AEPD (Spain) - E/03884/2020: Difference between revisions
No edit summary |
No edit summary |
||
Line 52: | Line 52: | ||
}} | }} | ||
The Spanish DPA concluded that using a thermal camera to verify if users of a service have higher temperature than a threshold, in the context of the covid-19 pandemic, does not fall under the scope of the GDPR when there is no further storing, processing or any operation on the data shown by the camera, and the persons are not asked to identified | The Spanish DPA concluded that using a thermal camera to verify if users of a service have a higher temperature than a certain threshold, in the context of the covid-19 pandemic, does not fall under the scope of the GDPR when there is no further storing, processing or any operation on the data shown by the camera, and the persons are not asked to identified themselves. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Spanish DPA (AEPD) launched an investigation on the company that manages the underground service of Bilbao, one of the main Spanish cities. In the context of the covid-19 pandemic, the company was using thermal cameras to | The Spanish DPA (AEPD) launched an investigation on the company that manages the underground service of Bilbao, one of the main Spanish cities. In the context of the covid-19 pandemic, the company was using thermal cameras to verify if the users of the underground had a higher temperature than a threshold (37.3ºC), in order to identify potential infected people. | ||
People were randomly picked to pass through the range of the cameras, that would | People were randomly picked to pass through the range of the cameras, that would show their temperature. What was shown was only a temperature map; images were not processed in any way, nor there was any kind of facial recognition system. Data were neither registered, stored or processed in any way. | ||
The only consequence deriving from the temperature map would be that the employees in charge would carry out a second test, with a clinic thermometer, to verify whether the temperature was above the threshold. Then, if still above the threshold, they would receive a recommendation on how to act (i.e. not use the metro and contact a doctor). | The only consequence deriving from the temperature map would be that the employees in charge would carry out a second test, with a clinic thermometer, to verify whether the temperature was above the threshold. Then, if still shown to be above the threshold, they would receive a recommendation on how to act (i.e. not use the metro and contact a doctor). | ||
=== Holding === | === Holding === | ||
The Spanish DPA, in line with the allegations of the controller, concluded that the GDPR was not applicable to this case, as it did not fall under its material scope. | The Spanish DPA, in line with the allegations of the controller, concluded that the GDPR was not applicable to this case, as it did not fall under its material scope. | ||
The temperature measurement was done without identification, without recording and without registering data of the persons, as their identification is not required either by official document or verbally. At no time was any personal data stored or recorded, neither image data, nor temperature data, nor name and surname, nor any other data relating to an identified or identifiable natural person. No information was stored, which | The temperature measurement was done without identification, without recording and without registering data of the persons, as their identification is not required either by official document or verbally. At no time was any personal data stored or recorded, neither image data, nor temperature data, nor name and surname, nor any other data relating to an identified or identifiable natural person. No information was stored, which could imply the impossibility of identifying a person by collecting only indirect identifiers, such as the aforementioned heat map or temperature; and no direct identifiers, such as an image or similar, nor the results of the temperature measurements were stored nor were the results transferred to another kind of non-automated or automated support. | ||
At all times, the anonymity of the persons was maintained, as they were not required to identify themselves, and there was no recording, as the image was issued in real time, in a heat map that did not allow a person to be unequivocally identified. | At all times, the anonymity of the persons was maintained, as they were not required to identify themselves, and there was no recording, as the image was issued in real time, in a heat map that did not allow a person to be unequivocally identified. | ||
Therefore, following Article 2(1) GDPR, there was no processing of data, neither automated or non-automated but meant to be part of a filing system. Hence, it is outside the material scope of the GDPR. | Therefore, following Article 2(1) GDPR, the AEPD concluded that there was no processing of data, neither automated or non-automated but meant to be part of a filing system. Hence, it is outside the material scope of the GDPR. | ||
Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA | Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion, but remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered. In this case, even if the person remained anonymous, as they were not asked to identify themselves, the procedure was carried out in public space, so any person that was not allowed to enter the subway because their high temperature would be known to have a temperature higher than 37.3ºC, what is, in addition, health data, so it is classified as sensitive data in accordance with Article 9 GDPR. Therefore, third persons would be able to know that a particular person might be infected by the SARS-CoV-2, as fever is a symptom of covid-19. Therefore, it would be debatable, in a case by case basis, whether the circumstances could have made that a particular person was identifiable. | ||
The DPA also discusses an hypothetical case in which such activity, or a similar activity, it could be considered processing of personal data; then, a legal basis would be necessary for the processing. Options for that would be a vital interest, a public interest or compliance with a legal obligation. Additionally, an exception from Article 9 would be necessary. | The DPA also discusses an hypothetical case in which such activity, or a similar activity, it could be considered processing of personal data; then, a legal basis would be necessary for the processing. Options for that would be a vital interest, a public interest or compliance with a legal obligation. Additionally, an exception from Article 9 would be necessary. | ||
In any case, the DPA reached the conclusion that the fact that the persons were not asked to identified themselves definitely meant that they were not identifiable | In any case, the DPA reached the conclusion that the fact that the persons were not asked to identified themselves definitely meant that they were not identifiable and that no kind of data related to temperature or to the scanned persons was stored or processed in any way. Therefore, as there is not processing of data related to identifiable persons, the case was considered not to fall under the scope of the GDPR, and it was archived. | ||
== Comment == | == Comment == |
Revision as of 13:56, 25 May 2021
AEPD (Spain) - E/03884/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 2(1) GDPR Article 4(1) GDPR Article 4(6) GDPR |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | |
Published: | 24.05.2021 |
Fine: | None |
Parties: | METRO BILBAO, S.A. |
National Case Number/Name: | E/03884/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA concluded that using a thermal camera to verify if users of a service have a higher temperature than a certain threshold, in the context of the covid-19 pandemic, does not fall under the scope of the GDPR when there is no further storing, processing or any operation on the data shown by the camera, and the persons are not asked to identified themselves.
English Summary
Facts
The Spanish DPA (AEPD) launched an investigation on the company that manages the underground service of Bilbao, one of the main Spanish cities. In the context of the covid-19 pandemic, the company was using thermal cameras to verify if the users of the underground had a higher temperature than a threshold (37.3ºC), in order to identify potential infected people.
People were randomly picked to pass through the range of the cameras, that would show their temperature. What was shown was only a temperature map; images were not processed in any way, nor there was any kind of facial recognition system. Data were neither registered, stored or processed in any way.
The only consequence deriving from the temperature map would be that the employees in charge would carry out a second test, with a clinic thermometer, to verify whether the temperature was above the threshold. Then, if still shown to be above the threshold, they would receive a recommendation on how to act (i.e. not use the metro and contact a doctor).
Holding
The Spanish DPA, in line with the allegations of the controller, concluded that the GDPR was not applicable to this case, as it did not fall under its material scope.
The temperature measurement was done without identification, without recording and without registering data of the persons, as their identification is not required either by official document or verbally. At no time was any personal data stored or recorded, neither image data, nor temperature data, nor name and surname, nor any other data relating to an identified or identifiable natural person. No information was stored, which could imply the impossibility of identifying a person by collecting only indirect identifiers, such as the aforementioned heat map or temperature; and no direct identifiers, such as an image or similar, nor the results of the temperature measurements were stored nor were the results transferred to another kind of non-automated or automated support.
At all times, the anonymity of the persons was maintained, as they were not required to identify themselves, and there was no recording, as the image was issued in real time, in a heat map that did not allow a person to be unequivocally identified.
Therefore, following Article 2(1) GDPR, the AEPD concluded that there was no processing of data, neither automated or non-automated but meant to be part of a filing system. Hence, it is outside the material scope of the GDPR.
Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion, but remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered. In this case, even if the person remained anonymous, as they were not asked to identify themselves, the procedure was carried out in public space, so any person that was not allowed to enter the subway because their high temperature would be known to have a temperature higher than 37.3ºC, what is, in addition, health data, so it is classified as sensitive data in accordance with Article 9 GDPR. Therefore, third persons would be able to know that a particular person might be infected by the SARS-CoV-2, as fever is a symptom of covid-19. Therefore, it would be debatable, in a case by case basis, whether the circumstances could have made that a particular person was identifiable.
The DPA also discusses an hypothetical case in which such activity, or a similar activity, it could be considered processing of personal data; then, a legal basis would be necessary for the processing. Options for that would be a vital interest, a public interest or compliance with a legal obligation. Additionally, an exception from Article 9 would be necessary.
In any case, the DPA reached the conclusion that the fact that the persons were not asked to identified themselves definitely meant that they were not identifiable and that no kind of data related to temperature or to the scanned persons was stored or processed in any way. Therefore, as there is not processing of data related to identifiable persons, the case was considered not to fall under the scope of the GDPR, and it was archived.
Comment
This is the first case in which the AEPD assesses temperature measuring activities related to the covid-19 pandemic.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/17 Procedure Nº: E / 03884/2020 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: On May 18, 2020, the Director of the Spanish Agency for Data Protection (AEPD) urged the Subdirectorate General for Data Inspection (SGID) to initiate the preliminary investigation actions referred to in article 67 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD) since, according to what has transpired to through the media, METRO BILBAO, S.A. (hereinafter MB), with NIF A48541957, would have initiated actions aimed at measuring the temperature of the suburban passengers. SECOND: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts previously described, having knowledge of the following points, as It emerges from the brief presented by MB, with entry number 018048/2020, in response to the request of this Agency: About the context According to MB, as part of the brief 018048/2020, “on May 11, 2020, the MB decides to implement a temperature control of the users of the metropolitan area, in response to the emergency situation caused by the coronavirus disease started in 2019 (COVID-19), and with the aim of offering to people an additional protection "expected" by the entity ". Add also that "the main reason why it was decided to implement this system is to “contribute to the safeguarding of the due physical security of people and of their vital interests, in the current emergency situation due to the disease of coronavirus started in 2019 (Covid-19) ”, both from workers and users since, when it comes to defending lives, it is not possible, ethically, this differentiation". About the process As described by MB in the document 018048/2020, the temperature control process consists in: “A thermographic camera will be installed without recognition and without recording (emitting, therefore, in real time) in a space specifically enabled in certain metropolitan stations. To get a better idea, the only thing that the cameras will capture will be a heat map of a person / animal / thing that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/17 allow to know the temperature measurement without identification, without recording and without registration of people's data as their identification is not required or through official document, nor verbally. (…) " "At no time will any type of personal data be stored or recorded, or image, nor temperature, nor name and surname, nor any other data related to a identified or identifiable natural person. In fact, no information, which implies the impossibility of identifying a person by collect only indirect identifiers, such as the aforementioned heat map or the temperature, but without direct identifiers, such as the image or similar, nor will the results of the temperature measurements or The results will be transferred to another manual or automated support. For all this, makes it impossible to talk about concepts such as registration, communication, deletion, etc ... These assumptions must be applicable to the Data Controllers who use mechanisms that capture images, or any other type of personal data that is associable to an identified or identifiable person (not only associable to person physical), and that, in addition, constitutes an automated treatment, or not automated that is carried out in the scope of a "file", which does not happen in this situation. (…) " “The dynamics consists of the determined users approaching the space reserved for measurement, individually, in order to measure your temperature. Only in the event that it exceeds the value for which it is considered, at medical effects, that a person could develop a fever, a second measurement to verify this result through a non-contact clinical thermometer, and you will be advised, in accordance with the indications of the Ministry of Health, that go to your home and contact the medical services authorized to perform the 2019 coronavirus disease (Covid-19) tests. In case Otherwise, even the person who presented a value for below what can be considered a fever. At all times, the anonymity of the people will be maintained since they are not requires identification, no recording occurs and the image broadcast in real time is, as we indicated, a heat map that does not allow to identify in a way unique to a person. (…) " “The personnel who will carry out this control will be qualified health personnel, from the DYA or Red Cross company, so that they know how to interpret the results. MB ha signed a collaboration agreement with Emergency Technicians of the aforementioned entities. In each space reserved for temperature control, operators report verbally to each user about all the necessary aspects, to offer the maximum possible transparency. Additionally, it is necessary to clarify that this information processing will have a temporary duration and that, except for legal provision that obliges us, no will perpetuate. (…) " Likewise, the attached document number 1 provided by MB in writing 018048/2020, includes a section (the fourth) entitled "Protocol of action for measurement of temperature ”in which the procedure used is developed. The document includes explanatory graphics of the explanations you make. The following is highlighted information contained therein: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/17 "To perform the operation of random temperature measurement of users in the public transport, the following technical elements will be available: Camera thermographic, Tripod, Control point, Beacon tape ” “The team will consist of 2 Health Emergency Technicians and 1 Security Guard Safety". According to the document itself, one of the technicians will be located in the “fixed position of measurement ”and the other in the“ selection station ”, while the security guard assigns him the "vigilance in control." The functions assigned to the different positions are as follows: “Fixed measurement station: It will be in charge of controlling the temperature with the camera thermographic, and to make a second measurement in case of positive with the thermometer contact manual. It will only act in the “positive” case (> 37.3ºC), allowing the passage normally if not. Selection position: It will be responsible for randomly selecting users towards the temperature measurement zone. Likewise, it will act for evaluation in case of doubt by positive (user who accredits illness that causes fever or other casuistry of various kinds that may occur). Surveillance Post: Surveillance in the control environment to avoid possible conflicts with users. " The document also describes the operation as follows: “Technician 2 (Recruitment Station) will randomly refer users to the check Point . As the user approaches the validation line, the thermal imager will be obtaining the measurement of your body temperature (1 second). Technician 1 (Position measurement) will only intervene if the camera emits a beep or an alarm flash, which which will mean that the user is above the programmed temperature. In case Otherwise, the user will be considered negative and will be able to continue their travel. In case the temperature is higher than 37.3ºC and the signal of alarm, Technician 1 (Fixed Measurement Station) will inform the user to remain in the set point, it will tell you that it has given a temperature higher than the recommended and that a second measurement will be carried out. This second measurement will be made using the non-contact clinical thermometer, keeping an outstretched arm's distance and taking the temperature by pointing to the forehead. If this second temperature take is lower than 37.3º, you will kindly inform the user who can continue. If it continues to test positive, Technician 1 (Fixed position of measurement), supported by the Security Guard, will advise you not to access the facilities or services. In case of doubt before a positive second from a user (user who alleges some disease other than COVID19, present a receipt or request some type of medical assessment), Technician 2 (Recruitment Station) will be notified so that and perform the titration. If the double positive were considered valid, the action would be identical to the previous case, namely, recommending not to access the facilities or services". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/17 Finally, it includes, among others, the following observation: “(…) In no case will personal data of the users, data doctors or images of the same associated with the previous data that could lead to identification ”. In this sense, the last section of the document, the fifth, entitled "Legal analysis" concludes that “(…) taking into account that the system used for taking temperature does not allow it to be associated with other data that allow the identification of direct or indirect way of the travelers, the legislation cannot be applied in force in terms of data protection ”. On the purpose and legal basis As part of the letter 018048/2020, MB responds on the purpose and legal basis of the treatment referring to a set of documents that have been incorporated into the file through the corresponding diligence. They are as follows: - "Opinion 4/2007 on the concept of personal data" of the Working Group of Article 29 adopted on June 20, 2007. - Communiqué from the CNIL of May 7, 2020 entitled “Coronavirus (COVID- 19): the rappels of the CNIL sur la collecte de données personnelles par les Employers ”. - Statement from the Dutch “Autoriteit Persoonsgegevens” entitled "Temperaturen in gezondheidscheck". - “Organic Law 3/1986, of April 14, on Special Measures in the Matter of Public health". - “Law 38/2015, of September 29, on the railway sector”. - "Protocol of action for the reactivation of judicial activity and health professional ”of the General Council of the Judiciary, dated April 29, 2020. - "Basic action protocol for returning to training and restarting of federated and professional competitions ”of the Superior Council of Sports, dated May 3, 2020. - "Recommendations for the opening of the activity in swimming pools after the crisis Covid-19 ”from the Ministry of Health, dated May 14, 2020. - "Law 33/2011, of October 4, General of Public Health". - “Law 31/1995, of November 8, on the Prevention of Occupational Risks”. - "Procedure of action for risk prevention services against exposure to SARS-CoV-2 ”from the Ministry of Health, dated June 8, 2020. - "Questions and answers about coronavirus disease (COVID-19)" by the World Health Organization (WHO). - "Advice for the population about rumors about the new coronavirus (2019-nCoV) ”from the World Health Organization (WHO). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/17 - "Decalogue on how to act in case of having symptoms of COVID-19" from Ministry of Health. - “Order SND / 399/2020, of May 9, for the flexibility of certain national restrictions, established after the declaration of the state of alarm in application of phase 1 of the Plan for the transition to a new normal". - “AEPD statement in relation to the taking of temperature by shops, work centers and other establishments ”of April 30, 2020. As stated by MB in writing 018048/2020 in this process “there is no Treatment of personal data". MB supports this assertion as following: “(…) As stipulated in the first articles of the RGPD, and more specifically in article 2.1 relative to the material scope of application of this norm, “The present Regulation applies to fully or partially automated data processing personal data, as well as the non-automated processing of personal data contained or intended to be included in a file ”. After the description of the dynamics to implement, from our point of view, no There is an automated processing of personal data, nor is there any treatment not automated system intended to be included in a file, understanding this concept as "Any structured set of personal data, accessible according to criteria determined, whether centralized, decentralized or distributed in a functional or geographic ”, according to article 4 RGPD, point six. For this reason, this action must be outside the scope of application of the regulations on protection of data. (…) " “(…) Regardless of whether the situation should be located under the defense of the data protection regulations or not, due to the existence or not of treatment automated or non-automated, according to the material scope of application, also It can be argued that, in our specific case, the use of the information necessary to fulfill the purpose of temperature control, as it has been implemented MB, it does not constitute personal data if we follow the definition that the RGPD itself offers on this concept in the first point of article 4, when stipulates that personal data will be “all information about a natural person identified or identifiable ("the interested party"); will be considered identifiable natural person any person whose identity can be determined, directly or indirectly, in by means of an identifier, such as a name, a number of identification, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychic, economic, cultural or social status of said person ”. Indeed, the first part is divided into 4 well-differentiated elements, which itself The now defunct Working Group on Article 29 (GT29) had already analyzed separately: "Information" + "About" + "Natural person" + "Identified or identifiable". If that concerns us, in our opinion, we consider that in the verification of the temperature the first 3 are met, but not the one indicated in fourth place. I mean, of course that the temperature measurement may be associated with a natural person, but what is not It will be possible, according to the data that MB collects, it will be to know the identity of that person, in a reasonable way, according to the GT29 itself established, since there is no collection or association with another direct or indirect identifier (for example, names and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/17 surname, DNI, passenger card or similar title, etc ...) that allows knowing the identity of a person. In these cases, according to the report on the concept of personal data issued by the GT29 already in 2007, we will simply find ourselves before anonymous data that does not require the protection of privacy legislation, for the simple fact that that this last right will not be affected. (…) " Furthermore, MB supports the argument that there is no processing of personal data in documents published by other European control authorities (downloaded from internet and incorporated into this file through the corresponding diligence). Namely: “CNIL (France): Publicly acknowledges that regulations on the treatment of data only apply to automated processing (in particular IT) or to non-processing automated personal data intended to be included in a file. For the Therefore, he concludes that if there was only verification of the temperature by means of a hand-held thermometer (such as the non-contact infrared type) at the input of a site, without leaving a trace, or any other operation that is carried out (such as information feedback, etc.), this situation does not fall under the data protection regulations. This statement can be consulted at following link: https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur- la-collecte-de-donnees-personnelles-par-les Autoriteit Persoonsgegevens (Netherlands): Along the same lines, the Control Authority Dutch recognizes that the GDPR does not apply to situations where you only read the temperature, without it being recorded or stored in an automated system, as is applicable to MB's performance. Yes that leaves the situation open to Said control may affect other rights, but not that of data protection in this case. This statement can be consulted at the following link: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturen-tijdens- Crown" Notwithstanding the foregoing, MB in writing 018048/2020 also performs an analysis in the event that it is understood that the process involves data processing personal: “But, even if we were to consider that, indeed, there was a processing of personal data (which we have already explained would not be the case in this situation) and we should identify the appropriate legitimations to de treatment of this type of information, there are currently different bases that they could come to "legalize" that treatment. They are set out below, so summarized, consistent with Report 0017/2020 on Covid-19 that you themselves have issued (and that we attach as Document 2), which addresses the possibility of processing personal data in the event of fact that we are evaluating, as well as the legitimation problem that would exist for make it happen: - Vital interest: In accordance with Recital 46 RGPD, the treatment in these cases could be legitimized by this cause, by establish that “The processing of personal data should also be considered lawful when necessary to protect an interest essential to the life of the interested party or that of another natural person. In principle, personal data should only be dealt with on the basis of the vital interest of another natural person C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/17 when the processing cannot be manifestly based on a legal basis different. Certain types of treatment can respond both to reasons important to the public interest as well as the vital interests of the interested party, such as when the treatment is necessary for humanitarian purposes, including the control of epidemics and their spread, or in situations of humanitarian emergency, especially in the event of natural disasters or human origin ”. - Public interest: This possibility is obvious, which may have justifications similar to that taken into account in the previous section, although, here yes, it must have legal backing. - Legal obligation: In this case, there are several laws that would allow a data processing, not only the aforementioned Law 38/2015, which has a sectoral character, but also others with a more general nuance and that may cover more situations, such as, for example, Organic Law 3/1986, of April 14, on Special Measures in Public Health Matters (modified by Royal Decree-Law 6/2020, of March 10, which adopts certain urgent measures in the economic sphere and for the protection of public health, published in the Official State Gazette of March 11 2020), which states, in its article 3, that “In order to control the communicable diseases, the health authority, in addition to carrying out the general preventive actions, you may adopt the appropriate measures for the control of the sick, of the people who are or have been in contact with them and the immediate environment, as well as those that are consider necessary in case of risk of a transferable nature ”. Should bring mentioned here that the health authority, the Ministry of Health or organizations to which it delegates, has already published, to date, different protocols where it is included, as a necessary security measure for the return to normality of these activities, the aforementioned controls temperature. For example, the Action Protocol for the reactivation of the judicial activity and professional health, of the General Council of the Judiciary, the Basic action protocol for returning to training and restarting of federated and professional competitions; or in the Recommendations for the restoration of activity in swimming pools for public use after the Covid-19 crisis. And let us also remember that the Government of Spain itself, in the management of this emergency situation and, specifically, in relation to with the measures that will be imposed on foreigners visiting Spain during the period that this situation lasts, it plans to carry out temperature controls at each person entering the country, in order to guarantee maximum security sanitary. Furthermore, in the search for more legal support, we could point out also Law 33/2011, of October 4, General of Public Health, which collects Similar assumptions that allow the processing of personal data following the instructions from the competent authorities. Or with a more concrete character, We could also mention Law 31/1995, of November 8, on the Prevention of Occupational Risks (LPRL), which includes similar assumptions (in this case, for the workers), recognizing that it is the employer's obligation to guarantee the safety at work. This last obligation of the employer must be understood in the sense wide, so that the simple circumstance that the employees or subcontractors of the own MB work in contact with customers and users of the same, would imply the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/17 the need for the protection provided to employees or subcontractors to be extensible to customers or users, as a consequence of the fact that access to MB installations by infected clients or users could put in risk the safety of employees or subcontractors, and that of the users themselves each. Even, the lack of action in the fulfillment of the obligations of protection of workers derived from the LPRL could constitute a crime, as it is regulated in articles 316-318 of the Penal Code. In this In this sense, it should be remembered that this opinion has been ratified by the Ministry of Health in the document that it has prepared relative to "Procedure of action for occupational risk prevention services against exposure to SARSCOV-2 ”that makes the following recommendation to the prevention services of occupational hazards on page 3: “Since contact with the virus can affect health and non-health environments, it is up to companies to assess the risk of exhibition in which workers can be found in each of the differentiated tasks that they carry out and follow the recommendations that on the matter issue the prevention service, following the guidelines and recommendations made by the health authorities ”. All this, let us remember, without forgetting that the RGPD itself also contains the possibility to process personal data in exceptional situations, as we have explained previously. Therefore, one more rule that enables us to do so. In short, for the specific case that concerns us and even for more casuistry, It seems that the legitimation of a potential processing of personal data would be a question that would admit various possibilities that act as a basis of legality in a factual assumption such as the one under analysis. (…) " Regarding the reference made to Law 38/2015 when evaluating the possible support in a legal obligation of the treatment, MB also provides the following information in writing 018048/2020: “(…) We would like to refer to Law 38/2015, of September 29, on the Railway Sector (LSF), which imposes on railway market operators, as well as general managers of railway infrastructures certain obligations between which is the one to "guarantee security" in its functions and attributions established in this Law. Without a doubt, preventing the spread of an epidemic is within these obligations that are collected throughout the articles of this law, directly applicable to MB. This is clear from articles such as 64.4 LSF, when they stipulate that “The responsibility for traffic safety on the Interesting Railway Network General corresponds to the administrators of the railway infrastructures and the railway companies that operate there. Infrastructure managers railway companies and railway companies shall apply safety rules and regulations and They will have security management systems in place, appropriate to the provisions of this law and its development provisions, which will include the necessary measures to the evaluation and control of railway traffic risks and their monitoring. I know They will also be responsible for the safety of the part of the railway system that affects them, including the supply of material and the contracting of services, regarding users, clients, workers, interested parties and third parties ”. It is also necessary to bring up article 104 LSF, which, in the section on Sanctioning and Inspection Regime, establishes in its section 3 that “The personnel of the inspection services that hold that condition, under the terms provided in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/17 current legislation, may collect from natural and legal persons or entities affected by the obligations established in this law or in its implementing regulations, as much information as they deem necessary for the exercise of their inspection function ”, in its section 4 that “It corresponds to the infrastructure managers railways the exercise of police power in relation to the traffic railway, the use and defense of the infrastructure, in order to guarantee the traffic safety, maintenance of infrastructure, facilities and Material means of any kind, necessary for its exploitation. What's more, will control the fulfillment of the obligations that tend to avoid all kinds of damage, deterioration of the roads, risk or danger to people, and respect for the limitations imposed in relation to the immediate land to the railroad to which Chapter III of Title II refers to, formulating the complaints, which, if applicable, are proceeding ”, in section 5 that“ The officials of the Ministry of Public Works and the State Railway Safety Agency and the personnel expressly authorized by railway infrastructure managers to ensure compliance with the regulations on safety in railway traffic will have, in their acts of service or because of the same, the consideration of agents of the authority, to effects of the requirement, where appropriate, of the responsibility corresponding to those who offer resistance or commit attack or contempt against them, on the job or in word. In the exercise of the functions indicated in the previous section, the aforementioned staff may require the persons referred to in section 3 how many information deemed necessary and, where appropriate, will report to the body competent to initiate the corresponding disciplinary proceedings, the behaviors and actions that contravene the provisions established in the itself and in its development rules. Likewise, they may request, through the corresponding governmental authority, the necessary support of the bodies and forces security "and in section 6 that" The facts verified by the personnel referred in the previous section will have probative value when they are formalized in a document public, observing the pertinent legal requirements, without prejudice to the evidence that In defense of their respective rights or interests, they may point out or provide the own interested parties ”. In view of the foregoing, MB has an obligation to safeguard the interests referred to in previous lines, and may be held responsible for any omission in this sense, if he had not taken all the security measures that were within their reach and that, indeed, were combined with the affectation of other rights. " Finally, MB performs the following analysis regarding its legitimacy to carry out carry out the temperature control process: “(…) The analysis on the question of the legitimacy to carry out this control action of the temperature on people in the field of MB should not attend to a proactive criterion that consists in the search for a law that allows us to carry out carry out this action, on the contrary, what we will have to verify is that there is no law that prohibits such conduct since, in accordance with the principle of legality in force in our country and recognized in the Spanish Constitution (CE), in different articles, the negative linkage of this principle would mean that “what is not expressly prohibited in our legal system, it is allowed ”. This interpretation is latent in different precepts of our Magna Carta, as, for example, in Article 9 EC, which includes its more general version in its C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/17 first section, which stipulates that “Citizens and public powers are subject to the Constitution and the rest of the legal system ”, and in its section third that “The Constitution guarantees the principle of legality, the normative hierarchy, the publicity of the rules, the non-retroactivity of the sanctioning provisions favorable or restrictive of individual rights, legal security, responsibility and the interdiction of the arbitrariness of the public powers ”. However, and regarding its application in the criminal or administrative sphere, there are more precepts in the aforementioned Constitutional Text that give us to understand this position. For example, article 25.1 EC, which establishes that “No one can be convicted or sanctioned for actions or omissions that at the time of do not constitute a crime, misdemeanor or administrative offense, according to the legislation in force in that moment ”, or also article 103.1, that by establishing that“ The Administration Public objectively serves the general interests and acts in accordance with the principles of effectiveness, hierarchy, decentralization, deconcentration and coordination, with full submission to the law and the Law ”, transmits to us the need to regulation to be able to think of attributing responsibility for some prohibited act. To understand it in another way would imply serious damage to the principles of freedom and legal certainty, something that would be unacceptable in any State of Law, and that the judiciary would punish with the objective of guaranteeing the primary values of all democracy." The following documents, referred to in the previous presentation, have been provided by MB to the AEPD as part of writing 018048/2020: - Annex document number 2 of brief 018048/2020: cabinet report Legal AEPD N / REF 0017/2020. - Annex document number 3 of brief 018048/2020: “Legal report about of the processing of data related to the body temperature of users in the Bilbao metro ”, prepared, according to the figure contained therein, by the Data Protection Delegate. This report, more extensively, delves into the arguments presented in his writing: the concept of data personal and their application to the present case; the legitimation of the treatment in in the event that it was subject to data protection regulations personal; the proportionality of the treatment (judgments of necessity, suitability, and proportionality). The document contains a section on conclusions (p. 15 and following), among which he advises MB “(…) the implementation of a device that does not capture or process any personal data, which will combine the most demanding characteristics of respect: It is not data personal, so there is no injury to privacy; The least medium is used harmful, so it is acted with diligent proportionality ”. Likewise, section 5 ("Legal analysis") of Annex Document number 1 of the brief 018048/2020 ("Random temperature controls for users") also affects the argument that the temperature control MB process would not be subject to to the personal data protection regulations. About the participants As part of the writing 018048/2020, MB declares with respect to the participants that, according to the arguments seen in the previous section (“MB does not perform a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/17 processing of personal data ")," does not fit here the assumption of responsibilities typical of the personal data protection legislation ”. However, he adds, “a transparency effects with the AEPD ”, the following description of responsibilities: - Client: MB, who “has considered it necessary to acquire a access control in its facilities, based on the possible existence of symptoms related to the current pandemic caused by the Covid-19 ". - Service provider: DYA, which “is configured as a simple service provider services without access to data, which does not entail the condition of a Responsible for the Treatment ”. As part of brief 018048/2020, MB attaches Annex Document number 4, agreement signed by DYA and MB on May 10, 2020. They are detailed below some paragraphs included in the agreement: "The current health emergency situation requires the adoption of measures specific that both result in greater safety of the transport user as in an awareness of it regarding the need to observe all preventive health measures in order to control the transmission situation of Covid-19. " “A common, though not universal, symptom of Covid-19 is fever. Control the people's body temperature before starting work and to the public, since either before accessing the stations or railway units, and then recommend that only people with a normal body temperature enter the those spaces, it could give passengers a feeling that the people at their around they are healthy ”. “DYA is committed to carrying out a measurement of the body temperature of travelers of the Bilbao metropolitan railway in the terms set forth herein document". “DYA will carry out a daily measurement at a railway reference station Metropolitan of Bilbao ”. "DYA will recommend the traveler to exceed the temperature standard established, refrain from continuing the journey. Temperature measurement should in no case imply treatment of data from personal character for the purposes of the General Data Protection Regulation (REGULATION (EU) 2016/679). Likewise, no transmission will be made. wireless any of these images or data, keeping the measurement equipment with said functionalities (WiFi, Bluetooth,…) deactivated at all times ”. "This agreement will enter into force on May 10, 2020 expiring to all effects within a month ”. The information provided to the AEPD does not include the annexes to the agreement referred to therein: "Administrative Clauses 18-LG-DC-067" and "Offer of DYA ”. About data retention C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/17 As stated by MB in writing 018048/2020, since no data is recorded and thermal cameras broadcast in real time, it is not appropriate to establish deadline policies conservation. On the duty of information On this matter, MB, in writing 018048/2020, states the following: “Based on the consideration that data processing is not taking place personal information, it makes no sense to implement an information procedure to the interested parties, for the purposes of data protection legislation. However, concrete instruction has been given so that operators who have the attributed function of controlling the temperature verbally inform the people about the situation and the reason for such control, indicating that, in At no time will the results of the tests be recorded, stored or used. measurements for any purpose other than to advise on the measurements of security to adopt. Additionally, all the necessary documentation is available to implement in case the MB decides, in the future, to go one step further and process data personal. In this sense, a badge has already been prepared to announce this collection and processing of personal data, as well as additional information to include". MB provides, as part written 018048/2020, an image of the badge that has prepared, and in which it is stated: notice of "thermo-monitored area"; responsable; purposes; indication of how to exercise data protection rights; and indication of how to obtain more information about the treatment. About risk assessment and security measures MB states that “prior to the implementation of this control, it has carried out an analysis of impact to choose the least harmful option with other rights of people in play". As he points out, this analysis is reflected in the reports Attached document number 1 ("Random temperature controls for users") and Attached document number 3 (“Legal report on the processing of data related to temperature body of users in the Bilbao metro ”). Both documents have already been analyzed in this report (the first of them in section 2 “Description of the process ”and the second in section 3“ Purpose and legal basis ”). Moves to Then, due to its relationship with this section, the fundamental content of the chapter “Analysis of existing technology. Solution adopted ”of the document "Random user temperature controls": “Based on the proposals made by the reference providers, we can catalog existing solutions in three different typologies: - Non-contact infrared thermometers - Portable thermal imaging cameras - 'Bullet' type thermographic cameras C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/17 “(…) Starting from the premise that the temperature measurements are going to be carried out randomly in terms of users (not all users will go through the control temperature) and mobile (in a different station each day) and that therefore, the Equipment must be easily installable and transportable, as well as simple in its handling, it is concluded that the most appropriate solution is thermal imaging cameras laptops. The main advantages that support this solution are the following list: - (…) Average reliability. +/- 0.5 ° C error in temperature measurement - (…) even though the measurement must be done in a row one by one, it is not a relevant aspect given that it is based on the premise that random measurements, not all users. Therefore, they are not expected agglomerations of users to pass through the measurement controls of temperature. On the other hand, regarding the Personnel who will use the thermal imaging cameras portable, it is considered convenient that it be Health Personnel with knowledge in this field so that you know how to interpret the results obtained in case of double positive and can resolve the doubts or claims that users submit to the respect (…) ”. In addition, in the brief 018048/2020 MB summarizes, in the following way, the measures you have adopted: - "Carry out technical and legal analyzes on the solution to be implemented previously, having opted for the least damaging of the rights of the people. - Do not select any device that could generate data processing personal. The least intrusive option has been chosen, and it does not process data relating to an identified or identifiable person and who, therefore, is constitute as anonymous data, which have no impact on the privacy or intimacy of people. - Advise people who may come to present any symptoms related to the disease that has caused this pandemic that is go to your home, and contact the health authorities to verify your health condition. In strict accordance with the message and obligations transmitted by the competent authorities in this matter. - Adopt this measure on a temporary basis limited to the duration of the health emergency situation. - Hire qualified health personnel for the interpretation of the proposed measurements. - Inform people about the aforementioned situation, verbally, by of the operators, with the aim of promoting transparency ”. In addition, as seen above, Annex Document number 4 that collects The agreement signed between DYA and MB includes the following measure: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/17 “(…) There will be no wireless transmission of said images or data, keeping the measurement equipment with said functionalities (WiFi, Bluetooth,…) deactivated at all times ”. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II In the present case, MB would be taking the body temperature of users of the subway using thermal imaging cameras without recognition and without recording, which the only thing they will capture will be a heat map of a person / animal / thing that will allow know the temperature measurement without identification, without recording and without recording of personal data as their identification is not required. According to MB, this data will be displayed in real time and only by health personnel. Regarding the legal basis of the treatment, MB points out that in this process there is no a processing of personal data as stipulated in article 2.1 of the RGPD, since in this case there is no automated data processing personal data, nor is it a non-automated treatment intended to be included in a file. And, for this reason, this action should be outside the scope of application of the regulations on data protection. Details what we would find before data anonymous names that do not require the protection of privacy legislation, for the simple fact that this last right will not be affected. However, MB also performs an analysis in the event that it is understood that the process involves the processing of personal data and concludes that the processing could be based on the protection of a vital interest, in the terms of recital 46 of the RGPD, or in the public interest or compliance with a legal obligation. To this Last respect, cites Organic Law 3/1986, of April 14, on Special Measures in Public Health Matter, Law 33/2011, of October 4, General Public Health and Law 31/1995, of November 8, on the Prevention of Occupational Risks. MB also makes a reference to Law 38/2015, of September 29, on the Sector Railway, which imposes on the railway market operators and the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/17 general administrations of railway infrastructures the obligation, among others, to guarantee safety in rail traffic. Finally, MB mentions the Spanish Constitution, understanding that “(…) the analysis on the question of the legitimacy to carry out this action of control of the temperature on people in the field of MB should not meet a criterion proactive that consists of the search for a law that allows us to carry out that action, on the contrary, what we will have to verify is that there is no law that prohibits such conduct since, in accordance with the principle of legality in force in our country and recognized in the Spanish Constitution (CE), in different articles, the negative linkage of this principle would mean that “what is not expressly prohibited in our legal system, it is allowed ”. III In relation to the temperature taken by users of suburban transport to help prevent the spread of the COVID-19 pandemic, it is considered It is necessary to highlight that the body temperature of people is a health data in itself, according to the definition contained in article 4, paragraph 15, of the RGPD. According to article 4 of the RGPD, sections 1 and 2, "personal data" will be understood as: "Any information about an identified or identifiable natural person"; and by "Treatment": "any operation or set of operations carried out on data personal data or personal data sets, either by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction. " Based on the above, people's temperature controls can constitute a treatment of health data related to an identified natural person or identifiable, and, as such, must comply with one of the legal bases listed in Article 6 of the RGPD and meet any of the specific exceptions that are listed in article 9 of the RGPD. To determine if in a specific case there has been a processing of data from an identified or identifiable person, it must be based on the type of device employee and take into account other circumstances of the decision making process temperature that can make the person identifiable, as in the case of whether or not body temperature is recorded or that the temperature capture in the establishments open to the public are carried out with advertising, in such a way that the affected person can be identified by third parties. In the body temperature controls carried out by MB to take the temperature to metro users, are used for this, in a first measurement, thermal imaging cameras and, in a second measurement, manual thermometers, both only designed for taking body temperature. When these controls temperature measurements are not accompanied by an identity check of the persons who intend to access the establishment, that is, when the temperature measurement is not C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/17 links to a certain person through their registration or annotation, such measures would not be, in principle, included in the scope of application of the RGPD by not associate the temperature with an identified or identifiable person. However, denying access to a person because of their temperature or informing you that your body temperature exceeds a certain threshold could reveal to third parties who have no justification to know that the person to whom entry has been denied or reported your temperature has a temperature body above what is considered not relevant and, above all, that it may be infected by the virus, since fever is a symptom of the disease caused by SARS-CoV-2, so it will also be necessary to establish in each case whether the specific circumstances that concurred in the temperature taking process of a certain person events were derived that made it identifiable. In the case under examination, thermal imaging cameras and manual thermometers are used for temperature measurements without this process being accompanied by record of the temperature obtained from the metro users. Nor has verified the concurrence of special circumstances that have made it possible to link the aforementioned treatment to an identified or identifiable person. Therefore, according to the reasoning, it is not appreciated in this case that the treatment of data that is carried out refers to identified or identifiable natural persons, consequently being excluded from the scope of application of the RGPD IV Article 68.1 of the LOPDGDD, referring to the agreement to initiate the procedure for the exercise of the sanctioning power, establishes that once the preliminary investigation actions, will correspond to the Presidency of the Agency Spanish Data Protection, when appropriate, issue an agreement to initiate procedure for the exercise of the sanctioning power. After analyzing the reasons given by METRO BILBAO, S.A., which operate in the record, the lack of rational evidence of the existence of a infringement within the competence of the Spanish Agency for Data Protection, not proceeding, consequently, the opening of a sanctioning procedure. All this without prejudice to the fact that the Agency, applying the powers of investigation and corrective measures that it holds, can carry out subsequent actions related to the data processing referred to in the factual antecedents. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED TO THE FILING of the present proceedings against METRO BILBAO, S.A. SECOND: NOTIFY this resolution to METRO BILBAO, S.A. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/17 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es