open search
close
Corona Internationales Arbeitsrecht Neueste Beiträge

Please check your temperature: or don’t? Data privacy questions from Germany

Print Friendly, PDF & Email

What are the data protection implications of temperature checks as a Covid-19 precaution? This article investigates, with reference to a current investigation by the Hesse Data Protection Commissioner. 

After the phase of coronavirus-related remote working, still in use in many companies, the question now arises as to what measures must and may be taken when returning to work onsite, to check whether an employee may have become infected with the coronavirus. One well-known measures is temperature checking. This is already being practised in many countries, but in Germany it is controversial, especially with regard to data protection issues. The Hesse state data protection commissioner recently tackled this issue in relation to retailers.  

What is at stake?

After the corona-related forced closure of the retail trade, many shops have introduced an obligation to use mouth-nose-coverings when they reopen and a limit on the number of people who can be in the shop simultaneously. Some retailers have also introduced an obligatory temperature check to restrict access. If a temperature reading is abnormal (elevated temperature can indicate suspected coronavirus infection), the person may not enter the shop.

Subject of the examination of the State Data Protection Commissioner of Hesse

In this context, the Hesse State Data Protection Commissioner is currently examining, firstly, whether body temperature measurements are personal date at all, secondly, whether it is proportionate to collect this data, and thirdly, whether the data collected but not recorded is in fact stored, given that video surveillance footage is also available.

Personal data

Under Article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person. Although body temperature measurement is an individual characteristic of individuals, there is only a concrete reference to the person that person’s name, at least, is known. If, as here where temperature checks relate to access to a shop, the temperature measurement is not assigned to an individual, no personal data is likely to be created, at least as long as payment (e.g. by credit card) does not associate a temperature measurement with a specific individual.

The situation may be different, on the other hand, for temperature measurements for employees, since employees’ names are known and a direct reference to the measured body temperature can be established without further steps.

Parallel video surveillance

Furthermore, the Hesse data protection commissioner assessed whether parallel video surveillance and recording of individuals and checking their temperature can result in the storage of personal data. This could be the case if the temperature check is actually visible on the video. Recording body temperature by means of video cameras should therefore be avoided as far as possible.

Proportionality

In principle, personal data may also be collected to a certain extent in the employment relationship with the aim of protecting the health of the general public on the basis of s26 of the Federal Data Protection Act. To degree, this principle also applies to customers who wish to enter a retail outlet. In this context, however, the Hessian data protection authority has queried whether the invasion of privacy caused by temperature checks is still appropriate. Furthermore, it is questionable whether temperature checks are an effective measure to prevent or contain the spread of Covid-19. Although fever symptoms sometimes occur during illness with Covid-19, this is not always the case, and fever is not its ‘unique selling point’: it is often a symptom of ‘normal’ cold or flu. Ultimately, temperature checks may create a false sense of security, which may not be proportionate, given the data collected data.

Conclusion and outlook

To date the Hesse State Data Protection Commission assessment is not conclusive; they are initial thoughts and arguments and it remains to be seen how the authority will finally position itself. Furthermore, the assessment initially refers only to customers. Conclusions could, however, be drawn for employers who are considering carrying out temperature checks on their employees, relating both to the question of the existence of personal data and the proportionality of the measure. For the assessment of the latter, further scientific findings on Covid-19 virus may be decisive. At present, employers are advised to carry out temperature, if necessary only with employees’ consent. In any case, recording this data and permanently linking it to named employees concerned is not advisable.

Visit our Coronavirus Resources Hub and find the information and tools you need to help you manage your international workforce in these times of crisis.

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.
Verwandte Beiträge
Internationales Arbeitsrecht Italy Neueste Beiträge

New guidelines for retention of emails

The  Italian Data Protection Authority has adopted an updated version of a guideline document on email retention that it originally issued in December 2023, but which had been suspended. The document is entitled ‘Computer programmes and services for email management in the workplace and metadata processing’. With this document, the Data Protection Authority states that it intends to provide employers with guidelines on how to manage employee email accounts, and…
Internationales Arbeitsrecht

It’s finally here: adequacy decision on EU-US data transfers

Data transfers from the EU to the US will now be easier for many companies, following a long-awaited decision from the European Commission. More than a year after the first announcement of the Trans-Atlantic Data Privacy Framework, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on 10 July 2023, which entered into force with immediate effect. Transfers to US companies signed up…
Datenschutz Internationales Arbeitsrecht Neueste Beiträge

GDPR: five years on

For those  impacted by the EU General Data Protection Regulation, known as the GDPR since its entry into operation across the bloc on 25 May 2018, it’s quite something to think that the legislation has been with us for five years today. So what has gone well and what has gone less well? One of the main purposes of the legislation was to get the…
Abonnieren Sie den kostenfreien KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

 

Die Abmeldung ist jederzeit möglich.