The Deputy Prime Minister and Minister of Health has issued the Standards and Guidance for Bars, Clubs, and Similar Establishments including places of Entertainment dated 19 August 2020. On 24 August 2020, Standards for Operations on the Principles of Social Distancing, Enhanced Hygienic Practices and Minimised Infection Risks in Malta’s Tourism Infrastructure were released, which, among other industries, cover restaurant services.
These standards and guidelines carry, among others, a requirement for owners/management of the respective establishments to collect contact details of 1 person per table and store these details for 4 weeks after collection. According to the guidelines dated 24 August 2020, the contact details include the name and the phone number of the person.
The standards and guidelines are officially issued by the health authority under the Public Health Act; therefore, requirements thereunder are to be considered a legal obligation placed upon the respective owners/management. For this reason, the said requirement is fully legitimate and should be complied with, without exception, until further notice.
Data processing carried out in compliance with this requirement is considered by the Office of the Information and Data Protection Commissioner (IDPC) as done under the legal basis laid down in Article 6 (1) (c) of GDPR, which provides that data processing may be done if processing is necessary for compliance with a legal obligation to which the controller is subject.
The document does not detail any technical requirements for collection and storage; therefore, the controller must follow the general rules and principles laid down in GDPR.
With regard to the storage of the personal data, the data must be:
- kept securely;
- only provided to health authorities if and when requested;
- under no circumstances used for a purpose other than that set out by the health authorities; and
- destroyed after the lapse of the 4-week timeframe.
Also kindly note that the data subjects' rights laid down in GDPR shall still apply. As the processing is done under the legal basis of a legal obligation of the controller, certain exceptions apply. Namely, in the given situation the rights that shall apply include the right of access to the data and to information regarding its processing (i.e. the data subject should be made aware of his rights under GDPR and that the data will be destroyed within four weeks), the right to rectification of data and the right to restriction of processing.
The authorities have not yet clarified whether the owner/management of the establishment should require a customer’s identification document to verify the correctness of the information provided. However, considering this is not a duty of the establishment explicitly expressed in official documents, it is advisable not to check ID documents. The situation as it currently stands imposes no obligation on the data controller (the owner/management of the establishment) to verify the data being collected, and therefore in no case should copies of ID documents be collected and stored.