AEPD (Spain) - E/03884/2020
|AEPD (Spain) - E/03884/2020
|Article 2(1) GDPR
Article 4(1) GDPR
Article 4(6) GDPR
|No Violation Found
|METRO BILBAO, S.A.
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The Spanish DPA concluded that the use of a thermal camera to verify if users of a service have a higher temperature than a certain threshold, in the context of the COVID-19 pandemic, does not fall under the scope of the GDPR when there is no further storing, processing or any operation on the data shown by the camera, and the persons are not asked to identify themselves.
English Summary[edit | edit source]
Facts[edit | edit source]
The Spanish DPA (AEPD) launched an investigation on the company that manages the underground service of Bilbao, one of the main Spanish cities. In the context of the covid-19 pandemic, the company was using thermal cameras to verify if the users of the underground had a higher temperature than a threshold (37.3ºC), in order to identify potential infected people.
People were randomly picked to pass through the range of the cameras, that would show their temperature. What was shown was only a temperature map; images were not processed in any way, nor there was any kind of facial recognition system. Data were neither registered, stored or processed in any way.
The only consequence deriving from the temperature map would be that the employees in charge would carry out a second test, with a clinic thermometer, to verify whether the temperature was above the threshold. Then, if still shown to be above the threshold, they would receive a recommendation on how to act (i.e. not use the metro and contact a doctor).
Holding[edit | edit source]
The Spanish DPA, in line with the allegations of the controller, concluded that the GDPR was not applicable to this case, as it did not fall under its material scope.
The temperature measurement was done without identification, without recording and without registering data of the persons, as their identification is not required either by official document or verbally. At no time was any personal data stored or recorded, neither image data, nor temperature data, nor name and surname, nor any other data relating to an identified or identifiable natural person. No information was stored, which could imply the impossibility of identifying a person by collecting only indirect identifiers, such as the aforementioned heat map or temperature; and no direct identifiers, such as an image or similar, nor the results of the temperature measurements were stored nor were the results transferred to another kind of non-automated or automated support.
At all times, the anonymity of the persons was maintained, as they were not required to identify themselves, and there was no recording, as the image was issued in real time, in a heat map that did not allow a person to be unequivocally identified.
Therefore, following Article 2(1) GDPR, the AEPD concluded that there was no processing of data, neither automated or non-automated but meant to be part of a filing system. Hence, it is outside the material scope of the GDPR.
Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion, but remarked that the circumstances of each particular case should be taken into account. The device used and other variables that could make a person identifiable shall be considered. In this case, even if the person remained anonymous, as they were not asked to identify themselves, the procedure was carried out in public space, so any person that was not allowed to enter the subway because their high temperature would be known to have a temperature higher than 37.3ºC, what is, in addition, health data, so it is classified as sensitive data in accordance with Article 9 GDPR. Therefore, third persons would be able to know that a particular person might be infected by the SARS-CoV-2, as fever is a symptom of covid-19. Therefore, it would be debatable, in a case by case basis, whether the circumstances could have made that a particular person was identifiable.
The DPA also discusses an hypothetical case in which such activity, or a similar activity, it could be considered processing of personal data; then, a legal basis would be necessary for the processing. Options for that would be a vital interest, a public interest or compliance with a legal obligation. Additionally, an exception from Article 9 would be necessary.
In any case, the DPA reached the conclusion that the fact that the persons were not asked to identified themselves definitely meant that they were not identifiable and that no kind of data related to temperature or to the scanned persons was stored or processed in any way. Therefore, as there is not processing of data related to identifiable persons, the case was considered not to fall under the scope of the GDPR, and it was archived.
Comment[edit | edit source]
This is the first case in which the AEPD assesses temperature measuring activities related to the covid-19 pandemic.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.