Measuring temperature of visitors and employees: is that allowed?

29 April 2020
IT & privacy - Privacy - Employment & co-determination

Due to the corona crisis, many companies are taking measures to work as safely as possible and to prevent the spread of the coronavirus. For some professions, working from home is quite possible, but there are also sectors in which it remains necessary, or desirable, for employees, suppliers, customers, contractors and other visitors to appear in the workplace. We receive many questions from entrepreneurs about whether they can measure the body temperature of anyone who wants access to the company’s building or site. This is often not allowed and this may lead to fines from the Dutch Data Protection Authority. The Dutch Data Protection Authority recently confirmed this.

But: why is that so, and what is possible?

Special personal data

Measuring a person’s body temperature is, in principle, a processing of personal data. “Processing” can refer to many different actions regarding personal data: for instance viewing, storing, passing on, looking at or deleting personal data. Simply viewing a temperature on a thermometer or with a thermal camera, without the temperature being stored or recorded, is often already a processing of personal data. We do note that this is context dependent.

This may, for example, be different in cases where the temperature is measured for a few seconds, without there being any direct or indirect link whatsoever to (other) personal data. In that case, the measurement could fall outside the definition of “processing” as meant in the GDPR. An example could be scanning temperatures with thermal cameras in public spaces, without (directly or indirectly) recording further data from those involved. This will more likely be the case in, for example, a department store, than in a hospital or at the airport; in turn, this may be more likely to occur in a hospital or airport than in an office with 25 employees.

In a company, however, it will often be necessary to register additional data and / or to attach consequences to the results of the measurement. Think of an employee who is refused at the gate because his temperature is too high. Not only will he be denied access to the workplace based on his body temperature, additional data is also likely to be recorded. The employer may register him as absent or sick, or the employee may end up on a list of employees who are temporarily denied access to the workplace. In this scenario, it is no longer just a matter of reading the temperature of an (anonymous) person, but further data is recorded about a particular individual, precisely because his temperature has been measured by the employer.

So: there are a few exceptions, but in principle, the General Data Protection Regulation (GDPR) and related privacy rules apply at the workplace, because the data will almost always be (sometimes indirectly) traceable to a specific employee or visitor. For the sake of completeness, we also mention that even if in a specific case there is no ‘processing’ of personal data within the meaning of the GDPR, there is other legislation that must be taken into account in the context of an employer-employee relationship, when taking measures like this.

If the GDPR applies, it is also important that temperature measuring concerns data about a person’s health. This involves a special category of personal data and, in principle, a processing prohibition applies. The basic principle is that measuring temperatures is not permitted, unless one can invoke a legal exception.

Exception for measuring body temperatures?

So, the question is whether there is a legal exception that allows entrepreneurs to measure the temperature of their employees and visitors.

Employees

An employer may only process personal data about the health of its employees if this is necessary for the continued payment of wages and rehabilitation. Therefore, an employer is allowed to know that employee Jansen is ill and cannot lift, but not exactly what is wrong with Jansen (for example a hernia). An employer is not allowed to play company doctor and make a diagnosis based on his own research, such as an alcohol and drug test or a temperature measurement. Even if employees themselves say what is wrong with them, an employer may in principle not register it.

Another exception to the aforementioned processing prohibition in the GDPR is the processing of health data that is necessary “for reasons of public interest in the field of public health, such as protection against serious cross-border health risks”. However, this exception requires national legislation to regulate this specific kind of processing, while respecting medical confidentiality and the data subject’s right to privacy. Such legislation does not (yet) exist in the Netherlands. Therefore, employers cannot use this exception.

A legal exception that we also occasionally see in this context, i.e. processing for “the protection of the vital interests of the data subject”, does not apply in this case either. For this exception to apply, there must be a situation in which a data subject cannot give their permission, for example because they are unconscious. Moreover, one may wonder whether in this case, the interests involved are the data subject’s own interests (we do not think so).

Finally, a well-known exception: the explicit consent of the data subject. This consent for processing must be free, specific, informed and unambiguous. In the employer-employee relationship, it is assumed that an employee can hardly ever give free permission; after all, he is dependent on his employer. In that case, there is no legal permission, so this exception does not apply either.

Suppliers, customers and other visitors

The same applies to other people present at the workplace. There is no national legislation (yet) that makes it possible to test the body temperature of visitors and customers. Here too, however, the assessment depends on the specific circumstances of the case.

Explicit consent of these categories of data subjects might be an option in very specific cases, but only if consent is really completely freely given. This means, among other things, that the data subject must not be negatively affected by the fact that he does not give his consent. In practice, this will often be difficult. For instance, think of a truck driver who is asked at the gate if he wants to be tested. He will probably feel compelled to a greater or lesser degree to give his consent; otherwise he will not be allowed onto the site and therefore cannot do his job. This might also lead to employment law consequences from his own employer. In this case, his consent is not legally valid, because it is not freely given. It is difficult to come up with a scenario in which permission is given freely, because most companies prefer to carry out selection at the gate before they allow visitors into the building or on their grounds.

Conclusion

Measuring the temperature of employees and visitors will often not be permitted. The problem often lies in the context in which the temperature measurement is applied. There does not seem to be a suitable legal exception, which an entrepreneur would need under the GDPR in order to measure the body temperature of employees and visitors. And even if such an exception were available, the processing of health data is, in principle, reserved for doctors only. In addition, the processing must be necessary for the intended purpose. Whether this is the case depends on the specific circumstances, but in many cases this, too, will raise questions. For example, the question is whether it is not enough to rely on one’s own employees: requesting them to measure their own temperature daily is allowed. And is temperature measuring an appropriate means to reach the purpose, namely stopping the spread of the coronavirus? After all, it has now become apparent that people without symptoms can also spread the virus, while employees could otherwise get a false sense of safety, because they and their colleagues have passed the test.

What is possible?

First of all, it is of course important to assess whether you are “processing personal data” within the meaning of the GDPR. If that is the case (and in our opinion, this will often be the case), entrepreneurs are not allowed to measure temperatures. Of course, entrepreneurs can take other actions to keep their staff and visitors as safe as possible. We strongly advise you to do that too: an employer is obliged to ensure a safe working environment. For example, it is very important to continue to follow the RIVM’s instructions and to continuously inform employees and visitors about them.

Would you like more information about the possibilities in your specific situation? We are happy to think along with you.
Contact us at privacy@ploum.nl or call us: Ploum Privacy Team.

More information

Nina Witt

M +31 6 30 29 34 05
E n.witt@ploum.nl