Data protection and coronavirus prevention

***** Update at 11pm on 02 April 2020:
Guidelines and other public releases published by data protection supervisory authorities *****

Companies are currently considering, among other things, protecting their premises to prevent the coronavirus by means of single entry access control systems with infrared cameras installed, which use a thermal imaging function to automatically measure temperature differences between the people passing through these systems and a pre-parameterised reference temperature. In the event of an alarm, a further measurement is made by a person specifically appointed by the company. In some cases such systems have already been installed.

To justify such measures solely by referring to the company’s domestic authority would not take into account the fact that, in many cases, personal data will be generated in doing so. When deciding on the specific design of such measures, it must therefore be ensured that the recording of health-related data takes place within the boundaries of applicable data protection law. If these boundaries are overstepped, the data protection supervisory authorities can impose fines and data subjects can claim damages. Even surveys of all employees about their state of health or that of their relatives may be inadmissible under applicable data protection law, especially if they are designed as systematic serial surveys. This does not affect the employee’s obligation to report coronavirus infections that could pose a risk to other employees or the company or the admissibility of documenting such reports and the subsequent measures taken by the employer.

The strictest of conceivable measures is the automated measurement of the temperature of all people intending to enter a workplace. Although the temperature measurement itself does not yet involve collecting the names and addresses of the persons passing by the infrared cameras,  it cannot be ruled out that data protection law applies if it is possible (even subsequently) to identify the data subjects

In these cases the data generated during automated temperature measurement constitutes personal data within the meaning of Article 4(1) GDPR. This applies especially if the company has numerous sources available from which it can use data to identify the persons passing the cameras. For example, data from key card readers or working time recording systems, other video surveillance equipment (CCTV), or knowledge of persons supervising the measuring device or observing the live stream of images produced by the thermal camera, security guards or gate personnel, staff or visitor’s identification cards, and finally the knowledge of the person responsible for the subsequent personal measurement.

At most, a temperature measurement without any documentation of the results and without retaining or being able to match any of the data to a specific person afterwards, would not fall under the regulation for personal data. As infrared cameras would save the recorded footage and allow a (later) personal identification, the use of these cameras would always generate personal data.

If the people whose temperature is to be measured are employees of the company, such measurement procedures for the purposes of employment can only be justified under § 26(3) sentence 1 of the German Federal Data Protection Act (“FDPA”), i.e. if they are necessary, firstly, for the exercise of rights or to fulfill legal obligations arising from employment law, social security law and social protection. Secondly, there must be no reason to believe that there are overriding reasonable interests of the data subject against the taking of measures such as “forcible” temperature measurements.

The German federal commissioner for data protection and freedom of information generally sees Article 9(2)(b) GDPR in conjunction with § 26(3) FDPA as a justification for processing medical personal data at the workplace to protect against the coronavirus. However the individual action still is still subject to closer examination regarding proportionality.

For several reasons, these requirements under § 26(3) FDPA are not met in the case of automated temperature measurement: Even assuming that an employer would be obliged to identify an infected employee or to protect other employees from infection by already affected workers for welfare reasons, the measurement of temperature is such an inappropriate type of measure to achieve these purposes that the employer would be allowed to forcibly take measurements and record the measurement data thus generated: in fact, people infected with the coronavirus do not necessarily have a fever, according to data from the Robert-Koch-Institute, less than half of German corona cases reported a fever. So the measurement of temperature will not result in a clear identification of fomites. In addition, fever is generally only a symptom of inflammatory processes in the human body, so an increased body temperature detected does not necessarily indicate coronavirus infection. Finally, due to the incubation period of up to 14 days, a person, even if suffering from a feverish attack of coronavirus, has possibly been an unidentified fomite for a long time beforehand. Temperature measurements are therefore not a suitable means of unambiguously detecting coronavirus infections and do not meet the criterion of necessity in § 26(3) first sentence FDPA. The lack of unambiguousness of temperature checking is therefore a key aspect of evaluation in the balancing of interests to be done pursuant to § 26(3) first sentence FDPA. It ought to be evaluated whether there are any less interventionist measures apart from the “forcible” measurement of temperature which could be equally capable of fulfilling the employer’s duty of care and which take equal or better account of the reasonable interests of the employees concerned. In particular, surveying employees about coronavirus-specific symptoms, especially upon their return from risk areas, or questionnaires, or voluntary temperature measurement either by employees themselves or an (occupational) doctor could be considered.

Annex 1 of the manual published by the German Federal Office of Civil Protection and Disaster Assistance on in-company preparation for a pandemic recommends that the employer should purchase and have available infrared ear thermometers for temperature checks as part of the employer’s entry checks. This recommendation could be cause for consideration that in the current situation of an officially announced pandemic, in which also the national pandemic plan applies, temperature checks could be regarded as a meaningful measure as part of the entry checks to workplaces. But even this recommendation (now some 10 years old and published before the implementation of the GDPR or specific symptoms of COVID-19) from the Federal Office of Civil Protection and Disaster Assistance, just like the employer’s duty of care under the employment contract and laid down in §§ 3 and 4 of the German Occupational Safety Act (ArbSchG), does not necessarily mean that it would also be permissible for the employer to carry out compulsory temperature checks if there are less interventionist measures available for the employee, such as measurement by an (occupational) doctor or their medical staff who are subject to medical secrecy, or questioning employees about coronavirus-specific symptoms. On the contrary, even in these times of the coronavirus, the employer has no right in principle to know what an employee is suffering from. However, if protective measures have to be taken in companies due to the high risk of infection, as an exception, employees must inform their employer of the type of illness based on their fiduciary duty in their employment contract. This obligation to provide information can be supported by the employer via various measures, such as information campaigns, or setting up a hotline for advice and for reporting notifications of illness or suspected illness, etc. The employer is therefore faced with the task of dealing with the conflict between the duty of care on the one hand and the rights and freedoms of employees in the field of data protection and personal rights and freedoms on the other. However, since it has less strict means of intervention in the rights and freedoms of employees in the exercise of the duty of care, there is a high risk that a data protection authority arrives at the opinion that the employer is not allowed to take action itself and undertake medical examinations or enquire about medical history. Some data protection authorities in other EU countries have also taken this position, such as those in France, the Netherlands, Belgium, Luxemburg and Italy.

In Italy, where the COVID-19 crisis is severely worse than in Germany and the „11 March Decree” delegated the task of establishing appropriate health and safety plans for personnel who are still working in factories and offices to employers, and specifically allowed temperature screenings, employers shall either involve an H&S physician (medico competente) or appoint a service provider to carry out temperature screenings. The legal grounds for this would be Articles 6(1)(c) and 9(2)(b) GDPR, due to the Italian Decree. even with the Decree the measures are intentionally milder in comparison to the employer himself processing the medical data of his employees.

Also within Germany e.g. the Commissioner for Data Protection of Baden-Württemberg has already expressed his opinion, and joins the aforementioned countries stating that the employer must not take it upon himself to enquire or examine in regard to medical data.

The recommendation in the manual issued by the Federal Office of Civil Protection and Disaster Assistance is to be understood as stating that the employer should only have infrared ear thermometers at the disposal of the employees or the (occupational) doctor and their specialized staff for their own temperature checks. Even the World Health Organization (WHO) does not provide for temperature measurement by employers or recommend this measure in its guidance.

Even if the company operates in the area of food production, this leads to no other assessment. According to the published advice of the Robert Koch Institute, coronaviruses are transmitted primarily by secretions of the respiratory tract. If these infectious secretions reach the hands, which then touch a person’s face, infection is more likely. However, virus transmission via inanimate surfaces has not been documented so far. An infection with coronaviruses from surfaces not in the direct environment of a symptomatic patient, such as imported goods, post or luggage, therefore appears unlikely. Thus, also from that perspective, measuring body temperature is not an appropriate measure for protecting food production.

For visitors of the workplace, who are not employees of the company, the German Federal Commissioner for Data Protection stated that the exception of Article 9(2)(i) GDPR in conjunction with § 22(1)(1)(c) FDPA which allows the processing of special categories of personal data for reasons of public health interests, like the protection from major international health risks. Since the classification of the corona virus as a pandemic by the WHO, a justification for processing medical data may be possible. However it would also not be justified, due to the inappropriate nature of taking temperature to prevent the spread of COVID-19.

Of the possibilities provided for in Article 9(2) of the GDPR for national legislators in the EU Member States to adopt specific laws to protect against epidemics/pandemics and to legitimize the collection and further processing of health data by companies for this purpose, the German legislator has not yet made sufficiently clear that this confers legitimacy on the automated measurement of temperature of visitors with the clarity which is particularly necessary in relation to external parties. In this respect, less interventionist measures should therefore be implemented to comply with the general principle of accountability set forth in Article 5(2) GDPR.

A systematic serial survey of all employees for relevant illnesses of the employees themselves which, as “pre-existing conditions”, would immediately place them in a particularly high-risk group in the event of an infection, cannot be legitimized under § 26(3) FDPA. This applies all the more so to a systematic serial survey by the company of all employees regarding illnesses among their family members, for which there is no legal basis provided by Article 9(2) GDPR or the national legislation based upon it.

The German Federal Commissioner for Data Protection and Freedom of Information mainly sees a justification for data collection in regard to known cases or risk areas. And even this data has to be treated confidentially, and deleted after the purpose for collection (the end of the pandemic) has ceased.

In order to check employees and other visitors, the only option would be obtaining consent before they pass the temperature checking devices. However, under privacy law this comes with different content-based and formal criteria, which can only be fulfilled with a great deal of effort by measurement on the edge of factory or office premises. However, the data protection supervisory authorities might especially not consider that employees and other visitors of a premise have voluntarily given consent, since they have no other option in the specific situation of entering the premises except for having their temperature checked. Yet the voluntary nature is essential for a consent to be valid.

If employees in the establishment concerned have set up a works council, a works council agreement on temperature measurement could be drawn up. Such a works council agreement may form a legal basis for the collection and processing of personal data in accordance with § 26(4) first sentence FDPA. However, a works council agreement can never replace the individual consent of the data subject, since the mandate of a works council does not include the authority to decide on the strictly personal rights of the employee, in particular the right to the self-determination of information. A works council agreement allowing employees to have their temperatures measured would thus be unlawful.

A breach of applicable data protection laws is an administrative offence that can be subject to fines from the competent data protection authority of up to €20 million or 4% of the global group turnover of the previous year, whichever is higher. The extensive list of decision-making and assessment criteria in Article 82(2) GDPR allowed data protection supervisory authorities to take due account of the particular conflict between employee and visitor care obligations on the one hand and data protection on the other, which companies are currently facing, and to refrain from imposing fines in favor of a greater emphasis on supervisory measures (Article 58 GDPR). Damages for pain and suffering by the data subject under Article 82(2) GDPR would also be theoretically possible, although it is currently completely open as to how they would be measured. Criminal sanctions under § 42(2) FDPA appear to be unlikely, as the company receives no payoff and has no intention of enrichment.