Below we present a summary of the Polish Data Protection Authority’s (the “Polish DPA”) recently published guidance on screening the temperature and health data (symptoms) of employees and guests entering employers' premises, in order to support employers in protecting their businesses and people (the “Guidance”).
The Guidance is available here in Polish only.
Currently, many businesses are struggling to ensure the health and safety of their employees and guests while also complying with data protection standards. As more and more employees are returning to work, the question is whether the employer may screen their body temperature (either with standard thermometers or more sophisticated technologies, such as thermal cameras), or collect questionnaires about their potential COVID symptoms.
As an employer, can I screen an employee’s body temperature or gather health data (symptoms) about employees and other persons?
Yes, employers may collect and store temperature readings or questionnaires with health data.
According to the Guidance, such actions can be undertaken if the sanitary authorities have issued an appropriate decision (in cases of individual employers), guidelines or recommendations.
What are the legal grounds for processing temperature data or other health data (symptoms) in Poland?
Under the Guidance, collecting, recording and sharing body temperature or other health data constitutes processing of special categories of personal data.
The Polish DPA has stated that data protection law does not oppose processing of such data. Article 9(2)(i) GDPR should apply as processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. However, this requires a separate legal basis in Polish law which provides for suitable safeguards of the rights and freedoms of the data subject.
Under Article 17 of the Act on Specific Solutions Related to the Prevention and Combating COVID-19 of 2 March 2020, the Chief Sanitary Inspector (or regional sanitary authorities) may order specific measures (by way of guidelines, recommendations or decisions) that are addressed to employers, entrepreneurs, other entities and individuals and are aimed at preventing the spread of COVID-19.
It is up to the sanitary authorities to decide which specific measures are necessary (e.g., temperature readings of employees and guests entering the premises or collecting data on health symptoms).
If such a decision is issued, employers will be obliged to comply. The decision constitutes legal grounds for processing health data. So far, we are aware of only one such decision issued in relation to a production facility.
The Polish DPA seems to imply that sanitary authority recommendations may also serve as a legal basis for processing health data. Although such an interpretation may be questionable from a legal perspective, from a practical perspective this may prove to be beneficial for entrepreneurs.
On 13 May, the Sanitary Authority published a list of guidelines published earlier by other ministries, stating that they have been prepared in cooperation with the Sanitary Authority. Currently there are over 55 guidelines published and the number is growing daily.
Given the Polish DPA’s position, it is important to closely follow the guidance published by the sanitary authorities and other ministers to identify a legal basis for processing health data.
Unfortunately, this is not an easy task, as the Guidelines are difficult to find (being located on various ministry websites) and are also inconsistent and unclear.
The Guidelines are not consistent on why only certain sectors are allowed to measure their employees’ temperature and collect information about the lack of COVID symptoms (e.g., hairdressers, beauty salons), whereas other employers are not allowed to do so.
Can I ask employees for consent to read their temperature instead of waiting for the sanitary authorities' actions?
According to the Polish DPA, no.
Employees' consent (under Article 9(2)(a) GDPR) cannot constitute a valid legal basis, as consent should not apply to processing where there is a clear imbalance between the data subject and the controller (as in the employer–employee relationship).
However, the sanitary authorities say (in the guidelines for hairdressers and beauty salons) that employers may take temperature readings of employees, but need to have the employee’s consent. Therefore, it seems that the sanitary authorities do not refer to the GDPR standard of consent, but rather to consent in the labour law meaning.
The obvious discrepancy between the Polish DPA's and the sanitary authorities' position creates confusion.
Are there any additional obligations the employer may need to consider when introducing temperature readings or health questionnaires?
The employer who introduces temperature readings and other specific measures to prevent the spread of COVID-19 needs to update its privacy notices provided to the employees and other individuals entering the employer’s premises.
These should specify the employer, the purposes of the data processing, the duration of the storage of data, the scope of data, and the legal basis for such processing.
The employer should also consider updating its record of processing activities and conducting a data protection impact assessment.