Since March 14, 2020, the Berlin Senate has put emergency measures in place to limit the spread of the COVID-19 virus. While people in Berlin are encouraged to avoid events and meetings altogether, meetings or events with at most 50 persons, even personal ones, may take place when a detailed attendee list is kept.
This list should contain name, address and phone number and is to be kept for four weeks after the event. While containing the COVID-19 virus is very important, we should also not forget about people’s privacy and the requirements under the GDPR. After all, data protection aims at protecting citizens from the misuse of data collected from them, be it accidentally or maliciously carried out by private or public organisations. Therefore, we have created a template, an example privacy notice and usage instructions for anyone organising these smaller kinds of events.
Let’s not forget: even in times of panic, we should not just throw our privacy overboard. Remember that medical data is additionally protected under the GDPR, and mishandling it can lead to serious sanctions.
Privacy notice & attendance list template
Download our template privacy notice with attendance list here (Microsoft Word, docx).
Below are the specific instructions for the Berlin area (technically the state of Berlin).
Determine if the GDPR applies to your processing activity
The GDPR does not apply to processing activities done by natural persons (i.e. not legal persons or entities) strictly outside of a commercial context (GDPR Recital 18). However, if you are a company, a non-profit organisation, acting on behalf of either, or organising an event that may be seen as commercial, and you intend to host a gathering of fewer than 50 people, follow the instructions below to help you comply with both the recent SARS-CoV-2-EindV and the GDPR.
- Review the example of privacy information and add your organisation’s details where needed.
- Print the list to be filled out by the participants themselves, and print the privacy notice next to it, or set up an online form for this.
- Keep the list in a safe place. We recommend putting it in a sealed envelope, with the event date written on it.
- Set up a reliable reminder for 4 weeks after the end of the event. At this point, destroy the list (for example using a shredder). Do not keep it any longer, as there is no continuing legal requirement to do so and you may be in breach. If you have collected the information digitally, ensure the complete deletion of the file.
Do ensure that
- the list serves no other purpose than compliance with the State of Berlin ordinance;
- the list is not shared with any party other than health authorities (and only upon their request);
- at the end of the 4-week retention period, the period has not been extended by a new ordinance requiring you to keep the data for longer;
- the list is shredded/deleted after the retention period.
This information has been composed by Alex Carroll, Maurane Petrella and Silvan Jongerius of TechGDPR and is meant as a helpful tool for companies in Berlin. It comes without any kind of warranty and does not constitute legal advice.