One of the requirements introduced by HM Government of Gibraltar during the COVID-19 pandemic is that certain establishments have had to implement new measures which include the processing of personal data of customers and visitors.
This is part of the contact tracing scheme introduced to fight the pandemic.
The Data Protection Commissioner is reminding these establishments that all personal data collected must be processed in compliance with the Government’s regulations and data protection legislation, which require that personal data be used only for the purposes of contact tracing, collected and stored securely, and destroyed after 10 days.
The Data Protection Commissioner points out that all establishments which are subject to the regulations should observe the following:
- Ensure personal data is used in a way that is fair and lawful. This means data must not be processed in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- Ensure transparency at all times. Organisations must be clear, open and honest with individuals and provide information as to their collection and use of personal data, including how and why they are processing the personal data.
- Ensure that only the minimum amount of personal data is processed. Organisations should only collect the personal data which the regulations specify, e.g. the name and contact telephone number of all the customers who have booked a table at the restaurant, cafeteria or bar.
- Avoid keeping personal data for longer than you need it. For example, regulation 12(8)(b) of the Civil Contingencies Emergency (Coronavirus) (Business and restrictions) (No.6) Regulations 2020 specifies that personal data shall be retained for no more than 10 days.
- Ensure the security of processing. Data protection law requires personal data to be collected and used with security measures to prevent personal data from being accidentally or deliberately compromised. This includes protecting data from those persons who do not need access to that data and briefing staff on their responsibilities. It is also important that establishments do not display personal data (e.g. as a paper record) in clear, plain sight of other persons.