Court of Appeal of Brussels - 2022/AR/556: Difference between revisions
No edit summary |
No edit summary |
||
| Line 86: | Line 86: | ||
}} | }} | ||
The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine an airport for several GDPR violations. The DPA had previously fined the controller for the use of temerature scanner on the airport as a means of discovering potential COVID-19 infections. The Court only decided to | |||
== English Summary == | == English Summary == | ||
| Line 93: | Line 93: | ||
In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provsions, which reuslted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers suspected to be infected by COVID-19 after this second check, wer were asked to leave the airport and were not allowed to board their plane. | In its [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 decision 47/2022], the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provsions, which reuslted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers suspected to be infected by COVID-19 after this second check, wer were asked to leave the airport and were not allowed to board their plane. | ||
For more information on this decision, see the original decision and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. | For more information on this decision, see the original decision and the [https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_47/2022 GDPRhub summary]. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The protocol that the controller was using for its legal basis was not legally binding according to the DPA. | ||
The controller appealed the decision on several grounds, among others that the DPA had no jurisdiction to decide on the issue, that the DPA had missued its powers to investigate, that the DPA was not independent / impartial enough and that the fine issued by the DPA was not proportionate. | |||
=== Holding === | === Holding === | ||
<u>Non - GPDR related arguments</u> | |||
The court first decided that it had jurisdiction to annul or to reform the the contested decision ('''19'''). | |||
Contrary to what the controller had argued, there was also no lack of independence or impartiality at the side of the DPA. The controllers critisism was not targeted towards the DPA as a whole, but towards the legallity of the appointment of certain external membersof the knowledge centre. The court stated that these external members were not at any point invloved in the litigation chain. | |||
The court also determined that the DPA did not misuse its powers. According to the controller, the missue of powers was appearent from the DPA's choice to publish the decision in a non-anonymous manner. The controller also provided other indications, but the Court deemed the controllers arguments to be 'obscure' and decided not to examine htis argument by the controller any further. The court did not determine that there was a missue of powers. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA. | |||
<u>GDPR related arguments in relation with the proportionallity of the fine</u> | |||
''Lack of motivation and proportionality'' | |||
The controller had argued that the DPA did not properly apply the criteria described in Article 83 GDPR and had not consulted the EDPB Guidelines regarding Article 83 GDPR. The controller specifcally stated that the DPA should have paid more attention to the unintentional nature of the violation, the absence of previous offences by the controller, the exceptional circumstances of the pandemic and the fact that the fine was clearly overvalued when taking into account Article 83 GDPR and the EDPB Guidelines regarding this Article. | |||
''Is the aviation protocol a valid legal basis'' | |||
In contrast with the assessment of the DPA, the controller had argued that the aviation protocol was a valid legal basis for its processing. According to the controller, this protocol specified the sanitary measures that had to be implemented in airports specifically. | |||
== Comment == | == Comment == | ||
Revision as of 15:33, 18 January 2023
| Court of Appeal of Brussels (Belgium) - 2022/AR/556 | |
|---|---|
 | |
| Court: | Court of Appeal of Brussels (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 9(2)(i) GDPR Article 12(1) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 30(1) GDPR Article 30(1)(d) GDPR Article 35(1) GDPR Article 35(7) GDPR |
| Decided: | 07.12.2022 |
| Published: | 09.01.2023 |
| Parties: | |
| National Case Number/Name: | 2022/AR/556 |
| European Case Law Identifier: | |
| Appeal from: | APD/GBA (Belgium) 47/2022 |
| Appeal to: | |
| Original Language(s): | French |
| Original Source: | GBA (in French) |
| Initial Contributor: | n/a |
The Belgian Court of appeal of Brussels largely upheld a decision by the Belgian DPA to fine an airport for several GDPR violations. The DPA had previously fined the controller for the use of temerature scanner on the airport as a means of discovering potential COVID-19 infections. The Court only decided to
English Summary
Facts
In its decision 47/2022, the Belgian DPA (DPA) had determined that the Brussels South Charleroi Airport (controller) had violated several GDPR provsions, which reuslted in a fine of €100,000. The controller had monitored passengers' temperature using thermal cameras between June and March 2021. All passengers with a temperature over 38°C were requested to have their temperature measured again by a medical service. Passengers suspected to be infected by COVID-19 after this second check, wer were asked to leave the airport and were not allowed to board their plane.
For more information on this decision, see the original decision and the GDPRhub summary. In short, among other violations, the DPA determined that the controller processed health data without a legal basis. The protocol that the controller was using for its legal basis was not legally binding according to the DPA.
The controller appealed the decision on several grounds, among others that the DPA had no jurisdiction to decide on the issue, that the DPA had missued its powers to investigate, that the DPA was not independent / impartial enough and that the fine issued by the DPA was not proportionate.
Holding
Non - GPDR related arguments
The court first decided that it had jurisdiction to annul or to reform the the contested decision (19).
Contrary to what the controller had argued, there was also no lack of independence or impartiality at the side of the DPA. The controllers critisism was not targeted towards the DPA as a whole, but towards the legallity of the appointment of certain external membersof the knowledge centre. The court stated that these external members were not at any point invloved in the litigation chain.
The court also determined that the DPA did not misuse its powers. According to the controller, the missue of powers was appearent from the DPA's choice to publish the decision in a non-anonymous manner. The controller also provided other indications, but the Court deemed the controllers arguments to be 'obscure' and decided not to examine htis argument by the controller any further. The court did not determine that there was a missue of powers. It specifically mentioned that the decision to publish the decision was well reasoned by the DPA.
GDPR related arguments in relation with the proportionallity of the fine
Lack of motivation and proportionality
The controller had argued that the DPA did not properly apply the criteria described in Article 83 GDPR and had not consulted the EDPB Guidelines regarding Article 83 GDPR. The controller specifcally stated that the DPA should have paid more attention to the unintentional nature of the violation, the absence of previous offences by the controller, the exceptional circumstances of the pandemic and the fact that the fine was clearly overvalued when taking into account Article 83 GDPR and the EDPB Guidelines regarding this Article.
Is the aviation protocol a valid legal basis
In contrast with the assessment of the DPA, the controller had argued that the aviation protocol was a valid legal basis for its processing. According to the controller, this protocol specified the sanitary measures that had to be implemented in airports specifically.
Comment
Similar temperature checks were performed at Brussels Airport. This was the subject of a separate (Dutch) decision of the DPA (48/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/560 & 2022/AR/564). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Brussels Court of Appeal -2022/AR/556 p. 2
IN REASON OF:
The SOCIÉTÉ ANONYME BRUSSELS SOUTH CHARLEROI AIRPORT (ei-after “CHARLEROI
AIRPORT"), whose registered office is located at rue des Frères Wright 8, 6041 Charleroi, registered with the
Crossroads Bank for Enterprises at number 0444.556.344,
Applicant port,
Having as counsel, Me Frédéric DECHAMPS, Lawyer at the Brussels Bar, whose Iecabine is located
[...] .
AGAINST:
THE DATA PROTECTION AUTHORITY, whose registered office is located at rue de la presse 35, at 1000
Brussels, registered with the Banque Carrefour des Entreprises at number 0694.67 9.950, represented by
Chairman of its Management Committee,
Portie opposite,
Having as counsel My Evrard de Lophem, Grégoire Ryelandt and Clara Delbruyère, lawyers, including
office is located [...]..
Having regard to the pleadings and in particular:
decision 47/2022 of April 4, 2022 of the Litigation Chamber of the Authority of
Data Protection (hereafter "the Impugned Decision");
the motion filed by the court registry on May 3, 2022;
The timetable for the exchange of submissions recorded by the Court at the introductory hearing of 18
May 2022;
the conclusions of CHARLEROI AIRPORT of September 28, 2022;
the summary conclusions of the DPA of October 26, 2022;
the records of exhibits filed by the parties;
r PAGE 01- □0□□ 3026574- □□□ 2-□□ 34-□6- □1- ;i
L_J
- Court of Appeal of Brussels (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(a) GDPR
- Article 6(1)(c) GDPR
- Article 6(3) GDPR
- Article 9(2)(i) GDPR
- Article 12(1) GDPR
- Article 13(1)(c) GDPR
- Article 13(2)(a) GDPR
- Article 13(2)(d) GDPR
- Article 13(2)(e) GDPR
- Article 30(1) GDPR
- Article 30(1)(d) GDPR
- Article 35(1) GDPR
- Article 35(7) GDPR
- 2022
- French
