COVID-19 Data Collection in Restaurants Done Right: Lessons From a German Regulator

August 26, 2020

The German state of North Rhine-Westphalia has issued an audit checklist for compliant use of data collected in connection with COVID-19 tracing.

This checklist will prove useful for U.S. states as similar requirements for collection of data for contact tracing purposes are imposed on public venues and in view of pending bills prohibiting the use of the data for non-COVID purposes.

  • How do you inform individuals of the purpose of contact data collection (traceability of possible infection chains and access restrictions)?
  • How do you collect the information from the patrons? Do you hand each group/table a blank list? How do you handle reservations?
  • Do you collect data electronically? How? How do you store the data electronically and how is it sorted (date of visit? otherwise)? Do you use a third-party service provider to this end? Which?
  • How do you store the paper contact lists and who has access to the data?
  • Do you inform everyone who has access to the data about data protection-compliant handling of this data (in particular about the protection against access by unauthorized third parties, narrow purpose of use)?
  • How do you ensure the regular (and timely) secure destruction of the paper contact data lists or the electronic data collection? Data must be deleted/destroyed in compliance with the data protection regulations, and if you use a service provider for this, you must confirm that this was performed.
  • Have you already transmitted data to a regulatory authority/health authority after a written request and, if so, how do you ensure that this transmission is secure?
  • How do you deal with your customers if they raise data protection concerns?

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with privacy and data security issues related to COVID-19 contact tracing, contact Odia at [email protected] or 215.444.7313.