Under Sections 101 and 102 of Act No. 262/2006 Coll., Labour Code, which regulate the prevention of threats to life and health at work and mandate that employers create a safe and non-hazardous working environment, it is generally possible to measure the temperature of people in the workplace. Besides employees, this obligation also applies to everyone who enters the employer’s workplace (e.g. repairmen, cleaners, drivers, couriers, business partners, etc.).
Of course not all body temperature measurement is automatically considered personal data processing. Measuring the temperature of employees or other persons entering the workplace falls under personal data processing and protection only if the employer records the measurements and processes this data further in connection with other data that could identify the person whose temperature was measured (typically the person’s name). For example, it will not be considered personal data processing if the measurement is used only to determine if the person will be allowed to enter the workplace and is not further recorded or stored.
According to the Czech Data Protection Authority, if the temperature measurement will be subject to further personal data processing, the following rules apply:
- such data processing is based on a legitimate interest of the employer within the meaning of Article 6 (1) f) in connection with Article 9 (2) b) GDPR, which allows the processing of health data to exercise special rights in the field of labour law and helps the employer to meet its obligations in preventing threats to life and health in the current exceptional conditions, including contacting medical personnel;
- the necessity of the body temperature measurement and related personal data processing, even if limited to determining the state of health, must be continuously assessed by the employer as the data controller, especially in terms of the nature of the workplace, the number and concentration of workers or other persons present in the workplace, and the current development of the pandemic;
- following the end of the state of emergency these measures will likely no longer be justifiable and their reintroduction could only be considered if such a situation were to reoccur.
We would also like to remind you that even personal data processing during the state of emergency must comply with all the principles and other obligations stipulated for it, such as the purpose limitation principle (personal data cannot be processed for other purposes that are incompatible with the initial purpose), data minimisation (personal data must be limited to what is necessary in relation to the purposes for which they are processed) or storage limitation (storing data for the necessary time only).
This document is only general communication and is not a legal advice in a specific matter.