This privacy notice is intended to provide information about how Hermes Airports Ltd (“Hermes”) collects and processes personal data about you captured by the closed-circuit television (“CCTV”) surveillance systems at Larnaka and Pafos International Airports (the “Airports”). 


1. Organization responsible for processing your personal data

Video surveillance is controlled by Hermes, a company registered in Cyprus with company number HE152453 and registered office at 6650 Larnaka International Airport, Cyprus, who is the Data Controller of your personal data pursuant to EU General Data Protection Regulation 679/2016 (“GDPR”) and Cyprus law 125(I)/2018. 

Please see below the contact details of the Data Protection Officer of Hermes:

Head Office, POBox 43027, 
6650 Larnaka International Airport, 
Larnaka, Cyprus
Email address:
Tel.: +357 24742132

2. Information processed

When you use the Airports, Hermes may collect static or moving imagery and meta data such as vehicle plate data, via the surveillance system (“Surveillance Data”). There is no sound or voice being recorded.  


3. Purposes of processing  
Hermes uses Surveillance Data for the following purposes:

  • To identify suspicious actions, prevent crime and protect premises and assets from damage, disruption, vandalism and other crime;    

  • To ensure the required coordination with responsible governmental authorities for the prevention of illegal and/or unlawful acts at the Airports;

  • For the personal safety of staff, stakeholders, passengers, airlines, visitors and other members of the public and to act as a deterrent against crime;

  • To support and assist law enforcement bodies in the prevention, detection and prosecution of crime;  

  • Meet obligations under contract or applicable laws in respect of airport security, aviation safety, and health and safety; 

  • For the investigation of legal or other claims or allegations;

  • In response to a data subject request; 

  • For performing car park services at the Airports; and

  • To run its business and optimize operational capability,

together the “Purposes”. 

4. Areas of processing

The Airports are classified as critical infrastructure by the Republic of Cyprus and for this reason CCTV is necessary in order to contribute to the application of an effective airport terminal security program and to enhance the passengers’ and staff’s feeling of security and safety. CCTV provides the Airports’ operations and security centres with a general overview of what's happening throughout the Airports’ facilities. Individuals are only identified if it is necessary to meet any of the Purposes. 

Surveillance Data collected inside the terminal building covers the passenger journey, starting at the entrance of the terminal of each Airport and ending when boarding the aircraft for departing passengers, or starting when passengers disembark the aircraft and ending when exiting the terminal for arriving passengers. Passenger baggage that is dropped off at the check-in counters is also being monitored by CCTV for the Purposes.  

Moreover, the airport car park area is being monitored for the Purposes. Surveillance Data collected at this location involves the car park entry and exit points (enables Automatic Number Plate Recognition (ANPR), and the parking and drop off/pick up areas located near the entrance to the terminal of each Airport. 

On airside, parts of the apron and manoeuvring areas are being monitored for the Purposes. Surveillance Data collected on airside covers activity around the aircraft parking stands including the aircraft turnaround process and in the manoeuvring area. 

Also, all airside entry and exit points and the security screening points are being monitored for the Purposes. 

No Surveillance Data is collected in areas where an individual would expect privacy, for example the rest room areas.  


5. Information notices   

Individuals are being informed of the surveillance activity taking place at the Airports with clearly visible signage installed in prominent spots.


6. Lawful basis  

The processing is lawful under Articles 6.1.c and 6.1.f of the GDPR. The processing of Surveillance Data is necessary for:

  • compliance with a legal obligation to which the data controller is subject.

  • the purposes of the legitimate interests pursued by the data controller who uses video surveillance equipment for the purposes of airport security, aviation/personal safety, crime prevention, protection of airport premises and operational capability optimization.


7. Access to Surveillance Data  

  • Surveillance Data can only be accessed by CCTV operators and authorised employees of the Data Controller. 

  • An access / footage release application and authorization process is in place for third parties requesting access to Surveillance Data. 


8. Retention period 

Under normal circumstances, Surveillance Data is retained for fourteen (14) days and then deleted permanently through an automated system process. Surveillance Data may be extracted prior to the expiration of the retention period for the Purposes and in accordance with the applicable Surveillance Systems Installation and Data Processing Policy of the Data Controller.

9. Data Transfers

Hermes may share Surveillance Data with competent judicial and law enforcement authorities. Hermes may also share CCTV surveillance footage with its stakeholders on occasion where it considers it necessary to pursue a Purpose.  
Hermes requires all third parties to respect the security of your personal data and to process it in accordance with applicable law. 
Hermes does not to authorise third parties to use the video footage for their own purposes and only permist them to process it for specified purposes and in accordance with the Data Controller’s instructions.


10. Individuals’ rights - how to exercise them

As a data subject, under the GDPR and applicable legislation you will have the right to, where appropriate: 

  • Access your personal data by making a subject access request 

  • Rectification, erasure or restriction of your information

  • Object to the processing of your information 

If you wish to exercise any of these rights, please send an email to

You will not have to pay a fee to exercise any of your rights. However, Hermes may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We aim to respond to any request for information promptly, and in any event within the legally required time limits (currently thirty (30) days).


11. Complaints

If you are unsatisfied with our response or handling or your personal information, you also have the right to make a complaint to the Commissioner for Personal Data Protection, the Cyprus supervisory authority for data protection issues. We would, however, appreciate the chance to address your concerns before you approach the Commissioner, so please contact us in the first instance.


12. Security of personal data

Hermes is committed to protecting your personal data and uses several security technologies, controls and procedures to help protect your personal data from unauthorised access, use or disclosure. Hermes keeps your data on video and computer systems that are limited in access and physically kept in access-controlled facilities.


13. Regular updates of the CCTV Privacy Notice

This Privacy Notice will be regularly reviewed and updated to reflect any changes to the processing activity.