To the great relief of much of the public, the government announced on 23 June 2020 that pubs, bars and restaurants could re-open from 4 July 2020.
However, the hospitality sector will have to adapt to a new concept of “normal” when re-opening their premises. In addition to complying with the government guidance on social distancing and hygiene measures, the government has put in place emergency health regulations, which require businesses to assist the NHS with the national track and trace effort. This means that hospitality businesses will have to keep a record of customers for a period of 21 days after a customer’s visit to their premises.
Such businesses need to remember that, while these are exceptional times, data protection laws still apply and they must collect the personal data in accordance with the requirements set out in the General Data Protection Regulation (“GDPR”).
In order to ensure compliance with the GDPR, businesses must consider the following key principles:
- Transparency – businesses should ensure customers are made aware of what types of personal data they are required to collect and why. Certain members of the public may not be aware of the regulations and therefore may not expect to hand over their personal data when out for a drink or a meal. Keeping customers informed is likely to assist with building trust and overcoming any discontent;
- Data minimisation – businesses should collect only as much personal data as is required to enable them to comply with their obligations under the regulations. This is likely to consist of the customer’s name and one form of contact information;
- Fair use – businesses should only use the personal data collected in the customer records for the purpose for which it is collected; that is, to assist with the national track and trace effort. To use the personal data for other purposes, such as marketing, would constitute a breach of the GDPR unless the customer has given their consent at the point of collection;
- Storage limitation – businesses should not keep the personal data they collect for longer than is required to enable them to fulfil the purpose for which it was collected. The question of determining what is an appropriate retention period has been taken out of the hands of businesses, as the regulations prescribe that the correct period is 21 days. Businesses must ensure that they securely delete personal data after expiry of this period; and
- Data protection – if businesses are sharing personal data with third parties, for instance, app providers who will process it on their behalf, they must ensure that they have the appropriate contractual safeguards in place to protect the personal data.
Get in touch
If you would like to discuss any of the issues raised in this article, or would like assistance with any data protection issues, Rebecca Anforth (Senior Associate) would be delighted to hear from you. You can reach Rebecca on 01872 226999 or you can email her at firstname.lastname@example.org.