AEPD (Spain) - E/03882/2020
AEPD (Spain) - E/03882/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(15) GDPR Article 6 GDPR Article 6(1)(c) GDPR Article 9 GDPR Article 9(2)(h) GDPR Law 31/ 1995 of 8 November on Prevention of Occupational Risks |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | |
Published: | 25.05.2021 |
Fine: | None |
Parties: | El Corte Inglés |
National Case Number/Name: | E/03882/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Óscar Jacobo |
The Spanish DPA confirmed that the use of a thermal camera by private security guards to detect individuals' temperatures does does not fall under the scope of the GDPR when there is no further processing of the data shown by the camera, and the persons are not asked to identify themselves.
English Summary
Facts
The Spanish DPA (AEPD) launched an investigation on body temperature checks carried out by El Corte Inglés, the biggest Spanish department store companies. The company was using thermographic cameras to verify if employees, customers or visitors of its establishments had a high body temperature, as a potential symptom of coronavirus.
According to the system adopted by El Corte Iglés, Persons passed through the range of the cameras, that showed temperature map to private security guards. The information received does not show recognizable details to make possible identification of visitors, nor is it combined with data taken with video surveillance cameras. Body temperature data will be displayed in real-time and only by a particular member of the private security department of El Corte Inglés, located in the control centre, which is provided with an access control and video surveillance system. Data of temperature checks were neither registered, stored or processed in any way. The main purpose of the temperature measurement would be to dissuade symptomatic persons from coming, as well as to reassure the rest of the customers and employees.
Dispute
Are temperature-check measures, implemented in the context of the COVID-19 pandemic, according to GDPR?
Holding
The DPA emphasises that body temperature shall be considered personal data and, consequently, data concerning health according to Article 4(1) and 4(15) GDPR. Hence, temperature-check measures could be considered processing of health data relating to an identified or identifiable natural person. If this is the case, compliance with a legal obligation according to Article 6(1)(c) GDPR would be a valid legal basis, related to the exception provided by Article 9(2)(h) GDPR: the employer has the obligation to ensure the safety and health of employees, according to articles 14 and following of Law 31/1995 of 8 November on Prevention of Occupational Risks. This obligation operates as an exception that allows the processing of health data, under the circumstances provided in Article 9.2.h) of the GDPR, and as a legal basis that legitimizes the processing, since the processing is necessary for the fulfilment of a legal obligation imposed on the employer.
At any rate, the Spanish DPA did not reach a solid conclusion regarding whether temperature measurement falls under material scope of GDPR and remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered, such as if body temperature data are registered or stored.
Nevertheless, in this particular case, the Spanish DPA concluded that the GDPR was not applicable, as it did not fall under its material scope: there is not processing of data related to identifiable persons.
The main circumstances taken into account by the Spanish DPA are as follows: the measurement of temperature is not followed by identity checks of visitors; the data of temperature obtained is neither registered nor stored, nor there are other circumstances that enable data subject identification.
Additionally, AEPD underlines that the measurement of temperature may be conducted by private security guards, according to Article 32.1 of the Private Security Act, which establishes that they are responsible, among other functions, for the protection of persons "carrying out checks, searches and preventions necessary for the fulfilment of their mission".
Comment
This is the second case in which the Spanish DPA has analysed temperature measurement in the context of the covid-19 pandemic, after their E/03884/2020 decision. In contrast to the first decision, in this case, the supervision of body temperature measuring was conducted by private security guards instead of medical staff. Moreover, the temperature of all the visitors was measured, instead of choosing people randomly.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 Procedure Nº: E / 03882/2020 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: On May 14, 2020, the Director of the Spanish Agency for Data Protection (AEPD) urged the Subdirectorate General for Data Inspection (SGID) to initiate the preliminary investigation actions referred to in article 67 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD) since, according to what has transpired to through the media, EL CORTE INGLÉS, S.A. (hereinafter, ECI), with CIF A28017895, would have initiated actions aimed at the installation of thermal imaging cameras at the entrance of your establishments to measure temperature of customers. SECOND: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts previously described, having knowledge of the following points, as It emerges from the brief presented by ECI, with entry number 017706/2020, in response to the request of this Agency: About the context According to ECI, as part of its letter number 017837/2020, “it has come designing contingency plans [see annex 2] in the face of COVID-19 from the perspective of its staff, as well as third parties who must be related to us: clients, suppliers and personnel of other companies that provide us services". Annex 2 of your brief 017837/2020, entitled "CONTIGENCE PLAN FOR THE STORE REOPENING ”, dated April 27, 2020 and classified as "DOCUMENT FOR INTERNAL USE", includes, as indicated, "the measures preventive measures in the resumption of the activity of the stores after its suspension to cause of the pandemic status due to exposure to the COVID19 virus ”. He adds that "this plan will be adapted at all times to the indications established by the Ministry of the Health or other competent authorities and also to the availability in the market of preventive means, both sanitary and technical ”. As he points out, “the The ultimate goal of the plan is that, at the time of reopening, it is complete or staggered, our stores are and are perceived by employees and customers as the safer and better prepared ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/18 The measures included in the plan are subdivided into four sections: "SECURITY AND EMPLOYEE HEALTH ”; "ORGANIZATIONAL MEASURES"; "FACILITIES AND COMMON SPACES"; and "INFORMATION AND COMMUNICATION". In the section relating to the health and safety of employees, measures of hygiene and social practices, measures regarding workers especially sensitive and symptomatic workers, it is contemplated to carry out rapid tests of antibodies, labor flexibility measures, COVID training, transport of employees, uniforms, an employee helpline as well as safety measures personal protection. In the section on organizational measures of the plan, social distancing is cited of 2 meters, the control of the influx of customers and taking body temperature at customers, measures regarding elevators, fitting rooms and return of items, as well as measures for activities that require close contact, actions specific by division, measures on work organization and working hours opening. In the section relating to facilities and common spaces, measures are listed regarding air conditioning, changing rooms, rest rooms and toilets, also regarding cleaning and disinfection, water fountains and doors. In the section on information and communication, for employees it is contemplated a link and internal mail as well as a specific plan. For customers, it is anticipated telephone information and WhatsApp. Reference is also made to communication in store through posters and public address. Regarding the measures related to temperature control, it is anticipated that following: - In the section relating to the health and safety of employees, within the subsection "SYMPTOMATIC WORKERS", it is specified that "in the Personnel accesses will be carried out random temperature controls body to employees, by means of devices that allow an agile reading and reliable. It is a deterrent measure, it is not necessary to do it to all employees every day, if not at random ”. - The section on organizational measures includes the subsection "TAKE CUSTOMERS BODY TEMPERATURE" which indicates that "As far as possible, thermal imaging cameras, arches thermographic or equivalent device on the access doors of the clients, which will allow clients to take body temperature in an agile way and without waiting. It is a dissuasive measure so that you do not go the symptomatic person, as well as reassurance towards the rest of the clients and employees ”. About the process ECI describes the system for capturing images and measuring the temperature of the Following way: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/18 “Thermal imaging technology is based on a procedure for generating non-contact imaging, which allows you to see the thermal radiation of an object or body in the spectrum invisible to the human eye (infrared length) through a monitor. All this is done with full respect for privacy: the camera does not show details recognizable to identify people's faces. [see Annex 1] The cameras Thermal radiation converts the IR radiation emitted by objects or people with temperatures above absolute zero, in a graphic image and measures the temperature accurately. When the system detects a figure in the image that exceeds the temperature threshold to be set, an acoustic warning is issued to a PC and / or an alarm system ”. ECI refers in its writing that the treatments carried out during the process would be the following: “- Pickup: The camera has an image capture range of 2 to 9 meters and its maximum horizontal opening angle is between 24º to 37.5º. Its vertical opening angle is between 18º and 18.2º depending on the lens installed. The maximum resolution varies between 256x192 at 384x288 pixels. Image sensors are the models *** MODEL.1 and MODEL.2. The reading precision is between ± 0.3ºC and ± 0.5ºC. The simultaneous face detection capacity is 30 faces. - Consultation: The data will be displayed in real time and only by personnel authorized for this purpose. The authorized personnel for this visualization belong to the security company that provides the service, or to El Corte Inglés, S.A. It should be noted that the images are displayed only in the center of control, which has an access control and a security system video surveillance. - Interconnection: Communication made from the camera, the server and the monitor, with the aim of creating an online union, communicating teams permanently. The camera will connect to the infrastructure of local and exclusive network of the Prevention and Safety Department that arranges the building. The visualization of the video stream will be achieved through of software installed on a certified computer and a dedicated monitor within the control center. - Deletion: the data is no longer processed (displayed) as soon as the person is is outside the range of observation of the camera, not remaining information in the system, since the vision is done in real time. The camera is pre-configured by setting a detection frame on the thermographic image, only within that frame is where it will be carried out temperature measurement. Once outside the detection frame no measurement can be performed. " He adds that “the physical characteristics of the lens directly influence the size of the detection frame, being this conditioned to the horizontal opening angle and vertical and at the distance of the image capture ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/18 Annex 1 of brief 017837/2020 includes a sample of two images that, according to indicated, correspond to captures from thermal imaging cameras. ECI indicates that camera does not display recognizable details to identify people's faces. Y that thermal imaging cameras do not combine images with conventional cameras video surveillance. Both the images from the thermal camera system thermography, like surveillance images, belongs to systems totally separate, from the point of view of treatment and storage. Furthermore, as part of its response, ECI states that, “if the referred actions, none of the following treatments would be carried out: - Record: the temperature information would NOT be entered or recorded body in any type of system or device, automated or not automated. - Structuring: the information would NOT be ordered or structured by not performing any treatment. - Modification: NO information would be altered or changed. - Conservation: the information would NOT be stored or maintained for a certain period of time. - Extraction: the information of a system or device would NOT be obtained original for shipment or transfer to another system or device. - Dissemination: NO data would be transferred or communicated to a person other than the interested. - Communication by transmission: the data would NOT be sent to another recipient from your system or source device through electronic means. - Collation: the data of two or more treatments or systems would NOT be analyzed to establish similarities and differences and develop some kind of assessment. - Limitation: It would NOT apply since no data is stored or carried out no further treatment. - Communication: NO data would be revealed to a person other than the interested." On the purpose and legal basis The description that ECI makes of the purpose of these treatments is: "It is intended to measure the body temperature of customers and employees by means of thermal imaging cameras, in order to obtain an indicator (the presence of a elevated body temperature) that makes it possible to detect clients who present symptoms compatible with COVlD-19 (cold, runny nose, nasal congestion, feverish appearance) and, where appropriate, inform the affected person who presents these symptoms, as indicated on page 8 of the "Protocol and Guide to Good Practices aimed at commercial activity in a physical and non-sedentary establishment " of the Ministry of Industry, Commerce and Tourism ”. According to ECI, the document “Protocol and Guide of Good Practices aimed at the commercial activity in a physical and non-sedentary establishment ”of the Ministry of Industry, Commerce and Tourism contains, among others, the following recommendations: - "Basic knowledge about Covid-19 for its prevention: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/18 o The symptoms of Covid-19 are cough, fever and respiratory distress mainly and muscle pain and headache in some cases. " - “Avoid entering the establishment of clients with symptoms catarrhal (runny nose, nasal or conjunctival congestion, dry or productive cough, tearing, feverish appearance). In the event that a client with symptoms has entered the premises, carry out a disinfection of all points such as shelves, trolleys, etc., with which may have had contact ”. - “One of the symptoms of Covid-19 is high fever. Therefore, it is recommended to workers who have a daily temperature check before leave your home and, if it is over 37.5 degrees, do not go to the work and notify your company by calling the authorized medical contact by the company. Likewise, they should contact the public service of health to process your withdrawal for TI and medical assistance. " In relation to the legal basis of the treatment, ECI states that “as established the RGPD UE 2016/679, the situation would be framed in the exceptions that the It also provides for the prohibition of the processing of certain special categories of data personal data, such as health data, when there is a need to protect data vital interests of the interested party and / or third parties (art. 6 and 9 of the RGPD). Specifically the Recital 46 of the Regulation explicitly refers to the control of an epidemic and its spread ”. It also provides the following considerations: - “In the labor context, the European Data Protection Committee (CEPD), indicates that the processing of personal data may be necessary to comply with a legal obligation to which the employer is subject, such as obligations related to health and safety at the workplace work, or in the public interest, such as disease control and other threats to health ”. It also cites Royal Legislative Decree 2/2015, which approves the Consolidated text of the Workers' Statute Law, and Law 31/1995, of Occupational Risk Prevention, in the following terms: “The decision to establish a temperature control corresponds to the company under the LPRL and article 20 of the Statute of the Workers, which allows you to adopt the measures you deem most appropriate surveillance and control to verify compliance by the worker of their obligations and job duties. Article 29 of the LPRL establishes that it is up to each worker to ensure, according to their possibilities and by complying with the prevention that in each case are adopted, for their own safety and health at work and that of those other people to whom you can affect their professional activity, due to their acts and omissions in the work in accordance with your training and company instructions. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/18 The same article 29 establishes that non-compliance by workers of Obligations regarding the prevention of occupational risks will have the consideration of labor breach for the purposes provided for in article 58.1 of the Workers' Statute. Therefore, the worker currently has the legal obligation to go to the workplace without fever, the company is empowered to verify the fulfillment of this obligation in accordance with article 20.3 of the Statute from the workers. The main conclusion that can be drawn from a positive result in the temperature control is that the self-protection measure is effective and that access to a worker who could generate a risk to their employees is prevented classmates". - “The CEPD and the AEPD also cite as legal bases for the treatment the public interest and the vital interest of containing the pandemic to which it refers recital 46 of the RGPD ”. About the participants ECI refers to the following actors who participate in the treatment: - Responsible for treatment: ECI. - Treatment managers: the following private security companies: - Mega2, S.L. Responsible for the installation of the system and its maintenance. In addition, it provides services of security guards whose responsibility is “Observe the monitors and be attentive to acoustic warnings or alerts, and activate the relevant protocol ”. - Securitas, S.A. Its guards have the responsibility to “observe the monitors and be attentive to acoustic warnings or alerts, and activate the relevant protocol ”. - EULEN Seguridad, S.A. Its watchers have the responsibility to “Observe the monitors and be attentive to acoustic warnings or alerts, and activate the relevant protocol ”. ECI explains that the data will be displayed in real time and only by personnel authorized for this purpose. The personnel authorized for this visualization belong to the security company that provides the service, or El Corte Inglés, S.A. The images are only displayed in the control center, which has a access control and a video surveillance system. The private security service is provided by security guards authorized by the Ministry of the Interior. Security companies, considered in charge of treatment, have the Responsibility to observe the monitors and be attentive to the acoustic services or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/18 alerts and activate the relevant protocol. All this, in accordance with the regulation of the Ministry of the Interior of Spain that establishes the possibility of carrying out said controls with legal coverage by private security personnel, who have mandatory first aid training, legal duty to maintain confidentiality, according to Article 31 of Order INT / 318/2011 and that, according to Article 32.1 of the Law of Private Security, it corresponds to them, among other functions, within their service, the protection of people “carrying out checks, records and necessary precautions for the fulfillment of its mission ”. About data retention Regarding the conservation of the data obtained through this system, ECI states that “no data is kept, no data is stored nor is it carried out any further treatment ”. He adds that “the system has been configured in such a way that only the information is viewed by security personnel in real time, without registering or archiving information in any type of support. So the Data processing only occurs while the client passes through the area of observation or scope of the camera, after which they automatically stop be treated WITHOUT KEEPING DATA ON ANY KIND OF SUPPORT ". On the duty of information In relation to the duty of information, ECI states that “posters have been designed informative, which will be installed in the access doors, to inform the clients, in a first layer ”. It adds that “in said posters it is indicated where Consult the complete and detailed information: *** URL.1 ”. Annex 8 of writing 017837/2020 has been provided, a copy of the posters with the title “THERMAL CAMERAS” and the subtitle “TEMPORARY CONTROL OF THE BODY TEMPERATURE". In addition, the following information is provided on the poster: - Responsable EL CORTE INGLÉS, S.A. Hermosilla 112, 28009, Madrid - Purpose Guarantee the safety of people, preventing the spread of pandemic. The images are viewed in real time. Are not preserved data or images in any type of support or record. - Legitimation The treatment is necessary to protect vital interests of the interested party or others. - Recipients The data will not be transferred to third parties. 1Article 31 of Order IN / 318/2011: “10. The private security personnel will keep strict reserve professional about the facts that he knows in the exercise of his functions, especially the information tions you receive regarding security and personal data to be processed, investigated or custody, and may not provide data on said events other than to the persons who have contravened them. state and the competent judicial and police bodies for the exercise of their functions ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/18 - Rights The art. 15 to 22 of the RGPD regulate the rights of those affected, not However, the exercise of these must be qualified in the field of decision-making. temperature, since no data is recorded on any medium. If you wish to exercise your rights, in accordance with current legislation, the Interested parties can contact by email to the address *** EMAIL.1, indicating the subject "Temperature Control". - Additional Information You can consult the complete and detailed information on the web: *** URL.1. As part of Annex 8 of writing 017837/2020 the content of the address is provided Internet *** URL. 1. The information contained in said link: "PRIVACY POLICY ON THERMAL CAMERAS IN THE COURT ENGLISH PRIVACY POLICY TEMPERATURE CONTROL RESPONSIBLE: El Corte Inglés, S.A., with registered office at: Calle Hermosilla 112, 28009 Madrid. Contact: *** EMAIL. 1. PURPOSE: Guarantee the safety of people, protecting the health and life of those who find in this center. Contribute to the containment of the pandemic, preventing its spread. The images and temperature data are viewed in real time. Not data or images are kept in any type of support or record. When high temperatures are detected, the system issues an alert, so that precise decisions can be made in real time and thus reinforce the measures of protection. Supporting our commitment to create a safer, cleaner and more healthy to work and shop. LEGITIMATION: The RGPD UE 2016/679 provides exceptions to the prohibition of the treatment of certain special categories of personal data, such as health data, where there is need to protect the vital interests of the interested party and / or third parties (art. 6 and 9 of the GDPR). Specifically, recital 46 of the Regulation explicitly refers to the control of an epidemic and its spread 1. RECIPIENTS: No data will be transferred to third parties except legal obligation. RIGHTS: The exercise of rights must be nuanced, since the temperature and images displayed are not recorded on any type of computerized medium or on paper, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/18 Therefore, no answer can be given to any of the rights, since there is no records any data. In any case, if you wish to exercise your rights, in accordance with the legislation current, interested parties can contact the address by email delegado.protecciondatos@elcorteingles.es, indicating in the subject "Control of Temperature". The interested person can file a claim with the Spanish Agency for Data Protection, especially when you are not satisfied with the exercise of your rights, for more details see the web https://www.agpd.es 1- Recital 46: The processing of personal data must also be considered lawful when necessary to protect an interest essential to the life of the person concerned or that of another Physical person. In principle, personal data should only be processed on the basis of the vital interest of another natural person when the treatment cannot be manifestly based on a different legal basis. Certain types of treatment can respond both to reasons important public interest as well as the vital interests of the interested party, such as when the treatment is necessary for humanitarian purposes, including epidemic control and its spread, or in humanitarian emergency situations, especially in case of natural or man-made catastrophes. " About risk assessment and security measures In addition to the information recorded in the risk analysis associated with the treatment "Body Temperature Control" (Annex 9 document of writing 017837/2020 provided by ECI), ECI makes a description of the technical and organizational measures of treatment security as part of your writing 017837/2020 in the following terms: "With the installation of thermographic cameras to measure body temperature of customers and, where appropriate, inform them, the following measures will be implemented technical and organizational techniques that we understand guarantee the security of the treatment: 1. The temperature, if applicable, will be taken by the thermal imaging camera and displayed by security personnel. All this, in accordance with the regulation of the Ministry of the Interior of Spain that establishes the possibility of carrying out said controls with legal coverage by private security personnel, who have compulsory first aid training, legal duty to maintain confidentiality, according to Article 31 of Order lNT / 318/2011 and that, according to Article 32.1 of the Private Security Law, corresponds to them, among other functions, within its service, the protection of people “carrying out checks, records and preventions necessary for the fulfillment of its mission " 2. The cameras have specific certificates that ensure that it is a homologated product, in accordance with the following technical standards related to electrotechnical: [see Annex 3] - EN 55032: 2015 - EN 61000-3-3-: 2013 - EN 61000-3-2: 2014 - EN 55024: 2010 / A1: 2015 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/18 - EN 55035: 2017 - EN 50130-4: 2011 / A1: 2014 " Annex 3 of the writing of writing 017837/2020, entitled "Certificates of products homologated according to standardized standards ”, includes a set of certificates of conformity issued for thermal imaging cameras from companies "Hangzhou Hikvision Digital Technology Co., Ltd" and "ZHEJIANG DAHUA VISION TECHNOLOGY CO., LTD ". "3. The cameras come with factory calibration certificates. [see Annex 4] " Annex 4 of the document of document 017837/2020, entitled "Calibration certificates of cameras ”, includes a set of calibration certificates issued for cameras thermographic from the companies "Hangzhou Hikvision Digital Technology Co., Ltd" and "Zhe Jiang Dahua Vision Technology". "4. The system does not have a recording medium, so that the information generated (images and metadata with information) is used to provide data to the system display, at the time of the high temperature alarm, generating a warning window, and thus being able to view the value of the measurement performed, in real time, and apply the relevant protocol in each case. All of this is done with full respect for privacy, as the camera does not display recognizable details to identify faces. [see Annex 1] Neither is the information in any type of support. " Annex 1 of the brief of brief 017837/2020, entitled “Sample of images captured by thermal imaging cameras ”, includes a sample of two images that, as indicated, they correspond to captures from thermal imaging cameras. "5. The system will be mounted on an exclusive local network (LAN) infrastructure of the Department of Prevention and Security. The body temperature measurement system consists of the following elements: - Thermal camera for thermography. - Thermal camera management software. The camera connects to a LAN network (exclusive of Security), for communications TCP / IP, so that the images are transmitted to the computer that has installed the management software (located in the Permanent Security Post), which is the one that allows us to manage the alarms generated by said camera (verification). All installed elements have usernames and passwords, with different access levels. (…) In the software, of the systems to be used, there will only be three roles, in which it | they will be able to configure more or less options (…): C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/18 - Superuser (H) / Administrator (D): is employed by the installer and system maintainer, exclusively, to carry out its installation and commissioning underway, as well as the work necessary for its maintenance. - Administrator (H) / Advanced User (D): with this role you can perform the configuration of all options (always configurable by the Super user). - Operator (H) / Normal user (D): can only view images in direct, and treat the alarms in real time, being able to see the images produced at that time, associated with said alarm. Within these roles, users are configured, being generated in such a way that they are obtain correct identification and authentication unequivocally and custom (user id + password). The superuser (or administrator, depending on the Software), can also restrict the duration of validity of the password of each user. Configuration images are included in this report as an example provided by the supplier's installer (*** SUPPLIER.1 and *** PROVIDER. 2) in which the users created System or Admin and Vigilant. [see Annex 5] " Annex 5 of the brief of brief 017837/2020, entitled "Configuration images extracted from the suppliers manual (*** SUPPLIER.1 and *** SUPPLIER.2) ”, includes screenshots of what are stated to be software programs. configuration of the user roles of both providers. "In addition to the software's own access systems, the computer on which it is installed, it has its own users to access the operating system, which allow access to different aspects of its configuration, being the user the Vigilante (or its corresponding role), which cannot install or perform any action not authorized by the system administrator (modifications on software, unauthorized software installation, etc…). The thermal imaging camera software allows various queries of the log (textual traces of computer activity) in which the behavior is recorded of the users assigned to the defined roles. Indicating which user has made the action, and what has been, and on what element has been acted. [see Annex 6] " Annex 6 of the brief of brief 017837/2020, entitled “Log Software cameras thermographic ", includes screenshots of what, as indicated, would be the logs that record the systems of both providers when operating with the systems. Thus, the corresponding to “*** SUPPLIER.2” would show, for each event, the moment, the user, event type, event content, and IP address. The system "*** SUPPLIER.1", on the other hand, shows, for each event: the moment, the user, the type of log (system or operation), the description, the type and name of the device, the group, name and type of object. “This report includes the typical local network diagram of the department of safety. [see Annex 7] " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/18 Annex 7 of the brief of brief 017837/2020, entitled "Local network type scheme", It includes a diagram of the configuration of the “EXCLUSIVE SAFETY NETWORK”. "6. Unauthorized treatment or access is impossible, since the images and data processed by the system are displayed directly on the monitors in the conference room. control of the mall. The aforementioned room has Physical Access Control and Electronic. 7. The field of capture of the cameras extends to the access doors, with a range of 2 to 9 m. 8. It is planned to install posters on the access doors, to inform the customers. 9. Thermal imaging cameras do not combine images with conventional thermal imaging cameras. video surveillance, as explained below: The body thermography measurement system, based on the use of the camera thermal installed, even using as support the exclusive computer network of Security, as a channel for transmitting information from the measurement point to the control center, and which is used as a channel for the images of Video surveillance is totally autonomous in relation to the latter, since it uses a own and dedicated software, and the recording of the images on the existing recorders or storage elements. Consequently, both the images from the thermal camera of the thermography, like surveillance images, belongs to systems totally separate, from the point of view of treatment and storage. 10. In the Department of Prevention and Security of El Corte Inglés a inventory of thermographic systems, updated at all times. (…) " In addition, the risk analysis associated with the treatment "Body Control of Temperature ”dated May 26, 2020 (annex 9 of writing 017837/2020) grants a score of 13.46 out of 100 for the risk level associated with the treatment of body temperature control. In this situation, ECI has rated this activity treatment as "LOW RISK" determining that "it is not necessary carry out the DPIA in the treatment "Body Temperature Control". However, the document inside it refers to it as "impact assessment report on the protection of personal data ”, and includes, among others, the following information: - Definition of the "TEMPERATURE CONTROL" treatment. - In the "EXECUTIVE SUMMARY" section, it includes a set of indicators, among which is: - A graph that describes the evolution of the risk of the treatment throughout the weather. Thus, it assigns a level of 75 (out of 100) in the first moment (19 of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/18 May 2020) and a level lower than 25 (out of 100) at the last moment that set the graph (May 26, 2020). - A “heat map” showing the disposition of the identified risks according to impact and probability. There is no risk assigned to it a "Very High - Maximum" probability. Nor is there any that has a "Very high - Maximum" impact. - Identified risks, assessments and control measures: in general, they are assigns the identified risks a probability rating as “LOW- Negligible” and of the impact as “LOW- Negligible”. And for each risk, the control measures implemented to mitigate them are listed. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II In the present case, ECI would be taking the body temperature at employees and customers using thermal cameras whose image does not show details recognizable to identify people's faces or combined with images taken with conventional video surveillance cameras. These data will be displayed in real time and only by personnel belonging to the security company that provides the service or ECI. According to ECI, the data will not be sent to another recipient or disclosed no data to a person other than the interested party. Nor would the information about body temperature in any type of system or device. The data is no longer processed (displayed) as soon as the person is outside the area observation of the camera, with no information remaining in the system, since viewing is done in real time. The purpose of measuring the body temperature of customers and employees by means of thermal imaging cameras would be to obtain an indicator (the presence of a temperature elevated body) that makes it possible to detect clients who present symptoms compatible with COVID-19 (cold, runny nose, nasal congestion, feverish appearance) and, If applicable, inform the affected person who presents these symptoms, as indicated C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/18 indicated on page 8 of the "Protocol and Guide to Good Practices aimed at the activity commercial in physical and non-sedentary establishment "of the Ministry of Industry, Commerce and Tourism. "It would be a dissuasive measure so that the symptomatic person, as well as tranquility towards the rest of the clients and employees. Regarding the legal basis of the treatment, ECI points out that in the labor context, the European Data Protection Committee (CEPD), indicates that the processing of data personal data may be necessary to comply with a legal obligation to which you are subject to the employer, such as obligations related to health and safety in the workplace, or in the public interest, such as disease control and other health threats. It also points out that the CEPD and the AEPD also cite as legal bases for the treatment of the public interest and the vital interest of containing the pandemic to which refers to recital 46 of the RGPD. ECI indicates that the decision to establish a temperature control corresponds to the company by virtue of Law 31/1995, of November 8, on Risk Prevention Labor (hereinafter, LPRL) and article 20 of Royal Legislative Decree 2/2015, of October 23, which approves the revised text of the Law of the Statute of the Workers (hereinafter, “Workers Statute”), which allows you to adopt the measures that it deems most appropriate of surveillance and control to verify the fulfillment by the worker of his obligations and labor duties. Article 29 of the LPRL establishes that it is up to each worker to ensure, according to its possibilities and by complying with the prevention measures that in each case are adopted, for their own safety and health at work and for that of those other people who may be affected by their professional activity, due to their acts and omissions at work, in accordance with their training and the company instructions. The same article 29 establishes that non-compliance by workers of the Obligations regarding the prevention of occupational risks will be considered labor breach for the purposes provided for in article 58.1 of the Statute of the Workers Therefore, the worker currently has the legal obligation to go to the center of I work without fever and the company is empowered to verify compliance with this obligation in accordance with article 20.3 of the Workers' Statute. ECI defends that the main conclusion that can be obtained from a positive result in temperature control is that the self-protection measure is effective and that prevents access to a worker who could create a risk for his colleagues. It also understands that, according to the RGPD, the situation would be framed in the exceptions that it provides to the prohibition of the treatment of certain special categories of personal data, such as health data, where there is need to protect the vital interests of the interested party and / or third parties (art. 6 and 9 of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/18 GDPR). Specifically, it refers that recital 46 of the RGPD refers to explicit control of an epidemic and its spread. In addition, the temperature measurement is agreed not as an isolated measure, but as complementary and within a set of measures adopted and implemented by ECI to prevent the spread of COVID-19, which are detailed in the document "PLAN DE CONTINGENCY FOR THE REOPENING OF STORES ”, which will be adapted to the indications established by the Ministry of Health or other competent authorities and also to the availability in the market of preventive means, both sanitary as technicians. In short, taking body temperature is not about a isolated data processing but is related to the pandemic caused by COVID-19. III In relation to taking people's temperature as part of the measurements taken in the workplace to help prevent the spread of the pandemic of COVID-19, it is considered necessary to highlight that the body temperature of people is a health data in itself, according to the definition contained in the Article 4, paragraph 15, of the GDPR. According to article 4 of the RGPD, sections 1 and 2, "personal data" will be understood as: "Any information about an identified or identifiable natural person"; and by "Treatment": "any operation or set of operations carried out on data personal data or personal data sets, either by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction. " Based on the above, people's temperature controls can constitute a treatment of health data related to an identified natural person or identifiable, and as such must comply with one of the legal bases listed in Article 6 of the RGPD and meet any of the specific exceptions that are listed in article 9 of the RGPD. In general, the employer has the obligation to guarantee the safety and health of the workers at your service in aspects related to the work, as can be seen from articles 14 and following of Law 31/1995, of 8 November, Prevention of Occupational Risks. This obligation operates at the same time as exception that allows the treatment of health data, under the circumstances provided for in article 9.2.h) of the RGPD, and as a legal basis that legitimizes the treatment, since the treatment is necessary for the fulfillment of a legal obligation imposed on the employer (article 6.1.c) of the GDPR). There is no doubt that in the current situation of health crisis caused by the COVID-19, the employer is obliged to take extraordinary measures aimed at preventing new infections of COVID-19 and these measures should be applied according to the criteria defined by the health authorities. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/18 In the field of companies, the Ministry of Health, in its document "Action procedure for occupational risk prevention services against exposure to SARS-CoV-2 ", indicates that" The intervention of companies, to through prevention services (SPRL), against exposure to SARS-COV-2 has been and is crucial, adapting its activity with recommendations and measures prevention updates (...) with the general objective of limiting contagions: measures of an organizational nature, collective protection, personal protection, especially vulnerable worker and level of risk, study and management of cases and contacts occurred in the company and collaboration in the management of disability temporary ”and adds that“ companies, through prevention services, are calls to collaborate with the health authorities in the early detection of all cases compatible with COVID-19 and their contacts, to control transmission. " In this context, it should be understood that the control of the body temperature of workers carried out by employers, as a measure to allow access to work centers in order to limit contagion, since fever is a symptom of the disease caused by SARS-CoV-2, as part of a set broader range of measures including preventive, hygienic, protective, etc., meets the criteria indicated by the health authorities. In the case examined, ECI, in accordance with the criteria indicated, has prepared an action plan that includes body temperature controls to comply with your health and safety obligations. Consequently, in accordance with reasoned, this treatment of workers' health data finds its legitimation in the cause provided for in article 6.1.c) of the RGPD and in the exceptions that enable the processing of health data, contained in article 9.2.h) of the GDPR. Finally, it should be added that, with respect to taking the temperature of the workers by security guards, the TSJ of C. Valenciana, (Sala de lo Social, Section 1) in its Judgment number 2335/2020 of June 22 (AS 2020 \ 2050), has considered that such a measure can be considered included among the proper functions attributed to security guards, consisting of the protection of people that may be found in the protected real estate and in the access control to said premises, by noting the following: “In the context of the socio-sanitary crisis caused by COVID-19, the taking of temperature of workers entering the workplace is a measure that Its sole purpose is to prevent people with symptoms that may be associated with COVID 19, access its facilities with the corresponding risk of contagion to other workers and possible users of supermarkets, thus endangering the measures to contain the pandemic and the physical integrity of the people who may be in the center commercial, whose surveillance is entrusted to the security company. Control in access to the center is a function of the guards and in this case this task implies the introduction of a new criterion of restriction to it, which by the exceptional character of the circumstances is projected both in the function specifically contemplated in the norm to guarantee the safety of people that are in the local, as in the most generic of contributing and collaborating in the specific plan for the prevention of occupational hazards against COVID 19, therefore C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/18 We understand that the entrusted function at this time fully fits into the legal, conventional and contractual functions attributed to security guards safety." In short, in the present case there is no evidence to justify the opening of a sanctioning procedure. IV In relation to the temperature taking of the users, the temperature controls of people may constitute a treatment of health data related to a identified or identifiable natural person and, as such, must comply with one of the legal bases listed in article 6 of the RGPD and the concurrence of any of the specific exceptions that are listed in article 9 of the RGPD. To determine if in a specific case there has been a processing of data from an identified or identifiable person, it must be based on the type of device employee and take into account other circumstances of the decision making process temperature that can make the person identifiable, as in the case of whether or not body temperature is recorded or that the temperature capture in the establishments open to the public are carried out with advertising, in such a way that the affected person can be identified by third parties. In the body temperature controls carried out by ECI to take the temperature to visitors or customers, thermal imaging cameras are used for this purpose. They are only designed for taking body temperature. When these Temperature checks are not accompanied by an identity check of the people who intend to access the establishment, that is, when the taking of temperature is not linked to a particular person through their record or annotation, such measures would not, in principle, be included in the scope of application of the RGPD by not associating the temperature to an identified person or identifiable. However, denying access to a person because of their temperature or informing you that your body temperature exceeds a certain threshold could reveal to third parties who have no justification to know that the person to whom entry has been denied or reported your temperature has a temperature body above what is considered not relevant and, above all, that it may be infected by the virus, since fever is a symptom of the disease caused by SARS-CoV-2, so it will also be necessary to establish in each case whether the specific circumstances that concurred in the temperature taking process of a certain person events were derived that made it identifiable. In the case under consideration, thermal imaging cameras are used for the measurements of temperature without this process being accompanied by temperature recording obtained from visitors or customers. Nor has the concurrence of special circumstances that have made it possible to link the aforementioned treatment to a identified or identifiable person. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/18 Therefore, according to the reasoning, it is not appreciated in this case that the treatment of data that is carried out refers to identified or identifiable natural persons, consequently being excluded from the scope of application of the RGPD V Article 68.1 of the LOPDGDD, referring to the agreement to initiate the procedure for the exercise of the sanctioning power, establishes that once the preliminary investigation actions, will correspond to the Presidency of the Agency Spanish Data Protection, when appropriate, issue an agreement to initiate procedure for the exercise of the sanctioning power. Once the reasons given by EL CORTE INGLÉS, S.A., which act In the record, the lack of rational evidence of the existence of an offense within the competence of the Spanish Agency for the Protection of Data, not proceeding, consequently, the opening of a procedure sanctioner. All this without prejudice to the fact that the Agency, applying the powers of investigation and corrective measures that it holds, can carry out subsequent actions related to the data processing referred to in the factual antecedents. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of the present proceedings against THE COURT INGLÉS, S.A. SECOND: NOTIFY this resolution to EL CORTE INGLÉS, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es