Some organizations are considering installing temperature scanners or other means of verifying the body temperature of staff and visitors, in an effort to protect the workplace against the spread of COVID-19.
This is a sensitive topic that needs careful analysis by each company, especially with regard to the effectiveness of the devices used for this purpose, the setting up of records of such data, who has access to the data and what the consequences are for the data subjects, to name just a few issues.
Below is a short outline of certain guidance and opinions from European Data Protection Authorities on the topic of reading body temperature, to help organizations decide on the lawfulness of such a measure in their case.
The updated guidance from the Belgian Data Protection Authority (APD) specifically refers to measuring the body temperature of workers and visitors. According to the APD, the mere measurement, without recording the data, does not constitute per se processing of personal data. However, the guidance does not discuss the case when organizations might actually register a high temperature during such checks and take certain measures, for example when the thermal scanner placed at the entrance of a factory reads a temperature above the set threshold and the worker is isolated from the rest of the staff.
In its FAQs, the Spanish authority (AEPD) refers to national legislation on the prevention of occupational risks, which obliges employers to verify whether the health status of workers represents a danger. However, it indicates that such verification must be carried out by medical staff. The AEPD states that in any case, the processing of health data obtained from temperature measurements must be limited to the purpose of combating the spread of COVID-19 and respect all other GDPR principles.
The French authority (CNIL) strongly advises organizations against "mandatory readings of the body temperatures of each employee / agent / visitor to be sent daily to their hierarchy". From the wording of the guidance, it seems that checking symptoms might be allowed if done in a confidential manner, for example by the occupational doctor or a member of the staff who must observe the secrecy of the data.
The Romanian authority (ANSPDCP) is silent on this matter and instead indicates the general GDPR legal exemptions for processing health data. This means that data controllers must make their own (documented) assessments and decide
The initial statement of the European Data Protection Board does not cover this specific topic. However, the EU body has recently announced that it is speeding up the publication of more detailed guidance.