COVID-19 and GDPR: The use of thermal cameras and other applications

07 May 2020
The Cyprus Commissioner for the Protection of Personal Data has released an announcement regarding the legality of installation and use of thermal cameras and other applications in workplaces, supermarkets and other places accessible to the public as a result of the efforts to fight COVID-19.    

Thermal Cameras
The Cyprus Commissioner noted that the processing of special categories of personal data, such as health data, may only take place provided that one of the justifiable legal bases is satisfied and the principles of data minimisation and limitation of purpose are applied.

According to the European Data Protection Board, the use of thermal cameras is understandable and justifiable as a mechanism against the fight of a pandemic such as COVID-19, provided that the GDPR is applied. The Cyprus Commissioner states that there are many kinds of thermal cameras and each controller, before deciding to use them, must know exactly their technical abilities and what data they collect.

Geolocation/other tracking tools
The Cyprus Commissioner directed to the guidelines issued by the European Data Protection Board on geolocation and other tracing tools in the context of the COVID-19 outbreak. These guidelines aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:

1. using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
2. using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.

The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.

It is noteworthy that many Member State supervisory authorities were called by their governments or other relevant parties to issue opinions on such matters. For example, CNIL, the French supervisory authority, issued an opinion on “StopCovid” mobile application project which aims to alert people who have downloaded the application that they have been near people diagnosed with COVID-19 and who have the same application. As the use of the application will be voluntary by data subjects, application can be deployed, in accordance with the GDPR, if its usefulness for managing the crisis is sufficiently proven and if certain guarantees are provided. In particular, its use must be temporary and the data must be kept for a limited period.

The Greek and Spanish supervisory authorities have also issued general guidelines as a result of the COVID-19 since despite that the fight of COVID-19 is the main goal in this period of uncertainty, the importance of maintaining the same level of data protection is also shared by everyone. 

Prior measures
Despite the need for urgent measures to be taken, it must be stressed that if a controller intends to use thermal cameras or any tracking tools, a Data Protection Impact Assessment (DPIA) must be carried out prior to their installations and data protection safeguards must be implemented according to the outcome of the DPIA. Additionally, the Record of Processing Activities and all controller’s internal and external policies shall be amended to reflect the new processing activities. For example, the Privacy Notice shall be amended to inform data subjects, amongst others, of the legal basis of the new processing activities, how their data are being used and for how long.

Privacy Minders can assist businesses to tackle data protection issues emerging out of Covid-19 and support them in reaching or maintaining GDPR compliance during these challenged times.

GDPR Success: Commissioner fines newspaper for disclosing Turkish Cypriot property holders
Navigating the Digital Advertising Landscape: Latest Developments and Strategies for Success
Ireland’s DPC imposes a record GDPR fine of €1.2 billion for Meta's EU-U.S. data transfers
MEPs rejected the EU- U.S. Data Privacy Framework
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 99 470 484

Click here to Subscribe