Does taking the temperature of customers constitute the processing of personal data?

Does taking the temperature of customers constitute the processing of personal data?

On April 6, 2021, a complaint was filed before the Spanish Data Protection Agency (hereinafter, “AEPD”) by a natural person against an establishment for carrying out a verification of his body temperature to allow him access to the referred establishment, a verification that, according to the affected person, had been carried out by unqualified personnel and without authorization to do so. 

In this sense, and once the aforementioned complaint had been admitted for processing, the Subdirectorate General for Data Inspection proceeded to initiate preliminary investigation proceedings to clarify the facts denounced. 

Well, the proceedings were closed because the existence of an infringing action by the establishment denounced was not detected within the competence of the AEPD, since the temperature was taken using a manual thermometer that did not record images or biometric information of the user, without this process being accompanied by a record of the temperature obtained from the individuals accessing the establishment. Therefore, according to the AEPD, measures would have been taken to ensure the confidentiality of users and in order to follow recommendations, and prevent the spread of the virus, in the fight against the pandemic derived from COVID-19.

Temperature collection would involve the processing of sensitive personal data.

In the event that the temperature data obtained is not subject to any recording operation and, therefore, is not linked to the physical person, being impossible for the person in question to be identified or identifiable, it will be considered that the taking of temperature would not involve the processing of sensitive personal data. 

In other words, when these temperature controls are not accompanied by an identity control of the persons seeking access to the establishments and are not linked to a specific person through their registration or annotation, such measures would not be, in principle, included in the scope of application of the General Data Protection Regulation (hereinafter, “GDPR”) since the temperature is not associated with an identified or identifiable person. 

How should companies be implementing these security measures act?

Companies applying this type of security measures must comply with two basic principles: proportionality and data minimization. In other words, the measures put in place must be in accordance with the intended purpose and strictly necessary to achieve it. 

Therefore, companies should limit themselves to taking the temperature of users without leaving a written record of it, this practice being minimally invasive and exclusively for the sake of avoiding contagion by other people. 

Limitation of purpose and accuracy of the data

Notwithstanding the above, and in the event that the taking of a temperature is recorded and can be associated with a specific, identified or identifiable person, this may constitute a processing of health data and, as such, must comply with one of the legal bases listed in Article 6 of the GDPR and meet one of the specific exceptions listed in Article 9 of the GDPR.

In addition, the data protection principles set out in the GDPR in relation to purpose limitation and data accuracy must be taken into account. With regard to the purpose limitation principle, it should be noted that the temperature may only be taken for the specific purpose of detecting possible infected persons in order to prevent their access to the premises and the spread of the virus. 

On the other hand, and in relation to the principle of accuracy of the data, it implies that the thermometers or sanitary equipment used must be suitable for taking temperature, be approved and have criteria that take into account high levels of accuracy.

Rights and guarantees for users

The affected users will continue to maintain their rights in accordance with the RGPD, being applicable the guarantees that this Regulation establishes, although these will be adapted to the specific circumstances of this type of processing.