What you need to know.
Fever is one of the possible symptoms of infection with the COVID-19 virus. As part of the fight against the pandemic, companies may consider measuring the temperature of customers and employees, for example when entering their buildings.
Not every temperature measurement falls within the scope of the GDPR. Measuring the temperature with a conventional thermometer without recording any data related to that measurement does not, as a rule, constitute processing of personal data. If, after a temperature measurement, a hospital refuses to admit a person with a fever as a visitor but does not register this further, there is in principle no processing of personal data.
However, as soon as a temperature measurement is registered (for example, because a "lock-out measure" is noted in the personnel file of the employees in question), personal data is processed. In this case, the GDPR obligations must be complied with.
What you need to do.
The data recorded in the context of the temperature measurement relates to the state of health of the person concerned. As the processing of health data is in principle prohibited, you will in particular have to be able to prove that you rely on a ground for exception within the meaning of Article 9.2 GDPR:
If the data subject has given his/her explicit consent to this processing, his/her health data may be processed.
However, the consent must be "freely given", meaning that companies will not always be able to invoke this ground for exception. In an employment relationship, for example, it is assumed that data subjects often cannot give "free consent" because of the hierarchical relationship with their employer.
On the other hand, data subjects must always be able to refuse to give their consent without being adversely affected. This means that "consent" is not an appropriate ground for exception for companies that want to make temperature measurements mandatory.
If (national) legislation imposes this processing, the health data of the data subjects may be processed on this basis. The Belgian data protection authority is of the opinion that such a lawful ground is available neither in a labour context nor in a school context. In France and the Netherlands as well, such processing does not appear to be imposed by the legislation.
In addition, you should not lose sight of the other obligations under the GDPR. Amongst other things, those concerned must be informed about the temperature measurement and the objectives pursued by it.
