Mandatory registration is not just a data security risk




As of October 26, the requirement for catering establishments and leisure and entertainment service providers to register the names, surnames and phone numbers of all their customers came into force throughout Lithuania.

As stated in the decision of the Chief of Operations, the establishments collecting the data must retain it for 21 days and then destroy it immediately.

Arnas Paliukėnas, President of the Lithuanian Bar Association, says that such requirements are unrealistic and that companies that have not had to process personal data until now may not only pose a threat to data security, but also face huge fines.

In his opinion, even simple data, such as a person’s name or phone number, can be used for malicious purposes if it falls into the wrong hands.

“From a data protection point of view, this data is sensitive, anyway. Now, as regards the situation, it does not seem to me, in terms of data protection, that a company can prepare adequately in such a long time. Not in one day, not in two, not in three. We may not say impossible, but very complicated.

Make sure they are handled, that a responsible person is named where they will be kept, either physically or in the media. It is quite a complicated procedure,” explains A. Paliukėnas.


Fines can be in the hundreds of thousands

According to A. Paliukėnas, in 2018, when the General Data Protection Regulation (GDPR) came into force throughout the European Union (EU), companies based in Lithuania spent several months learning to apply the new data processing system in practice.

“We have had this stressful situation very recently, at least the legal professionals would confirm without a doubt that when it was necessary for companies to adapt to data protection regulations, there was really quite a bit of tension.

There were many consultations, seminars, quite a long time before it went into effect. Although the data protection law has existed at the national level until then, even so, there was a lot of everything before regulation and it was really necessary to prepare for it,” says the president of the Lithuanian Bar Association.

Some companies, like many catering establishments, have never before encountered the collection and processing of private personal data of their visitors. According to A. Paliukėnas, therefore, the current situation is a great recipe for disaster.

“If someone (companies – author’s note) did not have to do it, preparing from scratch would not say that it is simple and therefore the regulation may not fully comply with data protection requirements. And if you don’t prepare, there can be not only a thousand, but also a hundred thousand fines,” says the lawyer.

Other people can organize registrations

However, not all companies choose to record and manage sensitive data themselves.

For example, in Vilnius, more than 200 public institutions already use the specially created InBar system for visitor registration.

Its creator, Mark Adam Harold, says he understands why people may not want to provide their personal information. However, according to him, now all companies are simply obliged to comply with government decisions, so the only way out is to take all necessary measures to keep data safe.

“We just register visitors, as the operations manager says. {…} Now we rent servers and store data there, in accordance with all security requirements,” the system’s developer tells tv3.lt.

In his opinion, this data collection method is the safest and people do not have the opportunity to report incorrect data.

“There are questionnaires for other systems used by companies: websites. But we decided not to. There are several reasons why people often store fake data in such systems in the first place. They record any fake street and phone numbers.

If it’s an SMS system, you get a message on your phone and you can really know that the person is being tracked,” explains M. A. Harold, inventor of InBar.

Veryga: “There are no data leaks here”

Health Minister Aurelijus Veryga told reporters at a press conference that all data collection obligations are agreed with the State Data Protection Inspectorate (VDAI).

“There are really no such data security breaches here. Of course, every controller is obliged to collect data responsibly, not transfer it to third parties, and destroy it when the time comes,” said A. Veryga.


The VDAI itself also issued a notice explaining how registration data should be handled.

The VDAI highlighted the following basic rules that all companies recording personal data must follow: process only the data that it is necessary to process; process it for the purposes established in the decisions of the Chief of Operations; store data for up to 21 days; guarantee adequate security of personal data.

All institutions must also provide visitors with concise information about what will be done with their data.

“For example, the name of the company, the contacts, the purposes for which the personal data is processed, the information that the personal data is processed to comply with a legal obligation of the controller, what personal data will be processed, how long it will be stored and more. This information can be provided both in a paper document and in electronic format,” reads the VDAI report.

From October 26, visitor registration is required to enter individual leisure and entertainment venues such as movie theaters, dance studios, sports clubs, children’s kite areas, bowling, laser arenas, escape rooms, etc., as well as catering establishments, restaurants, cafes, bars, night clubs and other entertainment venues, casinos and slot machines, bingo halls, gambling halls, and betting points located in supermarkets.


