Video: European justice update on massive collection of connection data (Euronews)
Click here to enlarge
Since Monday, in Paris, Marseille and in all the other cities of the six departments on maximum alert, restaurateurs are required to install a “reminder book”. This tool, which can take several forms (notebook, form, software) allows customers to enter their name and phone number in order to be called back in the event of a case of Covid being detected. Necessary to combat the spread of coronavirus, however, this “reminder book” poses a concern for the management of personal data. The CNIL, guarantor of the application of the General Data Protection Regulation, has established safeguards.
Favor an individual form rather than a notebook
In a note, the National Commission for Informatics and Liberties draws up a list of instructions to be followed for restaurateurs in order to guarantee the security of data provided by customers. First, they must be “informed of the purpose of this collection and the rights they have regarding their data”. As the obligation is only valid in the maximum alert zone, not all establishments are concerned, hence the need for a reminder when customers arrive, either orally by the manager or the manager. server, or via a poster.
Concerning the notebook itself, the Cnil asks to avoid the free-access notebook, where everyone writes their name and telephone number themselves… and can in the process see those of previous customers. Instead, she recommends an individual form to be completed at her table, or that the restaurateur himself completes upon arrival (a model is available on the Cnil website). Form which must then “be kept in a secure place and not be left in sight of all customers”. For establishments that have opted for a digital system (software, QR Code), the data must be protected with a “robust” password and especially not stored on a USB key.
Data for strictly health purposes
The census of customers is also supervised by the Cnil on the merits. “The data to be collected must be limited to the identity of the person (surname / first name) as well as to a single means of contact (telephone number): it is forbidden to collect any further data”, she writes on her site. The restaurateur must note the time of arrival and departure. On the other hand, he is not entitled to claim an identity document, it is up to the customer to show honesty. In addition, contact information should only be kept for 14 days. Beyond that, they must be removed or destroyed.
Finally, the data provided by customers can only be used in a health setting, when they are requested by health authorities for the purpose of tracing contact cases. Restaurant owners are prohibited from using it to formulate promotional offers or for personal purposes. In the event of abuse, customers are invited to contact the Cnil.