During the corona crisis, organizations may want to implement access controls in which the body temperature of employees, visitors or customers is measured before they gain access to the store, office, hospital, cinema, and so on. Initially, the Dutch Data Protection Authority was crystal clear about this: measuring temperature is not allowed just like that. In the meantime, the Data Protection Authority seems to have adopted a slightly more nuanced position.
What happened before?
Previously, the Data Protection Authority emphasized that employers hardly ever have the right to keep records of employees’ medical data, even if it (presumably) concerns corona. According to the supervisory authority, this means that the employer may not keep a record of where employees have been on holiday. Employers are also not allowed to measure and/or record the temperature of employees.
Not much later, the Data Protection Authority announced that only employers in the healthcare sector were allowed to check employees for corona during the corona crisis.
On 24 April 2020, the Data Protection Authority published a clear message on its website: measuring temperature cannot be done just like that. ‘A company cannot play doctor. Only a healthcare professional is allowed to perform health tests and to process the medical data of employees’.
When does the GDPR apply?
The GDPR applies when personal data is processed wholly or partially by automated means. The GDPR may also apply to the manual processing of personal data. This is the case if the personal data is or will be included in a file.
If the temperature is only read from a thermometer, without (the intention of) storing (passing on, recording) this measurement data and without automatic processing (gates opening, green light), then that reading does not in itself fall under the protection of the GDPR, and therefore not under the supervision of the Data Protection Authority. The GDPR therefore does not apply if an organisation only gives employees, visitors or customers the opportunity to measure their own temperature.
If the result is subsequently passed on and registered somewhere to give or deny someone access, the GDPR does apply. Systems where gates are opened, where the green light is given or which do something automated in another way on the basis of the measurement data, are also subject to the GDPR.
Still an infringement of privacy?
The Data Protection Authority does, however, have an important comment to make. Even when the temperature check is not subject to the GDPR, this does not mean that there are no privacy concerns:
The invasion of privacy can also be serious if, for example, someone is not allowed inside after a temperature measurement (is stopped by a security guard, for example) and a whole queue of people waiting can see that and possibly draw conclusions about this person’s health. The GDPR then offers no protection. And the Data Protection Authority cannot take action against this. Nevertheless, it may indeed be an unlawful infringement of the fundamental right to privacy.
Do you want to carry out access controls during the corona crisis by measuring the temperature of employees, visitors or customers? Even if the GDPR does not apply because you do not record anything, it is very important that sufficient account is taken of privacy.