GDPR vs. body temperature measurement  

Krzysztof Grabowski, Data Protection Inspector
Temperature measurement has recently been a very hot topic for every Data Administrator. Is it allowed to measure the temperature of employees in order to prevent the spread of coronavirus epidemics?

The answer to this question is simple - it is allowed. The question of how to do it legally is much more difficult. Some experts suggest to collect such data on the basis of consent, others do not recommend such a solution. So how should an employer behave in the face of contradictory opinions? 

Employee temperature checks - legal basis

It appears that the data on employees' body temperature should not be collected on the basis of consent (Article 9(2)(a)), as the basic conditions for consent are not met (Article 7 of the GDPR and Recital 43 GDPR). It therefore appears that the employer taking such action should look for other legal basis, which derive both from the GDPR provisions and other national legislation.

Below are a few possible legal basis:

  • The most important basis for the processing of personal data when measuring the body temperature of employees is Article 9(2)(i) of the GDPR, which states that the processing of such data is allowed if it is necessary for public interest reasons related to public health, such as preventing serious cross-border health threats or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices, on the basis of UE law or UE Member States’ law, which provide specific measures to protect the rights and freedoms of data subjects, in particular professional confidentiality.
  • We also have legal basis relating to ordinary data, such as Article 6(1)(d) of the GDPR - processing is necessary to protect the vital interests of the data subject or of another individual.
  • In addition, in urgent situations, we have Article 9(2)(c) GDPR - processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent.

Where the measurement concerns employees, the employer may justify the data processing of the data with:

  • Article 94 (1) and (4) of the Labour Code - Work organisation and safe and hygienic working conditions
  • Article 207, paragraph 2 (1) and (3) of the Labour Code - employer's obligations in the field of health and safety at work in the workplace
  • Article 6(1)(c) GDPR - processing is necessary to fulfil the legal obligation of the administrator (Article 94(1) and (4) and Article 207(1) and (3) of the Labour Code)
  • Article 9(2)(b) GDPR - processing is necessary for the fulfilment of the obligations and execute of specific rights by the administrator or the data subject in the field of labour, social security and social protection law, so far as this is allowed by EU law or Member State law, or by a collective agreement under Member State law providing for adequate safeguards for the fundamental rights and interests of the data subject

Temperature measurement - data administrator responsibilities

Even in exceptional situations, such as the coronavirus pandemic, it is important to keep in mind the basic principles of personal data processing:

  • The amount of personal data should be adequate for the intended purpose
  • Data should be processed for a specific and explicit purpose
  • The obligation to provide information to individuals should include:
    • the name of the administrator
    • legal basis
    • retention times
    • the purpose of processing
    • the rights of individuals
    • contact details of the administrator or the Data Protection Officer (if designated).

Information on data processing should be easily accessible and written in a way that is understandable to all.

Personal data collection should be secured by appropriate technical and organisational measures.

Contact our expert 

Personal data protection