AEPD (Spain) - E/03882/2020

From GDPRhub
AEPD (Spain) - E/03882/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(15) GDPR
Article 6 GDPR
Article 6(1)(c) GDPR
Article 9 GDPR
Article 9(2)(h) GDPR
Law 31/ 1995 of 8 November on Prevention of Occupational Risks
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published: 25.05.2021
Fine: None
Parties: El Corte Inglés
National Case Number/Name: E/03882/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Óscar Jacobo

The Spanish DPA confirmed that the use of a thermal camera by private security guards to detect individuals' temperatures does does not fall under the scope of the GDPR when there is no further processing of the data shown by the camera, and the persons are not asked to identify themselves.

English Summary

Facts

The Spanish DPA (AEPD) launched an investigation on body temperature checks carried out by El Corte Inglés, the biggest Spanish department store companies. The company was using thermographic cameras to verify if employees, customers or visitors of its establishments had a high body temperature, as a potential symptom of coronavirus.

According to the system adopted by El Corte Iglés, Persons passed through the range of the cameras, that showed temperature map to private security guards. The information received does not show recognizable details to make possible identification of visitors, nor is it combined with data taken with video surveillance cameras. Body temperature data will be displayed in real-time and only by a particular member of the private security department of El Corte Inglés, located in the control centre, which is provided with an access control and video surveillance system. Data of temperature checks were neither registered, stored or processed in any way. The main purpose of the temperature measurement would be to dissuade symptomatic persons from coming, as well as to reassure the rest of the customers and employees.

Dispute

Are temperature-check measures, implemented in the context of the COVID-19 pandemic, according to GDPR?

Holding

The DPA emphasises that body temperature shall be considered personal data and, consequently, data concerning health according to Article 4(1) and 4(15) GDPR. Hence, temperature-check measures could be considered processing of health data relating to an identified or identifiable natural person. If this is the case, compliance with a legal obligation according to Article 6(1)(c) GDPR would be a valid legal basis, related to the exception provided by Article 9(2)(h) GDPR: the employer has the obligation to ensure the safety and health of employees, according to articles 14 and following of Law 31/1995 of 8 November on Prevention of Occupational Risks. This obligation operates as an exception that allows the processing of health data, under the circumstances provided in Article 9.2.h) of the GDPR, and as a legal basis that legitimizes the processing, since the processing is necessary for the fulfilment of a legal obligation imposed on the employer.

At any rate, the Spanish DPA did not reach a solid conclusion regarding whether temperature measurement falls under material scope of GDPR and remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered, such as if body temperature data are registered or stored.

Nevertheless, in this particular case, the Spanish DPA concluded that the GDPR was not applicable, as it did not fall under its material scope: there is not processing of data related to identifiable persons.

The main circumstances taken into account by the Spanish DPA are as follows: the measurement of temperature is not followed by identity checks of visitors; the data of temperature obtained is neither registered nor stored, nor there are other circumstances that enable data subject identification.

Additionally, AEPD underlines that the measurement of temperature may be conducted by private security guards, according to Article 32.1 of the Private Security Act, which establishes that they are responsible, among other functions, for the protection of persons "carrying out checks, searches and preventions necessary for the fulfilment of their mission".

Comment

This is the second case in which the Spanish DPA has analysed temperature measurement in the context of the covid-19 pandemic, after their E/03884/2020 decision. In contrast to the first decision, in this case, the supervision of body temperature measuring was conducted by private security guards instead of medical staff. Moreover, the temperature of all the visitors was measured, instead of choosing people randomly.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/18










     Procedure Nº: E / 03882/2020


                  RESOLUTION OF ACTION FILE


Of the actions carried out by the Spanish Agency for Data Protection and

based on the following

                                      FACTS

FIRST: On May 14, 2020, the Director of the Spanish Agency for
Data Protection (AEPD) urged the Subdirectorate General for Data Inspection

(SGID) to initiate the preliminary investigation actions referred to in article
67 of Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (LOPDGDD) since, according to what has transpired to
through the media, EL CORTE INGLÉS, S.A. (hereinafter, ECI),
with CIF A28017895, would have initiated actions aimed at the installation of

thermal imaging cameras at the entrance of your establishments to measure temperature
of customers.

SECOND: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts

previously described, having knowledge of the following points, as
It emerges from the brief presented by ECI, with entry number 017706/2020, in
response to the request of this Agency:

About the context


According to ECI, as part of its letter number 017837/2020, “it has come
designing contingency plans [see annex 2] in the face of COVID-19 from the
perspective of its staff, as well as third parties who must be related to
us: clients, suppliers and personnel of other companies that provide us
services".


Annex 2 of your brief 017837/2020, entitled "CONTIGENCE PLAN FOR THE
STORE REOPENING ”, dated April 27, 2020 and classified as
"DOCUMENT FOR INTERNAL USE", includes, as indicated, "the measures
preventive measures in the resumption of the activity of the stores after its suspension to

cause of the pandemic status due to exposure to the COVID19 virus ”. He adds that "this
plan will be adapted at all times to the indications established by the Ministry of
the Health or other competent authorities and also to the availability in the
market of preventive means, both sanitary and technical ”. As he points out, “the
The ultimate goal of the plan is that, at the time of reopening, it is complete or
staggered, our stores are and are perceived by employees and customers as the

safer and better prepared ”.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








The measures included in the plan are subdivided into four sections: "SECURITY AND
EMPLOYEE HEALTH ”; "ORGANIZATIONAL MEASURES"; "FACILITIES AND
COMMON SPACES"; and "INFORMATION AND COMMUNICATION".

In the section relating to the health and safety of employees, measures of
hygiene and social practices, measures regarding workers especially
sensitive and symptomatic workers, it is contemplated to carry out rapid tests of
antibodies, labor flexibility measures, COVID training, transport of
employees, uniforms, an employee helpline as well as safety measures
personal protection.


In the section on organizational measures of the plan, social distancing is cited
of 2 meters, the control of the influx of customers and taking body temperature at
customers, measures regarding elevators, fitting rooms and return of items, as well
as measures for activities that require close contact, actions

specific by division, measures on work organization and working hours
opening.

In the section relating to facilities and common spaces, measures are listed
regarding air conditioning, changing rooms, rest rooms and toilets, also regarding
cleaning and disinfection, water fountains and doors.


In the section on information and communication, for employees it is contemplated
a link and internal mail as well as a specific plan. For customers, it is anticipated
telephone information and WhatsApp. Reference is also made to communication in
store through posters and public address.


Regarding the measures related to temperature control, it is anticipated that
following:

   - In the section relating to the health and safety of employees, within the

         subsection "SYMPTOMATIC WORKERS", it is specified that "in the
         Personnel accesses will be carried out random temperature controls
         body to employees, by means of devices that allow an agile reading and
         reliable. It is a deterrent measure, it is not necessary to do it to all
         employees every day, if not at random ”.


   - The section on organizational measures includes the subsection
         "TAKE CUSTOMERS BODY TEMPERATURE" which indicates that
         "As far as possible, thermal imaging cameras, arches
         thermographic or equivalent device on the access doors of the
         clients, which will allow clients to take body temperature

         in an agile way and without waiting. It is a dissuasive measure so that you do not go
         the symptomatic person, as well as reassurance towards the rest of the clients
         and employees ”.

About the process


ECI describes the system for capturing images and measuring the temperature of the
Following way:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/18








“Thermal imaging technology is based on a procedure for generating
non-contact imaging, which allows you to see the thermal radiation of an object or body in
the spectrum invisible to the human eye (infrared length) through a monitor.
All this is done with full respect for privacy: the camera does not show details
recognizable to identify people's faces. [see Annex 1] The cameras

Thermal radiation converts the IR radiation emitted by objects or people with
temperatures above absolute zero, in a graphic image and measures the
temperature accurately. When the system detects a figure in the image that
exceeds the temperature threshold to be set, an acoustic warning is issued to a
PC and / or an alarm system ”.


ECI refers in its writing that the treatments carried out during the process would be the
following:

   “- Pickup: The camera has an image capture range of 2 to 9 meters and
         its maximum horizontal opening angle is between 24º to

         37.5º. Its vertical opening angle is between 18º and 18.2º
         depending on the lens installed. The maximum resolution varies between 256x192
         at 384x288 pixels. Image sensors are the models
         *** MODEL.1 and MODEL.2. The reading precision is between ± 0.3ºC and
         ± 0.5ºC. The simultaneous face detection capacity is 30 faces.


   - Consultation: The data will be displayed in real time and only by personnel
         authorized for this purpose. The authorized personnel for this visualization belong
         to the security company that provides the service, or to El Corte Inglés, S.A.
         It should be noted that the images are displayed only in the center of
         control, which has an access control and a security system
         video surveillance.


   - Interconnection: Communication made from the camera, the server and the
         monitor, with the aim of creating an online union, communicating
         teams permanently. The camera will connect to the infrastructure of
         local and exclusive network of the Prevention and Safety Department that
         arranges the building. The visualization of the video stream will be achieved through

         of software installed on a certified computer and a dedicated monitor
         within the control center.

   - Deletion: the data is no longer processed (displayed) as soon as the person is
         is outside the range of observation of the camera, not remaining
         information in the system, since the vision is done in real time. The

         camera is pre-configured by setting a detection frame on the
         thermographic image, only within that frame is where it will be carried out
         temperature measurement. Once outside the detection frame no
         measurement can be performed. "


He adds that “the physical characteristics of the lens directly influence the size
of the detection frame, being this conditioned to the horizontal opening angle and
vertical and at the distance of the image capture ”.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/18








Annex 1 of brief 017837/2020 includes a sample of two images that, according to
indicated, correspond to captures from thermal imaging cameras. ECI indicates that
camera does not display recognizable details to identify people's faces. Y
that thermal imaging cameras do not combine images with conventional cameras
video surveillance. Both the images from the thermal camera system

thermography, like surveillance images, belongs to systems totally
separate, from the point of view of treatment and storage.

Furthermore, as part of its response, ECI states that, “if the
referred actions, none of the following treatments would be carried out:
   - Record: the temperature information would NOT be entered or recorded

         body in any type of system or device, automated or not
         automated.
   - Structuring: the information would NOT be ordered or structured by not performing
         any treatment.
   - Modification: NO information would be altered or changed.

   - Conservation: the information would NOT be stored or maintained for a
         certain period of time.
   - Extraction: the information of a system or device would NOT be obtained
         original for shipment or transfer to another system or device.
   - Dissemination: NO data would be transferred or communicated to a person other than the
         interested.

   - Communication by transmission: the data would NOT be sent to another recipient
         from your system or source device through electronic means.
   - Collation: the data of two or more treatments or systems would NOT be analyzed
         to establish similarities and differences and develop some kind of assessment.
   - Limitation: It would NOT apply since no data is stored or carried out
         no further treatment.

   - Communication: NO data would be revealed to a person other than the
         interested."

On the purpose and legal basis

The description that ECI makes of the purpose of these treatments is:


"It is intended to measure the body temperature of customers and employees by means of
thermal imaging cameras, in order to obtain an indicator (the presence of a
elevated body temperature) that makes it possible to detect clients who present
symptoms compatible with COVlD-19 (cold, runny nose, nasal congestion,
feverish appearance) and, where appropriate, inform the affected person who presents these

symptoms, as indicated on page 8 of the "Protocol and Guide to Good
Practices aimed at commercial activity in a physical and non-sedentary establishment "
of the Ministry of Industry, Commerce and Tourism ”.

According to ECI, the document “Protocol and Guide of Good Practices aimed at the

commercial activity in a physical and non-sedentary establishment ”of the Ministry of
Industry, Commerce and Tourism contains, among others, the following recommendations:

   - "Basic knowledge about Covid-19 for its prevention:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/18








             o The symptoms of Covid-19 are cough, fever and respiratory distress
                 mainly and muscle pain and headache in some cases. "


   - “Avoid entering the establishment of clients with symptoms
         catarrhal (runny nose, nasal or conjunctival congestion, dry or productive cough,
         tearing, feverish appearance).

         In the event that a client with symptoms has entered the premises, carry out a

         disinfection of all points such as shelves, trolleys, etc., with which
         may have had contact ”.

   - “One of the symptoms of Covid-19 is high fever. Therefore, it is recommended to
         workers who have a daily temperature check before
         leave your home and, if it is over 37.5 degrees, do not go to the

         work and notify your company by calling the authorized medical contact
         by the company. Likewise, they should contact the public service of
         health to process your withdrawal for TI and medical assistance. "

In relation to the legal basis of the treatment, ECI states that “as established

the RGPD UE 2016/679, the situation would be framed in the exceptions that the
It also provides for the prohibition of the processing of certain special categories of data
personal data, such as health data, when there is a need to protect data
vital interests of the interested party and / or third parties (art. 6 and 9 of the RGPD). Specifically the
Recital 46 of the Regulation explicitly refers to the control of an epidemic

and its spread ”. It also provides the following considerations:

   - “In the labor context, the European Data Protection Committee
         (CEPD), indicates that the processing of personal data may be necessary
         to comply with a legal obligation to which the employer is subject, such as
         obligations related to health and safety at the workplace

         work, or in the public interest, such as disease control and other
         threats to health ”.

         It also cites Royal Legislative Decree 2/2015, which approves the
         Consolidated text of the Workers' Statute Law, and Law 31/1995,

         of Occupational Risk Prevention, in the following terms:

         “The decision to establish a temperature control corresponds to the
         company under the LPRL and article 20 of the Statute of the
         Workers, which allows you to adopt the measures you deem most appropriate

         surveillance and control to verify compliance by the worker of their
         obligations and job duties.

         Article 29 of the LPRL establishes that it is up to each worker to ensure,
         according to their possibilities and by complying with the
         prevention that in each case are adopted, for their own safety and

         health at work and that of those other people to whom you can
         affect their professional activity, due to their acts and omissions in the
         work in accordance with your training and company instructions.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/18








         The same article 29 establishes that non-compliance by workers of
         Obligations regarding the prevention of occupational risks will have the
         consideration of labor breach for the purposes provided for in article

         58.1 of the Workers' Statute.

         Therefore, the worker currently has the legal obligation to go to the
         workplace without fever, the company is empowered to verify the
         fulfillment of this obligation in accordance with article 20.3 of the Statute
         from the workers.


         The main conclusion that can be drawn from a positive result in the
         temperature control is that the self-protection measure is effective and that
         access to a worker who could generate a risk to their employees is prevented
         classmates".


   - “The CEPD and the AEPD also cite as legal bases for the treatment the
         public interest and the vital interest of containing the pandemic to which it refers
         recital 46 of the RGPD ”.

About the participants


ECI refers to the following actors who participate in the treatment:

   - Responsible for treatment: ECI.


   - Treatment managers: the following private security companies:

         - Mega2, S.L. Responsible for the installation of the system and its maintenance.
         In addition, it provides services of security guards whose responsibility is
         “Observe the monitors and be attentive to acoustic warnings or alerts, and

         activate the relevant protocol ”.

         - Securitas, S.A. Its guards have the responsibility to “observe the
         monitors and be attentive to acoustic warnings or alerts, and activate the
         relevant protocol ”.


         - EULEN Seguridad, S.A. Its watchers have the responsibility to
         “Observe the monitors and be attentive to acoustic warnings or alerts, and
         activate the relevant protocol ”.

ECI explains that the data will be displayed in real time and only by personnel

authorized for this purpose. The personnel authorized for this visualization belong to the
security company that provides the service, or El Corte Inglés, S.A.

The images are only displayed in the control center, which has a
access control and a video surveillance system. The private security service is

provided by security guards authorized by the Ministry of the Interior.

Security companies, considered in charge of treatment, have the
Responsibility to observe the monitors and be attentive to the acoustic services or

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/18








alerts and activate the relevant protocol. All this, in accordance with the regulation of the
Ministry of the Interior of Spain that establishes the possibility of carrying out said

controls with legal coverage by private security personnel, who have
mandatory first aid training, legal duty to maintain confidentiality,
according to Article 31 of Order INT / 318/2011 and that, according to Article 32.1 of the Law
of Private Security, it corresponds to them, among other functions, within their service, the

protection of people “carrying out checks, records and
necessary precautions for the fulfillment of its mission ”.

About data retention


Regarding the conservation of the data obtained through this system, ECI
states that “no data is kept, no data is stored nor is it carried out
any further treatment ”. He adds that “the system has been configured in such a way that
only the information is viewed by security personnel in real time,

without registering or archiving information in any type of support. So the
Data processing only occurs while the client passes through the area of
observation or scope of the camera, after which they automatically stop
be treated WITHOUT KEEPING DATA ON ANY KIND OF SUPPORT ".


On the duty of information

In relation to the duty of information, ECI states that “posters have been designed
informative, which will be installed in the access doors, to inform the
clients, in a first layer ”. It adds that “in said posters it is indicated where

Consult the complete and detailed information: *** URL.1 ”.

Annex 8 of writing 017837/2020 has been provided, a copy of the posters with the title
“THERMAL CAMERAS” and the subtitle “TEMPORARY CONTROL OF THE

BODY TEMPERATURE". In addition, the following information is provided on the poster:

   -     Responsable
         EL CORTE INGLÉS, S.A. Hermosilla 112, 28009, Madrid


   - Purpose
         Guarantee the safety of people, preventing the spread of
         pandemic. The images are viewed in real time. Are not preserved
         data or images in any type of support or record.


   - Legitimation
         The treatment is necessary to protect vital interests of the interested party or
         others.


   - Recipients
         The data will not be transferred to third parties.

1Article 31 of Order IN / 318/2011: “10. The private security personnel will keep strict reserve
professional about the facts that he knows in the exercise of his functions, especially the information

tions you receive regarding security and personal data to be processed, investigated
or custody, and may not provide data on said events other than to the persons who have contravened them.
state and the competent judicial and police bodies for the exercise of their functions ”.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/18








   -     Rights
         The art. 15 to 22 of the RGPD regulate the rights of those affected, not
         However, the exercise of these must be qualified in the field of decision-making.

         temperature, since no data is recorded on any medium.

         If you wish to exercise your rights, in accordance with current legislation, the
         Interested parties can contact by email to the address
         *** EMAIL.1, indicating the subject "Temperature Control".


   -     Additional Information
         You can consult the complete and detailed information on the web: *** URL.1.

As part of Annex 8 of writing 017837/2020 the content of the address is provided
Internet *** URL. 1. The information contained in said

link:

"PRIVACY POLICY ON THERMAL CAMERAS IN THE COURT
ENGLISH

PRIVACY POLICY TEMPERATURE CONTROL


RESPONSIBLE:
El Corte Inglés, S.A., with registered office at: Calle Hermosilla 112, 28009 Madrid.
Contact: *** EMAIL. 1.


PURPOSE:
Guarantee the safety of people, protecting the health and life of those who
find in this center. Contribute to the containment of the pandemic, preventing its
spread. The images and temperature data are viewed in real time. Not
data or images are kept in any type of support or record.


When high temperatures are detected, the system issues an alert, so that
precise decisions can be made in real time and thus reinforce the measures of
protection. Supporting our commitment to create a safer, cleaner and more
healthy to work and shop.


LEGITIMATION:
The RGPD UE 2016/679 provides exceptions to the prohibition of the treatment of certain
special categories of personal data, such as health data, where there is
need to protect the vital interests of the interested party and / or third parties (art. 6 and 9 of the
GDPR). Specifically, recital 46 of the Regulation explicitly refers to the

control of an epidemic and its spread 1.

RECIPIENTS:
No data will be transferred to third parties except legal obligation.


RIGHTS:
The exercise of rights must be nuanced, since the temperature and images
displayed are not recorded on any type of computerized medium or on paper,


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/18








Therefore, no answer can be given to any of the rights, since there is no
records any data.


In any case, if you wish to exercise your rights, in accordance with the legislation
current, interested parties can contact the address by email
delegado.protecciondatos@elcorteingles.es, indicating in the subject "Control of
Temperature".


The interested person can file a claim with the Spanish Agency for
Data Protection, especially when you are not satisfied with the exercise of your
rights, for more details see the web https://www.agpd.es

1- Recital 46: The processing of personal data must also be considered lawful

when necessary to protect an interest essential to the life of the person concerned or that of another
Physical person. In principle, personal data should only be processed on the basis of the
vital interest of another natural person when the treatment cannot be manifestly based on
a different legal basis. Certain types of treatment can respond both to reasons
important public interest as well as the vital interests of the interested party, such as
when the treatment is necessary for humanitarian purposes, including epidemic control and
its spread, or in humanitarian emergency situations, especially in case of
natural or man-made catastrophes. "


About risk assessment and security measures

In addition to the information recorded in the risk analysis associated with the treatment
"Body Temperature Control" (Annex 9 document of writing 017837/2020
provided by ECI), ECI makes a description of the technical and organizational measures

of treatment security as part of your writing 017837/2020 in the following
terms:

"With the installation of thermographic cameras to measure body temperature
of customers and, where appropriate, inform them, the following measures will be implemented

technical and organizational techniques that we understand guarantee the security of the treatment:

1. The temperature, if applicable, will be taken by the thermal imaging camera and displayed
by security personnel. All this, in accordance with the regulation of the
Ministry of the Interior of Spain that establishes the possibility of carrying out said

controls with legal coverage by private security personnel, who have
compulsory first aid training, legal duty to maintain
confidentiality, according to Article 31 of Order lNT / 318/2011 and that, according to
Article 32.1 of the Private Security Law, corresponds to them, among other functions,
within its service, the protection of people “carrying out checks,

records and preventions necessary for the fulfillment of its mission "

2. The cameras have specific certificates that ensure that it is a
homologated product, in accordance with the following technical standards related to
electrotechnical: [see Annex 3]

- EN 55032: 2015
- EN 61000-3-3-: 2013
- EN 61000-3-2: 2014
- EN 55024: 2010 / A1: 2015

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/18








- EN 55035: 2017
- EN 50130-4: 2011 / A1: 2014 "


Annex 3 of the writing of writing 017837/2020, entitled "Certificates of products
homologated according to standardized standards ”, includes a set of
certificates of conformity issued for thermal imaging cameras from companies
"Hangzhou Hikvision Digital Technology Co., Ltd" and "ZHEJIANG DAHUA VISION
TECHNOLOGY CO., LTD ".


"3. The cameras come with factory calibration certificates. [see Annex 4] "

Annex 4 of the document of document 017837/2020, entitled "Calibration certificates of
cameras ”, includes a set of calibration certificates issued for cameras
thermographic from the companies "Hangzhou Hikvision Digital Technology Co., Ltd" and

"Zhe Jiang Dahua Vision Technology".

"4. The system does not have a recording medium, so that the information
generated (images and metadata with information) is used to provide data to the system
display, at the time of the high temperature alarm, generating a
warning window, and thus being able to view the value of the measurement performed,

in real time, and apply the relevant protocol in each case.

All of this is done with full respect for privacy, as the camera does not display
recognizable details to identify faces. [see Annex 1] Neither is the
information in any type of support. "


Annex 1 of the brief of brief 017837/2020, entitled “Sample of images
captured by thermal imaging cameras ”, includes a sample of two images that,
as indicated, they correspond to captures from thermal imaging cameras.


"5. The system will be mounted on an exclusive local network (LAN) infrastructure
of the Department of Prevention and Security.

The body temperature measurement system consists of the following
elements:
- Thermal camera for thermography.

- Thermal camera management software.

The camera connects to a LAN network (exclusive of Security), for communications
TCP / IP, so that the images are transmitted to the computer that has installed
the management software (located in the Permanent Security Post), which is the one that

allows us to manage the alarms generated by said camera
(verification).

All installed elements have usernames and passwords, with different
access levels. (…)


In the software, of the systems to be used, there will only be three roles, in which
it | they will be able to configure more or less options (…):


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/18








   - Superuser (H) / Administrator (D): is employed by the installer and
         system maintainer, exclusively, to carry out its installation and commissioning
         underway, as well as the work necessary for its maintenance.
   - Administrator (H) / Advanced User (D): with this role you can perform the
         configuration of all options (always configurable by the

         Super user).
   - Operator (H) / Normal user (D): can only view images in
         direct, and treat the alarms in real time, being able to see the images
         produced at that time, associated with said alarm.

Within these roles, users are configured, being generated in such a way that they are

obtain correct identification and authentication unequivocally and
custom (user id + password).
The superuser (or administrator, depending on the Software), can also restrict
the duration of validity of the password of each user.


Configuration images are included in this report as an example
provided by the supplier's installer (*** SUPPLIER.1 and
*** PROVIDER. 2) in which the users created System or Admin and
Vigilant. [see Annex 5] "

Annex 5 of the brief of brief 017837/2020, entitled "Configuration images

extracted from the suppliers manual (*** SUPPLIER.1 and *** SUPPLIER.2) ”,
includes screenshots of what are stated to be software programs.
configuration of the user roles of both providers.

"In addition to the software's own access systems, the computer on which it is
installed, it has its own users to access the operating system, which

allow access to different aspects of its configuration, being the user
the Vigilante (or its corresponding role), which cannot install or
perform any action not authorized by the system administrator (modifications
on software, unauthorized software installation, etc…).

The thermal imaging camera software allows various queries of the log
(textual traces of computer activity) in which the behavior is recorded

of the users assigned to the defined roles. Indicating which user has made
the action, and what has been, and on what element has been acted. [see Annex 6] "

Annex 6 of the brief of brief 017837/2020, entitled “Log Software cameras
thermographic ", includes screenshots of what, as indicated, would be the logs
that record the systems of both providers when operating with the systems. Thus, the

corresponding to “*** SUPPLIER.2” would show, for each event, the moment, the
user, event type, event content, and IP address. The system
"*** SUPPLIER.1", on the other hand, shows, for each event: the moment, the user,

the type of log (system or operation), the description, the type and name of the device, the
group, name and type of object.

“This report includes the typical local network diagram of the department of
safety. [see Annex 7] "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/18








Annex 7 of the brief of brief 017837/2020, entitled "Local network type scheme",
It includes a diagram of the configuration of the “EXCLUSIVE SAFETY NETWORK”.

"6. Unauthorized treatment or access is impossible, since the images and data

processed by the system are displayed directly on the monitors in the conference room.
control of the mall. The aforementioned room has Physical Access Control and
Electronic.

7. The field of capture of the cameras extends to the access doors, with a

range of 2 to 9 m.

8. It is planned to install posters on the access doors, to inform the
customers.

9. Thermal imaging cameras do not combine images with conventional thermal imaging cameras.
video surveillance, as explained below:

The body thermography measurement system, based on the use of the camera
thermal installed, even using as support the exclusive computer network of

Security, as a channel for transmitting information from the measurement point
to the control center, and which is used as a channel for the images of

Video surveillance is totally autonomous in relation to the latter, since it uses a
own and dedicated software, and the recording of the images on the
existing recorders or storage elements.

Consequently, both the images from the thermal camera of the

thermography, like surveillance images, belongs to systems totally
separate, from the point of view of treatment and storage.

10. In the Department of Prevention and Security of El Corte Inglés a
inventory of thermographic systems, updated at all times. (…) "

In addition, the risk analysis associated with the treatment "Body Control of
Temperature ”dated May 26, 2020 (annex 9 of writing 017837/2020) grants

a score of 13.46 out of 100 for the risk level associated with the treatment of
body temperature control. In this situation, ECI has rated this activity

treatment as "LOW RISK" determining that "it is not necessary
carry out the DPIA in the treatment "Body Temperature Control". However, the
document inside it refers to it as "impact assessment report

on the protection of personal data ”, and includes, among others, the following
information:

   - Definition of the "TEMPERATURE CONTROL" treatment.

   - In the "EXECUTIVE SUMMARY" section, it includes a set of indicators,
         among which is:

         - A graph that describes the evolution of the risk of the treatment throughout the
         weather. Thus, it assigns a level of 75 (out of 100) in the first moment (19 of



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/18








         May 2020) and a level lower than 25 (out of 100) at the last moment that
         set the graph (May 26, 2020).

         - A “heat map” showing the disposition of the identified risks

         according to impact and probability. There is no risk assigned to it
         a "Very High - Maximum" probability. Nor is there any that has a
         "Very high - Maximum" impact.

   - Identified risks, assessments and control measures: in general, they are

         assigns the identified risks a probability rating as
         “LOW- Negligible” and of the impact as “LOW- Negligible”. And for each
         risk, the control measures implemented to mitigate them are listed.





                            FOUNDATIONS OF LAW

                                             I


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for

Data Protection.

                                             II

In the present case, ECI would be taking the body temperature at

employees and customers using thermal cameras whose image does not show details
recognizable to identify people's faces or combined with images
taken with conventional video surveillance cameras.

These data will be displayed in real time and only by personnel belonging to

the security company that provides the service or ECI.

According to ECI, the data will not be sent to another recipient or disclosed
no data to a person other than the interested party. Nor would the
information about body temperature in any type of system or device. The
data is no longer processed (displayed) as soon as the person is outside the area

observation of the camera, with no information remaining in the system, since
viewing is done in real time.

The purpose of measuring the body temperature of customers and employees by means of
thermal imaging cameras would be to obtain an indicator (the presence of a temperature

elevated body) that makes it possible to detect clients who present symptoms
compatible with COVID-19 (cold, runny nose, nasal congestion, feverish appearance) and,
If applicable, inform the affected person who presents these symptoms, as indicated

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/18








indicated on page 8 of the "Protocol and Guide to Good Practices aimed at the activity
commercial in physical and non-sedentary establishment "of the Ministry of Industry,
Commerce and Tourism. "It would be a dissuasive measure so that the

symptomatic person, as well as tranquility towards the rest of the clients and
employees.

Regarding the legal basis of the treatment, ECI points out that in the labor context, the
European Data Protection Committee (CEPD), indicates that the processing of data
personal data may be necessary to comply with a legal obligation to which you are

subject to the employer, such as obligations related to health and safety in
the workplace, or in the public interest, such as disease control and other
health threats.

It also points out that the CEPD and the AEPD also cite as legal bases for the

treatment of the public interest and the vital interest of containing the pandemic to which
refers to recital 46 of the RGPD.

ECI indicates that the decision to establish a temperature control corresponds to the
company by virtue of Law 31/1995, of November 8, on Risk Prevention
Labor (hereinafter, LPRL) and article 20 of Royal Legislative Decree 2/2015,

of October 23, which approves the revised text of the Law of the Statute of the
Workers (hereinafter, “Workers Statute”), which allows you to adopt the
measures that it deems most appropriate of surveillance and control to verify the
fulfillment by the worker of his obligations and labor duties.


Article 29 of the LPRL establishes that it is up to each worker to ensure, according to
its possibilities and by complying with the prevention measures that in
each case are adopted, for their own safety and health at work and for that of
those other people who may be affected by their professional activity, due to
their acts and omissions at work, in accordance with their training and the

company instructions.

The same article 29 establishes that non-compliance by workers of the
Obligations regarding the prevention of occupational risks will be considered
labor breach for the purposes provided for in article 58.1 of the Statute of the
Workers


Therefore, the worker currently has the legal obligation to go to the center of
I work without fever and the company is empowered to verify compliance with this
obligation in accordance with article 20.3 of the Workers' Statute.


ECI defends that the main conclusion that can be obtained from a positive result
in temperature control is that the self-protection measure is effective and that
prevents access to a worker who could create a risk for his colleagues.

It also understands that, according to the RGPD, the situation would be framed in

the exceptions that it provides to the prohibition of the treatment of certain
special categories of personal data, such as health data, where there is
need to protect the vital interests of the interested party and / or third parties (art. 6 and 9 of the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/18








GDPR). Specifically, it refers that recital 46 of the RGPD refers to
explicit control of an epidemic and its spread.


In addition, the temperature measurement is agreed not as an isolated measure, but as
complementary and within a set of measures adopted and implemented by
ECI to prevent the spread of COVID-19, which are detailed in the document "PLAN DE
CONTINGENCY FOR THE REOPENING OF STORES ”, which will be adapted to the
indications established by the Ministry of Health or other competent authorities
and also to the availability in the market of preventive means, both sanitary

as technicians. In short, taking body temperature is not about a
isolated data processing but is related to the pandemic caused by
COVID-19.

                                          III


In relation to taking people's temperature as part of the measurements
taken in the workplace to help prevent the spread of the pandemic
of COVID-19, it is considered necessary to highlight that the body temperature of
people is a health data in itself, according to the definition contained in the
Article 4, paragraph 15, of the GDPR.


According to article 4 of the RGPD, sections 1 and 2, "personal data" will be understood as:
"Any information about an identified or identifiable natural person"; and by
"Treatment": "any operation or set of operations carried out on data
personal data or personal data sets, either by procedures

automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction. "


Based on the above, people's temperature controls can
constitute a treatment of health data related to an identified natural person or
identifiable, and as such must comply with one of the legal bases listed in
Article 6 of the RGPD and meet any of the specific exceptions that are
listed in article 9 of the RGPD.


In general, the employer has the obligation to guarantee the safety and
health of the workers at your service in aspects related to the
work, as can be seen from articles 14 and following of Law 31/1995, of 8
November, Prevention of Occupational Risks. This obligation operates at the same time as
exception that allows the treatment of health data, under the

circumstances provided for in article 9.2.h) of the RGPD, and as a legal basis that
legitimizes the treatment, since the treatment is necessary for the fulfillment of
a legal obligation imposed on the employer (article 6.1.c) of the GDPR).

There is no doubt that in the current situation of health crisis caused by the

COVID-19, the employer is obliged to take extraordinary measures
aimed at preventing new infections of COVID-19 and these measures should
be applied according to the criteria defined by the health authorities.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/18








In the field of companies, the Ministry of Health, in its document
"Action procedure for occupational risk prevention services
against exposure to SARS-CoV-2 ", indicates that" The intervention of companies, to

through prevention services (SPRL), against exposure to SARS-COV-2
has been and is crucial, adapting its activity with recommendations and measures
prevention updates (...) with the general objective of limiting contagions:
measures of an organizational nature, collective protection, personal protection,
especially vulnerable worker and level of risk, study and management of cases and
contacts occurred in the company and collaboration in the management of disability

temporary ”and adds that“ companies, through prevention services, are
calls to collaborate with the health authorities in the early detection of all
cases compatible with COVID-19 and their contacts, to control transmission. "

In this context, it should be understood that the control of the body temperature of

workers carried out by employers, as a measure to allow access to
work centers in order to limit contagion, since fever is a
symptom of the disease caused by SARS-CoV-2, as part of a set
broader range of measures including preventive, hygienic, protective,
etc., meets the criteria indicated by the health authorities.


In the case examined, ECI, in accordance with the criteria indicated, has prepared
an action plan that includes body temperature controls to comply with
your health and safety obligations. Consequently, in accordance with
reasoned, this treatment of workers' health data finds its
legitimation in the cause provided for in article 6.1.c) of the RGPD and in the exceptions

that enable the processing of health data, contained in article 9.2.h) of the
GDPR.

Finally, it should be added that, with respect to taking the temperature of the
workers by security guards, the TSJ of C. Valenciana, (Sala de lo Social,

Section 1) in its Judgment number 2335/2020 of June 22 (AS 2020 \ 2050), has
considered that such a measure can be considered included among the proper functions
attributed to security guards, consisting of the protection of people
that may be found in the protected real estate and in the access control
to said premises, by noting the following:


“In the context of the socio-sanitary crisis caused by COVID-19, the taking of
temperature of workers entering the workplace is a measure that
Its sole purpose is to prevent people with symptoms that may be
associated with COVID 19, access its facilities with the corresponding risk of
contagion to other workers and possible users of supermarkets,

thus endangering the measures to contain the pandemic and the
physical integrity of the people who may be in the center
commercial, whose surveillance is entrusted to the security company. Control in
access to the center is a function of the guards and in this case this task
implies the introduction of a new criterion of restriction to it, which by the

exceptional character of the circumstances is projected both in the function
specifically contemplated in the norm to guarantee the safety of people
that are in the local, as in the most generic of contributing and collaborating in the
specific plan for the prevention of occupational hazards against COVID 19, therefore

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/18








We understand that the entrusted function at this time fully fits into the
legal, conventional and contractual functions attributed to security guards
safety."

In short, in the present case there is no evidence to justify the
opening of a sanctioning procedure.

                                           IV

In relation to the temperature taking of the users, the temperature controls

of people may constitute a treatment of health data related to a
identified or identifiable natural person and, as such, must comply with one of the
legal bases listed in article 6 of the RGPD and the concurrence of any of the
specific exceptions that are listed in article 9 of the RGPD.


To determine if in a specific case there has been a processing of data from
an identified or identifiable person, it must be based on the type of device
employee and take into account other circumstances of the decision making process
temperature that can make the person identifiable, as in the case of
whether or not body temperature is recorded or that the temperature capture in the
establishments open to the public are carried out with advertising, in such a way that the

affected person can be identified by third parties.

In the body temperature controls carried out by ECI to take the
temperature to visitors or customers, thermal imaging cameras are used for this purpose.
They are only designed for taking body temperature. When these

Temperature checks are not accompanied by an identity check of the
people who intend to access the establishment, that is, when the taking of
temperature is not linked to a particular person through their record or
annotation, such measures would not, in principle, be included in the scope of
application of the RGPD by not associating the temperature to an identified person or

identifiable.

However, denying access to a person because of their temperature or
informing you that your body temperature exceeds a certain threshold could reveal
to third parties who have no justification to know that the person to whom
entry has been denied or reported your temperature has a temperature

body above what is considered not relevant and, above all, that it may be
infected by the virus, since fever is a symptom of the disease caused
by SARS-CoV-2, so it will also be necessary to establish in each case whether
the specific circumstances that concurred in the temperature taking process
of a certain person events were derived that made it

identifiable.

In the case under consideration, thermal imaging cameras are used for the measurements of
temperature without this process being accompanied by temperature recording
obtained from visitors or customers. Nor has the concurrence of

special circumstances that have made it possible to link the aforementioned treatment to a
identified or identifiable person.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/18








Therefore, according to the reasoning, it is not appreciated in this case that the treatment of
data that is carried out refers to identified or identifiable natural persons,

consequently being excluded from the scope of application of the RGPD

                                           V

Article 68.1 of the LOPDGDD, referring to the agreement to initiate the procedure for

the exercise of the sanctioning power, establishes that once the
preliminary investigation actions, will correspond to the Presidency of the Agency
Spanish Data Protection, when appropriate, issue an agreement to initiate
procedure for the exercise of the sanctioning power.


Once the reasons given by EL CORTE INGLÉS, S.A., which act
In the record, the lack of rational evidence of the existence of
an offense within the competence of the Spanish Agency for the Protection of
Data, not proceeding, consequently, the opening of a procedure
sanctioner.


All this without prejudice to the fact that the Agency, applying the powers of investigation and
corrective measures that it holds, can carry out subsequent actions related to the
data processing referred to in the factual antecedents.


Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:

FIRST: PROCEED WITH THE FILING of the present proceedings against THE COURT
INGLÉS, S.A.


SECOND: NOTIFY this resolution to EL CORTE INGLÉS, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may

file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision

Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.

940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es