IP - 07121-1/2020/1677

From GDPRhub
IP - 07121-1/2020/1677
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 9 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published: 23.09.2020
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2020/1677
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: n/a

The Slovenian DPA (IP) issued an Opinion in which it concluded that companies and institutions are generally not entitled to measure the temperatures of employees and visitors, as this constitutes processing health data.

English Summary

Facts

The DPA had previously issued a press release that touched upon the topic of introducing systems for measuring the temperature of workers or visitors. In the press release, the DPA concluded that companies and institutions are generally not entitled to measure the temperatures of employees or visitors and thus process their health personal data. This type of health data, the DPA held, belongs to Article 9 of the GDPR and cannot be processed without specific authorization.

The DPA then went on to also discuss the viability of using video cameras to record the working hours of employees.

Dispute

What temperature-check measures companies could introduce on a wide-scale basis. Whether video cameras can be used to record the working hours of employees.

Holding

The DPA advised that if a company is to introduce measures regarding temperature checks, these measures must be necessary and justified. On the topic of video cameras, the DPA said that the use of biometric measures for the purpose of recording working time is generally not allowed, as it is an invasive way of processing personal data, and there are milder and equally effective measures for recording working time.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

The Information Commissioner (hereinafter: IP) received your letter in which you explained that you are introducing cameras in the company to monitor the body temperature of workers and others entering the company. Is it possible to also use these cameras as a record of the arrival of workers (the existing record system should thus include pictorial material, pictures of workers)?

 On the basis of the information you have provided to us, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, official consolidated text, hereinafter ZVOP-1) and 2 Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question.

IP explains that regarding the introduction of systems for measuring the temperature of workers or visitors, it issued a press release, which is available at:

https://www.ip-rs.si/novice/previdno-pri-uvajanju-termokamer-in-merjenju-telesne-temperature-posameznikov-1186/

The same applies mutatis mutandis to other circumstances, and we also recommend the following opinions already issued:

https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1636

https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1633
 
As we have pointed out, companies and institutions are generally not entitled to measure the temperatures of employees or visitors and thus process their health personal data - these data belong to specific types of personal data and the General Regulation stipulates that their processing is prohibited unless any exceptions are made. Companies and institutions should consult with representatives of the medical profession before introducing measurement, they can ask for the opinion of the selected occupational medicine practitioner and obtain an assessment of the profession, whether such measurement is necessary and justified, to what extent it should be performed and the extent of data retention. suitable, if at all.

The healthcare profession is therefore the one that can give a credible answer about the necessity and appropriateness of processing this data, and if it considers that measurement or monitoring is appropriate, the company / institution must comply with all provisions of the General Regulation - especially the principles of personal data protection. inform and provide all necessary safeguards, including: minimization and proportionality of the scope of personal data processing and retention periods, data security, and their accuracy and timeliness.

Recording the working hours of employees with the help of video cameras cannot realistically be done other than by recognizing their biometric characteristics (presumably facial [1] ), which means the use of biometric measures and therefore the conditions for introducing biometric measures under ZVOP-1 would apply. ). Guidelines on biometric measures, which explain the conditions for the introduction of biometric measures, are available at:

https://www.ip-rs.si/fileadmin/user_upload/Pdf/smernice/Biometrija_-_smernice.pdf

According to IP practice, the use of biometric measures for the purpose of recording working time is generally not allowed, as it is an invasive way of processing personal data, and there are milder and equally effective measures for recording working time. allow such use of biometric measures.

With satisfaction,


Mojca Prelesnik, B.Sc. dipl. right,

Information Commissioner


Prepared:                                                                                                                             

mag. Andrej Tomšič,
Deputy Information Commissioner