To facilitate the search for contact cases of Covid-19, restaurateurs located in the maximum alert zone must set up a "reminder book" listing the customers who eat in the establishment.

The tool can take several forms, but it raises questions about the protection of personal data.

The CNIL published a guide to good practices on Wednesday.

Since Monday, in Paris, Marseille and all the other cities of the six departments on maximum alert, restaurateurs have been required to set up a "reminder book".

This tool, which can take several forms (notebook, form, software), allows customers to enter their name and telephone number so that they can be called back if a case of Covid is detected.

Necessary to fight against the spread of the coronavirus, this "reminder book" nevertheless poses a concern for the management of personal data.

The CNIL, guarantor of the application of the General Data Protection Regulation, has established safeguards.

Favor an individual form rather than a notebook

In a note, the National Commission for Informatics and Liberties draws up a list of instructions for restaurateurs to follow in order to guarantee the security of the data provided by customers.

First, customers must be "informed of the purpose of this collection and of the rights they have regarding their data".

As the obligation is only valid in the maximum alert zone, not all establishments are concerned, hence the need for a reminder when customers arrive, either orally by the manager or the server, or via a poster.

Concerning the notebook itself, the CNIL asks restaurateurs to avoid the free-access notebook, where everyone writes their name and telephone number themselves… and can in the process see those of previous customers.

Instead, it recommends an individual form that the customer fills out at the table, or that the restaurant owner completes on the customer's arrival (a model is available on the CNIL website).

The form must then "be kept in a secure place and not be left in sight of all customers".

For establishments that have opted for a digital system (software, QR Code), the data must be protected with a "strong" password and, above all, not stored on a USB key.

Data for strictly health purposes

The CNIL also sets rules on the substance of the customer register.

"The data to be collected must be limited to the identity of the person (surname / first name) as well as to a single means of contact (telephone number): it is forbidden to collect any further data", it writes on its site.

The restaurateur must note the time of arrival and departure.

However, the restaurateur is not entitled to ask for an identity document; it is up to the customer to be honest.

In addition, contact information should only be kept for 14 days.

Beyond that, it must be deleted or destroyed.

Finally, the data provided by customers can only be used in a health context, when they are requested by the health authorities for the purpose of tracing contact cases.

Restaurant owners are prohibited from using the data to formulate promotional offers or for personal purposes.

In case of abuse, customers are invited to contact the CNIL.