What the Romanian law provides in a nutshell: starting mid-May, when travel relaxation measures were introduced, body temperature readings in the Covid-19 context are expressly regulated. Employers have the obligation to perform them, while employees must comply with such requests. However, these mandatory readings must follow a certain standard: they must be performed via a non-contact thermometer and with no recording of the data. An employee with a body temperature above 37.3 Celsius (plus/minus the error margin of the device) must be sent to the family doctor, while visitors' access must be denied.
What happens, though, when body temperature readings are done differently, either by exceeding or by not observing the set of legal requirements described above? Consider cases where the temperature read by the non-contact thermometer is recorded, where an automated thermo scanner is used, where the body temperature reading device is used in conjunction with CCTV, or where AI is involved in the process. Does such processing observe the GDPR principles? Is it legal and justifiable in the current context?
Body temperature reveals data concerning the health of a natural person, which is included in the special categories of personal data. This means that it falls under the ambit of Art. 9 of GDPR, which deals with the processing of special categories of data. As a rule, these data cannot be processed; any processing must fall under at least one of the limited exceptions in para. 2 of Art. 9 GDPR.
Within our legal analysis regarding body temperature checks in the Covid-19 context, we have identified four (4) legal grounds that may be applicable for processing sensitive data under para. 2 of Art. 9 GDPR:
Ground | Art. GDPR | Justified in the Covid-19 context? |
---|---|---|
Explicit consent | Letter a) Art 9 para 2 | Consent is always problematic when it comes to employees due to the presumed imbalance of power that may occur in the employment context. The consent must be (i) explicit, (ii) based on complete and accurate information on the nature and scope of such screening and (iii) freely given, without any negative consequences on the continuation of the employment relation in the very same way (e.g. by expressly informing the employee that refusal of consent does not lead to any negative consequences at all). At the same time, the employee should/could be made aware that, especially given the Covid-19 context, the consent should not be abusively withheld. |
For the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment […] so far as it is authorised by Union or Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject | Letter b) Art 9 para 2 | Indeed, the employer has the legal obligation under local law to ensure the health and safety of its employees. Moreover, there is explicit legislation implementing the obligation of the employer to perform the body temperature reading of its employees. However, this specific legislation does not provide appropriate safeguards for human rights and freedoms when there is a processing of data that exceeds the limitations under these enactments. As already mentioned, the Romanian legislator considers that no recording (storing) of personal data is involved when performing body temperature checks; therefore, apart from viewing (consulting) the data, there should be no other processing. |
For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee or medical diagnosis […] on the basis of Union or Member State law, by or under the responsibility of a professional subject to the obligation of professional secrecy | Letter h) Art 9 para 2; Art 9 para 3 | While processing by the occupational doctor as part of the periodical medical checks of employees (as regulated by the Romanian law) can be justified on this ground, a daily body temperature check done by individuals other than an occupational doctor or done via automated means (e.g. fully-automated thermo scanner) cannot fall under this exception. In this sense, according to Article 3 paragraph 1 of the Romanian Data Protection Law (Law no. 190/2018), the processing of health-related data for the purpose of automated decision-making is permitted with the explicit consent of the data subjects, or if the processing is based on express legal provisions, with the application of appropriate measures for the protection of the rights, freedoms and legitimate interests of the data subject. |
For reasons of public interest in the area of public health, such as protecting against serious cross-border threats […] on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy | Letter i) Art 9 para 2 | While Covid-19 represents a valid reason of public interest in the area of public health for a processing of personal data, the Romanian law does not provide for suitable and specific measures applicable to body temperature checks in the Covid-19 context in order to safeguard the rights and freedoms of the data subject. |
Considering this background, the processing of personal data in the context of body temperature readings is rather problematic and difficult to justify in most situations. Obviously, processing of special categories of personal data in particular situations may be justifiable on one of the four legal grounds above, especially in the case of companies in the medical sector or delivering other essential services.
Some situations encountered in practice, however, remain extremely complex and difficult, such as the case of shopping malls, where the body temperature reading of visitors via a non-contact thermometer is not feasible, or sometimes even the body temperature checks done at the entrance to an office building, where the waiting time may lead to crowding that contradicts the scope and purpose of the Covid-19 preventive screening.
This article reflects the legislative status in Romania as of 1 June 2020.
Article provided by: Adelina Iftime Blagean (Wolf Theiss, Romania)