This post is also available in: Español
In an attempt to contain the spread of COVID-19, numerous initiatives ensure contact tracing and therefore a rapid response to possible infection. These initiatives include, for example, contact tracking and tracing measures or, in particular, recording data on clients that visit entertainment venues.
In this context, the government of the Canary Islands recently adopted a Resolution whereby all phase 1 and 2 restaurants must keep a record of the customers that use indoor areas, including the national identification numbers of those diners.
Without getting into the appropriateness or legality of this Resolution, it should be noted that, from a data protection point of view, this type of data processing should be done in line with the different guidelines published over the course of the pandemic by national and European data protection authorities and, in particular, with the Notice on the collection of personal data by establishmentspublished by the Spanish Data Protection Agency (AEPD) last July and with Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak adopted by the European Data Protection Board (EDPB) in April, both of which can be extrapolated to the case in question here.
What are the implications of customer records from a data protection perspective?
The AEPD reminds us that the application of this containment measure must be considered necessary by the health care authorities and be mandatory (so as not to lose effectiveness). In fact, if consent is considered the legal basis, in order for such consent to be understood as freely given, the refusal to provide data, such as a national identification number, could not have any negative consequence (for example, preventing entry to the establishment).
Therefore, mapping contacts and transferring data to the health care authorities would be covered — according to the AEPD — by Article 6(1)(e) of the GDPR, with the understanding that the processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Furthermore, and (only) as long as the state of emergency is maintained, it will not be necessary for the regulation in question to have the status of law.
That said, it will be necessary (a) to justify that there are no other more moderate (and equally effective) measures to ensure the traceability of contacts; (ii) to apply the principle of purpose limitation and storage period; and (iii) to comply with the principle of data minimization (whereby it would be sufficient to collect the telephone number and the time and date of attendance at the venue in question).
Finally, citizens must be properly informed about the processing that will be carried out on their data prior to collection, and appropriate security measures must be implemented.
What principles must be observed when collecting this type of personal data?
One of the principles established by the General Data Protection Regulation (“GDPR”) that must govern all processing is that of data minimization, whereby only data that is adequate, relevant and limited to what is necessary should be processed.
It should be noted that when the “Radar Covid” app was created, the EDPB pointed out that data such as the name and surnames of citizens are “unnecessary for the purpose of notifying possible contacts”.
Therefore, any processing of personal data, even in the context of the current pandemic, must be limited to those data that are strictly necessary for the intended purpose, and any non-essential additional data should not be collected.
Moreover, the Resolution has been published in the context of the current state of emergency. Once this has ended on May 9 (if this is the case), the Canary Islands should use a regulation with the status of law to be able to continue applying the measure (as it is contained in a resolution).
In this case, the legal basis that restaurants could use for the collection and processing of such personal data would be compliance with a legal obligation applicable to the controller (Article 6(1)(c) of the GDPR).
Nonetheless, any similar initiatives that may emerge in an attempt to contain the spread of the pandemic must be necessary, subject to periodic review and limited not only in time but also in scope. According to the competent authorities, identification by national identification number would in any case be disproportionate.
Authors: Ana Sánchez and Jorge Monclús
This post is also available in: Español