Nowadays, there will still be companies which are not adapted to the new legislation. If you are not up-to-date with the General Data Protection Regulation (GDPR), you can risk fines of up to Euros 20,000,000 or 4% of the total annual income, and the competent Control Authority in Spain, the Spanish Data Protection Agency (AEPD) will opt for the highest amount. In Letslaw we can help you to be adapted to both the GDPR and the new Local Law in this respect.
How do I know if I do any data processing in my restaurant?
What is personal data? Personal data is considered to be any information about an identified or identifiable natural person. It will be identifiable when the identity of the natural person can be determined, directly or indirectly, through any personally identifiable data, such as, for example, a name, an email address or a location.
Whenever the data is processed to identify a natural person, such as an employee or a provider, you will be processing personal data. Nowadays, restaurants collect a large amount of personal data of the diners who come to eat to the establishment, you also can obtain the data through very different ways, such as, the reservation form on the website, by telephone or in person at the restaurant itself. Restaurants also process personal data of all their employees.
What do I have to do if I install video surveillance cameras?
The image of a person which identify or may identify a persona, it is a personal data that could be used for various purposes. The most common one is to ensure the safety of people, property and facilities, by assuming the processing of personal data.
When an image (personal data) is carried out for security purposes, we have to consider the following values:
- Legitimization: the purpose of video surveillance in a restaurant is to ensure the safety of people, property and facilities, so the public interest legitimates such data processing. Recital 45 of the GDPR provides that if the data processing is necessary for the fulfillment of a mission carried out in the public interest.
- Proportionality: personal data must be collected for specific, explicit and legitimate purposes. That is, the images can only be used for the purpose that has motivated the installation of video surveillance cameras, linked with ensuring the safety of people, goods and facilities.
- Data minimization: the processing data must be appropriate, relevant and limited for the purpose of its used. In addition, the minimization of data is related to the number of cameras that are installed to the aforementioned purpose. That is, the number of cameras must be reasonable.
- Principle of Proactive Responsibility: it is one of the obligations of the data controller that must show and provide evidence of the enforcement of the principles established in the GDPR. An internal document must be prepared, called the Activity Registry, which reflects who is responsible, the purposes of the data processing, the technical and organizational security measures, among others. From Letslaw we offer a suitable advice for the writing of the Register of Activities.
- Report interested parties: the information right should be enforced, providing minimum information in a clear and transparent way by means of an informative badge placed in a visible place.
On the other hand, the images and sounds captured by the video surveillance systems that record images must be canceled within a maximum period of one (1) month from their capture. However, when serious or very serious criminal or administrative violations are detected in the recordings and there is an investigation, they should not be eliminated.
Recommendations to verify if I enforce GDPR in restaurants
In order to ensure that a restaurant is well-adapted to GDPR, it must carry out specific actions that we develop below.
In addition, the interested parties must be informed of all the mechanisms available in order to exercise the rights recognized in the GDPR. These mechanisms should be simple and easily accessible to all interested parties.
On the other hand, the Proactive Responsibility Principle should be enforced. Therefore, restaurants must carry out: (i) an analysis to know the possible gaps and contingencies of the data processing, analyze the risk and the probabilities of that risk; (ii) a record of processing activities in which the technical and organizational security measures are established to guarantee the correct protection of personal data.
Consequently, the enforcement by restaurants, of the current regulations on data protection is not something complex, but necessary. It is interesting to carry out an “ad hoc” adaptation in the sector of the bars and restaurants and for that it is necessary to have an optimal legal advice. In Letslaw we have a team specialized in personal data protection.
We analyze and review all questions on this regulation, in order to report companies about the developments and their consequences in Spain and in the rest of Europe to avoid sanctions.
If you want information about the adaptation of your company, you can contact us.