Belgian DPA issues guidance on body temperature testing
On 5 June the Belgian Data Protection Authority (DPA) published new guidelines regarding the testing/measuring of the body temperature of data subjects. The DPA considers the temperature of a natural living person to be a special category of personal data (i.e. health data) which in principle is prohibited to be processed unless one of the exceptions under Art. 9.2 of the General Data Protection Regulation 2016/679 (GDPR) applies.
In its guidance the DPA makes the following distinctions between 3 different situations to clarify if the measuring of the body temperature falls within the scope of the GDPR:
- Mere reading of the body temperature without any recording of the temperature
The mere reading of the body temperature on a classic thermometer without recording this in a file will not be considered as an activity involving the processing of personal data and falls outside the scope of the GDPR. Also, the consequences that are associated with the body temperature (i.e. refusing access to the premises due to (1) a high temperature (i.e. fever) or (2) the refusal of a temperature check by the data subject) fall outside the scope of the GDPR under the condition that no additional registration of personal data (including the consequences) has taken place.
- Reading of the body temperature including the recording of the temperature in a file
When the body temperature of a data subject is recorded in a file, this recording will be considered as an activity involving the processing of personal data (i.e. health data) and falls within the scope of the GDPR. Therefore, the recording of the body temperature of a student or an employee in his/her student/personnel file is forbidden since no lawful processing ground is currently available.
- Advanced electronic measuring techniques of the body temperature
Moreover, the GDPR is not only applicable when personal data is being recorded but also if the processing of personal data takes place in an advanced digital manner, which is the case when automatic (or remote) means are being used. The GDPR states that processing means any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means (Art. 4.2 of the GDPR).
Therefore, advanced digital thermometers, heat scanners or other automatic means that measure the body temperature of a data subject are considered to be an activity involving the processing of personal data, in particular health data, and are consequently prohibited.
To conclude, the DPA has stated that the mere reading of the body temperature falls outside the scope of the GDPR, under the condition that the body temperature and consequences are not being recorded. However, as soon as there is a (i) recording in a file or (ii) a fully or partially processing operation by automated means of the body temperature, the GDPR does apply and the data controller needs to respect all principles of the GDPR (i.e. lawfulness, transparency, data minimization, etc.).
The DPA clearly states that consent will, in most cases, not be considered to be an appropriate processing ground for the processing of the body temperature, since this consent will not be freely given especially in a labor context.
Since there is currently no specific and clear lawful basis to process the health data (by a law or collective labor agreement), data controllers are not allowed to:
- record the body temperature of the data subject in a file;
- record consequences related to the body temperature of the data subject in a file (i.e. for example no access to the building); or
- record the body temperature via advanced electronic devices such as: an advanced digital thermometer, heat scanner or other automatic means that measure the body temperature.
The above guidelines remain subject to future modifications and amendments by the DPA.
If you have any questions regarding the testing of body temperature or regarding the earlier published general COVID-19 guidelines and principles of the DPA, please do not hesitate to contact us.
 COVID-19 Tax & Legal update: Legal aspects to consider when processing personal data.