Legal advice for bars and restaurants: how not to get into trouble when registering clients




It is important to prepare well

“Although it is not yet clear how and what personal data the institutions will have to collect, the same Thursday afternoon A. Veryga said that it is most likely the name, surname and telephone number of the person. This means that the companies that comply with the Government Resolution will become data controllers, who will also be subject to the data protection provisions of the GDPR. Companies face fines of up to 4% of annual turnover or up to 20 million euros for non-compliance,” says P. Mockevičius.

According to the lawyer, in order to avoid such fines, it is important that companies realize that even such a Government obligation and an extraordinary pandemic situation do not exempt them from the obligation to comply with data protection requirements. According to P. Mockevičius, institutions that intend to register visitors must take appropriate technical and organizational measures to protect the data collected.

“To this end, it is important to establish and document visitor registration and related data processing procedures in advance, designate the personnel responsible for collecting, storing and destroying visitor data, and ensure that unauthorized personnel or passers-by do not have access to visitor data,” says P. Mockevičius.

Visitors must be properly informed

According to the lawyer, it is also very important that companies adequately inform visitors when collecting personal data.

“Before registering a visitor, a clear, concise and easy to understand message must be provided indicating the identity and contact details of the controller, in this case a company or a freelancer. The notification must also inform the person of the purpose and legal basis of the data processing, the possible recipients of the data, the data controller’s intentions to transfer personal data outside the EU, the data retention period, personal rights and possible consequences of non-disclosure,” says Mockevičius.

According to the attorney, this information can be provided both on paper and electronically. The key is that the company can demonstrate that such information was actually provided. If the data is to be collected on a paper questionnaire, it is desirable to provide such notice on the questionnaire itself or as a separate annex. If the data is collected electronically, the necessary information can be provided in an electronic data collection form.

“It is highly recommended to include a label in the data collection questionnaire by which the person confirms that they have read and understood the information provided. This can be important in the event of a dispute or complaint. The duty to demonstrate that the data was collected and stored in accordance with the requirements of the GDPR, in such situations, rests with the data controller,” says P. Mockevičius.

You must not be arbitrary

According to a lawyer for Sorainen, the principle of data minimisation enshrined in the GDPR is also very important. It prohibits the processing of more personal data than is necessary to achieve the stated purposes.

“This means that in this case, the institutions should collect only the visitor data required by the decision of the Emergency Operations Manager at the state level. It should clearly indicate what specific personal data the institutions should store and for how long. The collection of any other information would be considered excessive and could only be accumulated with the separate consent of the person,” says P. Mockevičius.

According to the lawyer, it is equally important to ensure that the data collected is used only for submission to the National Center for Public Health if this is necessary for the epidemiological diagnosis of COVID-19. The use of collected visitor data for marketing or other purposes is prohibited, unless there is another legal basis for doing so, such as individual visitor consent.

Collect data, only safely

Mr. Mockevičius also draws attention to the security of data collection tools. Whether the data is collected on paper or in electronic form, the tools used must ensure the security of the data collected.

“In other words, it is not enough to attach a common questionnaire open to everyone at the door of the institution, in which each visitor would register their contacts. Registered visitors should not see the data of other visitors. If the data is collected on paper questionnaires, it is important not to leave it in an open and easily accessible place. Whatever form of data collection is chosen, it must ensure that the data is protected against inadvertent disclosure, loss or destruction,” says P. Mockevičius.

According to him, when using the electronic data collection method, it is important to choose a reliable IT service provider and a system that meets security requirements. Additionally, the device and system must be protected by a strong and regularly changed password, and better yet, by a two-factor authentication solution.

The data must also be properly deleted

According to the lawyer, at the end of the mandatory data retention period, visitor information must be properly and irreversibly destroyed. Unfortunately, according to P. Mockevičius, not everyone understands that throwing out personal data media is not an appropriate way to do it.

“Before any data carrier is removed, all the data it contains must be destroyed. This can be done using dedicated software using reliable data destruction algorithms. If this is not possible, the media must be destroyed with shredders or other mechanical means,” says P. Mockevičius.

According to P. Mockevičius, it is also important that institutions guarantee the rights of the people whose data is collected.

These include the right to request that the data controller give the data subject access to their personal data and, if necessary, rectify them. In addition, it should be noted that the controller must respond to requests from individuals related to the processing of their personal data no later than one month after the date of receipt of the request. If a person’s request is not to be honored, reasons must be given.

The new requirements go into effect on Monday

The government has decided that as of October 26, activities will only be allowed in leisure and entertainment venues, catering establishments, restaurants, cafes, bars, clubs and other entertainment venues, as well as gambling dens, gambling venues and betting shops, where their visitors are registered.

The ruling foresees only two exceptions in which visitor registration is not required. It is not necessary to register each visitor when food is brought or when catering services are provided to company employees on the premises of these companies.

It is strictly prohibited to use the information published by DELFI on other websites, in the media or elsewhere, or to distribute our material in any way without consent, and if consent has been obtained, it is necessary to indicate DELFI as the source.


