Wagamama customers in the UK have allegedly been sent a survey after sharing contact details for Covid-19 contact tracing, The Times reports.
The Information Commissioner’s Office (ICO) is now making enquiries after receiving a number of complaints about the restaurant chain.
UK regulations state that hospitality venues including restaurants must ask at least one member of every party of customers to provide their name and contact details or use a QR code.
A contact phone number, email or postal address should be taken for each customer or visitor, or for the lead member of a group of people, along with the date of visit, arrival time and, where possible, departure time.
Some customers reportedly received a survey after sharing contact details with Wagamama, despite not granting permission.
An ICO spokesperson confirmed: “We have received a number of complaints about Wagamama and we will be making enquiries.”
She added: “The rules are clear. Collecting personal details for customer logs must not be a way to develop vast marketing databases by the backdoor. This type of behaviour risks complaints from members of the public, a loss of customer trust in organisations and potential action by the ICO.”
The Wagamama website states that the company takes “security and privacy very seriously. When you provide your data for test and trace, we will never use it for any other reason”.
If market research is genuine and therefore covered by GDPR (as opposed to direct marketing, which is governed by the Privacy and Electronic Communications Regulations [PECR]), then consent isn’t necessarily required.
However, businesses must be transparent and comply with the GDPR rules. ICO general advice states that information gathered for the purposes of contact tracing should only be used for that purpose. If there is no strong justification provided for using it for another reason, then the processing could be unlawful.
Wagamama did not immediately respond to a request for comment.