COVID-19: Temperature checks and diagnostic tests – new guidelines from the Portuguese supervisory authority (CNPD)
Data Protection Alert Portugal
On November 13, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) issued guidelines on the processing of health data regulated under Decree no. 8/2020, dated November 8. The guidelines address, in particular, the processing of health data carried out within the scope of (i) body temperature measurements in controlling access to workplaces, services or public institutions, education and commercial establishments, cultural or sports spaces, means of transport, residential buildings, healthcare establishments, prison establishments or centers of education and (ii) the performance of SARS-CoV-2 diagnostic tests on the data subjects listed in the aforementioned decree.
CNPD considers that “articles 4, 5 and 7 of Decree nº 8/2020 do not establish appropriate and specific measures for the defense of the rights and interests of those subject to body temperature checks or to the obligation of doing diagnostic tests”. It therefore considers that, in order to comply with the GDPR, companies (data controllers) must adopt the following measures:
Checking body temperature
i. They must “bind the employee performing the temperature check to a specific confidentiality duty, through an agreement or independent declaration”;
ii. They must “define and execute the procedures following the detection of a case of a temperature of 38º C or more, guaranteeing and ensuring discretion and dignity in the treatment of the person being checked”.
Performing SARS-CoV-2 diagnosis tests
i. They must “guarantee that it is a healthcare professional, subject to the obligation of professional secrecy, who performs the diagnosis tests”;
ii. They must “define and execute the procedures following the detection of a positive result, guaranteeing and ensuring discretion and dignity in the treatment of the person being tested”.
Failure to comply with these measures may constitute, in particular, a violation of the obligations foreseen in article 9 (1) (i) of the GDPR, subject to administrative fines of up to €20,000,000.00 or, in the case of a company, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.