From the beginning of the Coronavirus crisis (COVID-19)different customers of the company consulted us if they could take the temperature of employees and visits to prevent possible contagion and access to the facilities.
The Legal Cabinet of the Spanish Data Protection Agency has spoken in this regard, and in the circumstances in which OMS has declared COVID-19 as a pandemic, the processing of health data (such as temperature intake) would be legitimized.
The key points of the report
Health protection, the first thing
“Similarly, and in accordance with the provisions of occupational risk prevention regulations, and occupational medicine, employers may, in accordance with these regulations and with the guarantees established by these rules, treat the data of their employees necessary to ensure the health of all their employees, including other employees other than the data subject , to ensure its right to health protection and prevent contagion within the company and/or workplaces.”
Another key to the report is the Recital (54), in which GDPR is clear, when it states that:
“The processing of special categories of personal data,without the consent of the data subject, may be necessary for reasons of public interest in the field of public health. Such processing should be subject to appropriate and specific measures to protect the rights and freedoms of natural persons. […] This processing of health-related data for reasons of public interest should not result in third parties, such as entrepreneurs, insurance companies or banks, processing personal data for other purposes.”
-Recital 46 is also interesting:
“The processing of personal data should also be considered lawful where necessary to protect an essential interest for the life of the data subject or that of another natural person. In principle, personal data should only be processed on the basis of the vital interest of another natural person where the processing cannot be manifestly based on a different legal basis. Certain types of treatment may respond to both important public interest and the vital interests of the data subject, such as when treatment is necessary for humanitarian purposes, including epidemic control and spread, or in humanitarian emergencies, especially in the event of natural or human disasters.”
At GlobalSUITE Solutions we have a consulting and auditing team, composed of both legal professionals with extensive knowledge in the applicable GDPR regulations,as well as technical professionals specialized in the implementation of the GDPR and the conduct of audits in the field.