The table below contains summaries of the documentation issued by the EU Member States' supervisory authorities in relation to body temperature measurements in the COVID-19 context, as of 21 November 2020. If you have suggestions for content or questions, please contact Olga Gkotsopoulou and István Böröcz. The authors have also published a comparative analysis on the topic, which can be found below:
Böröcz, István and Olga Gkotsopoulou, 'Between masks and curfews: Critical synopsis of the guidance issued by national supervisory authorities on analogue and digital body temperature measurement in the context of the COVID-19 pandemic in the EU', PinG 1/2021 (January 2021).
|Data Protection Authority||Summaries of guidance on body temperature measurement and references|
The Austrian supervisory authority (Österreichische Datenschutzbehörde) provides guidance in the form of a FAQ on its website. According to the understanding of the authority, data on coronavirus infections qualify as sensitive data but as the ultimate goal is to contain the spread of the virus, its processing can be permissible to the necessary extent. The guide relies on the specific guidance of labour law, focusing therefore primarily on the liability of employers, who inter alia have the obligation to exclude health risks in the workplace. In general, the processing of health data for purposes other than preventive healthcare, containment of the virus and therapeutic treatment is forbidden. Respectively, the legal ground for such processing is article 9 (2) b) as per the authority. Overall, data processing should adhere to the principle of purpose limitation. Concerning temperature measurement, the guide does not detail the means (i.e. the measuring tools), but rather places emphasis on the necessity of such measurement. As high temperature is only one of the symptoms, it must be assessed whether there are less intrusive solutions, such as home office, disinfectants or wearing a mask. The guide highlights exceptions, when such measurement is a legal obligation explicitly defined by the Employee Data Protection Act (section 49 ArbeitnehmerInnenschutzgesetz) and there are no less intrusive means available.
On its website the Belgian Data Protection Authority (Gegevenbeschermingsautoriteit/L'Autorité de protection des données) has established a dedicated knowledge centre for COVID-19, including its opinions, advice, FAQ and related links. It also has a separate page for the measurement of body temperature. It refers to the protective measure in general, when an individual enters a building. The technologies mentioned entail the conventional thermometer and digital fever scanners. The Authority emphasises that measurement falls under the GDPR as the temperature of a natural person qualifies as data concerning health. In connection with temperature measurement three scenarios are explained: reading without recording; reading with recording; electronic recording by sophisticated means. In the first case, the data protection framework is not applicable as data is not recorded and filed. However, interference with the right to privacy still occurs, thus general principles still apply. In case of the second scenario, additional recording of information occurs (e.g. in order to justify a refusal of entry) which will be linked to a ‘file’. For example, a student’s temperature is measured by a regular thermometer which does not record data, but the teacher adds a remark to the student’s profile. As such processing has no legal basis, it is forbidden. In the third scenario data is not only saved in a file, but also processed electronically and automated, beforehand by the tool itself. Respectively, the use of advanced digital fever scanners, thermal imaging cameras or other automated systems which measure the level of body temperature in itself constitutes the processing of personal data concerning health and is therefore not authorized.
The Authority mentions four legal grounds, from the list enshrined in article 9 (2) GDPR: explicit consent; obligations and the exercise of specific rights of the controller or data subject in the field of labour law and social security and social protection law; substantial public interest; and public interest in the field of public health. The authority underlines that consent will not be an appropriate legal basis for processing body temperature in most circumstances due to, for example, the potential pressure in dependence-based relationships. As also pointed out by the Authority, currently there is a gap in Belgian law as the general obligation of employers to ensure the safety and health of the employee (art. 20, 2° Employment Contracts Act of 3 July 1978) is not sufficiently specific to be considered as a legal ground which allows the processing of sensitive data. Therefore, systematic temperature checks involving the processing of personal data are currently forbidden.
The Authority also points out that measuring fever is only partly effective, as COVID-19 does not always result in fever and fever does not always indicate COVID-19.
The Commission for Personal Data Protection published specific guidelines to employers concerning the pandemic, but not explicitly in connection with body temperature measurement. Regardless, a general rule applies to employers, saying that employers are obliged not to allow employees and other persons with acute infectious diseases at the workplace. To that end, they are allowed to process personal data, considering of course the provisions of the GDPR. For example, mandatory collective tests to identify infected employees are permissible in case the balancing test suggests that the legitimate interest precedes the rights and freedoms of the data subject.
The Croatian Data Protection Authority (Azop) has a separate page on its website for COVID-19 related information. Overall, the authority supports the measures to be taken to address the pandemic and points out that the processing of personal data should be designed to be in the service of humanity. Employers are allowed to process health data (while adhering to the relevant data protection rules). Concerning thermal cameras that measure a person's body temperature, the Authority published its opinion on 6 October 2020. According to it, recordings can qualify as sensitive data and thermal imaging constitutes a data processing operation, therefore the GDPR is applicable. It also points out that digitally stored recordings and the monitoring of the condition of employees and patients is questionable from a data protection point of view, with particular attention to the principles of data protection. The Authority refers to the storage of the results of the measurement as measured fever is in itself indicative of following the instructions of epidemiological services without the need to use data and to monitor the condition of individuals.
The Cypriot DPA published a statement on the issue of body temperature measurement on 24 April 2020 and confirmed its previous guidelines with an updated statement on 5 August 2020. Temperature measurement data constitute sensitive data relating to health, hence their processing is allowed based on Article 9(2) GDPR.
The use of thermal cameras and/or body temperature systems is allowed only if there is a legal basis and the processing takes place in line with the principles of purpose limitation and data minimization. The same remark applies when measuring the temperature of customers entering stores or employees accessing their workplaces. Given the variety and the technical characteristics and capacities, the DPA emphasizes that data controllers shall make an informed and careful decision concerning the selection of thermal cameras to install.
The Office for Personal Data Protection provides guidance on its website in the form of a FAQ. The authority underlines that measuring the body temperature of employees, or other people entering the workplace, using thermal cameras or scanners containing a temperature sensor, is a certain and unprecedented intervention in the personal integrity of a person with a possible impact on personal rights in the event of non-admission to the building. Respectively, the FAQ addresses primarily employers, who are obliged under the Czech Labour Code to undertake preventive steps to make sure the working environment is safe, including the acquisition of the necessary information regarding the medical condition of the persons present in the workplace. To that end, employers can implement necessary protective measures, but with the cooperation of respective authorities. Measuring body temperature is one of those. It is suggested that such measures be carried out by qualified experts. The Authority emphasises that using thermal cameras or frames containing a temperature sensor is a certain and unprecedented intervention in the personal integrity of a person with a possible impact on personal rights in the event of non-admission to the building. The GDPR becomes applicable once the data is recorded and further work is carried out with data on elevated body temperature in conjunction with other data enabling the identification of the person whose body temperature was measured. Although such measurement is not an explicit legal obligation, it can be considered as a legitimate interest of the employer within the meaning of the GDPR but should be based on prior consultation with health professionals. According to the Authority, this allows the processing of health data for the exercise of special rights in the field of labor law. However, the necessity of such a measure should be continuously assessed, and once the emergency is over, it should be stopped.
In its opinion the Danish Data Protection Authority (Datatilsynet) considers the recording and disclosing of health data in connection with COVID-19 justified as it allows employers to take necessary precautions. The importance of legitimate grounds and purpose limitation is emphasised by the authority as well (particularly concerning the employers). The authority expresses the need for vigilance from the employers concerning data processing in connection with COVID-19. Unfortunately, there is no specific guidance concerning temperature measurement.
The Estonian Data Protection Inspectorate (AKI) provides guidance on COVID-related data processing on its website. The Authority emphasises the importance to adhere to the principles enshrined in the GDPR and the obligation of employers to ensure the health and safety of their employees. Data protection should not hamper the realisation of this task, thus the data minimisation principle is expected to be put in practice, i.e. interference with employees’ privacy should be minimised. Concerning the processing of sensitive data, legitimate interest is not sufficient, the controller should rely inter alia on consent. The Authority suggests that employees should share the relevant information with the employer to facilitate the protection against COVID-19 under the auspices of mutual understanding and cooperation. Respectively, the employer does not have the right to measure the employees’ body temperature unless it is based on a mutual agreement and justified by an emergency to prevent the spreading of the disease.
The Office of the Data Protection Ombudsman provides a FAQ on its website. The Authority reminds data controllers of the importance of adherence to data protection laws even during the COVID-19 pandemic. Respectively, processing personal data to fight against the epidemic is permitted and both the Finnish Act on the Protection of Privacy in Working Life and Communicable Diseases Act can be applicable. According to these laws medical checks targeting the employees’ state of health are permissible when carried out by healthcare professionals and trained personnel or under the supervision thereof. This provision includes inter alia body temperature measurements. When the high body temperature suggests the presence of COVID-19, the employee can be asked not to enter the premises. Respectively, such action is discretionary, but may not be discriminating, and taking e.g. body temperature could only be based on a data subject's consent.
In France, employers must implement protective measures for the health and safety of employees (in accordance with the Labor Code and the texts governing the public service (particularly articles L. 4121-1 and R. 4422-1 of the Labor Code or the decree n° 82-453 of May 28, 1982 modified)). Since the beginning of the pandemic CNIL published a series of ‘reminders’ to data controllers about data protection law in the context of a pandemic, with special attention to principles and the processing of data concerning health. The High Council of Public Health also recommended not to set up screening for COVID-19 by taking temperature in the population. Respectively, as a general rule, employers are forbidden to take measures likely to infringe the rights and freedoms of the data subjects, in particular by collecting health data for purposes other than the management of suspected exposure to the virus in a systematic way or through individual requests. This prohibition entails temperature readings of employees or visitors as soon as they are recorded in an automated process or in a paper register, as well as the use of automated temperature sensing devices, such as thermal cameras. However, CNIL acknowledges that when data recording does not occur, the GDPR is not applicable. Regardless, the Authority refers to the opinion of the General Directorate of Labor, according to which systematic screening of the employees is forbidden. Only competent health workers are permitted to process health data through medical questionnaires or medical tests. Respectively, such prohibition for employers also entails the prohibition of mandatory body temperature measurements using automated temperature sensors, such as thermal imaging cameras, and the recording of the measured data digitally or on paper (as per Article L. 1321-5 of the French Labor Code).
The CNIL points out that smart cameras, which can detect presence or compliance with social distancing and mask-wearing rules, are usually not GDPR-compliant. However, temperature measurement without the processing of personal data (i.e. without recording the information) is permissible for employers. CNIL recommends that citizens carry out the measurement themselves in case of presumed fever or COVID symptoms.
On 10 September 2020, the Decision of the Conference of the Independent Federal and State Data Protection Supervisory Authorities about the use of thermal imaging cameras and electronic temperature recording was published. The report is a comprehensive study of the data protection implications of the matter in Germany, providing a full analysis of applicable lawful bases and limitations. Emphasis is put on the fulfilment of the principle of data protection by design and data security. The following parameters are key for the data controllers and manufacturers:
German state authorities have also published their own opinions and guidance. The Nordrhein-Westfalen authority (Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen) published a general FAQ on 25 March 2020, which also addresses the issue of processing body temperature data. To the question “Can an employer ask employees about symptoms of a possible corona infection?”, the authority argues that symptom surveys are permitted but only if they are limited to typical symptoms of a COVID-19 infection and there is an increased risk of infection among the employees. However, it notes that even though cough and fever are common symptoms, there is currently no symptom that clearly indicates a corona infection. To the question “Can the employer take body temperature measurements of employees?”, the authority replies that contactless temperature measurements installed at the entrance of company premises or other buildings can be justified only under strict conditions and shall be assessed on an individual basis, for instance whether there are already cases of infection or the company is located in a high-risk area. Recording the temperature measurements is not necessary. The authority also suggests that the measure could be implemented based on the consent of the employees. Employers are advised to consult their employees, employee advocacy councils and data protection officers, and invest in transparency with internal regulations.
The Hamburg authority (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) has published a FAQ, which it regularly updates. In the version as of 29 September 2020, the authority emphasises that in the employment context, in principle, the employees are not obliged to disclose symptoms to their employer. However, in the exceptional current circumstances, the employer’s duty of care may require that the employer question its employees, based on the condition of Art. 9(2)(b) GDPR, if the design of the workplace is such that an infection spread is expected. For instance, in workplaces with close contact or facilities important for the care of the population such as hospitals, body temperature measurements and symptoms inquiries may be permitted. It is not necessary to store information about symptoms or body temperature. It is sufficient to log the information that a person has been asked to refrain from going to their workplace for a defined period of time due to an entrance check. As for customers and visitors to stores, it is not permitted to ask about symptoms. The entities are only required to warn the persons, by means of written or pictorial notices, to refrain from entering if they suffer from symptoms of an acute respiratory disease. Denial of access is only required by law if the person does not wear a mouth and nose cover or reports to be COVID-19 infected (no documentation is allowed). The authority challenges the efficiency of symptom questionnaires and screenings. In the case of customers and visitors, it suggests that in the exceptional circumstance they are used, only the consent of Art. 9(2)(a) GDPR can be considered, but yet entry cannot be dependent on it. The same applies for thermal imaging cameras and digital thermometers which can only be offered at best as a voluntary service.
The Hellenic Data Protection Authority published a set of general guidelines, including references to temperature measurement by automated, semi-automated and manual means on 18 March 2020. The Authority reminds that “the legislation for the protection of personal data applies, in line with Art 2 par. 1 GDPR and Art 2 of the Greek Implementing Law 4624/2019 in the fully or partially automated processing of personal data, as well as in the non-automated processing of such data which are included or are intended to be included in archiving system. The scope of application of the GDPR is determined in a binding manner by Article 2 par. 1 and it cannot be extended by provisions of the national legislation.” The authority highlights that no activity can be prohibited in advance during this critical and unprecedented situation, as long as it takes place in line with the authority's guidelines, the principle of accountability and Articles 5 and 6 GDPR.
The body temperature measurement at the entrance of a workplace is considered onerous for the data subject and can only take place, if other available and appropriate measures have been excluded. However, collecting personal data in a systematic, continuous and generalized manner, regularly updating the employees’ health profiles could hardly be justified from a proportionality point of view.
The employer is obliged to ensure the health and safety of its employees and the employees are obliged to observe the safety rules and report immediately to the employer or/and the occupational physician all situations which may risk safety and health.
The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) provides COVID-related guidance through two opinions. Published in March, the Authority’s opinion stresses the importance of compliance with data protection laws and that COVID has not changed this requirement. The reduction of invasiveness is expected to be the prime consideration of data controllers, as well as the legitimate interest assessment and the information provided to the data subject. The opinion addresses employers in detail. They are allowed to collect travel-related data through questionnaires, based on the legitimate interest of the controller. However, the employer is not allowed to ask about the medical history of the employee, request the enclosure of health documentation or collect information about potential symptoms. Concerning medical examinations, any “requirement of screening tests with any diagnostic device (in particular, but not exclusively, with a thermometer) or the introduction of mandatory measurement of body temperature generally involving all employees called for by a measure of the employer” is deemed disproportionate and is forbidden. Such tests can be performed, however, with the involvement of health care professionals. The legal ground thereof is art 9 (2) b) of the GDPR, as the Hungarian Labour Code requires the employer to ensure a healthy and safe work environment.
The Authority continued its work and in October, it revised its opinion published in March (introduced above). The main change is the acceptance of the body temperature checks. Due to the continuing emergence of COVID-19, the Authority now deems it a proportionate response. Such change was induced by the provision of the Government Decree 431/2020 (18 September) which requires the body temperature checks in public education and vocational training institutions and that everyone who intends to enter the building shall undergo such check mandatorily. Such checks are acceptable only if 1. used before the entry to the data controller’s premises, 2. everyone is subject thereof, without discrimination, 3. there is no identification, as well as registration, storage or transfer of data. Only statistical information can be collected from the checks. Even though the measurement of body temperature does not entail the recording of data, the GDPR is applicable, with special attention to the principle of purpose limitation and the Authority requires adherence thereto. The Authority also points out that having a high body temperature does not necessarily indicate that the person has COVID-19.
As per its guidance published on 6 March 2020, the Data Protection Commission (DPC) is rather supportive concerning the adoption of protective measures against COVID. Organisations are encouraged to adopt and execute various (efficient) mitigation plans. As per the DPC, “Data protection law does not stand in the way of the provision of healthcare and the management of public health issues”. However, the Authority emphasises that processing of personal data in this context should be necessary and proportionate, should consider principles such as lawfulness, transparency, confidentiality, data minimisation and accountability and follow the guidance of public health authorities or other relevant authorities. DPC reminds data controllers that the identity of the data subject should not be revealed to third parties without justification. Similarly to other countries, employers in Ireland have the legal obligation to protect their employees (enshrined in section 8 of the Safety Health and Welfare at Work Act 2005). This obligation forms the legal basis of the processing of health data, enshrined in Article 9(2)(b) of the GDPR. Concerning temperature measurement, the guidance suggests that “implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.” Respectively, the DPC remains supportive but overall vague concerning this measure.
The Garante per la protezione dei dati personali published on 2 March 2020 its statement ‘Coronavirus: No do-it-yourself (DIY) data collection’, available in both Italian and English, where it disapproved in principle of the collection of information about COVID-19 symptoms by private and public employers concerning the employer and its close contacts. Specifically, employers must refrain from collecting such information in a systematic and generalized manner, whether through specific requests or unauthorized investigations. It reminds that the prevention of the virus spread is the responsibility of the healthcare professionals and the state civil protection authorities. The employee is nevertheless obliged to inform the employer in case of risk for the workplace health and safety, in line with the state instructions, especially if working in public administrations. Of particular importance is that an employee who is in contact with the public, for instance someone working at a service desk, shall ensure to inform the competent authorities when encountering a suspected case and take the instructed measures. The employer may facilitate such communications by the employee and also contact the competent authorities in case of health hazard.
Later on, the Garante published a FAQ concerning corona-related questions, which is regularly updated, where it specifically addressed the questions ‘May an employer take the body temperature of employees, users, suppliers, visitors and customers at the entrance of their premises?’ and ‘In the emergency period, may the body temperature of passengers at airports be taken?’ As for the first one, the Garante states that regulatory measures and guidance were adopted in the country in order to allow for urgent measures. In this regard, employers who continued their operations during the lockdown had to comply with a number of measures, including the measurement of body temperatures of employees to determine their access policy to the premises. The measure would also respectively apply to the users, visitors, customers and suppliers of the business, as long as another access control scheme is not envisaged. Since the measurement of body temperature in real time, if it can be associated with the data subject’s identity, constitutes processing of personal data in line with Art 4(1), the authority underlines that recording body temperature data is not permitted. What may be recorded is a) the fact that the temperature is higher than the threshold laid out in the emergency regulation and guidance and b) that this is the reason for refusing access to the workplace, in line with the principle of data minimization. By contrast, it is not necessary to document this information as a reason for denying access to a customer or occasional visitors, even if the temperature is higher than the set threshold.
As for the second question about airports, the possibility of carrying out body temperature checks on all passengers of European and international flights arriving at Italian airports is provided for in the emergency regulations and guidance.
|Latvia||In addition to the information provided by the Latvian state concerning coronavirus, the Data State Inspectorate has published general guidelines, in the form of FAQ, including questions about temperature readings in the workplace. The authority suggests that in the context of prevention, an employer may measure the employees’ temperature to determine whether they can enter the workplace. However, the employer is not allowed to accumulate, combine, store or further use such data.|
The State Data Protection Inspectorate of Lithuania has published a number of general guidelines including its views about temperature measurement in the context of employment, educational institutions and other public and private entities, in Lithuanian and in English. In its guidance in English of 16 March 2020 and in Latvian of 24 April 2020, the inspectorate stresses that data controllers should refrain from the collection of temperature readings, medical certificates and any other kind of information regarding health status from staff or visitors, as this does not constitute an obligation of the employer.
On 14 April 2020, the authority published specific guidelines about the processing of health data in the employment context following the entry into force of the Labor Code amendments regarding quarantine. It puts particular emphasis on Article 49 (31) of the Labor Code, which appears to be falsely interpreted by many data controllers as an obligation to regularly collect and record the health data of their employees concerning body temperature and other signs of infection. The inspectorate underlines that the amended code does not impose such obligation and thus, such processing may be incompatible with data protection law.
On the other hand, it states that, if an employee suffers from an illness that could threaten the safety and health of her fellow employees, she should inform the employer. In line with data minimization, employers shall be provided only with the necessary information, that would enable them to take the necessary measures, including the possibility for remote work. The employer shall not indicate the employee’s illness in the proposal for remote work, but instead a ‘less intrusive’ reason, such as the protection of the health in the office.
Moreover, the inspectorate highlights the importance for an employer to take active steps to provide information to its employees about the current situation and to ensure organisational safety measures, as well as to instruct its employees about their personal obligation to measure body temperature, monitor their health and inform their employer in case of a COVID-19 confirmed or suspected infection.
On 11 June 2020, the Luxembourgish Commission for Data Protection published its recommendations in English about the processing of health data in the COVID-19 context, including information about temperature readings in the workplace and other establishments that accept visitors and customers and provides guidelines in the context of health and safety obligations for employers and employees.
On the one hand, the authority reminds that in a professional context, both public and private entities have a legal obligation to guarantee the health and safety of those present in their premises, and employers are allowed to process personal data in accordance with GDPR when it is strictly necessary to comply with their legal obligations, for instance if the data have been requested by the competent health authorities. Those obligations are enumerated by the authority as follows: to implement organisational measures, training and information measures, and measures for the prevention of professional risks. The Luxembourgish authority explains that the only data that can be processed are: “the date, the identity of the person, the fact that the person has stated that he or she has been contaminated or suspects it, as well as the organisational measures implemented” and some of this information may be transmitted by the employer to the Health Inspection. The identity of the person who is suspected to be infected must not be disclosed to other employees or agents. No public or private entity can keep files of the body temperature of their employees or agents or diseases (the “comorbidities”) which may be aggravating factors in the event of a COVID-19 infection and it is not part of their role to carry out any kind of investigations or “contact tracing”, which is the exclusive task of the Health Inspection.
On the other hand, employees must inform their employer if they suspect possible infection, in line with Article 2 of the Grand-Ducal Regulation of 17 April 2020 introducing a series of health and safety measures in the workplace in the context of the fight against COVID-19, especially when there is a reasonable risk. The authority also mentions that during the extraordinary circumstances imposed by the pandemic, the infected employee – if the latter comes in contact with other persons, including colleagues and the public – should inform the employer every time he or she suspects that there has been exposure to the virus (compared to the normal circumstances, where it is sufficient for the employer to be notified solely about the incapacity of the employee to work and no other information regarding health shall be provided). If the infected employee works remotely or in an isolated way which eliminates the risk of exposure for others, the possible exposure and the request for sick leave shall be processed under the usual procedure.
Specifically about the measurement of temperature at the workplace entrance in a systematic manner, the authority reminds that it is not its task to explore the labour law implications of such decision, but that the employers should consider that fever is not a systematic symptom of COVID-19 or could be caused by another infection, which would thus interfere with the employee’s privacy.
However, it underlines that temperature measurement of visitors and employees/agents without recording the temperature data linked to an individual, or where the data are not intended to form part of a filing system, does not constitute processing under GDPR. Taking the temperature manually, with no record kept (“no trace of it is recorded”), is not subject to GDPR. According to the authority, equally, “the use of thermal cameras for preventive purposes, which under no circumstances allows for the identification of employees, agents or visitors who are visible in the field of vision, without recording and without the possibility to reuse the images, does not fall within the scope of the GDPR. It would be otherwise, if the employer were to create a file containing all the temperatures taken and the data concerning the identity of the controlled persons, or if the employer could view the images of the thermal cameras and identify the data subjects. Unless it is provided for explicitly by law, such processing activities would be disproportionate, as they would not respect the principle of data minimisation, given that less intrusive measures could be implemented by the employer in order to ensure the health and safety of employees at their workplace.”
Lastly, the Commission emphasizes that only healthcare professionals may process notes or questionnaires concerning health status, and the employers must refrain from “a systematic, blanket collection of information or [through] individual enquiries or requests” concerning symptoms of the employees or other persons (close contacts, external agents).
The Information and Data Protection Commissioner of Malta published on 29 July 2020 general guidelines about the disclosure of health data in the context of occupational medicine and assessment of working capacity. In line with it, the employer may be able to process personal data relating to health based on the exception introduced in Art. 9(2)(b) GDPR and the occupational health practitioner based on Art. 9 (2)(h) GDPR. Even though there is no specific mention about temperature readings, it could be assumed that temperature is included in the medical information that could be processed in the employment context.
Back in April 2020, the Dutch DPA reported that temperature measurement as an access control system appeared to be common practice among businesses. The authority has also published detailed FAQs, focused on temperature as personal data with particular emphasis on the employment and business context. In those FAQs, we read that the temperature of a person, when used to allow access to the premises of a business or a workplace, will usually constitute personal data. The rationale is as follows: “the temperature results will often have to be passed on and recorded somewhere to allow or deny someone access, either in an automated way or a manual way (including the opening of gates or a green light based on the measurement data).” Moreover, an individual’s body temperature is a “medical fact” and as such, the temperature is to be considered a special category of data relating to health. However, the reading of a temperature on a thermometer without the intention to record and further use those data, and without any automated processing following it, in itself falls outside the GDPR scope. This would be the case if the employer only provides the employees, visitors and customers with the possibility to measure their own temperature.
Thus, the authority states that in the case of employees and visitors (a visitor is defined, for example, as a truck driver who has to unload their cargo), it is forbidden to measure and record their temperatures during the corona outbreak, despite the existence of consent, because such consent would be invalid due to the power imbalance in the employment relationship. As for customers, the temperature measurement is allowed only with the valid consent of the customer and their explicit consent for the processing of their medical data. In other words, if the customer refuses to consent, she shall not be denied entry and should be offered an alternative. The existence of other places which provide the same service is not an alternative and does not entail free choice.
The Dutch DPA also highlights that even if a case of temperature measurement is not covered by GDPR, there still is a possibility for serious privacy violations. For instance, if a person is denied access to a building following a temperature measurement, people who witness the scene may conclude that the person is sick. Thus, this would have been a disclosure of personal data of the individual relating to his/her health.
The authority also suggests that health data shall be processed only by a company doctor and reminds that there is no evidence about the measure of temperature readings. Lastly, concerning the possibility for businesses to ask their customers questions about their health status, the business operators are allowed to do so, but they are not allowed to record the answers.
The Polish DPA published general guidelines with respect to the processing of personal data on 12 March 2020, which were followed by special guidelines about the processing of body temperature measurement data on 5 May 2020 and guidelines about educational facilities, with reference to temperature readings, on 1 September 2020. Specifically concerning employees’ and visitors’ data, the Polish DPA argues that the GDPR does not oppose the processing of health data by the employer, either with respect to temperature measurement or the use of a symptoms questionnaire. The body temperature of a given person is special category personal data when this information is recorded, transferred and collected. Hence, the authority refers to the exception introduced by Article 9 (2)(i) GDPR, which allows for special categories of data to be processed if necessary for reasons relating to public interest in the field of public health including the protection against serious cross-border health threats, if required by law, and to the emergency Act of 2 March 2020 and in particular Article 17, which allows the Chief Sanitary Inspector to set out and impose measures on employers and businesses with respect to the combat against COVID-19. Those measures proposed by the Inspector through a formal decision could also include the adoption of temperature measurements of employees and visitors entering a workplace or obtaining statements about their health status. The Prime Minister, after a special procedure, can also issue administrative orders which are enforceable immediately and do not require justification.
Thus, the employers and businesses would process personal data regarding health under Article 9(2) and Article 6(1)(d) GDPR. The authority also cites Recital 46 GDPR, indicating that processing of personal data should also be considered lawful in cases where it is necessary to protect vital interests of the data subject, e.g. when processing is necessary for humanitarian purposes, including monitoring of epidemics and their spread. In the employment context and the relationship with a public entity, consent of the data subject (Article 9(2)(a) GDPR) cannot be considered valid, due to the clear imbalance between the data controller and the data subject. Since the legal regulations do not set the temperature threshold which would give rise to the conclusion that an employee may be infected with COVID-19, only the sanitary services can set such a threshold and not an employer, who would therefore have to wait for the sanitary services’ guidance on the matter.
The Polish DPA puts particular emphasis on the provision of information to the data subject about the data processing and indicates that the data subject shall receive this information at the latest at the time of the collection. However, a full version of the information should be available inside a questionnaire, and additionally at the reception desk, the office notice board or the website of the entity.
Concerning the processing of body temperature data at schools, the school principals are responsible to establish a preventive health care unit on the basis of an agreement with a medical entity. This medical entity will be the data controller of the health data contained in the medical record of the students, who receive primary healthcare at school.
The Portuguese DPA published guidelines concerning the processing of health data of the employees, including body temperature data, on 23 April 2020 and, less than a month later, on 19 May 2020, specific guidelines about the processing of body temperature data in educational establishments. On 12 May 2020, the authority was also called upon to answer a parliamentary request on the authority’s previous guidelines regarding the measurement of employees' body temperature.
In the employment context, the Portuguese authority reminds the employers to refrain from the adoption of measures which have not been advised or ordered by the competent health authorities. The collection and recording of body temperature data of the employees constitutes health data, and further qualifies as processing, as it relates to identified natural persons. In principle, the employer does not have access to this information. In the exceptional situation during the pandemic, an employer cannot collect and record the body temperature of employees or any other information regarding their health status, as the emergency legislation and its subsequent acts have not authorized such measures and they do not have another legal basis. The monitoring of body temperature can be performed, under national law, only by the health authorities or the employees themselves in a self-monitoring way. The authority concedes that during the lockdown exit measures, the collection of information about an employee’s health status can only be legitimate if performed directly and exclusively by the occupational physician, with the sole purpose to adopt the appropriate measures to safeguard the health of the employee and third parties.
In the educational context, the authority recalls that the emergency act does not recommend the body temperature measurement of the students. An educational establishment cannot introduce innovative restrictions of the right to privacy and data protection, which can only be limited by law. The consent of a student or their legal guardian to body temperature measurement is only valid if no warning or communication of negative consequences in case of denial occurs. The educational establishments which provide a legal basis for such processing shall further demonstrate how they implement the data protection principles, in particular the adequacy and necessity of the processing, taking into account the percentage of asymptomatic patients and patients without fever or persons with elevated body temperature due to other causes.
In the Decree 9/2020 of 21 November 2020, Article 5 refers specifically to the conditions of body temperature measurement in the COVID-19 context. Body temperature measurements via non-invasive means can take place, under the condition that no identification is possible (unless expressly authorised) and no records are kept. If the person refuses to undertake the measurement or their result is above a set threshold, the individual can be denied access to the premises.
The Romanian DPA has not published an opinion specifically about body temperature data. Nevertheless, it published a statement about the processing of health data on 18 March 2020. According to it, in the context of the pandemic and the emergency state, processing of health data can take place under Article 9(2)(b) GDPR, when processing is necessary for fulfilling obligations and exercising rights of the controller or the data subject in the field of employment in so far as it is authorized by Union or Member State law and pursuant to appropriate safeguards, or the processing is necessary for the purposes of preventive or occupational medicine; under Article 9(2)(i) GDPR, when processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health; under Article 9(2)(a) GDPR, with explicit consent of the data subject; or, under Article 9(2)(e) GDPR, for other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security.
The processing of non-sensitive personal data can take place in compliance with Article 6 GDPR. The disclosure of the name and the health status of an individual in the public space can occur with the consent of the individual.
Emphasis is given to the provision of information to the data subjects, for instance via the data controller’s website and to the adoption of security measures.
The Slovakian Office for Personal Data Protection has published an opinion about measuring the temperature of employees and potential visitors at workplaces. The opinion also refers to the state guidelines on how to process body temperature data from 30 March 2020.
The authority highlights the importance of the principles of adequacy and data minimization. It admits that the processing of a natural person's temperature data (health data) falls under Article 9 of the GDPR. The authority decided that in this case, it is Art. 9 par. 2 (i) that regulates the processing.
One official measure has been issued since then, which imposes body temperature measurements at the entrance of hospitals and industrial establishments. The authority notes that the data controller shall use the least invasive devices and the measures should not last longer than the end of the exceptional situation.
According to the state guidelines, body temperature measurements should be performed by a certified non-contact medical thermometer. Persons entering the workplace with increased temperature up to 38 °C are sent to home isolation with a recommendation to self-monitor their health status. With a temperature of 38 °C or higher, depending on the severity of the clinical symptoms, the person shall be referred either to home isolation with a recommendation to monitor their medical condition and contact their general practitioner, or, in the event of sudden deterioration or a life-threatening condition, the employer contacts the emergency services without delay. Records of employees whose temperature has been measured are kept, with a report to the workplace management.
The guidelines also describe the protocol to be followed in case of a patient entering a hospital with increased body temperature.
The Information Commissioner of Slovenia has published a series of opinions on the topic of body temperature measurements, focusing on the use of thermal imaging cameras. On 12 May 2020, it published an opinion about the installation of cameras at the entrances of banks, on 26 May an opinion about the installation of cameras in front of stores, on 21 May a general opinion about thermal imaging cameras and on 23 September 2020 an opinion about thermal imaging cameras and the observation of employees’ working hours.
The Slovenian Commissioner points out that, despite the fact that many manufacturers of thermal cameras claim that their systems are fully compliant with data protection law requirements, “no technology alone can ensure compliance with data protection rules in advance”, as a case-by-case assessment is always necessary to determine compliance. The main purpose of thermal camera use is to identify the individual with an increased temperature and take action, thus this would inevitably be processing of personal data. Private and public entities are not allowed to measure the temperatures of their employees or visitors, as this amounts to processing of health data, which is in principle prohibited, unless one of the exceptions of Article 9 applies. The authority stipulates that data controllers who wish to introduce such a measure should first consult with healthcare professionals or their provider of occupational medicine as to whether body temperature measurement would be necessary, appropriate and justified, to what extent, and whether data retention is advisable and for how long. It is then the data controller’s responsibility to comply with all the data protection principles.
As to whether an employer can use thermal cameras to keep a record of its employees’ arrival times and working hours, the Slovenian authority reminds that keeping records of working hours with the use of video cameras cannot happen without processing biometric data, presumably facial characteristics. The use of biometric data for the purpose of recording working hours is in principle not allowed, as it is a rather invasive practice provided that there are other less intrusive and equally effective measures achieving the same purpose.
As for the installation of thermal cameras in front of stores, the Slovenian authority implies that the use of cameras is considered processing of personal data, because the purpose of temperature measurement is directed towards a particular individual. Such processing can be less or more intrusive, based on who deploys the system, and thus it would result in different data protection implications. The authority underscores that, if the temperature measurement is voluntary and the reading is only shown to the concerned individual and neither stored nor consulted by anyone else, then this operation may not even qualify as processing. In that case, the system operation is comparable to that of a conventional thermometer. However, additional organizational and technical arrangements may be needed to ensure that the measured temperature is only visible to the concerned individual and not to other visitors who happen to be nearby. The authority recommends transparency even in the case that the operation is not considered processing of personal data.
Concerning the implementation of thermal cameras in front of banks to measure the temperature of employees and customers, the Slovenian authority reminds that it is not possible to give a uniform opinion in advance for all different cases. It suggests that according to labor law, an employer in principle is not permitted to process their employees’ health data, including data about body temperature. The processing of such data is in general prohibited, unless a particular exception of Article 9(2) GDPR applies. During the COVID-19 pandemic, where both the public health and the health of individuals are at stake, processing of special categories may also be necessary for the protection of the vital interests of employees, the legitimate interests of society and also in the public interest. However, this is a question that must be answered primarily by a health professional, in particular occupational medicine. The employer therefore shall assess, in consultation with the competent authority and health professionals, the necessity and proportionality of the measure, the target of the measure (all employees or only certain employees), the necessity and appropriateness of storing this information, and whether other less intrusive and effective measures exist, such as informing individuals that they shall not enter the premises if they have certain symptoms.
The authority states that it is not competent to give opinions on the justification of measuring the temperature as an intervention in the individual's body, as this is an assessment that must be done by medical professionals.
The Spanish authority posted on 18 March 2020 on its website a report from the state legal service about the processing activities relating to the obligations of controllers from private and public entities to report on workers infected with COVID-19 (in English). On 30 April 2020, it published a communication about body temperature measurements and on 7 May, a full study on remote technologies introduced in the context of the coronavirus pandemic, including infrared cameras. The authority is particularly concerned about the implementation of body temperature measurement tools in a generalized manner and in various contexts.
The authority draws specific attention to thermal cameras which aim to read the temperatures of individuals, using artificial intelligence algorithms to identify human faces and distinguish them from other elements of an image.
The authority assessed body temperature measurement systems from two aspects: whether they represent a privacy threat and whether they offer a considerable benefit during the pandemic. Concerning the first question, it stresses that installation and use of such devices requires the prior assessment by the competent health authorities and can never rely on a ‘spontaneous’ decision of the manager of a public space. The use of such tools can entail serious threats, including a risk of discrimination, stigmatization, public disclosure and leaks of health data and potential conflict with those who perceive the measure as an attack against their rights and freedoms. The Spanish authority further argues that taking a temperature constitutes a particularly intense interference with the rights of those affected for three reasons: a) the body temperature constitutes health data, which can give rise to assumptions about whether a person is a carrier or not of a specific disease (coronavirus), b) the body temperature measurement in public spaces may disclose to third parties information about the health status of another individual, and c) depending on the context, the possible denial of entrance to an area can have a significant impact on the person affected.
Concerning the second question, the Spanish authority reminds that, even though fever is one of the most common clinical signs of a symptomatic COVID-19 infection, it is not an exclusive COVID-19 symptom, and measures based on it ignore the high number of asymptomatic cases. When body temperature tools are used without the guidance of health authorities and by untrained staff, they can result in a ‘false sense of security’, magnifying the risk of new infections. Nevertheless, those tools could be useful in some environments, as part of a more extensive framework of checks and guarantees and in line with GDPR.
Subsequently, in case of use of body temperature measurement tools, the authority urges that their application be in line with a prior assessment by the competent health authorities with respect to their intrusiveness, necessity, proportionality, efficacy and justification, in line with scientifically established criteria and in a coordinated manner. A legal basis is necessary for the processing of special categories of data, including temperature data: consent cannot be a valid legal basis in most cases, since the affected persons would not be able to refuse to undergo a measurement without a detrimental effect. In the employment context, the possible legal basis could be found in the obligation of the employers to guarantee the safety and health of the employees at their service in work-related aspects. This obligation would serve both as an exception that allows the processing of health data and as a legal basis that legitimizes the processing of special categories of data. Another basis could be found in the general interests in the field of public health (Article 9(2)(i) GDPR). Nevertheless, the use of the legitimate interest is excluded for two reasons: a) no Article 9 (2) GDPR condition allows to lift the prohibition in case of legitimate interest, unless in certain matters contemplated by the law of the Union or of the Member States; and b) because the impact of this type of processing on the rights, freedoms and interests of those affected would make that legitimate interest not prevail in general.
The authority further emphasizes the principles of purpose limitation and accuracy. The first one is especially relevant in the case of thermal cameras that offer the possibility of recording data and processing additional information, in particular biometric information. Given the effect of a false measurement on the concerned individual, the principle of accuracy refers to the capacity to measure the temperature in a reliable manner with the use of certified tools through established procedures and criteria and its operation exclusively by trained staff. Concerning data storage, retention of temperature data shall not take place in principle, unless it is necessary in view of possible legal actions against decisions to deny access.
Last but not least, the Spanish authority reminds that those affected by such measures maintain their rights under the GDPR.
The Swedish authority has published guidelines about coronavirus and personal data and has specifically addressed the processing of temperature measurement data by employers, in response to the several questions it received. The authority acknowledges that the coronavirus outbreak calls for quick responses, rendering even more complex the processing of health data, which by default require higher safeguards. In principle, the processing of sensitive personal data is prohibited, but employers may process sensitive personal data when it is necessary to fulfill their obligations within labor law. The Swedish authority also emphasises that an employer should refrain from a systematic collection of information about illnesses from employees and their relatives, and should not assume tasks that only competent authorities are entitled to perform. In line with the principle of minimization, an employer may record only the personal data that is necessary and then restrict access to those who need to access the data.
An interesting observation is that, even though the authority provides a list of health data in the specific context, it does not explicitly include body temperature in this list. For example, information that an individual is infected with COVID-19 qualifies as health data, whereas information that an individual is in quarantine does not.
Like other DPAs, it also stresses the provision of information to individuals concerning the personal data processing and the implementation of security measures, and adds the importance of documentation of the measures taken and the assessments made.
Specifically about body temperature measurements, the authority stresses that the relationship between employees and employers is regulated by labor law and as such, the question as to whether there is a right of an employer to carry out measurements, and of an employee to undergo a measurement, falls outside the authority’s power. However, if the data controller starts recording data following such measurement, for instance establishing a visitor database, then this processing would fall under the authority’s power and in principle, it is not permitted.
The authority also assessed that whether an employer may require or prohibit employees from working from home is not a data protection issue and does not fall inside the authority’s area of activity.
|United Kingdom (transition)||
The Information Commissioner’s Office has published a set of general guidelines on coronavirus for organisations and citizens. The authority argues that taking a temperature involves the processing of personal data even if no information is recorded. The temperature data must be treated as special category data for two reasons, because “information about an individual’s health could be inferred and a decision about an individual could then be made”. Temperature scans can have negative effects on individuals and thus staff policies should be in place as to how to address an individual with increased body temperature. Therefore, temperature measurement is considered a potentially intrusive technique which requires stronger justification, meaning that the desired result could not have been achieved through other less intrusive means and the temperature testing was necessary and proportionate. The data controllers should also consider the detrimental effect that inaccurate readings may have on individuals and consider the effectiveness of temperature testing compared to other safety measures.
In the employment context, organisations can process body temperature data only after they have identified an Article 6 and Article 9 GDPR lawful basis, a schedule condition under the Data Protection Act 2018 and the relevant legal conditions about employment. In particular, when relying on the public health condition, the controllers shall also observe the duty of confidentiality.
Moreover, it emphasizes that a thermal image of an individual “has the potential to be biometric data if it is linked to a CCTV system, that has facial recognition capabilities for the purposes of uniquely identifying someone”.
|European Data Protection Supervisor||The official executive summary and the text of the guidance can be found here.|