The European Data Protection Supervisor issued today orientations on the use of body temperature checks by Union institutions, bodies, offices and agencies (EUIs) in the context of the COVID-19 crisis, highlighting that a careful assessment and appropriate data protection safeguards are necessary.
Wojciech Wiewiórowski, EDPS, said: “Body temperature checks of employees and visitors, used as an additional measure in the fight against COVID-19, can be implemented through a variety of devices and processes that should be subject to careful assessment. Some of these processes are neutral while others may constitute an interference into individuals’ rights to private life and/or personal data protection. Basic manual body temperature checks are in principle not subject to the EU personal data protection law. The present orientations include a non-exhaustive list of technical and organisational recommendations to help EUIs and Data Protection Officers (DPOs) in meeting the requirements of EU data protection rules, where applicable”.
In its orientations, the EDPS distinguishes between those body temperature checks that are subject to Data Protection Regulation (EU) 2018/1725 and those which are not:
Basic body temperature checks that are designed to measure body temperature only, and that are operated manually and are not followed by registration, documentation or other processing of individuals’ personal data, are in principle not subject to the Regulation.
Other systems of temperature checks, operated manually or automatically, followed by the processing of individuals’ personal data, are subject to the Regulation.
Depending on the processing capabilities of the systems used to carry out body temperature checks, additional data protection safeguards need to be implemented. Data protection by design and by default also means that EUIs should design body temperature checks in such a way that the amount of collected personal data is minimised.
Furthermore, the EDPS notes that temperature checks carried out on a mandatory basis should not be based solely on automated processing but that human involvement should be provided at relevant stages of the temperature checks.
Finally, the EDPS advises EUIs implementing temperature checks to review the necessity and proportionality of such measures regularly, in light of the evolution of the epidemic and its scientific understanding.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, offices and agencies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.