As the COVID-19 lockdown begins to ease, everyday life should gradually return to normality. This includes the reopening of food and drink outlets such as restaurants and bars, where people tend to gather in confined spaces and which can therefore quickly become a source of infection.
In order to uncover and interrupt possible chains of infection, many federal states in Germany have added specific data-protection provisions to their federal regulations mainly affecting food service operators, but also other businesses such as fitness studios or hairdressers.
Federal states take different approaches
Depending on the federal state, food service operators are obliged (or at least encouraged) to record the contact details of their guests for a certain period of time and to send them to the relevant authorities upon request.
However, the applicable provisions in the individual states differ greatly in terms of clarity, requirements and consistency.
The following examples show the different approaches taken and the issues associated with the respective provisions from a data privacy perspective.
- The COVID-19 regulation of the State of Berlin is, compared to federal states, the least strict, stating that restaurants are ‘strongly encouraged’ to use reservation systems or other appropriate procedures to track contacts. So, while restaurants are not obliged to record the contact details of their guests, if they collect these data, they must keep them for a period of four weeks and provide the authority with them upon request.
- At first glance, North Rhine-Westphalia appears to be relying on a voluntary approach for customers of food and drink establishments by requiring them to consent to entering their contact data and visiting hours in lists at the table. Customers who do no consent should be denied entry, suggesting that compliance is not in fact voluntary. Whether the operator is allowed or obliged to send these data to the authorities remains unregulated as well.
- Another example of incomplete or inconsistent provisions is Baden-Wuerttemberg. Here, operators of food service establishments must, for contact-tracing purposes, collect and process customers’ names, contact details, and date and time of the visit – with the customers’ consent. These data must be deleted by the establishment’s operator four weeks after collection. Again, the rules are silent on whether the operator may or must send these data to the authorities, and what happens if a customer does not grant consent.
- The regulations of Rhineland-Palatinate are somewhat clearer. When making a reservation, customers must state the contact details (surname, first name, address and telephone number) of all members of their party. The premises operator must keep these for one month and send them to the responsible authority upon request. The regulation covers restaurants, cafeterias, canteens, cafés, ice-cream parlours, wine bars, tasting rooms and similar establishments. Student union canteens and dining-halls are excluded from the contact data collection, while non-public canteens are not listed separately, which suggests that the obligation to collect data also applies to them.
Proportionality of the measures
According to the EU’s General Data Protection Regulation (GDPR), such obligations may be imposed on businesses on a national level provided that they are proportionate. However, proportionality is questionable as the obligations result in collecting and retaining a large amount of personal data.
Having seen German authorities’ inability to notify the responsible German institution for counting COVID-19 infections, it seems highly unlikely that they could pass on such a large amount of information if requested to do.
Additionally, for some federal state regulations, a softer approach might be enough to ensure effective contact tracing (eg by collecting a single email address from each group of customers). Furthermore, the regulations appear disproportionate considering the other protective measures that must be taken by food and drink operators as well as guests.
Consequences for businesses
Even though provisions vary across German states, the GDPR still applies. In particular, a food and drink establishment must have a GDPR-compliant privacy notice informing customers that it is collecting personal data. This applies as well to collecting personal data in these lists.
Furthermore, the personal data being collected must be kept in a safe place and made available only to a limited group of employees. They may also only be sent to the competent authority if the authority requests it and using a secure means of transmission. Each such request and the transmission itself must be documented to comply with the principle of accountability.
In accordance with the principle of purpose limitation, food service operators may neither use the data for other purposes like advertising nor collect any data other than those required by law. And of course, all customer data must be deleted after the legal retention period has expired.
If a premises operator does not comply with these data protection requirements, data protection authorities and consumer associations can impose penalties, including high fines.
As long as there is no uniform approach in Germany, food service businesses that operate nationwide must assess the rules for each federal state to ensure they are fully compliant. This is in addition to complying with the GDPR.
To comply with the regulations as well as the GDPR, food service businesses should consider drafting rules for their employees on how to process the data they collect.
We expect other countries to consider following the German approach as well and, given the proportionality discussions, it is likely that already existing approaches might be modified within the coming weeks.
Therefore, all food and drink businesses operating at a European level must prepare themselves and their employees to start providing good food and drink again while correctly collecting large amounts of personal data.