Identification and data protection
Identification and data protection
Data protection compliance in the identification of customers for entry to entertainment venues is under debate.
It is clear that the coronavirus has forced drastic changes in our daily lives, including those we considered unnecessary before this situation. our daily lives, including those that we considered unnecessary prior to this situation.
Previously, companies had implemented other measures to combat the spread of COVID-19.
With the opening of leisure centers, we are faced with another new measure, this is the identification of customers prior to accessing leisure establishments.
What does the Data Protection Agency say?
On July 31, the Spanish Agency for Data Protection (AEPD), shows that not all the measures taken to control the spread of the pandemic, are framed within the provisions of the regulations of data protection. data protection and that, on the contrary, they may violate it.
Similarly, not all data collected in this area of virus health monitoring can be considered special category data.
Conclusions
The AEPD determines that requesting identification from customers, such as their full name and DNI are excessive measures, for the following reasons:
- The need for this registry has not been accredited by the health authorities, nor is it regulated on a mandatory basis, i.e., by a regulation with the rank of law.
- The legal basis for implementing this type of measures, in which there would be a transfer of data to the health authorities, would be Article 6.1.e) of the RGPDsince the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller, i.e. there is a public interest in controlling the pandemic.
- However, in order to guarantee the highest level of data protection, it is important to analyze in which types of establishments it is necessary to implement measures for the prior identification of clients, and the health authorities should identify those establishments that are at risk of not being able to comply with the security measures of safe distance, use of masks, use of disinfectant gel, etc.
- Data collection should be harmonized with the principle of data minimization.
- The purpose of data collection must be respected at all times, prohibiting the use of such personal data related to any purpose other than pandemic control.
- Customers (data subjects) must be informed of the processing of their personal data, as well as of the security measures adopted to ensure their safety.
What should entertainment venues do?
Establishments that are taking these measures as part of their initiative to control the spread of the virus, must have data protection consultants to implement in their business the principles governing the processing of personal data, as well as contemplate the instructions made by the AEPD, avoiding claims before the supervisory body and possible sanctions.
In this sense, the principle of data minimization prevails, proposing to request only the client’s telephone number and to note down the day and time of attendance at the site.
The anonymization of clients would also be a measure to be considered, as a criterion assumed by the European Data Protection Committee in the Recommendation on the use of location data and contact-tracking applications in the context of the pandemic.
Ask data protection consultants for help.
If you do not know all the implications that the Data Protection Regulation has on your business, Business Adapter Data Protection Valencia can help you. Contact us.