For around three months, operators of restaurants, cafés and other commercial operations in Hamburg have been required to collect contact information from their guests due to the applicable Corona regulations. The regulation requires that unauthorized third parties are not allowed to gain knowledge of the data. Even after an initial warning, however, not all innkeepers observe the requirements, so they now have to expect sanctions.
Don’t miss any news! With our daily newsletter you will receive all the news from heise online for the past 24 hours every morning.
Subscribe to the newsletter now
Lots of complaints
According to his own statements, the Hamburg data protection officer, Johannes Caspar, receives complaints from citizens about restaurants with open, freely accessible contact lists “almost daily”. There are also reports of the misuse of telephone numbers for flirt messages or similar private purposes. The supervisory authority therefore carried out spot checks in 100 commercial and catering establishments in June to check whether the data were collected correctly and the requirements for the protection of the privacy of those affected were complied with. There they found inadmissible open lists in a third of the cases.
During follow-up inspections, the inspectors found “that the vast majority of restaurants happily followed the advice on the legal situation and successfully changed the practice,” said Caspar on Friday, relieved. In four restaurants, however, the same grievances still prevailed despite the previous awareness campaign. Therefore, fine proceedings would now be initiated against the companies concerned.
The GDPR enables the supervisory authorities to impose fines of up to four percent of revenues for serious violations. Caspar emphatically appealed to all those obliged to treat contact data confidentially and to comply with the rules for the protection of customers. That should be in the interests of all responsible bodies. You already have one for this Question and answer list as well as detailed information material including a Sample form provided.
A team from the Brandenburg data protection officer, Dagmar Hartge, also recently carried out on-site inspections and found that well over half of 54 cafes and restaurants collected too many data categories and did not adhere to the deletion deadlines. The authority is still examining whether in a few cases “with serious violations” a “formal warning” or further measures are necessary.