether its use is a proportionate response to the problem identified.

10.4 No Surveillance System will be placed in areas where there is an expectation of privacy (for example, overlooking residential property) unless, in very exceptional circumstances, it is judged by us to be necessary to deal with very serious concerns.

11. Your legal rights

The legal rights relating to your Personal Data we process are set out in our Privacy Notice which can be found on our website. The main one concerning Surveillance Systems is your right to request copies of your images, otherwise known as a Subject Access Request.

Subject access requests

11.1 Under data protection law, you as a Data Subject may make a request for disclosure of your images contained in our Surveillance System recordings (“Subject Access Request”). A subject access request is subject to the statutory conditions from time to time in place and should be made in writing.

11.2 In order for us to locate relevant footage, any requests for copies of your images from our Surveillance Systems must include the date and time of the recording, the location where the footage was captured and if necessary, information identifying the individual.

11.3 We are required under data protection law to obscure images of third parties when disclosing footage from our Surveillance Systems as part of a subject access request, which includes the images of other people, number plates etc. If it is not possible to redact any third-party Personal Data in full, we may have to refuse your request to protect the third party’s own rights.

11.4 In accordance with the laws relating to subject access requests, we do not disclose images from our Surveillance Systems to insurance companies, solicitors or other third parties unless such parties are able to evidence that their requests come within the statutory exemptions and we are satisfied that other individuals’ rights are not at risk.

12. Third-Party Surveillance Systems queries

Queries or Subject Access Requests in respect of images captured on Third-Party Surveillance Systems should be referred to the appropriate third-party provider detailed below.

Automatic number plate recognition: Intelli-Park via [email protected]