Orientations from the EDPS: body temperature checks by EU institutions in the context of the COVID-19 crisis

INTRODUCTION

To prevent the spread of the Covid-19 contamination, the European Union Institutions (“EUIs”) have implemented, among other necessary health and safety measures (such as masks provision, disinfecting gel, contact tracing by health authorities, etc.), body temperature checks for the EUIs’ staff and visitors.

Due to the fact that such checks can be implemented through a variety of devices and processes and, in some case, they may constitute an interference into individuals’ rights to private life and/or personal data protection, on the 1^st September 2020, the European Data Protection Supervisor (“EDPS”) issued orientations on the use of body temperature checks by EUIs (“Guidelines”).

The Guidelines may also be useful for the legal assessment required by the GDPR, with particular regard to the lawfulness of the processing, automated individual decision-making as well as technical and organisational measures to be implemented also by private entities for carrying out body temperature checks.

THE GUIDELINES

The EDPS distinguishes between those body temperature checks that are subject to the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (the “Regulation”) and those body temperature checks which are not subject to the Regulation.

It is assumed that, pursuant to Article 2(5) of the Regulation, the latter “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”, where “processing wholly or partly by automated means” refers to all processing done by means of computer technologies and “processing other than by automated means” primarily refers to any manual data processing operation executed by humans, in a filing system.

In particular, the EDPS distinguishes between:

• basic body temperature checks designed to measure body temperature only, operated manually and not followed by registration, documentation or other processing of an individual’s personal data. Such checks would, in principle, not be subject to the scope of the Regulation;
• other systems of temperature checks, operated manually and followed by registration, documentation or other processing of an individual’s personal data, or systems operated automatically with advanced temperature measurement devices. Such checks would in general fall under the scope of the Regulation.

• BODY TEMPERATURE CHECKS FALLING OUTSIDE THE REGULATION’S MATERIAL SCOPE

The basic body temperature checks consist in a system where an authorized person uses a basic temperature measurement device (such as a manual thermometer) to check the temperature of a person (employee, visitor, etc.) who wishes to enter the building. Such system only provides an instantaneous temperature value, without any recording or registration of the measurement.

The EDPS considers that the aforementioned checks do not fall under the material scope of the Regulation as defined under Article 2(5) because the checks do not involve a processing of personal data wholly or partly by automated means, and that in the absence of any registration of the temperature, such measurements cannot be considered as a processing other than by automated means of personal data forming part of a filing system or are intended to form part of a filing system.

Anyways, to remain outside the material scope of the Regulation, it is essential that the temperature measurement is not followed by registration, documentation or other processing allowing to link such information to a data subject.

However, the systematic use of basic body temperature checks may interfere with the fundamental right to private life protected under Article 7 of the Charter of Fundamental Rights of the European Union (the “Chart”) and therefore it should comply with the legality, necessity and proportionality conditions laid down in Article 52(1) of the Charter.

• BODY TEMPERATURE CHECKS SUBJECT TO THE REGULATION

If the body temperature checks are operated manually and are followed by the registration of the measurement or combined with an identity check, such checks must be considered as forming part of a filing system subject to the scope of application of the Regulation.

The Regulation will also apply to the body temperature checks carried out by using digital means such as thermal cameras or thermal scans. In fact, the EDPS considers such checks as a processing of personal data wholly or partly by automated means as defined by Article 2(5) of the Regulation. Since the information regarding the body temperature is collected and it relates to an identified or identifiable specific person, the aforementioned temperature measurement constitutes a processing of personal data. In particular, the data processed are health data, a special category of personal data able to reveal information about the person’s health status regarding a possible infection with COVID-19.

Considering the special nature of such data and the health information they are able to reveal, their processing needs to be lawful in accordance with Article 5(1) of the Regulation but also to comply with the conditions laid down in Article 10(2) of the Regulation.

In the context of COVID-19 outbreak, the processing of special categories of personal data is lawful if the conditions provided for by Article 10(2)(b), 10(2)(g) and 10(2)(i) of the Regulation are met and respectively if the processing:

• is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law insofar as it is authorised by Union law providing for appropriate safeguards for the fundamental rights and the interests of the data subject (Article 10(2)(b));
• is necessary for reasons of substantial public interest, on the basis of Union law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 10(2)(g));
• is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 10(2)(i)).

The application of the aforementioned Article(s) will depend on the specific context and on the practical implementation of such body temperature checks.

TEMPERATURE CHECKS AND AUTOMATED DECISION MAKING

The EDPS highlights that in certain types of temperature checks (such as thermal scan or thermal camera) there is not a meaningful human intervention and it may entail an automated individual decision-making process regulated by Article 24 of the Regulation.

As stated by the EDPS, since there is currently no Union Law, as per Article 24(4), authorising temperature checks based solely on automated processing to allow or deny access to EUIs premises on health and safety grounds, a fully automated temperature checks system would only be lawful on a voluntary basis, with the data subjects’ explicit consent under Article 10(2)(a) of the Regulation.

In the light of the above, the EDBS considers that temperature checks applied on a mandatory basis should not be based solely on automated processing, and should therefore provide for meaningful human involvement at relevant stages of the check process. Moreover, in accordance with the EDPB’s Guidelines on Automated individual decision making and profiling for the purposes of Regulation 2016/679 (6^th Feb. 2018), the EDPS advises controllers to identify and record the degree of any human involvement in the temperature check process and at what stage this takes place.

TECHNICAL AND ORGANISATIONAL MEASURES

The deployment of body temperature checks devices may call for specific and appropriate safeguards under Articles 10 and, where applicable, Article 24 of the Regulation.

Moreover, considering that the body temperature checks may imply personal data processing, it is advisable to apply the obligations of data protection by design and by default, set out in Article 27 of the Regulation, by designing a body temperature check procedure where the collection of personal data is minimised.

In addition to the obligations above, the EDPS suggests to implement, depending on the processing capabilities of the system used to carry out body temperature checks, additional data protection safeguards and to document those measures specific policy periodically reviewed.

To this end, the EDPS has drafted a list of recommendations that should be taken into account when the temperature check system falls within the scope of the Regulation. These recommendations ensure that appropriate safeguards are in place and they consist in the following:

• to design systems for carrying out body temperature checks that operates independently, not linked to any other IT system and in particular not connected to the security system such as the CCTV network;
• such system should be designed as a real-time system and no recording should be made of the reading;
• if automated systems are used, to verify that there is no recording of the thermal images and the results are only displayed on “live” screen;
• the data controller should verify the data accessed by the manufacturer of a temperature measurement devices if a telemetry system is installed for monitoring the correct operation of such apparatus;
• to analyse the full data life cycle, in order to ensure that no recording or storage occurs. Furthermore, the use of the system should be limited to filter access to EUIs premises and not be deployed for another purpose;
• to verify the accuracy of the devices by providing a regular calibration of the sensor;
• to train the personnel who will be in charge of the checks by informing them about the procedure to follow in case a positive temperature check.

With reference to both types of temperature checks, the EDPS suggests to respect the principle of transparency by informing the staff member or visitor entering the EUI’s building about the temperature check system through a clear explanation of the reason of such a check in a language (or languages) generally understood by both, staff members and most frequent visitors.

In the end, giving the pandemic crisis, the EDPS believes it is essential to comply with the requirements set out in the Regulation and in the Charter of Fundamental Rights and to this end, the EDPS advises EUIs implementing temperature checks to continuously review the necessity and proportionality of such measures in the light of the evolution of the epidemic situation and its scientific understanding.