COVID-19: Restaurants and cafés are encouraged to register visiting guests

On September 7 2020, the Government held a press conference on COVID-19, in which Minister of Health Magnus Heunicke requested that restaurants and cafés offer their visiting guests the possibility to register their contact information. A request that aims to increase contact tracing as the number of people infected with covid-19 is increasing, but at the same time raises some data protection law issues for you as a restaurateur or café owner.
News
GDPR

The spread of COVID-19 has recently been alarmingly high, especially in and around the metropolitan area and in Odense. For that reason, the government has now implemented some new measures to limit the outbreak. Magnus Heunicke encouraged restaurants and cafés to implement a voluntary scheme, in which visiting guests can register for contact tracing.

What GDPR issues does this voluntary scheme raise?

Even if you as a business owner want to make a difference and help prevent the spread of COVID-19 by e.g., encourage your guests to register, there are a number of different legal GDPR issues that you must pay special attention to.

Registration must be voluntary

It must be the individual guest’s choice whether he or she wishes to register his or her information. Additionally, it must be voluntary – that is, there must be no inconvenience to the guest in rejecting registration of the information.

Inform about the purpose

Be sure to make it clear to guests what is being recorded, what it will be used for and how long the information will be stored. If, for example, you use an online booking system, you should write if the information from the booking can be used for contact tracing. If you already have a privacy policy, it will be relevant to add a section about the registration herein.

Register no more, than what is needed

This will usually include name, contact information and the period in which the guest has stayed at the restaurant or café. Depending on the size of the room, you can as a restaurateur or café owner register, where the person has been sitting in the room, as this information can be relevant and helpful in contact tracing.

If restaurants and cafés want to introduce such a voluntary scheme, Lund Elmer Sandager recommends that simple and predefined forms are prepared, which only contain name, address, telephone number and time. If you want to register the location of the guest in the restaurant or café, this can happen through your booking system when you assign the guest table, if such a solution is technically possible.

Pay attention to the information

Make sure that unauthorized people do not gain access to the information being recorded.

Do not use the information for anything else

The information can only be used for contact tracing as needed – and not for e.g., marketing or other purposes.

Delete the information continuously

When the information is no longer relevant for contact tracing, it must be deleted. In the light of COVID.19, it must therefore be assumed at the moment, that restaurants and cafés are probably not allowed to store guests’ personal information for longer than 14 days, as there is a 14-day incubation period for coronavirus, according to the authorities. 

Do you, as a business owner, need advice in how to handle the registration of guests, or do you need help to prepare a registration scheme that complies with all applicable rules, please do not hesitate to contact Lund Elmer Sandager’s specialist in GDPR and IT law, Associated Partner, Attorney Torsten Hylleberg.

Contact
Torsten Hylleberg
Partner
Attorney

Related news

See all news
News

The Danish Data Protection Agency focuses on the processing of personal data in online competitions

In a recent case, the Danish Data Protection Agency has decided on a company’s processing and transfer of personal data in connection with offering competitions and questionnaires online.
GDPR
News

European Data Protection Agencies increase focus on cookie solutions and the use of Google Analytics

The Danish Data Protection Agency and other European data protection agencies currently have a strong focus on whether companies’ cookie solutions comply with the rules in the GDPR. It includes e.g. solutions within Google Analytics and IAB’s standard solution for cookies and advertisements, Transparency and Consent Framework (TCF), where there are many indications that Danish companies may prepare for alternative solutions.
GDPR
News

Lund Elmer Sandager strengthens its partnership with two new partners from its own ranks

It is a great pleasure that Attorney Sebastian Rungby and Attorney Torsten Hylleberg will both take up the roles as partners in Lund Elmer Sandager with retroactive effect from 1 January 2022.
GDPR
News

The Danish Data Protection Agency propose for large GDPR fines

During the summer of 2021, the Danish Data Protection Agency has imposed fines on three public authorities and two private companies in the range of DKK 150,000 – 600,000 for violating the GDPR legislation. The new size of the fines emphasizes the importance of companies ensuring an adequate level of security when processing personal data.
GDPR
News

New Standard Contractual Clauses for transfers of personal data outside the EU/EEA

On 4 June 2021, the European Commission issued new Standard Contractual Clauses (“SCC”) for use in the transfer of personal data outside the EU/EEA, which e.g. may be for a (sub) data processor in the United States.
GDPR
News

The Danish Data Protection Agency fines job agency for GDPR breach

The Danish Data Protection Agency (In Danish: Datatilsynet) states that companies must avoid deleting personal data if the right for access is requested.
GDPR