In the context of their return-to-work policies, companies are seeking solutions to detect individuals with fever at the entrance of their premises with the aim of preventing further contamination within the buildings. This can be achieved by means of conventional thermometers, digital fever scanners directed at the forehead of the person, or sophisticated thermal camera systems. The Belgian Data Protection Authority has issued a guidance in which it adopts a strict position regarding the implications of temperature screenings for individuals’ data privacy rights. More specifically, it provides that the simple act of taking a temperature falls within the scope of the GDPR even if the temperature measurement itself has not been recorded. The guidance also provides that in light of Article 4, paragraph 2 of the GDPR, measuring temperature by means of an advanced digital process is subject to the requirements of the Regulation.
On 5 June 2020, the Belgian Data Protection Authority (DPA) issued a guidance regarding temperature screenings within the context of the return-to-work policies developed by companies following the COVID-19 pandemic. In the guidance, the Belgian DPA addresses, among other things, the privacy concerns arising from different methods of temperature screening.
The DPA adopts the position that, in cases where these can be linked to an individual, temperature screening activities fall within the scope of the GDPR. This is the case even if the temperature measurement is not itself recorded. The guidance also provides that, in light of Article 4, paragraph 2 of the GDPR, measuring temperature by means of a sophisticated digital process, such as digital fever scanners or thermal cameras, constitutes automated processing of personal data.
In the guidance, the DPA recalls that a person’s temperature constitutes personal health data. It also recalls that the GDPR protects personal data that are subject to automatic processing or which are intended to be included in a filing system. In the case of health data, processing is, in principle, prohibited by Article 9, paragraph 1 of the GDPR, subject to certain exceptions.
In order to assist companies in determining when measuring the temperature of natural persons falls within the scope of the GDPR, the Belgian DPA provides the following examples:
Situation 1: Temperature screenings without recording
According to the DPA, simple temperature readings on a conventional thermometer without the intention of recording the measurement data at a later stage do not fall within the scope of the GDPR.
An example of this practice is the measurement of the temperature of employees for the purpose of preparing an anonymous report demonstrating the percentage of employees who present high temperature without identifying them.
Situation 2: Temperature screenings with recording
The DPA provides that if the measured temperature of employees is recorded in a file, this recording constitutes processing of personal health data and is, in principle, prohibited.
The DPA also adopts the position that measuring temperature falls within the scope of the GDPR even if the temperature measurement itself has not been recorded. A relevant example is that of employees who are denied access to the workplace following a manual temperature screening.
Even if the result of the temperature taking itself has not been recorded, the DPA notes that, in these cases, registering the absence of an employee will inevitably be linked to the file and/or identity of that employee. It must, therefore, be treated as processing of personal health data. According to the DPA, this processing falls within the GDPR and has no legal basis in Belgium.
Situation 3: Electronic temperature screenings by sophisticated means
According to the DPA’s guidance, the GDPR does not only apply in cases where personal data are recorded in a file. It also applies in cases where the processing takes place by means of an advanced digital process.
According to the DPA’s interpretation, “processing” does not refer only to the storage of data. It also refers to any of the operations mentioned in Article 4, paragraph 2 of the GDPR when these operations are performed in an automated manner. Among these operations is the automated collection of data without subsequent storage or recording.
The DPA guidance concludes that the use of advanced digital fever scanners, thermal cameras, or other automated systems that measure the level of body temperature constitutes processing of personal health data and, therefore, it is not authorized.
The DPA guidance recalls that, according to Article 9, paragraph 2 of the GDPR, the processing of health data is prohibited unless the controller demonstrates a legal basis for this processing activity.
This legal basis in the employment context would be the existence of a provision of national law or a relevant collective bargaining agreement.
The DPA guidance notes, however, that there is currently no specific legal provision that would allow employers to process the personal health data of employees in Belgium.
The DPA guidance, therefore, calls upon the Belgian legislator to adopt related legislation that would allow the processing of health data if the legislator considers that temperature screenings are necessary in view of the exceptional circumstances to which the coronavirus crisis has given rise.
Vicky Vlontzou, a trainee in our Brussels office, contributed to this entry.