Small meetings under the COVID-19 ordinance in Berlin

Wednesday March 18th, 2020 by Silvan Jongerius

Since March 14, 2020, the Berlin Senate has put emergency measures in place to limit the spread of the COVID-19 virus. While people in Berlin are encouraged to avoid events and meetings altogether, meetings or events, even personal ones, with at most 50 persons may take place when a detailed attendee list is kept.

This list should contain name, address and phone number and is to be kept for four weeks after the event. While containing the COVID-19 virus is very important, we should also not forget about people’s privacy and the requirements under the GDPR. After all, data protection aims at protecting citizens from the misuse of data collected from them, be it accidentally or maliciously carried out by private or public organisations. Therefore, we have created a template, an example privacy notice and usage instructions for anyone organising these smaller kinds of events.

Let’s not forget that, even in times of panic, we should not just throw our privacy overboard. Remember that medical data is additionally protected under the GDPR and that mishandling it can lead to serious sanctions.

Privacy notice & attendance list template

Download our template privacy notice with attendance list here (Microsoft Word, docx).

Below are the specific instructions for the Berlin area (technically the state of Berlin).

Determine if the GDPR applies to your processing activity

The GDPR does not apply to processing activities done by natural persons (i.e. not legal persons or entities) strictly outside of a commercial context (GDPR Recital 18). However, if you are a company or a non-profit organisation, are acting on behalf of either, or are organising an event that may be seen as commercial, and you intend to host a gathering of fewer than 50 people, follow the instructions below to help you comply with both the recent SARS-CoV-2-EindV and the GDPR.


  1. Review the example of privacy information and add your organisation’s details where needed.
  2. Print the list to be filled out by the participants themselves, and print the privacy notice next to it, or set up an online form for this.
  3. Keep the list in a safe place. We recommend putting it in a sealed envelope, with the event date written on it.
  4. Set up a reliable reminder for 4 weeks after the end of the event. At that point, destroy the list (for example using a shredder). Do not keep it any longer, as there is no continuing legal requirement to do so and you may be in breach. If you have collected the information digitally, ensure the complete deletion of the file.

Do ensure that

  • the list serves no other purpose than compliance with the State of Berlin ordinance;
  • the list is not shared with any party other than health authorities (and only upon their request);
  • at the end of the 4-week retention period, you check that the period has not been extended by a new ordinance requiring you to keep the data for longer;
  • the list is shredded/deleted after the retention period.

This information has been composed by Alex Carroll, Maurane Petrella and Silvan Jongerius of TechGDPR and is meant as a helpful tool for companies in Berlin. It comes without any kind of warranty and does not constitute legal advice.
