Some of the hospital districts have recommended that restaurants and event organisers collect customers’ contact information so that it can be used to trace coronavirus infections and exposures, if necessary.
If you collect information, pay special attention to the following issues.
1. Confirm the legal basis for processing and the lawfulness of consent
There must always be a legal basis for the processing of personal data. A recommendation by an authority alone does not constitute a basis for processing personal data.
In Finland, companies do not have a legal obligation to collect contact information for tracing infections. However, collecting information is possible based on the data subject's consent. This means that customers can decide if they wish to provide their information to the restaurant or event organiser for tracing people who have been exposed to coronavirus.
The consent must be freely given, specific, informed and unambiguous. Customers must be clearly informed of the purpose for which the information is collected. Customers also have the right to refuse to provide information. Providing information cannot be used as a condition for entering a restaurant, for example.
Further information on the legal basis for processing data
Further information on asking for the consent of the data subject
2. Limit the purpose of processing the information
The information can only be used for tracing infection chains, not for marketing or other customer communications, for example.
Further information on limiting the purpose of processing
3. Minimise the amount of information collected
Only information necessary for tracing infections can be collected. For example, a customer’s name and telephone number can be requested. A combination of contact information and an alias can also be sufficient for tracing infection chains.
Further information on the minimisation of data
4. Determine the data storage period
Information can only be processed for as long as it is needed for tracing infection chains. For example, in the Koronavilkku application, the data are stored for 21 days, after which they are destroyed. The data must be destroyed carefully after they are no longer needed.
Further information on determining the data storage period
5. Implement the rights of the data subject
Data subjects have many rights, and their fulfilment must be ensured. Customers must be told clearly and comprehensively about how and for which purpose the personal data will be used. Customers can also withdraw their consent for the processing of data, and the data must be removed if the customers request it.
Further information on the rights of the data subject
6. Make sure that the data are processed safely
Only persons whose duties involve the processing of personal data are permitted to access the data.
Customers must not be instructed to submit their contact information in such a way that other customers can see the information.
7. Describe the roles of parties processing personal data
Does another party process the data on behalf of the restaurant or the event organiser by using an application, for example? In that case, a processing agreement must be drawn up.
Further information on processors
Further information on processors’ responsibilities