Track and Trace: Staying GDPR compliant

Dan Dowen, Commercial Contracts Associate Solicitor at Berry Smith, provides guidance on how to ensure that your hospitality business can adhere to the Track and Trace programme while still complying with the GDPR

As most people are aware, the UK Government has taken a wide range of measures over the course of the Covid 19 pandemic to appropriately manage the spread of the virus and enable the public to live and work in the safest way possible.

One of these measures, implemented by the Department of Health and Social Care, is the recently implemented Track and Trace programme, which, amongst other elements, requires hospitality businesses to collect and keep a record of a customer or  visitors’ personal data. This personal data must be kept by the business for 21 days. The intention is, of course, that the personal data will be used to identify and contact those who may have been in contact with an individual who has tested positive for Covid-19, hopefully preventing the further spread of the infection.

However, many businesses have struggled with collecting this personal data and are concerned about how to do this without falling foul of data protection rules, which apply whenever personal data is collected.


Dan Dowen, Commercial Contracts Associate Solicitor, sets out below some guidance on how to ensure that your hospitality business can adhere to the Track and Trace programme while still complying with the General Data Protection Regulations (GDPR):

1 – Only collect relevant information.

The Government guidance makes it clear that it is only necessary to collect an individual’s name, address, contact details and time of arrival/ departure.

2 – Use personal data appropriately.

You must ensure that you only collect and use information for the purposes of the Track and Trace programme. Do not use the personal data collected for any marketing purposes to ensure that you are adhering to GDPR’s requirement of fair use of personal data.

3 – Be transparent with customers.

It is commercially beneficial to ensure that your business is being transparent and informative with your customers. Explain to them why their personal information is being collected and assure them that it will only be used for track and trace purposes. This will help maintain and strengthen the relationship with your customers.

4 – Retain, store and dispose of data appropriately.

You must ensure that you store data securely in order to protect customers’ confidentiality.  Your staff should be informed and trained on how to do this.

Furthermore, as you only need to retain data for 21 days, make sure that you erase it after this period in line with government guidance.

Information should not be available for others to access and must therefore be kept secure during retention and disposed of thoroughly after the retention period expires.

How we can help

We, at Berry Smith, specialise in advising on all aspects of Data Protection. We have guided and assisted many clients through various data protection matters and can help your business ensure that it is fully complaint and advise you on how to maximise your efficiency in the most appropriate way.

For further information on GDPR or any commercial matter, please contact Dan Dowen at or alternatively please call 029 20 345511 and ask for the commercial team.

Dan Dowen, Associate