The Office for Personal Data Protection has recently published a standpoint in which it deals with the issue of the registration of visitors and copying their documents upon entering buildings. The purpose plays a crucial role in these matters, according to the standpoint.
Each of us has probably at least once in our lives encountered a situation where we were required to provide at least part of our personal information when entering certain areas, or respectively buildings, especially our names and surnames, and also the name(s) of the person(s) that we were visiting. From the perspective of the Office for Personal Data Protection, requiring such identification data in this range is quite legitimate when visiting buildings that are not normally intended for visits by the public (office buildings, manufacturing facilities, etc.). According to the Office, the owner of the building is only exercising his right to protect his property and safety in a manner that is proportionate to the nature of the building and other circumstances.
Furthermore, the processing of the above personal data in this range is consistent with Act No. 101/2000 Coll., on Personal Data Protection, when processing is carried out for the subsequent identification of the visitor in an emergency, directly or indirectly related to the visitor’s stay in the building. This could concern, for example, the emergence of property damage or a security/safety incident.
However, we must add that in the opinion of the regulator, it is already beyond acceptable range to require visitors, for no particular reason, to provide additional personal information (home address, etc.). This could result in a breach of the above Act on Personal Data Protection. The Act states that you can only collect personal data corresponding to the specified purpose and to the extent necessary to accomplish that purpose. Breach of the Act would also occur in the case of recording and storing copies of various types of documents and other papers in the possession of individuals, since these documents usually contain other personal information, such as the holder’s signature, his/her marital status, etc.
In this context, it is worth mentioning the existence of a general prohibition on making copies of identity cards and passports, which is embodied in Act No. 328/199 Coll., on Identity Cards, and Act No. 329/1999 Coll., on Travel Documents. There are only two exceptions to this prohibition. The first exception would be where the holder of the document himself expresses specifically and voluntarily his consent to the acquisition of copies. The other case is for copies governed by a special law or international treaty, which the Czech Republic is bound by.
Just as it is necessary to collect personal data only to the extent necessary to fulfil the specified purpose, the administrator of personal data collected may process personal data only in accordance with the purpose for which it was collected. A legitimate purpose is property protection. Conversely, checking the performance of activities of employees in the building should not be regarded as a legitimate purpose.
Another fact to remember is that according to the Act on Personal Data Protection, the personal data of visitors to the buildings may be retained only for the time that is necessary for the purpose of their processing. Usually in these cases it is the maximum period of several weeks.
In conclusion, let us mention that the administrator of personal data should not underestimate the security of personal data collected, since the Act establishes his duty to safeguard such personal data against unauthorised or accidental access within the scope of this Act.