AEPD (Spain) - E/03884/2020

From GDPRhub
AEPD (Spain) - E/03884/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 2(1) GDPR
Article 4(1) GDPR
Article 4(6) GDPR
Type: Investigation
Outcome: No Violation Found
Decided:
Published: 24.05.2021
Fine: None
Parties: METRO BILBAO, S.A.
National Case Number/Name: E/03884/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA concluded that the use of a thermal camera to verify if users of a service have a higher temperature than a certain threshold, in the context of the COVID-19 pandemic, does not fall under the scope of the GDPR when there is no further storing, processing or any operation on the data shown by the camera, and the persons are not asked to identify themselves.

English Summary[edit | edit source]

Facts[edit | edit source]

The Spanish DPA (AEPD) launched an investigation on the company that manages the underground service of Bilbao, one of the main Spanish cities. In the context of the covid-19 pandemic, the company was using thermal cameras to verify if the users of the underground had a higher temperature than a threshold (37.3ºC), in order to identify potential infected people.

People were randomly picked to pass through the range of the cameras, that would show their temperature. What was shown was only a temperature map; images were not processed in any way, nor there was any kind of facial recognition system. Data were neither registered, stored or processed in any way.

The only consequence deriving from the temperature map would be that the employees in charge would carry out a second test, with a clinic thermometer, to verify whether the temperature was above the threshold. Then, if still shown to be above the threshold, they would receive a recommendation on how to act (i.e. not use the metro and contact a doctor).

Holding[edit | edit source]

The Spanish DPA, in line with the allegations of the controller, concluded that the GDPR was not applicable to this case, as it did not fall under its material scope.

The temperature measurement was done without identification, without recording and without registering data of the persons, as their identification is not required either by official document or verbally. At no time was any personal data stored or recorded, neither image data, nor temperature data, nor name and surname, nor any other data relating to an identified or identifiable natural person. No information was stored, which could imply the impossibility of identifying a person by collecting only indirect identifiers, such as the aforementioned heat map or temperature; and no direct identifiers, such as an image or similar, nor the results of the temperature measurements were stored nor were the results transferred to another kind of non-automated or automated support.

At all times, the anonymity of the persons was maintained, as they were not required to identify themselves, and there was no recording, as the image was issued in real time, in a heat map that did not allow a person to be unequivocally identified.

Therefore, following Article 2(1) GDPR, the AEPD concluded that there was no processing of data, neither automated or non-automated but meant to be part of a filing system. Hence, it is outside the material scope of the GDPR.

Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion, but remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered. In this case, even if the person remained anonymous, as they were not asked to identify themselves, the procedure was carried out in public space, so any person that was not allowed to enter the subway because their high temperature would be known to have a temperature higher than 37.3ºC, what is, in addition, health data, so it is classified as sensitive data in accordance with Article 9 GDPR. Therefore, third persons would be able to know that a particular person might be infected by the SARS-CoV-2, as fever is a symptom of covid-19. Therefore, it would be debatable, in a case by case basis, whether the circumstances could have made that a particular person was identifiable.

The DPA also discusses an hypothetical case in which such activity, or a similar activity, it could be considered processing of personal data; then, a legal basis would be necessary for the processing. Options for that would be a vital interest, a public interest or compliance with a legal obligation. Additionally, an exception from Article 9 would be necessary.

In any case, the DPA reached the conclusion that the fact that the persons were not asked to identified themselves definitely meant that they were not identifiable and that no kind of data related to temperature or to the scanned persons was stored or processed in any way. Therefore, as there is not processing of data related to identifiable persons, the case was considered not to fall under the scope of the GDPR, and it was archived.

Comment[edit | edit source]

This is the first case in which the AEPD assesses temperature measuring activities related to the covid-19 pandemic.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/17










     Procedure Nº: E / 03884/2020


                   RESOLUTION OF ACTION FILE


Of the actions carried out by the Spanish Agency for Data Protection and

based on the following

                                       FACTS

FIRST: On May 18, 2020, the Director of the Spanish Agency for
Data Protection (AEPD) urged the Subdirectorate General for Data Inspection

(SGID) to initiate the preliminary investigation actions referred to in article
67 of Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (LOPDGDD) since, according to what has transpired to
through the media, METRO BILBAO, S.A. (hereinafter MB), with
NIF A48541957, would have initiated actions aimed at measuring the temperature of the

suburban passengers.

SECOND: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts
previously described, having knowledge of the following points, as

It emerges from the brief presented by MB, with entry number 018048/2020, in
response to the request of this Agency:


About the context
According to MB, as part of the brief 018048/2020, “on May 11, 2020,

the MB decides to implement a temperature control of the
users of the metropolitan area, in response to the emergency situation caused by the
coronavirus disease started in 2019 (COVID-19), and with the aim of offering
to people an additional protection "expected" by the entity ". Add
also that "the main reason why it was decided to implement this system

is to “contribute to the safeguarding of the due physical security of people and
of their vital interests, in the current emergency situation due to the disease of
coronavirus started in 2019 (Covid-19) ”, both from workers and users
since, when it comes to defending lives, it is not possible, ethically, this
differentiation".



About the process

As described by MB in the document 018048/2020, the temperature control process
consists in:
“A thermographic camera will be installed without recognition and without recording (emitting,

therefore, in real time) in a space specifically enabled in
certain metropolitan stations. To get a better idea, the only thing
that the cameras will capture will be a heat map of a person / animal / thing that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/17








allow to know the temperature measurement without identification, without recording and without
registration of people's data as their identification is not required or through
official document, nor verbally. (…) "

"At no time will any type of personal data be stored or recorded, or
image, nor temperature, nor name and surname, nor any other data related to a
identified or identifiable natural person. In fact, no

information, which implies the impossibility of identifying a person by
collect only indirect identifiers, such as the aforementioned heat map or the
temperature, but without direct identifiers, such as the image or
similar, nor will the results of the temperature measurements or
The results will be transferred to another manual or automated support. For all this,

makes it impossible to talk about concepts such as registration, communication, deletion,
etc ... These assumptions must be applicable to the Data Controllers who
use mechanisms that capture images, or any other type of personal data that
is associable to an identified or identifiable person (not only associable to person
physical), and that, in addition, constitutes an automated treatment, or not
automated that is carried out in the scope of a "file", which does not happen in this

situation. (…) "
“The dynamics consists of the determined users approaching the space

reserved for measurement, individually, in order to measure your
temperature. Only in the event that it exceeds the value for which it is considered, at
medical effects, that a person could develop a fever, a second
measurement to verify this result through a non-contact clinical thermometer,
and you will be advised, in accordance with the indications of the Ministry of Health, that

go to your home and contact the medical services authorized to
perform the 2019 coronavirus disease (Covid-19) tests. In case
Otherwise, even the person who presented a value for
below what can be considered a fever.

At all times, the anonymity of the people will be maintained since they are not
requires identification, no recording occurs and the image broadcast in real time
is, as we indicated, a heat map that does not allow to identify in a way
unique to a person. (…) "

“The personnel who will carry out this control will be qualified health personnel, from the
DYA or Red Cross company, so that they know how to interpret the results. MB ha

signed a collaboration agreement with Emergency Technicians of the aforementioned
entities.
In each space reserved for temperature control, operators report

verbally to each user about all the necessary aspects, to offer the
maximum possible transparency.

Additionally, it is necessary to clarify that this information processing will have
a temporary duration and that, except for legal provision that obliges us, no
will perpetuate. (…) "

Likewise, the attached document number 1 provided by MB in writing 018048/2020,
includes a section (the fourth) entitled "Protocol of action for measurement of
temperature ”in which the procedure used is developed. The document includes
explanatory graphics of the explanations you make. The following is highlighted
information contained therein:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/17








"To perform the operation of random temperature measurement of users in the
public transport, the following technical elements will be available: Camera
thermographic, Tripod, Control point, Beacon tape ”

“The team will consist of 2 Health Emergency Technicians and 1 Security Guard
Safety".

According to the document itself, one of the technicians will be located in the “fixed position of
measurement ”and the other in the“ selection station ”, while the security guard
assigns him the "vigilance in control." The functions assigned to the different positions

are as follows:
“Fixed measurement station: It will be in charge of controlling the temperature with the camera
thermographic, and to make a second measurement in case of positive with the thermometer

contact manual. It will only act in the “positive” case (> 37.3ºC), allowing the passage
normally if not.

Selection position: It will be responsible for randomly selecting users
towards the temperature measurement zone. Likewise, it will act for evaluation in case
of doubt by positive (user who accredits illness that causes fever or other
casuistry of various kinds that may occur).

Surveillance Post: Surveillance in the control environment to avoid possible conflicts
with users. "

The document also describes the operation as follows:

“Technician 2 (Recruitment Station) will randomly refer users to the
check Point .

As the user approaches the validation line, the thermal imager will be
obtaining the measurement of your body temperature (1 second). Technician 1 (Position
measurement) will only intervene if the camera emits a beep or an alarm flash, which
which will mean that the user is above the programmed temperature. In case
Otherwise, the user will be considered negative and will be able to continue their
travel.

In case the temperature is higher than 37.3ºC and the signal of
alarm, Technician 1 (Fixed Measurement Station) will inform the user to remain in

the set point, it will tell you that it has given a temperature higher than the
recommended and that a second measurement will be carried out.

This second measurement will be made using the non-contact clinical thermometer,
keeping an outstretched arm's distance and taking the temperature by pointing
to the forehead.

If this second temperature take is lower than 37.3º, you will kindly inform the
user who can continue. If it continues to test positive, Technician 1 (Fixed position of
measurement), supported by the Security Guard, will advise you not to access the
facilities or services.

In case of doubt before a positive second from a user (user who alleges some
disease other than COVID19, present a receipt or request some type of
medical assessment), Technician 2 (Recruitment Station) will be notified so that

and perform the titration. If the double positive were considered valid, the action would be
identical to the previous case, namely, recommending not to access the facilities or
services".
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/17








Finally, it includes, among others, the following observation:

“(…) In no case will personal data of the users, data
doctors or images of the same associated with the previous data that could
lead to identification ”.

In this sense, the last section of the document, the fifth, entitled "Legal analysis"
concludes that “(…) taking into account that the system used for taking
temperature does not allow it to be associated with other data that allow the identification of
direct or indirect way of the travelers, the legislation cannot be applied
in force in terms of data protection ”.



On the purpose and legal basis
As part of the letter 018048/2020, MB responds on the purpose and legal basis

of the treatment referring to a set of documents that have been incorporated into the
file through the corresponding diligence. They are as follows:

   - "Opinion 4/2007 on the concept of personal data" of the Working Group
        of Article 29 adopted on June 20, 2007.
   - Communiqué from the CNIL of May 7, 2020 entitled “Coronavirus (COVID-

        19): the rappels of the CNIL sur la collecte de données personnelles par les
        Employers ”.
   - Statement from the Dutch “Autoriteit Persoonsgegevens” entitled

        "Temperaturen in gezondheidscheck".
   - “Organic Law 3/1986, of April 14, on Special Measures in the Matter of

        Public health".
   - “Law 38/2015, of September 29, on the railway sector”.

   - "Protocol of action for the reactivation of judicial activity and health
        professional ”of the General Council of the Judiciary, dated April 29,
        2020.

   - "Basic action protocol for returning to training and restarting
        of federated and professional competitions ”of the Superior Council of
        Sports, dated May 3, 2020.

   - "Recommendations for the opening of the activity in swimming pools after the crisis
        Covid-19 ”from the Ministry of Health, dated May 14, 2020.

   - "Law 33/2011, of October 4, General of Public Health".

   - “Law 31/1995, of November 8, on the Prevention of Occupational Risks”.

   - "Procedure of action for risk prevention services
        against exposure to SARS-CoV-2 ”from the Ministry of Health,
        dated June 8, 2020.

   - "Questions and answers about coronavirus disease (COVID-19)" by
        the World Health Organization (WHO).
   - "Advice for the population about rumors about the new coronavirus

        (2019-nCoV) ”from the World Health Organization (WHO).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/17








   - "Decalogue on how to act in case of having symptoms of COVID-19" from
        Ministry of Health.

   - “Order SND / 399/2020, of May 9, for the flexibility of certain
        national restrictions, established after the declaration of the state of
        alarm in application of phase 1 of the Plan for the transition to a new
        normal".

   - “AEPD statement in relation to the taking of temperature by
        shops, work centers and other establishments ”of April 30, 2020.

As stated by MB in writing 018048/2020 in this process “there is no
Treatment of personal data". MB supports this assertion as
following:

“(…) As stipulated in the first articles of the RGPD, and more specifically
in article 2.1 relative to the material scope of application of this norm, “The present
Regulation applies to fully or partially automated data processing
personal data, as well as the non-automated processing of personal data contained

or intended to be included in a file ”.
After the description of the dynamics to implement, from our point of view, no
There is an automated processing of personal data, nor is there any treatment not

automated system intended to be included in a file, understanding this concept as
"Any structured set of personal data, accessible according to criteria
determined, whether centralized, decentralized or distributed in a functional or
geographic ”, according to article 4 RGPD, point six. For this reason, this
action must be outside the scope of application of the regulations on protection

of data. (…) "
“(…) Regardless of whether the situation should be located under the defense of the
data protection regulations or not, due to the existence or not of treatment

automated or non-automated, according to the material scope of application, also
It can be argued that, in our specific case, the use of the information
necessary to fulfill the purpose of temperature control, as it has been
implemented MB, it does not constitute personal data if we follow the definition that the
RGPD itself offers on this concept in the first point of article 4, when
stipulates that personal data will be “all information about a natural person

identified or identifiable ("the interested party"); will be considered identifiable natural person
any person whose identity can be determined, directly or indirectly, in
by means of an identifier, such as a name, a number of
identification, location data, an online identifier or one or more elements
characteristic of the physical, physiological, genetic, psychic, economic, cultural or
social status of said person ”.

Indeed, the first part is divided into 4 well-differentiated elements, which itself
The now defunct Working Group on Article 29 (GT29) had already analyzed separately:

"Information" + "About" + "Natural person" + "Identified or identifiable". If
that concerns us, in our opinion, we consider that in the verification of the temperature
the first 3 are met, but not the one indicated in fourth place. I mean, of course
that the temperature measurement may be associated with a natural person, but what is not
It will be possible, according to the data that MB collects, it will be to know the identity of that
person, in a reasonable way, according to the GT29 itself established, since there is no

collection or association with another direct or indirect identifier (for example, names and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/17








surname, DNI, passenger card or similar title, etc ...) that allows knowing the
identity of a person.

In these cases, according to the report on the concept of personal data issued by the
GT29 already in 2007, we will simply find ourselves before anonymous data that does not
require the protection of privacy legislation, for the simple fact that
that this last right will not be affected. (…) "

Furthermore, MB supports the argument that there is no processing of personal data in
documents published by other European control authorities (downloaded from
internet and incorporated into this file through the corresponding
diligence). Namely:

“CNIL (France): Publicly acknowledges that regulations on the treatment of
data only apply to automated processing (in particular IT) or to non-processing

automated personal data intended to be included in a file. For the
Therefore, he concludes that if there was only verification of the temperature by means of a
hand-held thermometer (such as the non-contact infrared type) at the input of
a site, without leaving a trace, or any other operation that is carried out (such as
information feedback, etc.), this situation does not fall under the
data protection regulations. This statement can be consulted at

following link: https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-
la-collecte-de-donnees-personnelles-par-les
Autoriteit Persoonsgegevens (Netherlands): Along the same lines, the Control Authority

Dutch recognizes that the GDPR does not apply to situations where you only read
the temperature, without it being recorded or stored in an automated system,
as is applicable to MB's performance. Yes that leaves the situation open to
Said control may affect other rights, but not that of data protection in
this case. This statement can be consulted at the following link:
https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturen-tijdens-

Crown"
Notwithstanding the foregoing, MB in writing 018048/2020 also performs an analysis

in the event that it is understood that the process involves data processing
personal:
“But, even if we were to consider that, indeed, there was a

processing of personal data (which we have already explained would not be the case in
this situation) and we should identify the appropriate legitimations to de
treatment of this type of information, there are currently different bases that
they could come to "legalize" that treatment. They are set out below, so
summarized, consistent with Report 0017/2020 on Covid-19 that you
themselves have issued (and that we attach as Document 2), which addresses the

possibility of processing personal data in the event of fact
that we are evaluating, as well as the legitimation problem that would exist for
make it happen:

   - Vital interest: In accordance with Recital 46 RGPD, the
       treatment in these cases could be legitimized by this cause, by
       establish that “The processing of personal data should also be considered
       lawful when necessary to protect an interest essential to the life of the
       interested party or that of another natural person. In principle, personal data

       should only be dealt with on the basis of the vital interest of another natural person
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/17








       when the processing cannot be manifestly based on a legal basis
       different. Certain types of treatment can respond both to reasons
       important to the public interest as well as the vital interests of the interested party,
       such as when the treatment is necessary for humanitarian purposes,
       including the control of epidemics and their spread, or in situations of

       humanitarian emergency, especially in the event of natural disasters or
       human origin ”.

   - Public interest: This possibility is obvious, which may have
       justifications similar to that taken into account in the previous section, although,
       here yes, it must have legal backing.

   - Legal obligation: In this case, there are several laws that would allow a
       data processing, not only the aforementioned Law 38/2015, which has a
       sectoral character, but also others with a more general nuance and that may
       cover more situations, such as, for example, Organic Law 3/1986,
       of April 14, on Special Measures in Public Health Matters (modified
       by Royal Decree-Law 6/2020, of March 10, which adopts

       certain urgent measures in the economic sphere and for the protection
       of public health, published in the Official State Gazette of March 11
       2020), which states, in its article 3, that “In order to control the
       communicable diseases, the health authority, in addition to carrying out the
       general preventive actions, you may adopt the appropriate measures for the
       control of the sick, of the people who are or have been in contact

       with them and the immediate environment, as well as those that are
       consider necessary in case of risk of a transferable nature ”. Should bring
       mentioned here that the health authority, the Ministry of Health or
       organizations to which it delegates, has already published, to date, different
       protocols where it is included, as a necessary security measure for the

       return to normality of these activities, the aforementioned controls
       temperature. For example, the Action Protocol for the reactivation of the
       judicial activity and professional health, of the General Council of the Judiciary, the
       Basic action protocol for returning to training and restarting
       of federated and professional competitions; or in the Recommendations
       for the restoration of activity in swimming pools for public use after the

       Covid-19 crisis. And let us also remember that the Government of Spain itself,
       in the management of this emergency situation and, specifically, in relation to
       with the measures that will be imposed on foreigners visiting Spain during the
       period that this situation lasts, it plans to carry out temperature controls at each
       person entering the country, in order to guarantee maximum security
       sanitary.

Furthermore, in the search for more legal support, we could point out
also Law 33/2011, of October 4, General of Public Health, which collects
Similar assumptions that allow the processing of personal data following the

instructions from the competent authorities. Or with a more concrete character,
We could also mention Law 31/1995, of November 8, on the Prevention of
Occupational Risks (LPRL), which includes similar assumptions (in this case, for the
workers), recognizing that it is the employer's obligation to guarantee the safety
at work. This last obligation of the employer must be understood in the sense

wide, so that the simple circumstance that the employees or subcontractors of the
own MB work in contact with customers and users of the same, would imply the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/17








the need for the protection provided to employees or subcontractors to be
extensible to customers or users, as a consequence of the fact that access to
MB installations by infected clients or users could put in
risk the safety of employees or subcontractors, and that of the users themselves
each. Even, the lack of action in the fulfillment of the obligations of

protection of workers derived from the LPRL could constitute a crime,
as it is regulated in articles 316-318 of the Penal Code. In this
In this sense, it should be remembered that this opinion has been ratified by the Ministry of
Health in the document that it has prepared relative to "Procedure of action
for occupational risk prevention services against exposure to
SARSCOV-2 ”that makes the following recommendation to the prevention services of

occupational hazards on page 3: “Since contact with the virus can affect
health and non-health environments, it is up to companies to assess the risk of
exhibition in which workers can be found in each of the
differentiated tasks that they carry out and follow the recommendations that on the matter
issue the prevention service, following the guidelines and recommendations made

by the health authorities ”.
All this, let us remember, without forgetting that the RGPD itself also contains the possibility
to process personal data in exceptional situations, as we have explained

previously. Therefore, one more rule that enables us to do so.
In short, for the specific case that concerns us and even for more casuistry,
It seems that the legitimation of a potential processing of personal data would be a

question that would admit various possibilities that act as a basis of legality in a
factual assumption such as the one under analysis. (…) "

Regarding the reference made to Law 38/2015 when evaluating the possible support in
a legal obligation of the treatment, MB also provides the following
information in writing 018048/2020:

“(…) We would like to refer to Law 38/2015, of September 29, on the Railway Sector
(LSF), which imposes on railway market operators, as well as
general managers of railway infrastructures certain obligations between
which is the one to "guarantee security" in its functions and attributions
established in this Law. Without a doubt, preventing the spread of an epidemic is
within these obligations that are collected throughout the articles of this law,

directly applicable to MB.
This is clear from articles such as 64.4 LSF, when they stipulate that “The

responsibility for traffic safety on the Interesting Railway Network
General corresponds to the administrators of the railway infrastructures and the
railway companies that operate there. Infrastructure managers
railway companies and railway companies shall apply safety rules and regulations and
They will have security management systems in place, appropriate to the provisions of
this law and its development provisions, which will include the necessary measures to

the evaluation and control of railway traffic risks and their monitoring. I know
They will also be responsible for the safety of the part of the railway system that
affects them, including the supply of material and the contracting of services, regarding
users, clients, workers, interested parties and third parties ”.

It is also necessary to bring up article 104 LSF, which, in the section on
Sanctioning and Inspection Regime, establishes in its section 3 that “The personnel
of the inspection services that hold that condition, under the terms provided in
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/17








current legislation, may collect from natural and legal persons or entities
affected by the obligations established in this law or in its implementing regulations,
as much information as they deem necessary for the exercise of their inspection function ”,
in its section 4 that “It corresponds to the infrastructure managers
railways the exercise of police power in relation to the traffic

railway, the use and defense of the infrastructure, in order to guarantee the
traffic safety, maintenance of infrastructure, facilities and
Material means of any kind, necessary for its exploitation. What's more,
will control the fulfillment of the obligations that tend to avoid all kinds of damage,
deterioration of the roads, risk or danger to people, and respect for the
limitations imposed in relation to the immediate land to the railroad to which

Chapter III of Title II refers to, formulating the complaints, which, if applicable, are
proceeding ”, in section 5 that“ The officials of the Ministry of Public Works and
the State Railway Safety Agency and the personnel expressly authorized by
railway infrastructure managers to ensure compliance with
the regulations on safety in railway traffic will have, in their acts of

service or because of the same, the consideration of agents of the authority, to
effects of the requirement, where appropriate, of the responsibility corresponding to those who
offer resistance or commit attack or contempt against them, on the job or in
word. In the exercise of the functions indicated in the previous section, the aforementioned
staff may require the persons referred to in section 3 how many
information deemed necessary and, where appropriate, will report to the body

competent to initiate the corresponding disciplinary proceedings, the
behaviors and actions that contravene the provisions established in the
itself and in its development rules. Likewise, they may request, through the
corresponding governmental authority, the necessary support of the bodies and forces
security "and in section 6 that" The facts verified by the personnel referred
in the previous section will have probative value when they are formalized in a document

public, observing the pertinent legal requirements, without prejudice to the evidence that
In defense of their respective rights or interests, they may point out or provide the
own interested parties ”.

In view of the foregoing, MB has an obligation to safeguard the interests
referred to in previous lines, and may be held responsible for any
omission in this sense, if he had not taken all the security measures that
were within their reach and that, indeed, were combined with the affectation of
other rights. "

Finally, MB performs the following analysis regarding its legitimacy to carry out
carry out the temperature control process:

“(…) The analysis on the question of the legitimacy to carry out this control action
of the temperature on people in the field of MB should not attend to a
proactive criterion that consists in the search for a law that allows us to carry out
carry out this action, on the contrary, what we will have to verify is that there is no

law that prohibits such conduct since, in accordance with the principle of legality in force in
our country and recognized in the Spanish Constitution (CE), in different articles, the
negative linkage of this principle would mean that “what is not expressly
prohibited in our legal system, it is allowed ”.

This interpretation is latent in different precepts of our Magna Carta,
as, for example, in Article 9 EC, which includes its more general version in its

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/17








first section, which stipulates that “Citizens and public powers
are subject to the Constitution and the rest of the legal system ”, and in its section
third that “The Constitution guarantees the principle of legality, the normative hierarchy,

the publicity of the rules, the non-retroactivity of the sanctioning provisions
favorable or restrictive of individual rights, legal security,
responsibility and the interdiction of the arbitrariness of the public powers ”.

However, and regarding its application in the criminal or administrative sphere, there are
more precepts in the aforementioned Constitutional Text that give us to understand this
position. For example, article 25.1 EC, which establishes that “No one can be
convicted or sanctioned for actions or omissions that at the time of
do not constitute a crime, misdemeanor or administrative offense, according to the legislation in force in

that moment ”, or also article 103.1, that by establishing that“ The Administration
Public objectively serves the general interests and acts in accordance with the
principles of effectiveness, hierarchy, decentralization, deconcentration and coordination,
with full submission to the law and the Law ”, transmits to us the need to
regulation to be able to think of attributing responsibility for some prohibited act.

To understand it in another way would imply serious damage to the principles of freedom and
legal certainty, something that would be unacceptable in any State of Law, and that
the judiciary would punish with the objective of guaranteeing the primary values of all

democracy."
The following documents, referred to in the previous presentation, have been provided by

MB to the AEPD as part of writing 018048/2020:
   - Annex document number 2 of brief 018048/2020: cabinet report
       Legal AEPD N / REF 0017/2020.

   - Annex document number 3 of brief 018048/2020: “Legal report about
       of the processing of data related to the body temperature of users in

       the Bilbao metro ”, prepared, according to the figure contained therein, by the
       Data Protection Delegate. This report, more extensively,
       delves into the arguments presented in his writing: the concept of data
       personal and their application to the present case; the legitimation of the treatment in
       in the event that it was subject to data protection regulations

       personal; the proportionality of the treatment (judgments of necessity,
       suitability, and proportionality). The document contains a section on
       conclusions (p. 15 and following), among which he advises MB “(…) the
       implementation of a device that does not capture or process any personal data,
       which will combine the most demanding characteristics of respect: It is not data
       personal, so there is no injury to privacy; The least medium is used

       harmful, so it is acted with diligent proportionality ”.
Likewise, section 5 ("Legal analysis") of Annex Document number 1 of the brief

018048/2020 ("Random temperature controls for users") also affects
the argument that the temperature control MB process would not be subject to
to the personal data protection regulations.


About the participants

As part of the writing 018048/2020, MB declares with respect to the participants
that, according to the arguments seen in the previous section (“MB does not perform a

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/17








processing of personal data ")," does not fit here the assumption of responsibilities
typical of the personal data protection legislation ”. However, he adds, “a
transparency effects with the AEPD ”, the following description of responsibilities:

   - Client: MB, who “has considered it necessary to acquire a
       access control in its facilities, based on the possible
       existence of symptoms related to the current pandemic caused by the

       Covid-19 ".
   - Service provider: DYA, which “is configured as a simple service provider

       services without access to data, which does not entail the condition of a
       Responsible for the Treatment ”.
As part of brief 018048/2020, MB attaches Annex Document number 4,

agreement signed by DYA and MB on May 10, 2020. They are detailed below
some paragraphs included in the agreement:

"The current health emergency situation requires the adoption of measures
specific that both result in greater safety of the transport user
as in an awareness of it regarding the need to observe all
preventive health measures in order to control the transmission situation
of Covid-19. "

“A common, though not universal, symptom of Covid-19 is fever. Control the
people's body temperature before starting work and to the public, since
either before accessing the stations or railway units, and then

recommend that only people with a normal body temperature enter the
those spaces, it could give passengers a feeling that the people at their
around they are healthy ”.

“DYA is committed to carrying out a measurement of the body temperature of travelers
of the Bilbao metropolitan railway in the terms set forth herein
document".

“DYA will carry out a daily measurement at a railway reference station
Metropolitan of Bilbao ”.

"DYA will recommend the traveler to exceed the temperature standard
established, refrain from continuing the journey.

Temperature measurement should in no case imply treatment of data from
personal character for the purposes of the General Data Protection Regulation
(REGULATION (EU) 2016/679). Likewise, no transmission will be made.
wireless any of these images or data, keeping the measurement equipment

with said functionalities (WiFi, Bluetooth,…) deactivated at all times ”.
"This agreement will enter into force on May 10, 2020 expiring to all
effects within a month ”.

The information provided to the AEPD does not include the annexes to the agreement
referred to therein: "Administrative Clauses 18-LG-DC-067" and "Offer

of DYA ”.


About data retention


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/17








As stated by MB in writing 018048/2020, since no data is recorded and
thermal cameras broadcast in real time, it is not appropriate to establish deadline policies
conservation.



On the duty of information

On this matter, MB, in writing 018048/2020, states the following:
“Based on the consideration that data processing is not taking place

personal information, it makes no sense to implement an information procedure
to the interested parties, for the purposes of data protection legislation.
However, concrete instruction has been given so that operators who

have the attributed function of controlling the temperature verbally inform the
people about the situation and the reason for such control, indicating that, in
At no time will the results of the tests be recorded, stored or used.
measurements for any purpose other than to advise on the measurements of
security to adopt.

Additionally, all the necessary documentation is available to implement
in case the MB decides, in the future, to go one step further and process data
personal. In this sense, a badge has already been prepared to announce this

collection and processing of personal data, as well as additional information to
include".

MB provides, as part written 018048/2020, an image of the badge that has
prepared, and in which it is stated: notice of "thermo-monitored area"; responsable;
purposes; indication of how to exercise data protection rights; and
indication of how to obtain more information about the treatment.



About risk assessment and security measures
MB states that “prior to the implementation of this control, it has carried out an analysis of

impact to choose the least harmful option with other rights of people in
play". As he points out, this analysis is reflected in the reports Attached document
number 1 ("Random temperature controls for users") and Attached document
number 3 (“Legal report on the processing of data related to temperature
body of users in the Bilbao metro ”). Both documents have already been

analyzed in this report (the first of them in section 2 “Description
of the process ”and the second in section 3“ Purpose and legal basis ”). Moves to
Then, due to its relationship with this section, the fundamental content of the
chapter “Analysis of existing technology. Solution adopted ”of the document
"Random user temperature controls":

“Based on the proposals made by the reference providers, we can
catalog existing solutions in three different typologies:

   - Non-contact infrared thermometers

   - Portable thermal imaging cameras
   - 'Bullet' type thermographic cameras



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/17








“(…) Starting from the premise that the temperature measurements are going to be carried out
randomly in terms of users (not all users will go through the control
temperature) and mobile (in a different station each day) and that therefore, the
Equipment must be easily installable and transportable, as well as simple in its
handling, it is concluded that the most appropriate solution is thermal imaging cameras

laptops.
The main advantages that support this solution are the following

list:
   - (…) Average reliability. +/- 0.5 ° C error in temperature measurement

   - (…) even though the measurement must be done in a row one by one, it is not a
        relevant aspect given that it is based on the premise that
        random measurements, not all users. Therefore, they are not expected

        agglomerations of users to pass through the measurement controls of
        temperature.
On the other hand, regarding the Personnel who will use the thermal imaging cameras

portable, it is considered convenient that it be Health Personnel with knowledge in
this field so that you know how to interpret the results obtained in case of double
positive and can resolve the doubts or claims that users submit to the
respect (…) ”.

In addition, in the brief 018048/2020 MB summarizes, in the following way, the measures
you have adopted:

   - "Carry out technical and legal analyzes on the solution to be implemented
        previously, having opted for the least damaging of the rights of the
        people.

   - Do not select any device that could generate data processing
        personal. The least intrusive option has been chosen, and it does not process data
        relating to an identified or identifiable person and who, therefore, is
        constitute as anonymous data, which have no impact on the
        privacy or intimacy of people.

   - Advise people who may come to present any symptoms
        related to the disease that has caused this pandemic that is

        go to your home, and contact the health authorities to verify your
        health condition. In strict accordance with the message and obligations
        transmitted by the competent authorities in this matter.

   - Adopt this measure on a temporary basis limited to the duration of the
        health emergency situation.

   - Hire qualified health personnel for the interpretation of the
        proposed measurements.
   - Inform people about the aforementioned situation, verbally, by

        of the operators, with the aim of promoting transparency ”.
In addition, as seen above, Annex Document number 4 that collects
The agreement signed between DYA and MB includes the following measure:




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/17








“(…) There will be no wireless transmission of said images or
data, keeping the measurement equipment with said functionalities (WiFi,
Bluetooth,…) deactivated at all times ”.





                            FOUNDATIONS OF LAW


                                             I

In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.

                                            II


In the present case, MB would be taking the body temperature of users
of the subway using thermal imaging cameras without recognition and without recording, which
the only thing they will capture will be a heat map of a person / animal / thing that will allow
know the temperature measurement without identification, without recording and without recording of

personal data as their identification is not required.

According to MB, this data will be displayed in real time and only by
health personnel.

Regarding the legal basis of the treatment, MB points out that in this process there is no

a processing of personal data as stipulated in article 2.1
of the RGPD, since in this case there is no automated data processing
personal data, nor is it a non-automated treatment intended to be included in a
file. And, for this reason, this action should be outside the scope of application
of the regulations on data protection. Details what we would find before data

anonymous names that do not require the protection of privacy legislation, for the
simple fact that this last right will not be affected.


However, MB also performs an analysis in the event that it is understood that the
process involves the processing of personal data and concludes that the processing
could be based on the protection of a vital interest, in the terms of recital
46 of the RGPD, or in the public interest or compliance with a legal obligation. To this
Last respect, cites Organic Law 3/1986, of April 14, on Special Measures in

Public Health Matter, Law 33/2011, of October 4, General Public Health and
Law 31/1995, of November 8, on the Prevention of Occupational Risks.


MB also makes a reference to Law 38/2015, of September 29, on the Sector

Railway, which imposes on the railway market operators and the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/17








general administrations of railway infrastructures the obligation, among others,
to guarantee safety in rail traffic.


Finally, MB mentions the Spanish Constitution, understanding that “(…) the analysis

on the question of the legitimacy to carry out this action of control of the
temperature on people in the field of MB should not meet a criterion
proactive that consists of the search for a law that allows us to carry out that
action, on the contrary, what we will have to verify is that there is no law that
prohibits such conduct since, in accordance with the principle of legality in force in our
country and recognized in the Spanish Constitution (CE), in different articles, the

negative linkage of this principle would mean that “what is not expressly
prohibited in our legal system, it is allowed ”.


                                           III

In relation to the temperature taken by users of suburban transport to
help prevent the spread of the COVID-19 pandemic, it is considered
It is necessary to highlight that the body temperature of people is a health data in

itself, according to the definition contained in article 4, paragraph 15, of the RGPD.

According to article 4 of the RGPD, sections 1 and 2, "personal data" will be understood as:
"Any information about an identified or identifiable natural person"; and by
"Treatment": "any operation or set of operations carried out on data
personal data or personal data sets, either by procedures

automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction. "

Based on the above, people's temperature controls can

constitute a treatment of health data related to an identified natural person or
identifiable, and, as such, must comply with one of the legal bases listed in
Article 6 of the RGPD and meet any of the specific exceptions that are
listed in article 9 of the RGPD.

To determine if in a specific case there has been a processing of data from

an identified or identifiable person, it must be based on the type of device
employee and take into account other circumstances of the decision making process
temperature that can make the person identifiable, as in the case of
whether or not body temperature is recorded or that the temperature capture in the
establishments open to the public are carried out with advertising, in such a way that the
affected person can be identified by third parties.


In the body temperature controls carried out by MB to take the
temperature to metro users, are used for this, in a first measurement,
thermal imaging cameras and, in a second measurement, manual thermometers, both
only designed for taking body temperature. When these controls

temperature measurements are not accompanied by an identity check of the persons who
intend to access the establishment, that is, when the temperature measurement is not
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/17








links to a certain person through their registration or annotation, such measures
would not be, in principle, included in the scope of application of the RGPD by not
associate the temperature with an identified or identifiable person.


However, denying access to a person because of their temperature or
informing you that your body temperature exceeds a certain threshold could reveal
to third parties who have no justification to know that the person to whom
entry has been denied or reported your temperature has a temperature
body above what is considered not relevant and, above all, that it may be

infected by the virus, since fever is a symptom of the disease caused
by SARS-CoV-2, so it will also be necessary to establish in each case whether
the specific circumstances that concurred in the temperature taking process
of a certain person events were derived that made it
identifiable.


In the case under examination, thermal imaging cameras and manual thermometers are used
for temperature measurements without this process being accompanied by
record of the temperature obtained from the metro users. Nor has
verified the concurrence of special circumstances that have made it possible to link
the aforementioned treatment to an identified or identifiable person.


Therefore, according to the reasoning, it is not appreciated in this case that the treatment of
data that is carried out refers to identified or identifiable natural persons,
consequently being excluded from the scope of application of the RGPD


                                           IV

Article 68.1 of the LOPDGDD, referring to the agreement to initiate the procedure for
the exercise of the sanctioning power, establishes that once the
preliminary investigation actions, will correspond to the Presidency of the Agency

Spanish Data Protection, when appropriate, issue an agreement to initiate
procedure for the exercise of the sanctioning power.

After analyzing the reasons given by METRO BILBAO, S.A., which operate in the
record, the lack of rational evidence of the existence of a
infringement within the competence of the Spanish Agency for Data Protection,

not proceeding, consequently, the opening of a sanctioning procedure.

All this without prejudice to the fact that the Agency, applying the powers of investigation and
corrective measures that it holds, can carry out subsequent actions related to the
data processing referred to in the factual antecedents.


Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:

FIRST: PROCEED TO THE FILING of the present proceedings against METRO

BILBAO, S.A.

SECOND: NOTIFY this resolution to METRO BILBAO, S.A.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/17









In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may

file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,

in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.


                                                                                       940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection









































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es