Corona, attendance lists and data protection

For many companies, self-employed persons and freelancers, there is now or will soon be an obligation to record the contact data of all customers and participants when they enter and leave the premises.

Key Facts

Companies must record customers' contact details when they enter their premises.
Data protection is crucial; data may only be used for the purpose for which it was collected.
New lists must be created daily in order to comply with data protection deadlines.
Data subjects must be informed about data collection in accordance with the GDPR.
Data must be destroyed securely and in accordance with applicable regulations, e.g. by shredding.
The release of lists to authorities must be documented and securely transferred.
The consent of the data subjects is required to carry out data collection.

However, in the case of these lists, data protection should be observed, in contrast to what is currently practiced – quite incorrectly – by many authorities and courts. Otherwise, there may be trouble from another side.

No person shall be able to take note of the data of other persons. Therefore, one should only ask for the data and enter it into lists oneself. If this is too time-consuming, it must be ensured that the previous entries are covered when the contact data is entered independently.
A new list should also be started for each day in order to be able to comply with the deletion deadlines under data protection law.
The collected data may not be used for any other purpose, such as customer contact or advertising.
Everyone must be informed about the data collection in accordance with Art. 13 GDPR. The information must include the following:

- Name and contact details of the person responsible.
- Contact details of the data protection officer, if any.
- purposes for which the personal data are processed and the legal bases for the processing.
- Recipients or categories of recipients (e.g., health department).
- Duration of storage.
- Reference to the existence of the right of access, rectification, erasure or restriction of processing and the right to lodge a complaint with a supervisory authority.
- Note that data subjects can only be served, informed or audited to the extent that they consent to the data collection.

If the health department or other authorities request the contents of the lists, this release should also be documented. In purely formal terms, a secure transmission channel must be used, i.e. mail, fax or e-mail with end-to-end encryption.

The data must be destroyed or deleted in accordance with the applicable Corona regulation for the respective federal state probably no later than one month after the last contact with the person in question. This in turn must also be done in compliance with data protection, which is why lists must actually be shredded with a shredder and files on a PC or tablet, for example, must be disposed of by secure deletion. It would therefore be insufficient to dispose of paper documents in the household waste or the waste paper garbage can, or to simply delete files in the normal way.

Contact me for further questions!

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.