Temperature check to prevent the spread of COVID-19
In a situation where, for example a person's body temperature is measured, or data concerning his or her health is collected, and then this information is recorded, transmitted and collected, a special category of personal data will be processed.
Nevertheless, in the opinion of the President of the Personal Data Protection Office, the regulations on the protection of personal data do not object to the processing of data of employees and visitors in the scope of for example temperature measurement or the implementation of a questionnaire with disease symptoms. The GDPR indicates in its Article 9(2)(i) that special categories of (health-related) data may be processed when processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, if this is provided for by law. This provision therefore corresponds to the national regulations in the field of the fight against the COVID-19 pandemic. Pursuant to Article 17 of the Act of 2 March 2020 on special arrangements for preventing, counteracting and combating COVID-19, other infectious diseases and crisis situations caused by them (Journal of Laws of 2020, item 374) - so called "Special Act", the Chief Sanitary Inspector has the power to influence other entities and changes in the existing regulations, as well as to indicate the adoption of appropriate solutions.
The Special Act provides a number of possibilities for the Chief Sanitary Inspector to perform its tasks, who sets the general directions of the sanitary authorities’ activities. On the basis of new regulations, it also has the power to introduce additional solutions - bearing in mind the need to regulate certain issues and take necessary actions related to fighting the epidemic. In the opinion of the President of the Office, Article 17 of the Special Act does not exclude the possibility for employers or entrepreneurs to introduce the above mentioned solutions aimed at combating COVID-19. Therefore, if the sanitary inspector considers it necessary to adopt a solution in the form of measuring the temperature of employees and the so called guests entering the premises of the workplace or obtaining statements from employees concerning their health, it can make use of a legal measure appropriate for it, as a result of which the workplace will be obliged to make a decision on measuring the temperature or collecting statements from employees concerning their health. The sanitary services may also decide to measure body temperature of the visitors who enter the building in order to settle the matter.
Therefore, all actions which will be taken by a sanitary inspector and entities which will be influenced by him will result from the law which regulates his actions and from the above mentioned decisions, guidelines and recommendations – that is the rights resulting from the Special Act. These measures shall constitute the legal basis for these activities, including the processing of personal data concerning health.
In the matter of undertaking actions related to counteracting COVID-19 at the workplace, it should be noted that the basis legalizing the processing of health data in the employment sector, and thus in the employer-employee relationship and in relation to the public entity, cannot be Article 9(2) (a) of the GDPR, that is the consent of the data subject. This results directly from the General Data Protection Regulation, which indicates that consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. In the employer-employee relationship there is also inequality of these two entities. The employer cannot also order temperature measurements for employees and so-called visitors entering the workplace . In any case, it must show a legal basis that would give such entitlement. It should be emphasized that the law does not regulate what temperature gives the basis to conclude that the employee is ill or infected with the COVID-19 virus. Therefore, it is the sanitary services, not the employer, that - when taking specific actions - point in specific cases at adopting the appropriate solutions.
Referring to the issues related to the implementation of the information obligation, it should be noted that the controller is obliged to provide to the persons whose personal data are processed by it all necessary information in this regard. The content of the information clause should contain elements indicated by the GDPR and should be disclosed to these persons. The information obligation should be fulfilled by the controller in such a way that the data subject can get acquainted with all the information directly. The clause can be included e.g. in the questionnaire, as well as it can be available at the workplace or in the office, for example at the reception desk, on the notice board or on the website. Nevertheless, the data subject should be informed about the basic issues related to the processing of his personal data (controller’s data, purpose of processing, legal basis, scope of data) at the latest at the time of collecting the data, and then possibly referring to the full content of the clause available in the abovementioned places.
The President of the Personal Data Protection Office indicates that the provisions on the protection of personal data do not oppose the actions related to counteracting COVID-19. Instead, he emphasizes that the solutions taken by entrepreneurs, employers and other entities will be legal only if the controller implements them on the basis of legal provisions - in accordance with the principle of legality set out in Article 5(1) GDPR. In the present case, the legal bases should undoubtedly be found in the solutions indicated by the Chief Sanitary Inspector.