Restaurant and café terraces opening – a quick peek at the applicable data privacy provisions
Starting June 1st, restaurant and café terraces are open, following new legislative amendments on the gradual return to the “normal” pre-pandemic lifestyle.
In this respect, Order no. 461/30.05.2020, jointly enacted by the Ministry of Health and the National Sanitary Veterinary and Food Safety Authority (the “Order”), establishes the rules that have to be followed to ensure that, when returning as much as possible to the old normality, the COVID-19 virus will not start to spread again.
Among other administrative measures meant to ensure that another COVID-19 outbreak will not happen, the Order establishes that economic operators in the food and drink industry must (i) monitor their employees’ health condition and (ii) implement a customers’ reservations registry, so that concrete data is available in case an epidemiologic investigation is necessary, although no specific sanction is imposed under the Order with respect to the lack thereof.
The Romanian provisions that implement a new reservations registry are in line with the measures imposed by other European states, such as Germany, where operators of restaurants and cafés are either obliged or encouraged to use reservation systems or other adequate procedures to track contacts.
While it remains unclear whether the implementation of such a registry is mandatory under the provisions of the Order, it is clear that, if operators of restaurants and cafés choose to adopt a reservations system, having a reservation registry is compulsory under the GDPR requirements.
However, in the absence of any specific guidelines on what personal data is required and on how to handle such personal data, the SAA Data Privacy team is offering its insight on these specific requirements.
Firstly, restaurant and café operators must keep in mind that, although we are living in complex times, the GDPR principles must be complied with regardless. This applies in particular to the data minimization principle, which provides that companies must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
With respect to what personal data should be processed for reservations, we consider the name, surname and telephone number or e-mail address to be sufficient in case an epidemiologic investigation would be required.
Moreover, in order to comply with the above-mentioned minimization principle, it is clear that operators of restaurants and cafés need not process the personal data belonging to all the persons sitting at one table, and processing the personal data of the person that has made the reservation is sufficient.
When it comes to the processing period, it should not exceed a 16-day period from the moment the reservation is made and the relevant data is entered into the reservations registry.
The operators of restaurants and cafés should ensure that an adequate reservation registry is in place and, most importantly, that the data subjects are informed with respect to the new processing.
Moreover, adequate technical and organizational measures should be implemented in order to establish proper compliance with data privacy requirements.
If you need more information on the above, our Data Privacy team is available at your convenience.