Skip to content

You are here:

Data-protection-compliant documentation of customer data during the coronavirus crisis

Currently, a great number of business people are required to collect the contact data of their customers. The aim of this is to ensure that in the event of a COVID-19 disease outbreak it would be possible to reliably trace potential contacts. The collection and processing of these customer data fall within the scope of data protection laws. The example of the applicable provisions in Lower Saxony is intended to illustrate what data has to be collected and how to prevent potential privacy breaches.

Customer data collection

When collecting customer data you already have to pay attention to some particularities so that the collection of this data can be done in a way that is compliant with data protection requirements.

  • If lists are used to collect data for a number of customers then the next customer will see the respective contact data for the prior customer. To prevent such a privacy breach, the customer data can be recorded on separate pages in each case.
  • Collecting data by means of a continuous list is only allowed if the prior customer’s respective details are covered up.
  • It should also be noted that not all kinds of data may be collected but solely those mentioned in the coronavirus regulation. These are: surname, first name, full address, a telephone number as well as the time of entry into and departure from the establishment. The coronavirus regulation in Lower Saxony, at any rate, does not include recording the e-mail address as well.

Recommendations: Customer data should be collected anew each day, since this is the only way that defined deletion deadlines can be complied with. Furthermore, when data is collected, under Art. 13 GDPR it is necessary to provide customers with information about this. To this end, a notice with data protection information should be displayed at the point where the contact data are collected.

Processing of data

As regards the processing of data, it should be noted, in particular, that data may only be processed for the purpose intended in the respective coronavirus regulation. This is basically for distribution to the competent public health authority in order to prevent the further spread of the virus. Under no circumstances may the collected data be used for promotional purposes.

If a public health authority requests the data then you should bear in mind that they have to be submitted via a secure transmission channel.

Please note: Sending the data via a simple e-mail is not adequate in this case. It is recommended that the data be sent by post or by e-mail with end-to-end encryption.

Erasure of data

The contact data should be retained for at least three weeks. After a maximum of one month the contact data should be erased in a way that is compliant with data protection requirements. The lists used to collect the data should at least be shredded in a data document shredder. If the contact data have been digitally collected then the erasure has to be carried out securely. Erasure via the wastebasket function is not adequate in this case. If the structure created here for managing the contact data is not adequate then this could quickly lead to a GDPR violation, which could result in a fine.

Conclusion: Since it must be assumed that the requirement to collect contact data will continue to be applicable, we strongly recommend taking an in-depth look into how to collect data in a manner that conforms to the data protection provisions. To this end, for example, the relevant web page of the federal state of Lower Saxony would be helpful – see the link:

Back to top of page