It seems that gradually different countries are trying to implement a plan for the transition to a "new normality”. In some of them, a wide range of measures have been implemented to prevent new infections of Covid-19.
Among these measures, numerous organisations have decided to take individuals’ temperature in a variety of environments, and it seems the result may condition their access to work and educational centres or even shops, among other establishments.
The Spanish Data Protection Authority, the AEPD, has made an announcement pointing out that the criterion for taking the temperature should be always established by the competent health authority and not, for example, by the owner of the establishment.
Furthermore, the AEPD adds that the proportionality of such measures shall be assessed and emphasises that the temperature which a person would be considered to be infected with Covid-19 should be established on the basis of scientific evidence.
In relation to the applicable legal basis, the Authority confirms that consent would not be valid, as it cannot be freely given, therefore controllers may need to seek an alternative legal basis to rely on for this processing. In particular, in the work environment, employers may rely on the legal obligation to ensure the safety and health of employees in work-related aspects. Also, it may be necessary to meet one of the conditions of Article 9 GDPR as the check results would be health data.
In addition, the ICO has recently issued guidance for employer regarding workplace testing and it has indicated that “as long as there is a good reason for doing so” health data related to Covid-19 can be processed. In this respect, the ICO determines that on one hand, public authorities may rely on public task as their legal basis and, on the other hand, private employers may rely on legitimate interests if they have previously conducted a legitimate interest assessment and an applicable condition set out in Article 9 GDPR has been identified.