Key Facts

Companies must record customers' contact details when they enter their premises.
Data protection is crucial; data may only be used for the purpose for which it was collected.
New lists must be created daily in order to comply with data protection deadlines.
Data subjects must be informed about data collection in accordance with the GDPR.
Data must be destroyed securely and in accordance with applicable regulations, e.g. by shredding.
The release of lists to authorities must be documented and securely transferred.
The consent of the data subjects is required to carry out data collection.

For many companies, self-employed persons and freelancers, there is now or will soon be an obligation to record the contact data of all customers and participants when they enter and leave the premises.

However, in the case of these lists, data protection should be observed, in contrast to what is currently practiced – quite incorrectly – by many authorities and courts. Otherwise, there may be trouble from another side.

No person shall be able to take note of the data of other persons. Therefore, one should only ask for the data and enter it into lists oneself. If this is too time-consuming, it must be ensured that the previous entries are covered when the contact data is entered independently.
A new list should also be started for each day in order to be able to comply with the deletion deadlines under data protection law.
The collected data may not be used for any other purpose, such as customer contact or advertising.
Everyone must be informed about the data collection in accordance with Art. 13 GDPR. The information must include the following:

- Name and contact details of the person responsible.
- Contact details of the data protection officer, if any.
- purposes for which the personal data are processed and the legal bases for the processing.
- Recipients or categories of recipients (e.g., health department).
- Duration of storage.
- Reference to the existence of the right of access, rectification, erasure or restriction of processing and the right to lodge a complaint with a supervisory authority.
- Note that data subjects can only be served, informed or audited to the extent that they consent to the data collection.

If the health department or other authorities request the contents of the lists, this release should also be documented. In purely formal terms, a secure transmission channel must be used, i.e. mail, fax or e-mail with end-to-end encryption.

The data must be destroyed or deleted in accordance with the applicable Corona regulation for the respective federal state probably no later than one month after the last contact with the person in question. This in turn must also be done in compliance with data protection, which is why lists must actually be shredded with a shredder and files on a PC or tablet, for example, must be disposed of by secure deletion. It would therefore be insufficient to dispose of paper documents in the household waste or the waste paper garbage can, or to simply delete files in the normal way.

Contact me for further questions!

Tags: Data protection Law E‑mail Information Mail Privacy Regulation Test