Measuring temperature of visitors and employees: is that allowed?

Measuring temperature: is that allowed?

Due to the corona crisis, many companies are taking measures to work as safely as possible and to prevent the spread of the corona virus. For some professions, working from home is quite possible, but there are also sectors in which it remains necessary or desirable for employees, suppliers, customers, contractors and other visitors to (or again) appear in the workplace. We receive a lot of questions from entrepreneurs whether they can measure the body temperature of anyone who wants access to the property or the company site. In this blog we work out why measuring body temperature is allowed or not under some circumstances. And how can companies best deal with this, or: what is possible?

Special personal data

Processing of personal data? First of all, the question is whether measuring a person's body temperature is a processing of personal data, so that the General Data Protection Regulation (GDPR) applies. "Processing" can refer to many different actions with personal data: think of viewing, storing, passing on, viewing or removing personal data. The single viewing of a temperature on a thermometer or with a thermal camera, without the temperature being stored or recorded or the measurement data ending up in an automated system (for example, that the employee is reported sick or that an automatic access gate at too high a temperature does not open), according to the Dutch Data Protection Authority is no processing of personal data within the meaning of the GDPR. This does not mean, however, that there are therefore no privacy concerns about measuring the temperature: this may, for example, still conflict with the more comprehensive fundamental right to privacy. It is therefore still necessary to make a sound balance of interests, taking into account all kinds of relevant circumstances. Whether there is a processing of personal data is context-dependent. As soon as something is noted or otherwise registered with regard to the temperature of a person, or, for example, a gate does not open, there will be a processing of personal data and the GDPR applies. There is probably no processing if the temperature of persons is scanned with thermal cameras in public areas, without further (direct or indirect) data being recorded from those involved; for example in a department store. In a hospital or airport, the chance of processing with such a measurement is already greater, and in an office with 25 employees, processing could be even earlier, because it is often linked to a registration and the data can be traced more easily. to the person concerned. Special personal data If there is a processing and (therefore) the GDPR applies, it is important that it concerns data about someone's health. This involves special personal data and, in principle, a processing prohibition applies (you can read more about special personal data in this article). The basic principle is that measuring temperatures is only permitted if the result is not processed. After an earlier, even stricter position of the AP, this is now the view (in the Netherlands). If a company does want to record body temperature, this is only allowed if one can invoke a legal exception for the processing of special personal data.

Exception for measuring body temperature?

So the question is whether there is a legal exception that allows entrepreneurs to measure the temperature of their employees and visitors when the GDPR applies.

For employees

An employer may only process personal data about the health of its employees if this is necessary for the continued payment of wages and reintegration. An employer may therefore know that employee Jansen is ill and cannot lift, but not exactly what is wrong with Jansen (for example a hernia). An employer may also not sit in the chair of the company doctor and make a diagnosis based on his own research, such as an alcohol and drug test or a temperature measurement. Even if the employee tells himself or herself what is wrong with him, an employer may not register it. Another exception to the aforementioned processing prohibition mentioned in the GDPR is the processing of health data that is necessary "for reasons of public interest in the field of public health, such as protection against serious cross-border health risks". However, this exception requires that there should be national law regulating this specific processing, while respecting medical confidentiality and the data subject's right to privacy. There is not (yet) such legislation in the Netherlands. Employers can therefore not make use of this exception. The legal exception that we also occasionally see in this context, namely processing for the “protection of the vital interests of the data subject”, does not apply in this case either. It must then be a situation in which a data subject cannot give permission, for example because he is unconscious. In addition, one may wonder whether this concerns the interests of the person concerned (no, we think). Finally, a well-known exception: the express consent of the person concerned. This consent to the processing must be free, specific, informed and unambiguous. In the employer-employee relationship, it is assumed that an employee can hardly ever give free permission - after all, he is dependent on his employer. In that case, there is no legal permission, so that this exception does not apply either. However, this differs per country. Measure temperature in the workplace Within a company it will often be necessary to register additional data and / or to attach consequences to the results of the measurement. Think of an employee who is refused at the gate because of too high a temperature. Not only will he be denied access to the workplace, but additional data will probably also be recorded. The employer may register him as absent or sick, or the employee may end up on a list of employees who are temporarily denied access to work. In this scenario, it is no longer just a matter of reading the temperature of an (anonymous) person, but further data is recorded about a specific individual, precisely because his temperature has been measured by the employer. This is in principle not allowed. For the sake of completeness, we also mention that even if in a specific case there is no 'processing' of personal data within the meaning of the GDPR, there is certainly other legislation that must be taken into account in the context of an employer-employee relationship. of such measures.

For suppliers, customers and other visitors

The same applies to other parties present at the workplace to a large extent. There is no national legislation (yet) that allows visitors and customers to be tested for body temperature. Here too, however, the assessment will depend on the specific circumstances of the case. Express consent of these categories of data subjects could be an option in very specific cases, but only if such consent is really completely free. This means, among other things, that the data subject must not be negatively affected by the fact that he does not give permission. This will often be difficult in practice. Think of a truck driver who is asked at the gate if he wants to be tested. He will probably feel compelled to agree to a greater or lesser degree, otherwise he will not be allowed onto the site and therefore cannot do his job. Moreover, this could lead to employment law consequences for his own employer. His consent is then not legally - because not freely - given. It is difficult to come up with a scenario in which permission is given freely, because most companies like to carry out selection at the gate before they allow visitors into the building or their grounds.

Conclusion

Within an organization with employees and visitors, there will often be a link with other personal data, and a temperature is not only read once. This means that the GDPR applies and - in the absence of an appropriate legal exception to the processing prohibition of medical data - measuring temperature as an access control will often not be permitted. If a legal exception could be invoked, in a specific case, the processing of health data is, in principle, only reserved for doctors. In addition, the respective processing must therefore be necessary for the intended purpose. That depends on the concrete circumstances, but in many cases there are also question marks. For example, the question is whether trust in one's own employees is not enough: requests to measure one's own temperature daily; that is allowed. And is temperature measurement an appropriate means to counteract the target, the spread of the coronavirus? After all, it has now become clear that people without complaints can also spread the virus, while employees could otherwise get a false sense of safety because they and their colleagues have passed the test. Only when a temperature measurement is not accompanied by a registration and / or ends up in an automated system, this measurement (subject to other regulations, which must therefore always be checked) is permitted.

What is possible if the GDPR applies?

First of all, it is of course important to test whether there is a "processing of personal data" within the meaning of the GDPR. If that is the case (and in our opinion it is soon the case), it is often not allowed to measure temperature by entrepreneurs. Of course, entrepreneurs can then take other actions to keep their staff and visitors as safe as possible. We strongly advise you to do that too: an employer must ensure a safe working environment. For example, it is very important to continue to follow RIVM's instructions and to continuously inform employees and visitors. More information about the possibilities in your specific situation? We like to think along! Contact us at privacy@ploum.nl or call us, Ploum privacy team.