The Netherlands: DPA changes position – taking temperature might not be subject to GDPR

Since the COVID-19 outbreak, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) had made it clear, on several occasions, that taking temperature tests (or otherwise processing health data) as a precautionary measure in light of COVID-19 is a strict “no go”. The position of the Dutch DPA was that most individuals, in particular employees and suppliers, are in a dependent position and therefore not able to freely consent to such temperature tests given the imbalance of power. The only exception was that health data can be processed by a (company) doctor.

However, the Dutch DPA recently adjusted its guidance on temperature testing (in the form of a Q&A), which could give room for companies to engage in such temperature testing. The starting point remains strict: taking temperature tests as a measure to control access will in most cases be subject to the strict regime of the GDPR, as the measurement data is often “processed” within the meaning of the GDPR (e.g. because the measurement results are communicated to a person or registered in order to grant or deny access). Nonetheless, the Dutch DPA now admits, following its Belgian colleagues, that there might be situations where temperature tests are set up in such a manner that they do not fall within the scope of the GDPR. This is the case where the processing of personal data is not carried out “wholly or partly by automated means” or does not “form part of a filing system or are intended to form part of a filing system” (Article 2 GDPR). According to the Dutch DPA, the GDPR is not applicable in situations where the measurement results are only read off a thermometer, without storing the measurement results and without undertaking any automated processing (automated processing being the case, for example, with systems that open gates, give a green or red light or otherwise carry out actions by automated means, all as a result of measurement data).

This clarification of the Dutch DPA provides room for flexibility for companies that wish to engage in temperature tests as a protective measure in light of COVID-19. However, in order for companies to successfully carry out temperature tests outside the scope of the GDPR, they will need to carefully design their testing processes and procedures. Measures should be put in place to prevent temperature tests from somehow being captured or communicated, including setting up adequate procedures and providing training to staff. Even though the GDPR might not be applicable, the Dutch DPA states that there can still be an unjustified breach of privacy in cases where a visitor is denied access (by a security guard) whilst this is visible to the entire queue (who could subsequently draw conclusions regarding the health status of a visitor). Therefore, flexibility and creativity are required from companies in order to design the testing process in such a manner that the integrity and privacy of a visitor are guaranteed at all times during the testing process.

Ilias Abassi and Richard van Schaik