COVD-19 protection privacy
At the time of the outbreak of the coronavirus, many entities, with regard to implementing the HZJZ recommendations, measure the body temperature of visitors at the entry into their premises. In this way they intend to help combat the epidemic and seek to increase the security of its employees, visitors and, indirectly, of a society (generally speaking).
In order to measure the temperature either in accordance with the GDPR, operators should meet certain conditions.
From the data processing point of view, two basic methods of temperature measurement are applied. The first method is to measure the temperature of individuals without recording any data. Such measurement shall not constitute the processing of personal data under the GDPR. However, the measurement of temperature with automated or manual recording of measurement results constitutes the processing activity to which the requirements of the GDPR apply and for which a valid legal basis is required. Where the measurement of the temperature is processed according to the GDPR, the entity shall draw up a notification of the processing of personal data with the following information: The identity and contact details of the controller, the contact details of the controller or third party where the processing is based on that grounds, the recipients or categories of recipients of the personal data, where applicable, if the controller's intention is to transfer personal data to a recipient in a third country or an international organisation.
It should be pointed out that the body temperature is a personal data referring to the health status of a person, and the GDPR is included in specific personal data. Consent is not desirable as a legal basis because it is non-binding on the individual, without it being permitted to deny the primary business or legal needs of the individual. The processing of specific personal data is permitted in the case of activities of an entity in the public interest or on the basis of EU or national law and in those circumstances entities need to find their legal basis.
Since COVD-19 is often asymptomatic, temperature measurement is only partially effective in preventing COVD-19, because the increased temperature is not an uncontested COVD-19, on the other hand, the infected person does not necessarily have a fever, but it can infect others. Thus, the health data collected by measuring the temperature are not absolutely necessary, as it is not necessarily evidence of COVED-19 infestation, and such processing is not sufficiently specific to prevent the COVD-19 outbreak. For the processing of health data by measuring the temperature by an entity, the legislature would need the legislator to fill the gap in the law so that such treatment would have legal basis.
While operators are legally obliged to ensure health and safety in their premises, instead of processing health personal data by measuring body temperature, the application of appropriate measures is desirable. Examples of such measures may be temperature measurement without recording data or meeting legal epidemiological measures.
When measuring the temperature without recording the data, it should be borne in mind that only the measurement is not the processing of personal data under the GDPR, but the operator's behaviour to an individual after the temperature check (e.g. an entity sends an employee home and records an internally present situation) is an activity of processing under the GDPR and for that activity an entity should have legal basis.