In the past weeks, various countries lifted the Covid-19 coronavirus lockdown measures. The Netherlands, again allow more than 100 people on the same premise. Many companies consider reopening their offices but at the same time look for ways to protect employees, customers and visitors against the Covid-19 coronavirus and their business against the disruptions of potential outbreaks.
As one of the symptoms of the virus is an elevated body temperature and measuring of body temperature at the entrance to the company premises is often suggested. Is this allowed under the General Data Protection Regulation (GDPR)? Are there other legal limitations? What is the opinion of the Dutch Data Protection Authority (Dutch DPA) on the body temperature measurement? This article attempts to shortly explain the ins and outs of body temperature measurement in the Netherlands from the data protection law point of view and to give some practical guidance.
Companies should carefully consider whether implementing measurements of body temperature of their employees or visitors would be necessary and proportionate in their specific situation. Although merely taking temperature of employees, by non-automated means, without recoding or further processing of the results, would generally fall outside the scope of GDPR, it will be difficult to implement this in practice without jeopardising any other rights of individuals, such as a fundamental right to privacy or rights arising from employment law. Consent of employees to taking body temperature will not be valid from data protection point of view, as they are dependent on their employers. Similarly, no free consent would be possible to obtain from many of the company’s visitors. In relation to customers, companies should be able to implement voluntary body temperature checks, in particular in situations where mandatory statements regarding health of customers or their families are required by the Covid-19 coronavirus measures.
Background
An individual’s body temperature could qualify as personal data, more specifically, as personal data concerning health (health data) and therefore a so-called “special category of personal data” with the meaning of the GDPR. According to the same GDPR, processing health data is strictly prohibited, unless, among others, the individual gives explicit consent. The GDPR applies high standards to the validity of consent: it should be freely given, specific, informed and unambiguous indication of the data subject’s wishes made by a statement or a clear affirmative action. Important for this context, “freely given” consent means that the individual is able to exercise a real choice. In practice, the individual must be able to refuse or withdraw consent at any time without detriment. For example, in case of entering a building, the individual may still enter the building after refusing to give consent to measuring temperature.
Obtaining a valid, “freely given” consent will be difficult where there is an imbalance of power such as between an employee and an employer. The employee might feel forced to give his or her consent. For this reason, consent is rarely available as a valid basis for processing employee’s personal data by employers.
However, the unprecedented challenges of responding to the Covid-19 coronavirus pandemic have not left any part of society unaffected. It was clear that the Dutch DPA was struggling with providing clear guidance on privacy and data processing in the context of the pandemic, and in particular on measuring body temperature, having changed its view on this topic a number of times. The following main points reflect the most recent view of the Dutch DPA:
- Manually measuring individual’s body temperature, without recording or further processing the results, would not represent processing of personal data and therefore not fall under the GDPR. However, measuring body temperature with the use of automated systems, such as a thermal cameras or systems that open entrance gate, allow access based on temperature checks or automatically processes the results in other ways will qualify as data processing and fall under the scope of the GDPR.
- Similar to employment relationship an imbalance of powers would exist when visitors seek access to the company’s premises. For example, an employee of a supplier delivering goods may feel pressured to consent to body temperature measurement in order to be able to enter the premises and complete the delivery. In that case, consent is not freely given and processing of personal data is not allowed.
- The GDPR will most likely not apply to situations when employees, visitors or customers of the organisation are provided with a discreet opportunity to measure their own body temperature and nothing is further done with the results of this self-check.
- Employers should probably be able to require employees to monitor their own health, including temperature, and contact a company doctor if necessary, as well as require them to work from home, but explains that such situations fall outside the scope of the GDPR (unless they involve processing of health data or consequences are attributed to taking temperature of employees). The Dutch DPA recommends employers to evaluate their specific situation from an employment law perspective.
- The Dutch DPA reiterates that even if the temperature measurement might not fall under the GDPR, other legal limitations may exists when it comes to body temperature measurement. In an employment context, limitations may arise from employment law or a specific employment contract. Further, temperature checks might constitute a gross violation of other fundamental rights, such as the right to privacy or to physical integrity. For example, when the results are read aloud and other people waiting in line are able to hear the results of an individual.
What is allowed with respect to body temperature measurement in the Netherlands?
Employees. Employers should carefully consider whether to implement body temperature measurements for their employees. Employers are allowed to only manually measure body temperature of employees and read the results thereof without further processing these result. Discretion is required to avoid infringement of employee’s fundamental rights, such as right to privacy or physical integrity. There may also be limitations based on the employment law or individual employment contract. It is strictly prohibited to process the results of body temperature measurements.
Customers/visitors. Companies are allowed to manually measure body temperature of customers/visitors and read the results thereof. Discretion is required to avoid jeopardising any other fundamental rights. Further, body temperature measurement with the use of an automatic system and/or registering the results of the measurements is allowed only if the customer/visitor freely gives consent. Whether consent is given freely should be assessed on a case-by-case basis. Consent is likely to be considered freely given when:
- the customer/visitor does not feels forced to give consent, due to an imbalance of power; and
- there are no negative consequences in case the visitor/customer refuses to give consent. Either this means there should be no consequences at all, or an equivalent alternative is offered to the customer/visitor.
- Companies should always carefully consider whether to implement such body temperature measurement would be necessary and proportionate in their specific situation.
International diversities
During the Covid-19 pandemic, national legislators and supervisory authorities have taken different positions on this topic. In contrary to the Netherlands, in some countries it is mandatory to measure person’s body temperature prior to entering premises. In addition, national employment laws in the EU vary significantly. Some supervisory authorities have also interpreted the GDPR and national data protection laws differently. These different views make it difficult for companies to implement a uniform approach to Covid-19 related temperature checks globally. We recommend taking into consideration all relevant national laws and seeking advice of local counsel. We have been tracking developments in data protection and cybersecurity regulatory guidance on the Covid-19 coronavirus for a number of jurisdictions, available here.
Please feel free to contact Nicole Wolters Ruckert or Pien van Vliet if you would like to discuss any Covid-19 coronavirus related measures involving processing personal data in your organisation or have specific questions on the protection of personal data and cybersecurity aspects of the Covid-19 coronavirus pandemic in the Netherlands and worldwide.
