Commissioner for Personal Data Protection on Thermal Cameras

The Commissioner for Personal Data Protection has reverted with regards to the use of Thermal Cameras as follows:

“In the context of COVID-19, the Office of the Personal Data Protection Commissioner receives, on a daily basis, questions regarding the legality of the installation and operation of various applications and measures such as the use of thermal cameras in workplaces, supermarkets and public places.

The following are clarified:

  • In any case the use of applications and measures must have a legal basis. The use of application and measures which necessitates the use of special categories of personal data such as Health Data is allowed only if it obeys the principles of Scope Limitation and Data Minimization and the provisions of Article 9(2) of the General Data Protection Regulation (GDPR) which by exception allow the processing of such data.
  • Regarding the use of thermal cameras, it is noted that there are different types and not all of them work in the same way. Therefore, the persons responsible, before making a decision, should know exactly the technical capabilities they have and what data the cameras they intend to install will collect.
  • The Data Protection Authorities, through their collective body, the European Data Protection Board , express the view that it is understandable and justified to use some measures that will contribute to the fight against the pandemic, as long as they are in accordance with GDPR. However, the pandemic should not be an occasion for the use of applications that blatantly violate the privacy and privacy rights of citizens.
  • With regard to applications under COVID-19, which are “downloaded” to mobile phones and other smart devices, the Data Protection Council has issued Guidelines which are available on its website. Data processing experts responsible for using such applications should read these Guidelines carefully.
  • These Guidelines outline, among other things, the need for a legal basis and compliance with the Basic Principles of GDPR, and explain that data subjects must receive transparent information on the purposes of the processing and the retention time of their data. The information must be easily accessible and understandable. There should also be appropriate security measures and policies to ensure data confidentiality. The need to use such applications must be duly substantiated.”

Further and additional new information from the EDPB can be found HERE.