Expert Advice Community


GDPR Data Consent and Storage

Guest user Created:   Jul 09, 2019 Last commented:   Jul 09, 2019


1. Can visitors see information about earlier visitors when they sign in? This is a data privacy breach. Standard signing-in books do not comply with GDPR.


Expert
Andrei Hanganu Jul 09, 2019

Answer:

Visitors shouldn't be able to see who has signed in books before. This would mean that the personal data of the individuals signing in the books is disclosed to unintended recipients and the situation is considered a data breach.

2. What happens if somebody walks off with your visitors’ book? I’m afraid this is also a breach of data security and confidentiality.

Answer:

Walking off with the register will be considered a data breach.

3. If a visitor exercises their GDPR ‘Right to be forgotten’, verbally or in writing, you must erase/delete their personal information. How do you achieve this in your visitors’ book? Rip out a whole page?

Answer:

You could just redact the name of the visitor using a black marker or move to an electronic register.

4. How long does your visitors’ sign-in book sit in your reception?

Answer:

As mentioned before, the registry should not just sit in the reception to be consulted by everyone as that in itself is a data breach. The retention period in this case is something you need to establish by yourself depending on the types and categories of personal data you hold and the reasons for keeping the data. For example you could refer to the statute of limitations period in your local legislation.

5. How is it stored? What happens to the book when it’s full? If used visitors’ books are stored in a desk or cupboard, you’re in breach of GDPR because you’ve kept the information longer than necessary after the visitor has left, especially if they’re unlikely to return.

Answer:

When the register is full you just switch to a new one and archive the old one. Both registers, the one in use and the one which is archived should be kept secure and not made available to unauthorized persons.

6. Do you explain to each visitor how their information will be used, then gain the permission required under GDPR’s ‘Data consent and storage’ requirements before visitors sign your book?

Answer:

You can display a printed Privacy Notice at your reception so everyone can see it and consult. There is no need to verbally inform everyone. You can find more information about Privacy Notices in our free webinar Privacy Notices under the EU GDPR: https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

7. Can you prove that each visitor has given their consent before they signed?

Answer:

You won't be relying on consent as a lawful ground for processing the data of the individuals borrowing or consulting your books. I strongly recommend that you use legitimate interest and in this case providing an adequate Privacy Notice will most likely suffice.

8. Do you need all the information that is stored in your visitors’ book? GDPR stipulates that you can only collect required information. Does the information you need about each person vary according to visitor type? How does your visitors’ book help you manage this? Or does it hold the same information about each person who visits your premises?

Answer:

I don't know what information you are asking from the visitors so I cannot provide you with an accurate answer. However, you need to consider the reason for asking the information. For example, if you only collect the information to be able to count how many people visited you, most likely name and surname will suffice.

If you collect the information to be able to identify with certainty who borrowed a specific book to be able to take legal action to recover the book you may need to collect more information.

All the purposes for which you collected personal data must be clearly explained in your Privacy Notice.

If you want to find out more about the EU GDPR requirements then check out this free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
