By: Sergi Gálvez and Jorge Monclús
By: Sergi Gálvez y Jorge Monclús
The Council of Ministers recently approved the “New Normality Transition Plan” — also referred to as the “de-escalation plan” — and the National Social Security Institute published Good Practices Guidelines to prevent the risk of exposure to the coronavirus at work by activities and sectors, speeding up the implementation of new measures to ensure activities resume with maximum safety, avoiding new infections and, ultimately, the spread COVID-19. These measures notably include checking people’s temperature as they enter workplaces, stores, education centers and other establishments or facilities, given its significance and impact on privacy. The Spanish Data Protection Agency (“AEPD”) has just published a statement issuing guidelines on this point: Taking temperature constitutes sensitive data processing: the AEPD reminds that taking a person’s temperature involves health-related data, not only because body temperature is a health datum in itself, but also because, based on it, a person is presumed to have a specific disease or not, namely COVID-19 in this case. Implementation criteria: according to the AEPD, taking temperature would require health care authorities to determine the need for the measure in advance and its alignment with the aim of effectively preventing the spread of the disease in the relevant areas and regulating the specific limits and guarantees in processing people’s personal data. It stresses that taking a person’s temperature may not be the most appropriate measure, given that there is a percentage of asymptomatic people who have COVID-19 but do not have a fever and, moreover, there may be people with high temperatures not caused by COVID-19. It is particularly significant that the AEPD states that the temperature based on which a person is considered potentially infected with COVID-19 should be established based on scientific evidence rather than being an arbitrary decision by each entity implementing this measure, as a heterogeneous application would reduce its effectiveness and could lead to unjustified discrimination. Principle of legality: the AEPD clarifies that the legal basis cannot, in general, be the data subjects’ consent, as it would not be free. In the area of labor, the legal basis would be the employers’ obligation to guarantee the health and safety of their employees at work. It is important for the AEPD that this legal basis “could be broadly taken into account, given that, although the specific purposes of centers or premises may mean a high concentration of customers or users unconnected to the company managing them, employees for whom the employer maintains its obligations will always be present in them.” In any case, the impact of these measures on customer or user rights and on the level of employee protection must be properly weighted. Restriction on the use and accuracy of the data: in this context, the principles of restriction on the use of the data (temperature can only be taken to detect possible COVID-19 infections and prevent infected people from entering a certain place and coming into contact with other people in it) and accuracy (the temperature checking equipment must be appropriate to reliably record temperature ranges) are specially relevant. Rights and guarantees: as the AEPD has reminded in its recent criteria, in the context of COVID-19, data subjects maintain their rights under the General Data Protection Regulations (“GDPR”), and the other guarantees established by the GDPR continue to apply. Finally, the AEPD refers to thermal-imaging cameras, highlighting the relevance of the principles of use restriction and data minimization, insofar as using new temperature checking technologies poses the risk of the data obtained being used for other unrelated purposes.