Businesses' Covid-19 customer records watched closely by EU data watchdogs

Restaurants and bars that have been ordered to keep registers with customers' personal data to track Covid-19 infections are being closely monitored by data-protection authorities in Germany, Belgium and the UK.

Although the regulators' focus will be on advising businesses on their compliance with the EU's General Data Protection Regulation, and no fines have been issued yet, they can carry out audits based on consumers' complaints.

— Germany —

In Germany, which has seen about 208,000 confirmed Covid-19 infections and 9,202 deaths on a population of 83 million, some of the 16 state governments have imposed measures requiring local businesses to keep databases of customer data to help contain the virus.

In the state of Mecklenburg-Vorpommern, for example, this obligation has applied to hairdressers, beauty salons, restaurants and cafes since the end of May. Those businesses will need to keep customers' data for a four-week period.

The state data-protection authority has told businesses to keep these records on paper, since “digital records could lead to more effort in fulfilling data-protection requirements.”

In Hamburg, the watchdog said that business owners, who are responsible for compliance with the GDPR, will be in violation of the rules if they leave guests' contact details openly visible to everyone, for example at the entrance of a restaurant.

The authority hasn't issued any fines to date in cases where violations have been reported, but instead “instructed businesses to protect the names against access by unauthorized third parties,” it said in a statement.

Although a state-wide audit is impossible due to the limited staff at the authority, unannounced checks at premises can still be carried out, the watchdog added.

In Berlin, the authority has issued templates of personal-data forms, as well as additional consent documents to be filled in by visitors. The regulator said that clients aren't obliged to provide their data, and have the right to complain to the supervisory authority to exercise their rights under the GDPR.

Meanwhile, the Rhineland-Palatinate watchdog reported incidents where law enforcement authorities requested access to restaurants' data after considering that this information was needed for criminal investigations. The regulator called for legal clarity in this case, and for a balance between the seriousness of the suspected crime and data-protection laws.

“Whoever is sitting in a beer garden must not later be questioned by the police because of an entry in a [Covid-19] guest list if it's a matter of investigating an administrative offense, minor property damage or improper parking nearby,” the regulator said.

— Belgium —

Amid a new rise in Covid-19 infections, Belgium's government last week also enforced additional measures to fight the pandemic, including the need for customers to leave their personal data at restaurants or bars. The businesses need to keep this information — which can't be used for other purposes — for 14 days.

The Belgian data-protection authority, which advised the government, welcomed the decision to keep the data only for two weeks, but also voiced some concerns.

“There's a lack of clarity on some important points such as how the procedure needs to be carried out [by businesses] and what exactly happens when a customer turns out to be infected,” a spokesperson for the Belgian authority told MLex, adding that it’s also questionable whether a customer has an option to give consent to leave their data.

The latest figures show that Belgium has seen 66,662 confirmed infections, and 9,833 deaths on a population of 11.4 million people.

— UK —

In the UK, where similar rules apply, the focus will also mainly be on advising businesses, said Paul Arnold, deputy chief executive at the Information Commissioner’s Office. Arnold said the regulator “wants to help businesses to get things right first time" as they adapt to the new ways of working.

“Our focus is on supporting and enabling them to handle people's data responsibly from the outset and, while we will act where we find serious, systemic or negligent behavior, our aim is to help the thousands of businesses that are doing their best to do the right thing,” he said.

The watchdog's advice includes recommendations such as: only ask for specific information that’s needed under the government measures, be transparent, keep the data locked, don't use it for other purposes and erase it in line with government guidelines.

European consumer organization BEUC, an umbrella group representing EU organizations, said there shouldn't be a trade-off between data-protection and fighting Covid-19.

"Businesses and governments must ensure all the necessary safeguards are in place,” a BEUC spokesperson told MLex, adding that the use of consumers’ data must be transparent, confidential, not kept for longer than needed, and not used for other purposes.

National laws enforcing the measures across the EU often have a time limit, meaning that they will be in place only for the duration of the pandemic.