The Privacy Protection Authority (the "PPA") has published a guideline (the "Guideline") regarding privacy protection of the data of visitors which is collected upon their entering the premises of businesses. The Guidelines provide parameters for stores and businesses which are required by the Emergency regulations (New Coronavirus – Restrictions on Activities), 2020 (the "Emergency Regulations") to ask those persons entering their premises questions about their health. Under the Guidelines, such businesses are required to respect the overarching privacy principles of consent, purpose limitation and proportionality when questioning the visitors.

Under the Emergency Regulations, businesses are required to ask the visitors whether they have been coughing, whether their temperature is higher than 38 degrees Celsius (currently or in the past week) and whether they had close contact with a Coronavirus patient in the past two weeks. It is preferable for the business to also measure a visitor's temperature. Other emergency regulations require businesses to retain certain information about the numbers of persons in the business, the numbers of person who were questioned and the numbers of persons who were denied access. Businesses who take these measures are granted a "purple certificate" allowing them to remain open. The PPA proposes that businesses which gather the statistical information post notices about the same on their premises.

The Guideline provides that businesses should avoid asking further questions from the visitors beyond those included in the specific list required by the Emergency Regulation, such as further questions regarding the visitor's health, or requesting his or her name and id number. Efforts should be made not to identify the visitor. If additional information regarding visitors to the premises is generally collected by the store or business, for example by means of CCTV cameras, such information should not be used for out of the ordinary purposes or transferred to third parties (unless required by law) and should generally be deleted within a few days. Information collected by means of thermometers should not be used for purposes other than prevention of entrance to the premises to sick persons and should preferably not be stored. If thermal cameras are used, they should generally not record data and should only be used on a "real-time" basis.

The Guidelines are available at:

Originally published 7 May, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.