The investigation revealed that the two surveyed employers, including a multinational, process the health data of their employees. That was not allowed at these companies on the basis of the GDPR. It has not been disclosed which companies are involved.
Body temperature is a personal data if the temperature can be traced back to a specific person, and that was the case with both organizations. They were able to find out who has a normal or too high temperature. Body temperature is also a health issue, for which stricter rules apply in the privacy law. The processing of special personal data is usually prohibited. A possible exception applies if someone gives explicit permission, which one of the two companies did – yet that permission was not valid according to the AP.
AP vice-president Monique Verdier says people should be able to freely give consent and that employees will often feel pressured to give consent. That permission should therefore not have any adverse consequences, but the company that requested permission would not allow refusing employees to enter.
Soon after the outbreak of the virus, the AP says it received many questions and complaints about temperature measurements in the catering industry, shops, factories and offices. The AP then decided to focus primarily on measuring body temperature in the workplace.
Verdier: “The AP understands that employers want to take measures to limit the risks of the coronavirus, but the measures must remain within the boundaries of the law. Employees are not always in a position to refuse the measurement. That is why the AP has decided to investigate this. “