The CNIL issues its recommendations on the keeping of a "reminder book" by catering establishmentsThis is a direct consequence of the reinforcement of health measures in maximum alert zones.
1. Data collected
The data collected must be limited to that which is necessary, without any supporting documentation being required, i.e. :
- the identity of the person (surname/first name)
- a means of contact (telephone number)
- the date and time of the person's arrival
2. Purpose of processing
The sole purpose of the processing carried out must be to transmit information to the health authorities (CPAM, ARS, etc.) in order to facilitate the search for contact cases, where appropriate, and may not be used for commercial purposes.
3. Data retention period
Data is kept for 14 days in accordance with the recommendations of the Ministry of Health and Solidarity.
4. Data security
Data security involves confidentiality: only the people who need to know the data should have access to it (e.g. the manager who sends the data to the health authorities, the server that collects the data).
The CNIL distinguishes between two cases:
- paper form, which must be individual or by table if it is made available to the customer, or must be collected by the restaurateur himself, so that no customer can have access to the data of others. This paper "reminder book" must then be kept in a secure place.
- the electronic form, whose storage must be protected by a strong password (including upper and lower case letters, numbers and special characters) and on equipment stored in a secure location.
5. Informing those concerned
As with any processing of personal data, data subjects must be provided with exhaustive and transparent information about the processing operation at the time of collection of their data, by including an information notice:
- on the paper or electronic form
- on a notice board in the establishment, or
This information must include in particular :
- the identity and contact details of the establishment;
- the purpose of data collection (transmission of information to the health authorities to facilitate the tracing of contact cases);
- the data retention period (14 days);
- the rights of the data subject (access or rectification of data, deletion under certain conditions, etc.);
- the recipients of the data, in particular the health authorities.
To help establishments subject to this obligation, a model information notice is available from the CNIL on its website.
The CNIL also takes into account companies not subject to the health protocol who would nevertheless like to set up a "reminder book" by providing a separate model for information notices and setting specific conditions:
- it is necessary, i.e. it meets an identified need;
- it is subject to the consent of each individual.
As a reminder, in order to be valid, consent must be freely given, which means, as the CNIL points out, that the data controller cannot refuse access to its establishment if the individual refuses to provide his or her data.