CORONA GUIDELINES DUTCH DATA PROTECTION AUTHORITY

Now that the corona peak seems to have passed, more and more organisations and companies are starting to get back on track. However, the start-up of daily activities is also accompanied by a new way of dealing with these activities. After all, the fear is still present among the population and nobody wants to see a second peak in the coming months. Because of this, a lot of questions have arisen with regard to taking temperatures of employees, customers, visitors and how education should proceed in times of uncertainty. We briefly summarise for you the guidelines of the Personal Data Authority.

Taking temperature

As an organisation, you have probably already thought of various ways to keep corona or COVID-19 out of your organisation. The recording of temperatures, and then refusing or giving access, is one of the most suggested techniques in this debate. Whether this is really THE solution is questionable. On the one hand, the recording of temperatures is not a certainty for the detection of corona (the RIVM has confirmed that only a small part of infections involves an increase) and, on the other hand, this is not permitted because of the processing of health data during this process. This is something that is very strictly controlled by the GDPR and also by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The GDPR will not apply when the temperature is read and nothing else is done with it (no registration or processing in an automated system). As soon as the temperatures are stored or give or deny access, it is not allowed to do so. You can, however, give your employees, visitors and customers the opportunity to measure their temperature themselves. Besides that, the recording of temperatures is additionally protected by other fundamental rights. Thus, the best decision seems to be not to proceed with temperature recording, but to take other precautions.

When the person concerned gives his/her explicit consent for the measurement of his/her temperature, it is allowed. However, this is subject to the additional condition that it must be freely given. In an employment relationship this is not allowed.

Employees

Not allowed (even with permission)! Only the company doctor may carry out health checks.

Visitors

Not allowed (even with permission)!

Customers

Entrepreneurs with a contact profession are not allowed to measure temperature, unless these customers give their free and explicit permission to do so. The entrepreneur must be able to prove that this permission has been given freely.

Healthcare institutions

Healthcare institutions should only process health data if this is necessary for the treatment of the patient. They may not measure temperature as access control for visitors, patients or employees.

Education

Educational institutions are gradually starting to teach pupils and students in school again. Nevertheless, many are still being taught via video calls. This means that educational institutions have a great responsibility when it comes to the processing of personal data of pupils, students and teachers. After all, they are the data controllers in the event of video calls and/or proctoring according to the GDPR. The following three requirements apply:

  • Check whether video calling or proctoring is really necessary (especially with proctoring);
  • Inform about the protection of personal data of pupils, students and teachers;
  • Establishing processing agreements, in accordance with the GDPR, with the software companies that supply the systems.

Can a school or university store footage taken during class?

The school or university may not retain this footage. It must also be ensured that the software suppliers delete this footage immediately, in order to ensure that the footage is not stored anywhere.

Can a school or university ask to install software for taking tests or exams (proctoring)?

This is only possible when really necessary and only for reasons of examination fraud prevention. The invasion of privacy must be kept to a minimum in all cases. Limiting the number of moments of proctoring and opting for the least intrusive form are extremely important in this respect. Eyetracking is excluded from these possibilities, as it is too far-reaching.

 

If you have any questions or would like to use our services to be privacy proof in times of corona, please contact us. We can ensure that you will never again have to worry about the protection of personal data within your organisation.