On September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic.
Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it considers the use of thermal cameras in the work place to be admissible, provided that the requirements of data protection by design laid down in Art. 25 GDPR and security of data processing in to Art. 32 GDPR are complied with.
In detail:
- German DPAs consider that electronic temperature checks followed by documentation or recording are subject to the GDPR. They indicate, however, that body temperature checks, which are operated manually and are not followed by registration, documentation or other processing of personal data might be not subject to the GDPR.
- In public areas such as shopping malls and airports, body temperature checks are not considered to be admissible. The DPAs emphasize that it does not consider automated body temperature checks to be adequate and necessary, as an increased body temperature cannot be necessarily regarded as a symptom of Coronavirus referring to the position of the Robert-Koch-Institute. From the authorities’ point of view there are other less invasive and more effective measures, e.g. wearing facemasks, restricting access to stores, keeping a safe distance, introducing a hygiene concept, etc.
- German DPAs point out that body temperature checks cannot be based on consent under the GDPR because it usually difficult for consent to be freely given (in particular, in employment) and informed.
- In relation to temperature testing in the workplace, it could be considered to be necessary as a measure of occupational health and safety. This would be based on Articles 9 (2) h, 88 and Section 26 of the German Federal Data protection Act (Bundesdatenschutzgesetz) but only where the temperature measurement is conducted by healthcare professionals who are subject to the obligation of professional secrecy under Article 9 (3) GDPR. The authorities also recommend combining temperature measurement with health-related questions or an assessment of whether the employee has other symptoms of the disease.
- When using a thermal camera controllers should ensure that the requirements of Articles 25 and 32 GDPR are complied with. In particular, the authorities recommend implementing the following settings:
- Capture only certain body parts, such as the forehead and inner angles, as capturing the whole body is not necessary.
- High measuring accuracy
- Definition of a threshold value triggering capture by the camera (i.e. the manufacturer or user of the camera should configure it in such a way that the camera only makes recordings or triggers an alarm if it detects an increased (body) temperature, e.g. from 98.1°F (36.8°C))
- Use of security personnel overseeing the thermal cameras and detect the persons with increased body temperature.
Our take
The German authorities do not comment on whether automated body temperature checks – without actually recoding the data electronically – are subject to the GDPR, but we recommend that it is best to assume that EU data protection laws will apply in this context. The use of the thermal cameras can be admissible in the work place in combination with other measures and if implementing privacy by design requirements. Body temperature checks in the public areas, such as airports and malls, can only be conducted if GDPR does not apply. For example, using thermal cameras which are only able to check the temperature without directly or indirectly identifying a person, i.e. using software automatically blurring faces and only checking the body temperature of people passing through.
