AEPD (Spain) - E/03882/2020
|Relevant Law:|Article 4(1) GDPR; Article 4(2) GDPR; Article 4(15) GDPR; Article 6 GDPR; Article 6(1)(c) GDPR; Article 9 GDPR; Article 9(2)(h) GDPR; Law 31/1995 of 8 November on Prevention of Occupational Risks|
|Outcome:|No Violation Found|
|Parties:|El Corte Inglés|
|National Case Number/Name:|E/03882/2020|
|European Case Law Identifier:|n/a|
|Original Source:|AEPD (in ES)|
|Initial Contributor:|Óscar Jacobo|
The Spanish DPA concluded that the use of thermal cameras to verify if employees and customers have an abnormal temperature, in the context of the COVID-19 pandemic, does not fall under the scope of the GDPR when there is no processing of data, neither registering, nor storing, nor any other operation on the data shown by the camera, and the persons are not identified.
The Spanish DPA (AEPD) launched an investigation into body temperature checks carried out by El Corte Inglés, the biggest Spanish department store company. The company was using thermographic cameras to verify whether employees, customers or visitors of its establishments had a high body temperature, as a potential symptom of coronavirus.
According to the system adopted by El Corte Inglés, persons passed through the range of the cameras, which showed a temperature map to private security guards. The information received does not show recognizable details that would make identification of visitors possible, nor is it combined with data taken with video surveillance cameras. Body temperature data is displayed in real time and only to a particular member of the private security department of El Corte Inglés, located in the control centre, which is provided with an access control and video surveillance system. Temperature check data was not registered, stored or processed in any way. The main purpose of the temperature measurement would be to dissuade symptomatic persons from coming, as well as to reassure the rest of the customers and employees.
Are temperature-check measures, implemented in the context of the COVID-19 pandemic, in accordance with the GDPR?
The DPA emphasises that body temperature shall be considered personal data and, consequently, data concerning health according to Article 4(1) and 4(15) GDPR. Hence, temperature-check measures could be considered processing of health data relating to an identified or identifiable natural person. If this is the case, compliance with a legal obligation according to Article 6(1)(c) GDPR would be a valid legal basis, related to the exception provided by Article 9(2)(h) GDPR: the employer has the obligation to ensure the safety and health of employees, according to Articles 14 and following of Law 31/1995 of 8 November on Prevention of Occupational Risks. This obligation operates as an exception that allows the processing of health data, under the circumstances provided in Article 9(2)(h) GDPR, and as a legal basis that legitimizes the processing, since the processing is necessary for the fulfilment of a legal obligation imposed on the employer.
At any rate, the Spanish DPA did not reach a solid conclusion regarding whether temperature measurement falls under the material scope of the GDPR and remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered, such as whether body temperature data are registered or stored.
Nevertheless, in this particular case, the Spanish DPA concluded that the GDPR was not applicable, as the case did not fall under its material scope: there is no processing of data related to identifiable persons.
The main circumstances taken into account by the Spanish DPA are as follows: the measurement of temperature is not followed by identity checks of visitors; the temperature data obtained is neither registered nor stored; nor are there other circumstances that enable data subject identification.
Additionally, AEPD underlines that the measurement of temperature may be conducted by private security guards, according to Article 32.1 of the Private Security Act, which establishes that they are responsible, among other functions, for the protection of persons "carrying out checks, searches and preventions necessary for the fulfilment of their mission".
This is the second case in which the Spanish DPA has analysed temperature measurement in the context of the COVID-19 pandemic, after decision E/03884/2020 (https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_E/03884/2020). In contrast to the first decision, in this case, the supervision of body temperature measuring was conducted by private security guards instead of medical staff. Moreover, the temperature of all the visitors was measured, instead of choosing people randomly.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.