APD/GBA (Belgium) - 47/2022
From GDPRhub
| APD/GBA (Belgium) - 47/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 9(2)(i) GDPR Article 12(1) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 30(1)(a) GDPR Article 30(1)(d) GDPR Article 35(1) GDPR Article 35(7) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 04.04.2022 |
| Published: | 04.04.2022 |
| Fine: | 100000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 47/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA fined Brussels South Charleroi Airport €100,000 for carrying out temperature checks with thermal cameras on passengers without legal basis, without adequate information, and without an appropriate data protection impact assessment.
English Summary
Facts
The Brussels South Charleroi Airport (controller monitored passengers' temperature via thermal cameras between June and March 2021. All passengers with a temperature over 38°C detected by the camera had their temperature measured again manually by a medical service. Passengers suspected to be infected by COVID-19 were asked to leave the airport and were not allowed to board.
After having been alerted by the press, the Board of DIrectors have asked the inspection service of the Belgian DPA to investigate on the matter. The inspection service sent its report with the alleged violations to the litigation chamber.
Holding
The DPA issued a fine of €100,000 against the controller (0.34 % of the 2020 turnover).
Additionally, the DPA issues a reprimand for non-compliance with Article 30 GDPR.
1. Sensitive data
First, the DPA clarified that the processing of temperature of passengers via thermal cameras is a processing of sensitive data (health data) and the airport is the controller.
2. Legal basis
The DPA held that the airport relied on Articles 6(1)(c) and 9(2)(i) GDPR to process the data. Regarding Article 9(2)(i) GDPR, the DPA recognised that the the protection against COVID-19 was a matter of public interest in the area of public health. The DPA considered that no legal obligation existed since the protocol invoked by the controller to justify the processing was not legally binding and did not contain the obligation to conduct a monitoring of the temperature of the passengers. Moreover, the protocol was not precise enough regarding the purposes pursued and the circumstances of the monitoring. Additionally, it was not published and therefore not accessible to the passengers. The DPA also decided that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient.
3. Transparency principle
The DPA also concluded that transparency principle was violated (Articles 5(1)(a), 12 and 13 GDPR). The fact that thermal cameras were used was not mentioned in the privacy policy or any other document. Also, the controller cannot rely on press articles to consider that passengers were properly informed. There was not reference to the exact and precise legal basis to which the airport referred as being basis for the legal obligation to monitor the temperature of passengers. The mere fact that the legal basis was available at the official journal is not sufficient (and such publication occured after the beginning of the processing).
4. Purpose limlitation
The DPA found that the purpose was, though explained, not sufficiently and explicitly defined, finding a violation of Article 5(1)(b) GDPR.
5. Obligation to conduct a data protection impact assessment (DPIA)
The DPA agreed with the inspection service and considered that a DPIA was required prior to the start of the processing operation. The fact that there was an alleged emergency is not exception to this obligation. The DPA also concluded that the quality of the DPIA was not meeting the requirements of the GDPR since the consequences and risks for rights and freedoms for the data subjects were not mentioned. The DPA concluded that the DPIA did not assess correctly the necessity of the processing. The lack of tools provided by the DPA for DPIAs is not an excuse to have a DPIA that is not meeting the requirements of the GDPR. Consequently, the DPA found a violation of Article 35 GDPR.
6. Security and integrity of the data
The DPA did not consider that the security of the data was compromised due to the low risk of illegal access to the images. It still advised to hold the password and the login to access the images in a different document (Articles 5(1)(g) and 32 GDPR).
7. Data protection by default and data minimisation
The DPA concluded that there was no violation of Articles 25 and 5(1)(c) GDPR, since the images were deleted every day, no names of the persons were stored, and the period of storage of the images was limited to what was necessary to find a person in the airport.
8. Records of processing activities
The DPA considered that the record of prcessing activities (Article 30(1) GDPR) was not complete enough, considering that the categories of recipient were not mentioned in the record.
9. Involvement and independance of the data protectio officer (DPO)
Finally, the DPA did not share the conclusion of the inspection service that the controller's DPO was not independent enough (considering the position of the DPO in the hierarchy of the controller). The fact that the DPO needs to report every two weeks to the legal director is not incompatible with the requirement of independence, as it is accepted that a DPO has to report to a superior. However, the DPA expressed concerns regarding the suspension of the activities of the DPO due to the crisis, which could prevent the DPO from being fully involved in the in all issues relating to the processing operations of the airport. The DPA thus did not find a violation of Article 38 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/82
Litigation Chamber
Decision on the merits 47/2022 of 4 April 2022
File number: DOS-2020-04002
Subject:UseofthermalcamerasatBrusselsSouthCharleroiAirportin
the framework of the fight against COVID-19
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans,
Chairman, and Messrs. Jelle Stassijns and Romain Robert;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection
of natural persons with regard to the processing of personal data and to the free movement
of this data, and repealing Directive 95/46/EC (General Data Protection Regulation),
hereinafter “GDPR”;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of
personal data;
Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018
and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
made the following decision regarding:
.
The defendant: BSCA SA, whose head office is located at 8 rue des Frères Wright, 6041 Charleroi, registered
under company number 0444.556.344, represented by Me Frédéric Deschamps.
and Me Nathan Vanhelleputt, hereinafter: "the defendant", Decision on the merits 47/2022 - 2/73
I. Facts and procedure
1. On August 28, 2020, the Inspection Service decided to take action on its own initiative in accordance with
Article 63, 6° of the law of December 3, 2017 creating the Data Protection Authority.
2. This decision follows serious indications of the use, by the public limited company Brussels South
Charleroi Airport (hereinafter “BSCA S.A.”), thermal imaging cameras to combat the
spread of COVID-19. The decision was justified on the basis of the following elements in particular:
- Articles and publications in various Belgian newspapers and media sites referring to
thermal cameras used by BSCA S.A.;
- Frequently asked questions (FAQs) published on the website of the Data Protection Authority
data (hereinafter “APD”) concerning the control of body temperature within the framework of the
fight against COVID-19;
1
- The press release published by the APD on its website dated 17 June 2020 concerning
contacting Brussels Airport regarding the temperature control carried out by this
last ;
- The possible processing of data concerning health which, according to the terms of the GDPR, "deserves
higher protection”; 2
- The possible large-scale processing carried out;
- The importance given by the DPA to processing concerning "the use of photos and cameras
3
and “sensitive data” in accordance with its 2020-2025 strategic plan.
3. On March 18, 2021, the investigation by the Inspection Service is closed, and its report is sent by
the Inspector General to the President of the Litigation Chamber (art. 91, § 2 of the LCA).
4. The report includes findings and retains the following offences:
Finding 1: Violation of the principle of lawfulness of processing and necessity of the measure under
of articles 5.1.a, 5.1.c., 6 and 9 of the GDPR
Finding 2: Violation of the principle of limitation of the purpose of the data in accordance with
Article 5.1.b. GDPR
Finding 3: Violation of the principle of transparency and the obligation to inform
in accordance with articles 5.1.a., 12 and 13 of the GDPR:
1 Available here: https://www.autoriteprotectiondonnees.be/citoyen/controles-de-temperature-lapd-prend-contact-avec-brussels-
airport
2
GDPR, Recital 53.
3Data Protection Authority, “Strategic Plan 2020-2025”, p.23., Decision on the substance 47/2022 - 3/73
Finding 4: Violation of the obligation to carry out an impact study relating to the protection of
data before processing (violation of Article 35.1.):
Finding 5: Violation of the principle of confidentiality and the obligation to put in place
technical and organizational measures to secure the data (article 5.1.f and 32 of the
GDPR)
Finding 6: Violation of the principle of data protection by design and by default
(Article 25 of the GDPR):
Finding 7: Violation of the obligation to maintain a complete record of processing activities
Finding 8: Violation of the obligation to guarantee the independence of the Data Protection Officer
data in accordance with article 38.3. GDPR
5. On May 5, 2021, the Litigation Division decides, pursuant to Article 95, § 1, 1° and Article 98 to
the ACL, that the case can be dealt with on the merits. The defendant is informed of this by sending
recommended provisions as set out in article 95, § 2 as well as in article 98 of the LCA.
They are also informed, under article 99 of the LCA, of the deadlines for submitting their
conclusions.
6. The deadline for receipt of the defendant's submissions in response was set for June 16
2021.
7. On May 20, 2021, the defendant requested a copy of the file (art. 95, §2, 3° LCA), which was
transmitted on May 31, 2021.
8. The Defendant agrees to receive all communications relating to the matter via
electronically and expresses its intention to make use of the possibility of being heard, in accordance with
in Article 98 of the LCA. It also requests an extension of the deadline for conclusions to September 1
2021.
9. In the letter sent on May 31, 2021, the Litigation Chamber accepts a postponement of the submission deadline
er
to July 9, 2021. By email dated June 1, 2021, the defendant again requests an extension of the deadline
er
conclusions as of September 1.
10. By email from the registry of the Litigation Chamber of June 4, 2021, the concluding party is invited to conclude
for July 23, 2021.
11. On July 23, 2021, the Litigation Chamber received the defendant's submissions in response.
12. On September 6, 2021, the parties are informed that the hearing will take place on October 6, 2021.
er
13. On October 1, 2021, the Litigation Chamber sends the defendant a list of
questions in preparation for the hearing., Decision on the merits 47/2022 - 4/73
14. At the request of the defendant, the hearing is postponed to October 22, 2021.
15. On October 18, 2021, the defendant sends its answers to the questions of the Chamber
contentious.
16. On October 22, 2021, the parties are heard by the Litigation Chamber. Beyond the Elements
already set out in its pleadings, the defendant puts forward additional elements,
in particular on transparency and the Privacy Policy.
17. On November 18, 2021, the minutes of the hearing are submitted to the parties.
18. On November 25, 2021, the Litigation Chamber receives the defendant's remarks relating to
in the minutes.
19. On February 15, 2022, the Litigation Division informed the defendant of its intention to
impose an administrative fine and the amount thereof.
20. On March 9, 2022, the Litigation Chamber received the defendant's reaction concerning
the intention to impose an administrative fine and the amount thereof. These arguments are
summarized under point “III. Penalty”.
II. Motivation
II.1.Preliminary considerations
21. The Litigation Chamber first emphasizes that this decision concerns the processing of
personal data in the context of the COVID-19 pandemic.
22. In the context of this health crisis, unprecedented measures involving the treatment of
(particular categories of) personal data have been and are being taken.
23. Given this crisis situation, the Litigation Chamber understands the urgency with which
some of these measures had to be taken by the competent authorities and bodies and had to be
implemented by the data controllers concerned. She also heard the
difficulties inherent in this situation. However, it should be emphasized that this does not detract from the fact
GDPR and other personal data protection legislation,
which constitute essential protection for the rights and freedoms of data subjects,
remain applicable. Crisis situations do not justify derogating from the requirements of the GDPR. At
On the contrary, in such circumstances, where individual freedoms are often threatened, it is
should comply with the legal framework which precisely makes it possible to avoid abuses and infringements of
fundamental rights., Decision on the merits 47/2022 - 5/73
24. The monitoring role of ODA concerning technological, commercial or other developments, as well as 4
that the prior opinions given by the knowledge center are without prejudice to the obligation
for data controllers to comply with the legislation in force and, if applicable, of a
sanction by the Litigation Chamber when this is not the case.
II.2.Preliminary questions regarding the quality of administrative authority of the Litigation Chamber of
the Data Protection Authority
25. In these conclusions, the respondent raises three preliminary questions which will be addressed
before questions on the merits.
II.2.1. Lack of reasoning for the decision activating the processing of the case on the merits
26. The defendant indicates in its submissions that “the decision to deal with the case on the merits is not
legally justified within the meaning of the law of July 29, 1991 relating to the formal motivation of acts
administrative and case law of the Court of Appeal of Brussels, section Court of Markets”.
27. The case law of the Markets Court to which reference is made requires the
Litigation Chamber that "the motivation as it appears in the act sets out the considerations
legal and factual basis on which the decision is based and this rationale must be
enough to make the decision. This obligation to state reasons exists both from a formal point of view
that material. The Court of Markets adds that "it is enough that the reasons are clearly, if necessary
concisely set out in the decision itself. » 5
28. The Litigation Chamber finds that these conditions are met in the present case. Indeed, the
decision to deal with the case on the merits was communicated to the defendant by letter dated May 5
2021. The letter expressly indicates that the decision to deal on the merits follows the
findings made by the investigation report of the Inspection Service. The letter takes up the eight
findings of possible breaches of the GDPR noted by the Inspection Service and indicates that
these are subject to substantive review. The investigation report is also annexed to the
mail. In addition, the letter of May 5, 2020 indicates that the decision to deal with the case on the merits
is taken on the basis of articles 95, §1, 1° and 98 of the LCA.
II.2.2. The lack of independence and impartiality of the Data Protection Authority
29. The defendant maintains in its submissions that the Data Protection Authority in its
together fails in its duties of impartiality and independence. The defendant bases this
4
Article 10 of the ACL.
5Brussels, (sect. Cour des Marchés), (19th chamber A), 21 January 2021, point 7.3, available at
https://www.autoriteprotectiondonnees.be/publications/arret-du-27-janvier-2021-de-la-cour-des-marches-ar-1333.pdf., Decision on the merits 47/2022 - 6/73
argument on various press articles, relating conflicts within the Protection Authority
data as well as the opening of an infringement procedure by the European Commission.
30. The Litigation Chamber first notes that the Respondent invokes impartiality and
lack of independence of the Data Protection Authority in a very general way, without
refer to specific facts, a specific body or member of the Authority, and without linking its considerations
to any decision or administrative act taken by the Data Protection Authority in the
this file.
31. However, the defendant does not indicate at any time in what way the independence or the impartiality of
the Litigation Chamber could be called into question.
II.2.3. Misappropriation of power
Criticism of the content of the standard in the inspection report, the finding drawn therefrom and the
resulting misuse of power
32. The defendant disputes in its submissions that the Inspection Service can call into question
the form or substance of a legal norm enforceable in cases other than those provided for in Article 6
of the law of December 3, 2017. It formulates this criticism as follows:
“Therefore, by openly criticizing and questioning the legality of the Ministerial Order and
of the Protocol to draw therefrom the finding of a violation on the part of the conclusive, the service
of inspection calls into question the substance of the legal basis on which the conclusive relied for
process personal data. In fact, the inspection service
therefore calls into question the content of a standard enacted by the executive power in times of crisis
sanitary. »
33. As part of its tasks set out in Article 4 of the LCA, the Data Protection Authority is
“responsible for monitoring compliance with the fundamental principles of data protection at
personal character”. One of the fundamental principles of the right to data protection
personal data is the principle of lawfulness, established in articles 5.1.a and 6 of the GDPR. This principle conditions
any processing of personal data to the existence of a basis of lawfulness, of which the
data controller must be able to demonstrate the existence under the principle of liability
listed in Article 24 of the GDPR.
34. In the present case, during the investigation by the Inspection Service and in its conclusions, the party
Defendant invoked Article 6.1.c) as a basis of lawfulness, which article is worded as follows:
“processing is necessary for compliance with a legal obligation to which the data controller
treatment is submitted”
6
Defendant's submissions, § 23., Decision on the merits 47/2022 - 7/73
35. The Litigation Division recalls in this regard that, while the Inspection Service is the main body
of investigation of the APD, and that only the Litigation Chamber has the competence to take
a decision based on the findings of the Inspection Service. There can therefore be no question of
misuse of power on the part of the Inspection Service, which has no decision-making power
at the bottom of the file.
36. In addition, compliance with the principle of lawfulness consists in examining whether the legal obligation claimed by the
data controller exists and if the processing is necessary to comply with this obligation
legal. It is therefore not a question, as the defendant maintains, of calling into question the Decree
ministerial and the Protocol, but to verify that the processing implemented by the person in charge
of processing are lawful and fall within the legal framework laid down by these legal instruments. If in
As part of its examination, the Litigation Chamber considers that the standard which would allegedly base
processing does not comply with the requirements of the GDPR, it may conclude that the processing is
illicit.
37. This approach is also followed in the investigation report produced by the Inspection Service
which indicates in particular that “during an examination aimed at knowing whether the processing is lawful, it is
necessary to assess whether:
- There is a reason of public interest in the field of public health in accordance with Article
9.2.i. GDPR;
- There is a legal provision that can be validly invoked by the person responsible for the
processing in accordance with Articles 6.1.c., 6.3. and 9.2.i. GDPR;
- The processing operations concerned are necessary for:
▪ Comply with the legal obligation invoked in accordance with article 6.1.c. and ;
▪ Reasons of public interest in the field of public health in accordance with article
9.2.i. GDPR." 9
38. This wording makes it clear that it is indeed the processing whose lawfulness will be
examined and not the validity of the standards themselves. This is confirmed by the wording of
findings of the Inspection Service in its investigation. Indeed, the Inspection Service finds
that the defendant processes personal data without an adequate legal framework in
violation of Articles 6.1, 6.3 and 9.2.i of the GDPR, which clearly demonstrates that it is the processing that is
considered contentious.
7Article 28 of the law of 3 December 2017 establishing the Data Protection Authority.
8
FPS Mobility and Transport of Belgium, “Commercial Passenger Aviation” Protocol (see point 62 et seq.).
9Investigation report, p 25., Decision on the merits 47/2022 - 8/73
39. On the basis of these considerations, the defendant's argument based on a possible misappropriation of
power must be discarded.
The fact that any financial fine would constitute a misuse of power
40. Based on the case law of the Court of Markets, the defendant indicates that "since the
conclusive has never received a compliance injunction or any other sanction and that the
processing concerned by this procedure has ended since October 15, 2020 for the controls
arrivals and March 21, 2021 for departure controls, it should be considered that any
financial penalty would constitute, on the part of the Litigation Chamber, a misappropriation of
power within the meaning of the case law of the Court of Appeal of Brussels, Market Court section”.
41. The Data Protection Authority, like all supervisory authorities, has the power to impose
administrative fines to ensure the effective application of the GDPR, under the text-
even GDPR. As can be seen from recital 148, an administrative fine can be
imposed in addition to or instead of the appropriate measures that are imposed. Room 10
Contentieux acts in this case pursuant to Article 58.2.i) of the GDPR. The possibility of imposing
an administrative fine is therefore in no way subordinated to an injunction
prior compliance. This would call into question the effectiveness of the application of the GDPR if the
data controllers could take refuge behind the absence of prior formal notice
to escape a fine. To this end, the GDPR and the LCA provide for several measures
corrections, including the orders cited in Article 100, § 1, 8° and 9° of the LCA. It is for the authority to
control to choose the appropriate measure to guarantee an effective application of the GDPR, in
exercising its discretionary power in this respect, framed in particular by the procedural safeguards
12
and the fact that fines must be “effective, proportionate and dissuasive”.
10 Recital 148 provides the following: "In order to strengthen the application of the rules of this Regulation, sanctions including
administrative fines should be imposed for any violation of this Regulation, in addition to or instead of the
appropriate measures imposed by the supervisory authority under this Regulation. In the event of a minor violation or if the fine
liable to be imposed constitutes a disproportionate burden for a natural person, a call to order may be issued
rather than a fine. However, due account should be taken of the nature, seriousness and duration of the violation,
intent of the breach and the measures taken to mitigate the damage suffered, the degree of responsibility or any breach
relevant previously committed, the manner in which the supervisory authority became aware of the breach, compliance with
measures ordered against the controller or processor, the application of a code of conduct, and any
other aggravating or mitigating circumstance. The application of sanctions including administrative fines should be subject to
appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to a
effective legal protection and due process. See also guidelines of the European Protection Committee
data on the application of administrative fines of October 3, 2017, WP 253, which confirms that the authorities can
choose to combine several measures, including an administrative fine.
11 Market Court, NDPK t. GBA, 7 July 2021. Available at: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-
july-2021-de-la-cour-des-marches-ar-320-available-in-dutch.pdf
12Article 83.1 of the GDPR., Decision on the substance 47/2022 - 9/73
II.3. As for the background
II.3.1 Identification of disputed processing and applicability of the GDPR
42. It appears from the documents in the file and from the investigation report of the inspection service that the file bears
on temperature checks carried out by the defendant at Brussels South airport
Charleroi in the context of the COVID-19 pandemic.
43. The system put in place consists of two distinct procedures: one at the level of departures, the other
at the arrivals level.
44. With regard to the level of departures, the defendant set up a control of the
temperature of all passengers and any accompanying persons on departure from the airport
of Brussels South Charleroi. Two thermal cameras are installed in the pre-check tent. A
first temperature is taken using these cameras. The device is monitored by X
and by the defendant's firefighters.
45. In the event of a temperature above 38°C, a second test is carried out on the person concerned by
personnel monitoring screens using a digital forehead thermometer. If the temperature is
again above 38°C, the passenger is invited to go to the infirmary or a new outlet
temperature will be taken using a digital thermometer under the arm. If on this third occasion
the temperature again exceeds 38°C, the fire department is notified by radio or by 112. A
firefighter intervenes to take the anamnesis of the person concerned. This consists of putting
additional questions to the passenger to determine if they are suffering from other symptoms of
type COVID 19. The exchange takes place orally without taking notes.
46. If this leads to a suspicion of COVID and if the airline he is flying with prohibits
boarding to passengers with a fever, the passenger will not be able to access the terminal.
47. The system was put in place from June 15, 2020. It was operational during business hours
airport opening hours (between 4:00 a.m. and 9:00 p.m.). Until November 6, X intervened in the
process. From that date, the task was taken over by the firefighters-ambulance of the
defendant. Controls ended on March 22, 2021. Between June 15, 2020 and October 31
2020, approximately 457,000 departing passengers were screened.
48. X also had to complete a document every day showing the number of passengers whose
temperature was above 38°C, as well as the temperature of these same passengers. The document
did not contain the surnames or first names of these people and it was destroyed every week.
49. At the arrivals level, the system was operational from September 7, 2020 to October 15, 2020. It
consisted of using 6 thermal cameras to monitor the temperature of passengers coming
of a red zone. The device was under the supervision of X and the fire-paramedics. In case, Decision on the merits 47/2022 - 10/73
temperature above 38°C, the passenger received a document inviting him to pay attention to
other potential symptoms of COVID and to contact a doctor if desired.
50. According to the defendant, the system was only put in place when there was a return flight from a
Red zone. The defendant indicates that it is unable to determine the number of people
concerned returning from a red zone and having undergone a temperature check
bodily.
51. Thermal cameras are equipped with software that sends an alert when a temperature
greater than or equal to 38°C is detected. An image of the passenger with his mask then appears
in the computer's event center. At the request of the defendant, the cameras are configured
for a pre-alert at 37.5°C and an alert at 38°C.
52. Camera software temporarily caches the last twenty
alert images. These are deleted at the end of each day.
53. The Inspection Service notes that the thermal camera system as set up by
BSCA S.A. must therefore be considered as an automated personal data process
personnel falling within the material scope of the GDPR in accordance with Article 2.1. from
GDPR, as it involves taking an image of passengers with a temperature
above 38°C using thermal imaging cameras.
54. The Inspection Service also notes that the processing concerned in the context of this
report involve health data within the meaning of Article 4.15. of the GDPR, since they
reveal an aspect relating to the physical health of people, i.e. fever.
also believes that the oral history is likely to contain other information to
medical character.
55. The defendant did not dispute these two findings made by the Service
of Inspection. The Litigation Chamber specifies, however, that the disputed data processing is
limited to images taken by thermal cameras. The subsequent stages of the process (taking
temperature without image and the anamnesis), do not constitute data processing to
personal character within the meaning of articles 2.1, 4.1 and 4.2 of the GDPR. Indeed, taking the temperature via
manual thermometer does not constitute a processing of personal data within the meaning of article 4.2
of the GDPR, since it was not, to the knowledge of the Litigation Chamber, the subject of any
operation mentioned in this article .13
13 The recording and/or communication of information resulting from manual temperature taking and anamnesis to any
recipient (such as an airline) would however constitute such processing., Decision on the merits 47/2022 - 11/73
II.3.2 Identification of the data controller
56. The Inspection Department finds that BSCA S.A. must be considered to be responsible for the
processing for the processing examined in the context of this file in accordance with Article
4.7. of the GDPR. To reach this conclusion, the Inspection Service relies on the fact that the
defendant itself recognizes this quality and that it concluded a contract with X, that with
I-CARE SPRL for the supply of thermal cameras.
57. This finding has not been contested by the defendant. The Litigation Chamber follows
moreover the Inspection Service in this regard.
II.3.3 Finding 1: Violation of the principle of lawfulness of processing and necessity of the measure
under Articles 5.1.a, 5.1.c., 6 and 9 of the GDPR
Findings of the Inspection Service
58. It appears from the investigation report that the defendant claims Articles 6.1.c) and 9.2.i) of the GDPR
as bases for the lawfulness of the processing. These two articles are reproduced below:
“Clause 6
Lawfulness of processing
1. Processing is only lawful if and insofar as at least one of the following conditions is
filled:
[…]
c) processing is necessary for compliance with a legal obligation to which the data controller
treatment is submitted; »
“Clause 9
Processing of special categories of personal data
1. The processing of personal data which reveals racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade union membership, as well as
that the processing of genetic data, biometric data for the purpose of identifying a
natural person in a unique way, data concerning health or data
concerning a natural person's sex life or sexual orientation is prohibited.
2. Paragraph 1 does not apply if one of the following conditions is met:, Decision on the merits 47/2022 - 12/73
[…]
i) the processing is necessary for reasons of public interest in the field of health
public, such as protection against serious cross-border threats to the
health, or for the purpose of ensuring high standards of quality and safety of health care
and medicinal products or medical devices, on the basis of Union law or the law of
the Member State which provides appropriate and specific measures for the safeguarding of
rights and freedoms of the data subject, in particular professional secrecy”.
59. Regarding the legal obligation of Article 6.1.c, the investigation report indicates that the respondent
is based on Article 4 of the Ministerial Order on emergency measures to limit the
spread of the coronavirus COVID-19 from June 30, 2020. This ministerial decree followed
several similar ministerial orders and was subsequently replaced by a succession of other
ministerial orders. The most recent at the time of writing the investigation report is the decree
15
ministerial meeting of October 28, 2020. It was only during the investigation by the Inspection Service that the
reference to these legal bases was put forward by the complainant.
60. Article 4 of the ministerial decree of June 20 was worded as follows:
“Without prejudice to Article 5, companies and associations offering goods or services to
consumers and, from 1 September 2020, the organizers of trade fairs, in
including lounges, operate in accordance with protocol or minimum rules
which have been communicated on the website of the competent public service. […]”.
61. This article was repealed by a ministerial decree of 18 October 2020, article 5 of which reproduced article
4 of the ministerial decree of June 30, 2021. This decree was then replaced by a ministerial decree of
October 28, 2020, Article 5 of which reads as follows:
“Without prejudice to Article 8, companies and associations offering goods or services to
consumers operate in accordance with the protocol or minimum rules that
have been communicated on the website of the competent public service. ".
62. These ministerial orders successively provide that companies and associations offering
goods or services to consumers, operate in accordance with the protocol
or the minimum rules that have been communicated on the website of the competent public service. the
Protocol applicable to the defendant is a protocol entitled “Commercial Aviation
passengers” which emanates from the FPS Mobility and Transport of Belgium (hereinafter: the Protocol).
14
Ministerial decree of June 30, 2020 on emergency measures to limit the spread of the coronavirus COVID-19.
15 Ministerial Order of October 28, 2020 on emergency measures to limit the spread of the COVID-19 coronavirus., Decision on the merits 47/2022 - 13/73
63. The Protocol contains on page 5 specific sanitary measures applicable to airports and
in particular, the following measure:
64. The Inspection Service also notes that the Protocol contains the following provision:
65. The paragraph regarding passenger temperature checks copied above can be found
under Chapter 2 of the Protocol.
66. The Inspection Service noted that on 12 October 2020, the Protocol was published on the
FPS Mobility and Transport website.
67. It emerges from the investigation report that with regard to the grounds of public interest in the field of health
public in accordance with Article 9.2.i. of the GDPR, the defendant specifies that this concerns in particular
“protection against serious cross-border threats to health, in this case the epidemic
of COVID-19”. In this regard, it indicates that recital 46 of the GDPR explicitly mentions the
fight against epidemics.
68. In addition, the defendant indicated (exhibit 7) that this processing falls within the legislative framework put in place
place, namely the Ministerial Order of 30 June 2020 and the Protocol.
69. Based on Articles 5.1.a, 6.1, 6.3 and 9.2.i) of the GDPR, the Inspection Service considers that in order to
to ensure the lawfulness of the processing, it is necessary to assess the elements below., Decision on the merits 47/2022 - 14/73
70. Firstly, the Inspection Service considers that the fight against the spread of COVID-19 must
be considered a public interest in the field of public health in accordance with
Article 9.2.i of the GDPR.
71. Secondly, the Inspection Service considers that the data is processed without a framework
legal, in violation of articles 6.1.c, 6.3 and 9.2.i) of the GDPR and that it is therefore
illicit. To reach this conclusion, the Inspection Service relies on the following elements:
- The purpose of the norm invoked has not been determined by law and the Protocol defines by
elsewhere a purpose different from that of the ministerial decree;
- The basic methods of measuring body temperature have not been defined by the
law ;
- The predictability of the Protocol is problematic given the lack of publication;
- The standards invoked are not a law in the proper sense;
- The standards invoked do not provide any supervision of the processing by guarantees.
72. Thirdly, the Inspection Service considers that the medical necessity of the checks
passenger body temperature is disputed.
Position of the defendant
73. In its submissions, the defendant recalls the legal framework for data processing which is
made up of successive ministerial decrees, as well as the Protocol, the latter being binding on the
defendant.
74. The defendant also considers that the existence of a public interest in the field of health
public on the basis of Article 9.2.i is well proven in this case.
75. It also considers that there is a legal provision which can be validly invoked by the
controller in accordance with Articles 6.1.c, 6.3 and 9.2.i) of the GDPR.
76. It relies on the following four elements to support this:
- First of all, as already explained above (point 32 et seq.), the defendant considers that it
it is not for the Inspection Service to comment on the validity of a legal standard or
enforceable. It is solely up to him to verify that a legal obligation exists, making the
valid processing according to article 5.1.c (sic) of the GDPR.
- Then, she indicates that the temperature checks were imposed on her by the Protocol, itself
even made compulsory by Ministerial Orders. The defendant expresses for the
first time that these ministerial decrees are based on article 4 of the law of December 31, Decision on the merits 47/2022 - 15/73
1963 (hereafter, law relating to civil protection) and the law of 15 May 2007 (hereafter, law relating
civil security). The defendant indicates that these laws have been validated by the Council of State
as a legal basis for ministerial decrees. The defendant also indicates, for the
first time in its conclusions, relying on the decree of June 23, 1994 (hereinafter, the decree
Walloon). It adds that the ministerial orders were validated by the Council of State in a judgment
19
from October 30, 2020. The defendant points out that it participated in the workshops for the development of the
Protocol, with the FPS Mobility, the airports and the main Belgian airlines.
- With regard to the purpose, the basic modalities and the delay of the publication, the
defendant considers that it cannot be held responsible for compliance with these obligations
(which are not required by Article 9.2.i) of the GDPR) and that these do not affect its
obligation to implement the measures laid down in the Protocol.
- As for the requirement of necessity of the processing, the defendant considers, like the Service
of Inspection that it is not up to the DPA to decide on the medical necessity of the
thermal cameras to fight COVID-19. The defendant also wonders
on the possibility of carrying out such an analysis a posteriori, recalling the uncertainty that prevailed at
the time. She adds that no other pragmatic solution existed at the time for him
allow him to comply with the prescriptions of the Protocol imposed on him. She indicates
also that it was not carrying out COVID tests as such, but rather
temperature controls. According to her, the term “positive/negative test” has no reason to exist.
She adds that no less than 65 other European airports have implemented such systems.
and that these have, moreover, been interrupted at her home for months (see paragraphs 47 and 49). She
adds that it does not derive any interest from the processing of its data and that the risk that these
present is otherwise very limited. She concludes that the treatment was at the time
necessary and proportional to the purposes of such processing.
77. During the hearing, the defendant clarified in particular that the cessation of the temperature measurement was
decided due to greater use of PCR tests, the establishment of quarantines as well as
20
only for financial considerations.
78. The defendant specifies that with regard to departures, only three people have, following the
temperature taking process, were asked not to enter the terminal. If these people
16Law of 31 December 1963 on civil protection.
17Law of 15 May 2007 on civil security.
18
Decree of 23 June 1994 relating to the creation and operation of airports and aerodromes within the Walloon Region
19
Decision of the Council of State of October 30, 2020, 248.818, available at http://www.raadvstconsetat.
be/arr.php?nr=248818.
20Comments on the minutes of the hearing of October 22, 2021, p. 1., Decision on the merits 47/2022 - 16/73
had nevertheless wished to do so, their identity would have been communicated to the company
Aerial. The final decision whether or not to allow boarding would have belonged to the captain
board, under international law.
79. Then concerning the legal basis and the Protocol, the respondent argued during the hearing
that it was subject to a legal obligation on the basis of the Protocol, although it considers that this
Protocol suffers from drafting blunders which could give rise to interpretations
different. The defendant adds that it was not, moreover, involved in the drafting of the
21
Protocol and also believes that a law would have been more appropriate. She adds that the lines
EASA guidelines are also not always the clearest. 22She adds that she has
requested intervention from the public authorities as to the lawfulness of the processing following the launch of
investigation by the Inspection Service.
Examination by the Litigation Chamber
80. The Litigation Chamber emphasizes that the processing of personal data is only lawful
only if it is carried out on a legal basis provided for in Article 6.1 of the GDPR.
81. Since it has been found in this case (see above) that the screening system has also
involved the processing of special categories of personal data (more
specifically data concerning the health of the persons concerned within the meaning of article 4.15 of the
GDPR), data controllers must also demonstrate that one of the grounds for exception
the principle of the prohibition of processing for this type of personal data, set out in
article 9.2 of the GDPR, applies. As the Litigation Chamber has already estimated, 23
processing of special categories of personal data within the meaning of Article 9 of the
GDPR must indeed be based on Article 9.2 of the GDPR, read in conjunction with Article 6.1 of the GDPR.
24
This has been established by the European Commission and the EDPB and is also confirmed by the
recital 51 of the GDPR, which provides the following regarding the processing of special categories of
personal data: "In addition to the specific requirements applicable to this processing, the
21
Comments on the minutes of the hearing of October 22, 2021, p. 2.
22See also the response to the Inspection Service of November 24, 2020.
23Cf. substantive decision 76/2021, point 33, available at: https://www.autoriteprotectiondonnees.be/publications/decision-
as-to-fund-n-76-2021.pdf.
24
See on this subject GEORGIEVA, L. and KUNER, C., "Article 9. Processing of special categories of personal data” in KUNER, C., BYGRAVE,
L.A.enDOCKSEY,C.,TheEUGeneralDataProtectionRegulation(GDPR).Acommentary,OxfordUniversityPress,Oxford,p.37:"The
Commission has stated that the processing of sensitive data must always be supported by a legal basis under Article 6 GDPR, in
additiontocompliancewithone ofthesituationscoveredinArticle9(2).TheEDPBhasalso statedthat‘Ifavideosurveillancesystem
is used in order to process special categories of data, the data controller must identify both an exception for processing special
categories of data under Article 9 (i.e. and exemption from the general rule that one should not process special categories of data)
and a legal basis under Article 6’., Decision on the merits 47/2022 - 17/73
general principles and the other rules of this Regulation should apply, in particular in
with regard to the conditions of lawfulness of the processing”. 25
Regarding the application of Articles 6.1.c) and 9.2.i) of the GDPR to the present case
82. In the present case, during the exchanges with the DPA, the controller claims to rely
on Article 6.1.c) of the GDPR and Article 9.2.i).
83. The Litigation Chamber emphasizes that in order to be able to validly invoke the basis of lawfulness of
Article 6.1.c) and the exception provided for in Article 9.2.i) of the GDPR, the controller must
to prove :
(i) there is an important reason for public interest in the field of public health (Article 9.2.i)
;
(ii) that there is a legal provision which can be validly invoked by the controller
processing in accordance with Articles 6.1.c, 6.3 and 9.2.i) of the GDPR.
(iii) That the processing operations concerned are necessary for
o Comply with the legal obligation invoked in accordance with Article 6.1.c and
o Reasons of public interest in the field of public health in accordance with
Article 9.2.i.
84. With regard to the first constituent element of Article 9.2.i) of the GDPR, namely the existence of a
"important public interest in the field of public health", the Inspection Service does not
does not question in his investigation report the presence of such an interest in this case. Bedroom
Litigation observes in this respect that it is indeed a question of a "significant public interest in the
field of public health" within the meaning of Article 9.2.i) of the GDPR. The Litigation Chamber considers
indeed that there can be no doubt that the fight against the Covid-19 pandemic
should be considered as such. As also invoked by the defendant, this is explicitly
formulated in recital 46 of the GDPR, which mentions "[monitoring] epidemics and their spread"
as an "important cause of public interest".
85. The second constituent element concerns the existence of a legal provision on which the
processing in accordance with Articles 6.1.C and 9.2.i) of the GDPR.
86. In accordance with Article 6.3 of the GDPR, read in the light of recital 41 of the GDPR, the processing of
26
personal data which is necessary for compliance with a legal obligation and/or to
the performance of a task in the public interest or in the exercise of official authority
25
It is the Litigation Chamber which highlights.
26Article 6.1.c) of the GDPR., Decision on the merits 47/2022 - 18/73
27
vested in the data controller must be governed by clear and precise regulations whose
the application must be foreseeable for the persons concerned.
87. Article 6.3 of the GDPR provides more precisely the following in this regard: "The basis for the processing
referred to in points (c) and (e) of paragraph 1 is defined by: (a) Union law; or (b) the law of the Member State
to which the controller is subject. The purposes of the processing are defined in this
legal basis or, with regard to the processing referred to in paragraph 1, point e), are necessary to
the performance of a task in the public interest or in the exercise of official authority
vested in the controller."
88. Recital 41 of the GDPR specifies in this respect: "Where this Regulation refers to a
legal basis or to a legislative measure, this does not necessarily mean that the adoption of a
legislative act by a parliament is required, without prejudice to the obligations provided for under the order
constitution of the Member State concerned. However, this legal basis or measure
legislation should be clear and precise and its application should be foreseeable for litigants,
in accordance with the case law of the Court of Justice of the European Union (hereinafter referred to as
"Court of Justice") and the European Court of Human Rights. »
89. As regards the legal basis invoked by the defendants, it must be noted that neither the decree
relating to the creation and operation of airports and aerodromes, nor the ministerial decree or the law
on civil security (see points 59 and s. and 76 and s. above) do not govern the disputed processing
as such. This processing is provided for in the Commercial Aviation Protocol, adopted by the
Federal Public Service Mobility and Transport (DG Air Transport), after negotiation with the sector
concerning. This emerges from the wording of article 1, 3° of the ministerial decree: "protocol": the
document determined by the competent minister in consultation with the sector concerned (…)". This
also emerges from the documents in the file as well as from the email sent by the Minister's office
competent to airport operators, airlines and regional authorities on 11
June 2020. The Litigation Chamber argues that in the context of Article 6.3 and considering
41 of the GDPR, cooperation and consultation with the sector are not in themselves a hindrance, provided
that the obligation is imposed explicitly by a law in the broad sense. However, this was not the case in
species (see below).
90. The Litigation Division refers more particularly in this respect to the Privacy International judgment
of the Court of Justice of 6 October 2020, in which the Court affirms that the legislation in question must
contain clear and precise rules "governing the scope and application of the measure in question and
imposing minimum requirements, so that persons whose personal data
personnel are concerned have sufficient guarantees to effectively protect
these data against the risk of abuse." And the Court added: "This regulation must be
legally binding in domestic law and, in particular, indicate in what circumstances and under
27Article 6.1.e) of the GDPR., Decision on the merits 47/2022 - 19/73
under which conditions a measure providing for the processing of such data may be taken,
thereby ensuring that the interference is limited to what is strictly necessary. (…) These considerations are valid
particular when the protection of this particular category of personal data is at stake.
personal sensitive data".
91. With regard to the aforementioned standards, the Respondent asserts in its submissions in response that
by its judgment of October 30, 2020, the Belgian Council of State "approved the legal basis of article 4 of
the law of December 31, 1963 and articles 181, 182 and 187 of the law of May 15, 2007."
point out, however, that the judgment in question does not concern the use of this legislation as
legal basis for the processing of (special categories of) personal data and not
does not constitute a verification of the aforementioned standards in the light of the GDPR. The judgment concerns
the closure imposed on restaurants and drinking establishments in the context of Covid-19 and is no longer
therefore not relevant to the present case. More importantly, the judgments of the Council of State bear
on the legality of the measures imposed by ministerial decree. However, it is clear that the decrees
ministerial positions have a clear normative value on the Belgian right. This is not the case with the Protocol
in question.
92. This is confirmed by the Belgian Council of State in its opinion no. 69.253/AG of 23 April 2021, issued by
the general meeting of the legislation section, which takes a position as follows:
93. “Indeed, one of two things: either the protocols do not have a regulatory character, but in
In this case, the concrete measures they contain are not binding, the protocols do not
cannot derogate from the ministerial decree and their respect cannot be controlled or maintained by
the initiation of public action in the event of non-compliance; either the protocols are actually
of a regulatory nature and the measures they contain are quite binding, but in
28
In this case, these measures must be included in the decrees of the competent authority in the matter. »
94. This position of the Council of State follows the response of the minister's delegate, who asked about the
legal quality of the protocol replied as follows:
95. “De protocollen en gidsen vormen een indicatief beoordelingskader. From protocollen to gidsen
kunnen enkel verordenende maatregelen, zoals bepaald in het MB, concretiseren, maar zijn zelf niet
verordenend”. 29
96. The Litigation Chamber further notes that the French Council of State stated the following with regard to
the processing of special categories of personal data by means of cameras
28 This paragraph was repeated by the Council of State in Opinion 69.305 of 6 May 2021. Opinion No. 69.253/AG of 23 April 2021 is the first
opinion issued by the Council of State on successive ministerial decrees (see point 62 et seq.). The opinion of the Legislation Section of the Council
of status not having been requested before, in view of the urgency. This is therefore the first opinion issued by the Council of State on the question.
protocols provided for by this succession of ministerial decrees.
29 Legislation Section of the Council of State, n°69.253/AG du 23 avril 2021, p.42.
an indicative assessment framework. Protocols and guides can only concretize regulatory measures, such as
stipulated in AM [Ministerial Order], but are not themselves regulatory"., Decision on the merits 47/2022 - 20/73
thermal without a valid legal basis: "it is not possible to estimate that the legal conditions of a
processing of personal health data provided for in g) under 2. of Article 9 of the GDPR are
met, for lack of text governing the use of thermal cameras deployed by the municipality and
30
specifying the public interest which may make it necessary".
97. During the hearing, the respondent also indicated that it considered that the legal basis
was not the clearest and that a law would have been more judicious .31
98. The Litigation Division therefore finds that the Protocol does not provide a valid legal basis for the
processing within the meaning of Article 6.1 of the GDPR.
99. As a superabundant point, concerning the non-binding nature of the protocol invoked, the Chamber
litigation finds, on the basis of the documents, the following elements:
- The Protocol specifies that “EASA and ECDC do not recommend taking the temperature of
passengers to allow them to travel with 'immunity passports'. The agency recalls
that the relevance of this test is not supported by current scientific knowledge about
of SARS-CoV-2. Nevertheless, EASA and ECDC monitor scientific developments and
will update their recommendations as appropriate if a suitable test becomes available.
Charleroi Airport (Brussels South Charleroi Airport), on request from airlines
airlines operating there, however, took the decision to implement the tests for taking
temperature of people entering the terminal. The airport guarantees that the method
chosen will not lead to delays or concentration of people at the entrance to its
infrastructure. »32
- The airport took the initiative twice to interrupt treatment. This emerges from his
answer to the questions of January 6, 2021 where it indicates that the temperature measurement on arrivals has
was interrupted on October 15, 2020 at the initiative of the airport. With regard to arrivals, the
defendant indicated in its letter of October 18, 2021 that "The defendant interrupted
the temperature control system at the departures level from March 22, 2021 due to the
additional measures to combat the spread of the coronavirus put in place by the
different national governments. This was repeated during the hearing, since the defendant
y clearly states that when treatment is discontinued in March 2021, “the discontinuation is a
33
decision of BSCA”.
30 French Council of State, order of 26 June 2020, n° 441065. Available at: https://www.conseil-etat.fr/decisions-de-
justice/latest-decisions/council-of-state-june-26-2020-thermal-cameras-in-lisses
31
See paragraph 79 above.
32It is the Litigation Chamber which underlines.
33Comments on the minutes of the hearing of October 22, 2021, p. 1., Decision on the merits 47/2022 - 21/73
100. For the Litigation Chamber, these elements demonstrate, beyond the question of the existence of a
legal basis, the absence of a binding nature of the Protocol as regards specifically
temperature taking.
101. In addition, the Litigation Chamber considers that the Protocol does not meet the requirements imposed
by Article 6.3 of the GDPR and by European case law for the reasons listed below.
The purpose(s) of the disputed processing is (are) not mentioned in any way
sufficiently clear and consistent in the standards invoked
102. As mentioned above, under Article 6.3 of the GDPR, the basis for the processing referred to in
paragraph 1, points c) and e) must be defined by Union law or by the law of the Member State
to whichthecontrollerissubject. Recital 45 specifies that: "It should also
belong to Union law or to the law of a Member State to determine the purpose of the processing.
In addition, this law could specify the general conditions of this regulation governing the
lawfulness of the processing of personal data, establish the specifications aimed at
determine the data controller, the type of personal data subject
of the processing, the persons concerned, the entities to which the personal data
personal data can be communicated, the limitations of the purpose, the retention period and
other measures to ensure lawful and fair processing. It should also belong to the
Union law or the law of a Member State to determine whether the controller performing
a task carried out in the public interest or in the exercise of official authority should be an authority
34
or another natural or legal person governed by public law (...)”.
103. The Litigation Division notes, however, that the standards invoked by the defendants do not
clearly and unequivocally contain the precise purpose of the processing. They do not contain
nor the basic processing methods as listed in paragraph
previous.
104. With regard to the ministerial decree of June 5, 2020, the decree relating to the creation and operation
of airports and aerodromes and the law relating to civil security, it is clear that none of
these three standards do not mention the disputed processing. It is apparent from the wording of the decree
ministerial that the purpose of the measures included therein is to "limit the spread of
coronavirus COVID-19”.
105. Even the Commercial Aviation Protocol – which does refer to the disputed processing – does not
does not include a clear description of the purpose of the aforementioned processing. At most we can deduce
of the title of the document that the purpose of the measures it contains is "the resumption of activities relating to
commercial aviation for passengers".
34
Emphasis by the Litigation Chamber., Decision on the merits 47/2022 - 22/73
The terms of the treatment have not been defined by the Protocol
106. As indicated above, in accordance with Article 6.3 of the GDPR, read in conjunction with Article 22
of the Constitution and with Articles 7 and 8 of the Charter of Fundamental Rights of the Union
European Union, a legislative standard must define the essential characteristics of the processing of
data, necessary for the performance of a mission of public interest or relating to the exercise of the authority
public authority vested in the controller. In the aforementioned provisions, it is emphasized
In this regard, the processing in question must be framed by a sufficiently clear and
precise, the application of which must be foreseeable for the persons concerned.
107. However, the Commercial Aviation Protocol in no way sets out the essential elements of the
disputed processing. This leaves those responsible for processing a wide margin of appreciation
how body temperature measurement should be performed. The Protocol leaves from
airport managers the freedom to carry out this screening with or without processing
personal data and even to define the other modalities, such as the number of
temperature measurements, the technology used, the type and quantity of data processed and the duration
retention of their data.
The predictability (or unpredictability) of the Commercial Aviation Protocol
108. European case law imposes the requirement of predictability of legislation. Standards
invoked must also be sufficiently accessible for the persons concerned thanks to
their publication, in particular also with regard to the nature and legal consequences for
the person concerned.
109. In this regard, it should be noted that the Protocol does not define the consequences for the
data subject who refuses to submit to temperature screening. This element does not stand out
as common EASA and ECDC operational guidelines. The purpose of the identification and
the principle of control with image recording does not come out of the Protocol either. In
Furthermore, the Protocol was not published on time and correctly. It was indeed published on the website
Internet of the Federal Public Service Mobility and Transport after its implementation.
110. The fact of not determining these modalities in the standard or the instrument invoked generates
significant derived risks for the rights and freedoms of data subjects (e.g.
confusion of purposes as well as an obstacle to the exercise of the rights of the persons concerned).
In accordance with the aforementioned case law of the Court of Justice (the Privacy International judgment), this does not
does not meet the requirement to provide by law (even in the broad sense) measures, Decision on the merits 47/2022 - 23/73
appropriate and specific for the safeguard of fundamental rights and freedoms
fundamentals of the person concerned.
111. The Litigation Chamber takes note of the urgency with which the measures were taken in the
framework of the fight against the Covid-19 pandemic. She stresses, however, that this does not bear
prejudice to the fact that the requirements of the aforementioned provisions, which constitute
essential protection for the rights and freedoms under the law relating to the protection
personal data.
112. As data controllers, the Respondent is responsible, under the principle of
responsibility set out in Articles 5.2 and 24 of the GDPR (“accountability”), compliance with the principles of
protection of personal data (including the principle of lawfulness and necessity) and must
be able to demonstrate compliance with its legal obligations. The Litigation Chamber reminds
again that the defendant has recognized the lack of clarity of the Protocol. 35
113. The Litigation Chamber emphasizes that the defendant therefore had to ensure, from the start of the
disputed processing, to have a reason for lawfulness and a valid exception within the meaning respectively
of Articles 6.1 and 9.2 of the GDPR. The analysis of the documents in the file shows that this basis of legality
was not explained at the start of the treatment. This is also apparent from the absence
concrete reference to the legal basis in question in the privacy statement of the
defendant (see below).) It was only during the investigation by the Inspection Service that it was
mentioned for the first time, then integrated in an incomplete way in the policy of
confidentiality from December 2.
114. It should also be emphasized that the legal norms invoked by those responsible for the
processing do not entail any obligation and do not create any legal framework for the performance
temperature control with recording of personal data.
115. The Litigation Chamber therefore concludes that the second constituent element is therefore not established.
116. With regard to the third constituent element, namely that the processing operations concerned must
be necessary to comply with the legal obligation invoked in accordance with Article 6.1.c and to
grounds of public interest in the field of public health in accordance with Article 9.2.i..
117. The Litigation Division considers above all that the reference to other similar processing in
65 other European airports is not relevant as proof of compliance with the requirement of
necessary in this case. In this respect, it is pointed out that the enumeration included in the
conclusions of the first defendant also implies that a (significant) number of airports (including
Belgian airports too) made no use of the temperature control system. The
Litigation Chamber further notes that the Protocol indicates that the processing was to be carried out
35
See point 76 above., Decision on the merits 47/2022 - 24/73
place in only two airports in Belgium (Charleroi airport and Zaventem airport) without
mention the other airports present on Belgian territory.
118. As regards compliance with the principle of necessity in the context of the processing at issue, the
Litigation Chamber points out, like the defendant, that it cannot rule on
the medical necessity of this measure in the context of the fight against Covid-19 as such,
nor as to the scientific accuracy of the views and reports cited above. This analysis is not
however not necessary to be able to consider the necessity of the processing from a point of view
legal.
119. The Litigation Chamber notes, however, that the Commercial Aviation Protocol of the
Minister of Mobility – both in its version of June 11, 2020 and in that of July 31, 2020 –
mentions the following on page 5:
“"Measuring the body temperature of passengers so that they can travel with a
"immunity passport" is not recommended by EASA and ECDC. EASA recalls that the
relevance of this measure is not supported by current scientific knowledge of the
36
SARS-CoV-2. (…)"”.
120. The Litigation Division therefore finds that the legal basis invoked by the defendant
itself mentions that the necessity of the processing concerned has not been established. She therefore concludes
that the necessity of the processing, as required by Articles 6.1 c), 6.3 and 9.2.i) of the GDPR is not
established.
121. Therefore, the Litigation Chamber holds in this case that the Commercial Aviation Protocol and
the other standards invoked by the defendant do not constitute a valid basis for treatment
and finds a violation of Articles 6.1.c), 6.3 and 9.2.i) of the GDPR.
37
II.3.4 Finding 3: Violation of the principle of transparency and of the obligation
information in accordance with articles 5.1.a., 12 and 13 of the GDPR
122. The Inspection Department notes that the persons concerned by the processing may be
divided into two categories: passengers and any accompanying persons (on departure) and people
arriving from a red zone (on arrival).
123. The methods of communicating information may also vary, since part of the information
methods of communication are used vis-à-vis all the persons concerned, whereas
36Commercial Aviation Protocol, p. 5. It is the Litigation Chamber that highlights.
37For reasons of readability and understanding of the decision, finding 3 is considered before finding 2., Decision on the merits 47/2022 - 25/73
certain additional information is communicated only to passengers and potential
companions on departure. This information is provided via the four means of communication
following:
- An information banner published on the defendant's website;
- A “frequently asked questions” page on the defendant's website;
- The internal rules published on the site and displayed before the temperature checks
bodily injury of passengers;
- The privacy statement published on the defendant's website.
124. With regard to departures, the defendant also indicated that it had posted a poster
containing an infographic indicating a temperature above 38°C, with the mention “noaccess
to the terminal”. The poster also shows a face in profile whose temperature is taken using
a forehead thermometer.
125. The Inspection Service finds breaches of Articles 5.1.a), 12 and 13 of the GDPR with regard to
concerns the information communicated to the persons concerned at the outset. Violations can
be distinguished according to whether they took place between June 15, 2020 and December 2, 2020 (date of the
posting of the new privacy policy) or that they are subsequent to this
last date.
126. In general, during the hearing, the defendant agreed that certain points could have been
be improved, in particular with regard to the retention period and the reference to DPA. For
the defendant, the Inspection Service adds a criterion to the GDPR by requiring the database to be taken over
precise legal information, but she understands that this could improve the quality of the information. The policy of
privacy was amended in November 2020 (with publication on December 2, 2020) more
aspects, but it does not yet contain a reference to Article 9 of the GDPR.
127. For the defendant, the fact that there was not a single request to exercise the rights, or
clarifications when the contact details of the DPO were available at several places is a
proof that transparency was guaranteed.
128. To the extent that the information provided to data subjects has varied over time and
depending on the circumstances, the Inspection Service has chosen to examine compliance with these principles in
three different situations, which are listed below.
a) Violations that occurred between June 15 and December 2, 2020 for departures
IS Findings, Decision on the Merits 47/2022 - 26/73
129. With regard to the violations that took place between 15 June and 2 December 2020 for the
departures, the Inspection Service considers that they relate to the following elements 38 :
- The fact that the temperature control is done by means of thermal cameras is not indicated
in any of the means of communication (violation of Article 5.1.a);
- The legal basis of the processing is never announced (violation of Article 13.1.c), nor is
the regulatory framework for the obligation to monitor body temperature (violation of article
13.2.e));
- The retention period is not determined or the criteria used to determine these
ci are not mentioned (violation of Article 13.2.a));
- The right to lodge a complaint with the DPA is also not mentioned (13.2.d)).
- The purpose of the processing is not mentioned (Article 13.1.c))
Position of the defendant
130. The defendant considers that the Inspection Service did not take into account certain
documents published in order to verify compliance with its legal obligations.
131. It considers that the information concerning the taking of body temperature by means of
thermal cameras was not necessary as this information was already available
through the national press and an airport press release dated June 10, 2020 and that
the persons concerned therefore already had this information (Article 13.4 of the GDPR).
132. Furthermore, on the basis of this same exception, the defendant considers that the persons
concerned should already be aware of the existence of the legal obligation governing the processing being
given that this results from the Protocol, itself imposed by ministerial decrees, which are
39
published in the Belgian Official Gazette. The defendant considers that it cannot be held responsible for the
delay in publication of the Protocol.
133. With regard to the retention period, the defendant acknowledges that it should have indicated this
precisely. It also recognizes that the existence of the right to lodge a complaint
with ADP, is not included in the Privacy Policy.
134. She puts forward the same arguments as those presented with regard to Finding 2 which concerns
specifically the question of purpose (see points 187 and following below).
38
The privacy statement does not explicitly mention the temperature screening of the data subjects, it
has not been examined by the Inspection Service. The findings of violations therefore relate to the three other means of
communication.
39 The conclusive again insists that it cannot be held responsible for the delay in the publication of the protocol., Decision on the merits 47/2022 - 27/73
Examination by the Litigation Chamber
135. The principle of transparency is established in Article 5.1.a) of the GDPR which indicates that “the data to be
personal character must be processed in a lawful, fair and transparent manner with regard to the
data subject (lawfulness, fairness, transparency); »
136. This principle is implemented, among other things, by Article 12.1 of the GDPR, which specifies that the person responsible
processing “take appropriate measures to provide any information referred to in Articles 13
and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 in
regarding the processing to the data subject in a concise, transparent,
understandable and easily accessible, in clear and simple terms (...)”.
137. Recitals 58 and 60 of the GDPR specify that "the principle of fair and transparent processing
requires that the data subject be informed of the existence of the processing operation and its
purposes" and that "the principle of transparency requires that any information sent to the public or to the
data subject is concise, easily accessible and easy to understand, and formulated in
plain and simple terms (...)".
138. As Advocate General P. Cruz Villalón and the Court of Justice of the European Union have pointed out
European Union in the Bara case, compliance with the provisions on transparency and
information is essential because it is a prerequisite for the exercise by people
data subjects of their rights, which are one of the foundations of the GDPR. 40
139. In the event that the personal data concerned have been collected from the person
data subject itself, Article 13 of the GDPR specifies what information must be provided to it.
140. In its guidelines on transparency, Working Party 29 clarified that Article 13 of the
GDPR applies both where personal data is transferred
knowingly by the data subject to the controller and in cases where
the data is collected by the data controller by observation (for example by
the use of automated data collection equipment or data capture software
data such as cameras). 41
141. With regard to the first element, i.e. processing on the basis of cameras
heat, the Litigation Chamber finds that the defendant claims the application
of Article 13.4 of the GDPR and indicates that it was not subject to the obligation to inform the persons
concerned since they already had the information through the media and a
Airport press release.
40
CJEU, 1 October 2015, Bara, C-201/14, par. 33 (Conclusions of Advocate General P. Cruz Villalón, July 9, 2015, par. 74).
41 Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, 11 April 2018, p. 14-15, par 26., Decision on the merits 47/2022 - 28/73
142. Article 13.4 of the GDPR makes it clear that paragraphs 1, 2, 3 do not apply where, and
insofar as the data subject already has this information. Article 13.4 does not
therefore does not constitute an exception to the principle of transparency as formulated in Article 5.1.a of the
GDPR. However, it was indeed on the basis of this article that the Inspection Service noted a breach of
the obligation to inform the persons concerned of the existence of thermal cameras. For the
Litigation Chamber, a distinction must indeed be made between the principle of loyalty and
of transparency on the one hand (Article 5.1.a) and the obligations arising from this principle (in particular the
sections 13 and 14).
143. The principle of fairness and transparency established in Article 5.1(a) is not limited to simple
information and transparency obligations listed in the articles of the GDPR, but consists of
a general principle, the scope and philosophy of which must be respected for any treatment.
144. This point of view was formally adopted by the EDPS in his decision 01/021 concerning
Whatsapp, in which he indicates that:
“Based on the above considerations, the EDPB emphasizes that the principle of transparency is not
not circumscribed by the obligations arising from Articles 12 to 14 of the GDPR, although the latter
are a concretization of the first. Indeed, the principle of transparency is a general principle
which not only reinforces other principles (e.g. fairness, accountability), but whose
result from many other provisions of the GDPR.
83(5) of the GDPR provides for the possibility of finding a violation of the transparency obligations
regardless of the violation of the principle of transparency. Thus, the GDPR distinguishes the dimension
of the principle of more specific obligations. In other words, the obligations of
transparency do not define the full scope of the principle of transparency. » 42
145. It is therefore right that the Inspection Service bases itself on the principle of transparency of Article
5.1.a) to consider that the persons concerned should have been informed of the existence of the
thermal cameras, although this obligation is not expressly found in the obligations
of transparency of article 13 of the GDPR.
146. However, recital 60 of the GDPR indicates that “The principle of fair and transparent processing
requires that the data subject be informed of the existence of the processing operation and its
purposes. The controller should provide the data subject with any other
information necessary to ensure fair and transparent processing, taking into account the
particular circumstances and the context in which the personal data is
processed”.
42EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp
Ireland under Article 65(1)(a)GDPR, 28 July 2021, §192. Free translation., Decision on the merits 47/2022 - 29/73
147. The fact that the temperature is taken by means of thermal cameras is an element
important for data subjects to be informed about the processing of their data. In
Indeed, the principle of fairness and transparency of Article 5.1.a) requires by its essence that the
data subjects know when their data is being processed or not.
148. The Litigation Chamber finds that during the period examined, the control of the temperature
was mentioned in two different documents provided by the defendant: the Rules of Order
Interior (hereafter: ROI) and the FAQ page which was accessible via the banner on the website. Any
of these two sources of information does not mention that the processing would or could be carried out
using thermal cameras.
149. As the defendant points out, the fact that thermal cameras are used at the airport
is information that was included in several press articles. For the Litigation Chamber,
the defendant cannot, however, rely sufficiently on the existence of information in
the press to dispense with its obligations of transparency with regard to the GDPR and with regard to
persons concerned. Indeed, it cannot be presumed that any passenger in transit at the airport
has read a press article allowing them to be fully informed of the existence and conditions of the
processing. In addition, data controllers cannot transfer their responsibility by
matter of transparency to the press and must assume them personally and directly.
150. The use of thermal imaging cameras was also made public by the defendant in
a press release published on June 10, 2020 on its website. If this initiative is in itself
commendable, it is insufficient for the Litigation Chamber. Indeed, the principle of transparency
requires that information be accessible in a centralized and consolidated way, for example through the
43
ROI or privacy policy, which are easily accessible. A press release,
which must, after a certain period, be the subject of a search in the web archives of a manager
treatment cannot be described as “easily accessible”.
151. Furthermore, the Litigation Chamber finds that the poster affixed by the defendant (see
point 124) indicates that the temperature is taken using a manual forehead thermometer,
while the first temperature is taken using thermal cameras.
152. In view of the elements presented above, the Litigation Chamber considers that the persons
concerned were not properly informed that their temperature might be taken
by thermal cameras and that it would therefore have been possible that the temperature of a person
concerned is taken without his knowledge
The Litigation Chamber therefore finds a violation of Article 5.1.a) of the GDPR.
43Recital 58: “[…] The principle of transparency requires that any information sent to the public or to the data subject be
concise, easily accessible and easy to understand, and formulated in clear and simple terms and, in addition, where appropriate, illustrated
using visual elements[…]”., Decision on the merits 47/2022 - 30/73
153. The second element to be examined concerns information about the legal basis of the processing
(article 13.1.c), and the regulatory framework for the obligation to monitor body temperature (article
13.2.e)). The Inspection Service found that this information was not available in any of the
sources of information available to data subjects. In this regard, the defendant
claims the applicability of Article 13.4, indicating that the persons concerned could not
ignoring the existence of this obligation, since it is based on the Protocol, expressly provided
by ministerial decrees published in the Belgian Official Gazette.
154. The Litigation Division cannot accept this argument put forward by the defendant. this
would imply that controllers should never inform individuals
concerned of the legal basis of the processing as soon as this has been published in the Belgian Official Gazette.
This logic obviously goes against Articles 13.1c), 13.2.e) and recital 58 which
require that this information be provided in a manner that "is concise, easily accessible and easily
to understand, and formulated in clear and simple terms. 44
155. Furthermore, the exception provided for in Article 13.4 only applies “where and to the extent that the
data subject already has this information", which implies that the data subject
must actually have this information. The mere fact that the information is available at the
Belgian Monitor does not meet this criterion. In any case, the Protocol on which the
defendant to base the disputed processing had not even made the obligation of a publication
45
before mid-August 2020, when it was supposed to apply from June 8.
156. In addition, contrary to what the defendant claims, the data controller must firstly
inform the data subject on which paragraph of Article 6 the data processing is based and,
in another time, what is the text and the precise provision which bases the legal obligation on which
would be based on the processing carried out under Article 6.1.c) of the GDPR. A pure reference to an "obligation
legal” without reference to the latter cannot be sufficient for the information of the persons
concerned is considered sufficient. The persons concerned could not, in these
circumstances, never verify whether a legal obligation within the meaning of Article 6.1.c actually exists and
derives from the legal provision in question.
157. The Chamber finds that this is not the case here since the Respondent did not
reference neither to the Protocol in question nor to the ministerial decrees at the time of the implementation of the
processing as the basis of its legal obligation to base the processing. By
moreover, the data processed being health data, the defendant must be able to justify a
exceptions provided for in Article 9.2 of the GDPR, which must be reflected in the information provided to the
concerned person. This reference to specific legal norms is essential for the
44
GDPR, recital 58.
45Investigation report, p. 32. The Inspection Service points out that this publication by the FPS only took place following its intervention
in another similar file., Decision on the merits 47/2022 - 31/73
data subject can be aware of the rights available to him and the obligations
to which it is subject for each treatment.
158. The Litigation Chamber therefore finds a violation of Articles 13.1c) and 13.2.e) of the GDPR.
159. With regard to the third and fourth element, i.e. the retention period of the
data, and the right to lodge a complaint with a data protection authority, the
Litigation Chamber finds that these breaches are admitted by the defendant. The violation
of Articles 13.2.a) and 13.2.d is established.
160. With regard to the fifth question, which is that of purpose, the Litigation Chamber
refers to these considerations below, in which it believes that the purpose was not
sufficiently explained in the information documents, before the modification of the policy
of confidentiality on December 2, 2020 (point 195 et seq.). It therefore finds a violation of Article
13.1c) on this point.
161. The Litigation Chamber therefore finds a violation of Articles 5.1.a, 13.1c), 13.2.d, 13.2.a, and
13.2.e) between June 15 and December 2, 2020 for departures.
b) violations that occurred on or after December 2, 2020 for departures
Findings of the Inspection Service
46
162. With regard to the violations that had from December 2, 2020 for departures, the
Inspection Service considers that they relate to the following elements:
- The basis of lawfulness invoked is not sufficiently precise (violation of Article 13.1.c));
- The fact that the temperature control is done through thermal cameras is never
stated (violation of Article 5.1(a));
- The possible consequences of non-provision of data are not indicated any more
that there is no reference to the ROI (violation of Article 13.2.e));
- Insufficiently precise mention of the purpose of the processing (see points 184 et seq.);
- The privacy notice always refers to the law of 8 December 1992 which has been repealed.
Position of the defendant
163. The defendant considers that the amendment to its privacy notice (dated November 23
2020, published December 2, 2020) clearly indicates the basis of legality. She believes that the
46
Date on which the amended privacy statement was posted., Decision on the merits 47/2022 - 32/73
Inspection Service adds a condition to Article 13.1.c requiring that the provision(s)
legal basis for the processing is clearly cited.
164. Regarding the lack of information on the use of cameras, as well as the question of the
purpose, the defendant refers to its considerations above (see point 141 et seq. and 160) and
dispute the grievances.
165. Regarding the reference to the ROI, she considers that this could indeed have been done better, but this
does not in itself constitute a breach of its duty to inform, especially since the ROI is present
inside the enclosure before any temperature control.
166. The defendant acknowledges a material error as to the reference to the law of 1992 which will be
corrected.
Position of the Litigation Chamber
167. The first element concerns compliance with Article 13.1.c) which requires mention of the legal basis
treatment. As indicated by the Inspection Service and by the defendant, from
of December 2, 2020, the defendant's privacy policy contained the statement
next :
168. “When we are in times of epidemic or pandemic, we are likely to
take the temperature to check if it is above 38°C. This temperature measurement
is only done on the basis of a legal obligation and this data is not stored or reused at
purposes other than to ensure the health security of persons passing through the airport. The duration
conservation is a few minutes. »
169. The defendant considers that this meets the requirements of Article 13.1c) of the GDPR while the
Inspection Service considers that the specific legal provision(s) should have been included,
same as the exception listed in article 9.2 of the GDPR allowing it to justify the processing of
health data.
170. For the Litigation Division, compliance with Article 13.1.c) implies that the person concerned must
to be informed in an exhaustive manner both of the precise basis of lawfulness on which the processing is based
but also of the text and the precise provision of the latter which creates the legal obligation which
bases the processing under Article 6.1.c). It refers on this subject to points 153 et seq.
above and finds a violation of Article 13.1.c) of the GDPR.
171. The second question relates to the fact that the temperature control is done through
thermal cameras would never be indicated (violation of article 5.1.a)). The Litigation Chamber, Decision on the merits 47/2022 - 33/73
refers on this subject to its position expressed above and which remains valid in the present case (see paragraphs 141 and
s.) and finds a violation of Article 5.1.a) of the GDPR.
172. The third question relates to the absence of any mention of the possible consequences of not
provision of the data due to the absence of reference to the ROI (violation of Article 13.2.e)). the
Inspection Service considers that the obligation to indicate the regulatory nature of the obligation to
provide the data and the possible consequences of not providing the character data
personnel, which are a requirement set out in Article 13.2.e) of the GDPR are not met. The
defendant considers that, since this information is in the ROI, Article 13.2.e) is complied with,
although a reference to ROI could have been made in the privacy policy.
173. The Litigation Chamber notes discrepancies between the information provided to persons
concerned according to the document examined. Indeed, the privacy policy mentions that
the processing is based on a legal obligation (even if this statement is incomplete, see point 153
and s.). On the other hand, it does not mention at any time the consequences of a refusal of treatment.
As far as the ROI is concerned, it clearly mentions that access to the terminal will be refused "to any
person refusing to submit to temperature screening or whose body temperature
is higher than 38°C after at least two readings”. However, it does not indicate the source of this
obligation.48The same is true for the “Frequently Asked Questions (FAQ)” page, which indicates
the consequences of a temperature above 38°C, but not the source of this obligation.
None of these three documents refers to the other, which implies that a data subject
who would have consulted only one document would not have had all the information available to them.
was entitled to receive. For the Litigation Chamber, this contravenes the requirements of a
information "concise, easily accessible and easy to understand, and formulated in clear terms
and simple”. It therefore finds a violation of Article 13.2.e) of the GDPR.
174. The fourth question relates to the mention of the purpose. On this point, the Litigation Chamber
notes that from December 2, 2020, the purpose was explained in the confidentiality policy
of the defendant in the form of "ensuring the health security of people passing through
the airport”. However, this purpose is not found as such in the ROI.
175. The fifth question relates to the reference to the law of 8 December 1992 (which has been repealed) in the
privacy policy. This element is not disputed by the Respondent and the Chamber.
litigation therefore finds that this statement is inaccurate and must be updated.
176. The Litigation Division therefore finds a violation of Articles 5.1.a, 13.1c) and 13.2.e).
47ROI, Article 8 and FAQ
48
ROI, Article 8: “The airport is under an obligation”.
49 GDPR, recital 58., Decision on the substance 47/2022 - 34/73
c) Arrivals from a red zone
Findings of the Inspection Service
177. With regard to arrivals from a red zone, the Inspection Service found a violation
Articles 5.1a, 12.1 and 13 of the GDPR based on the elements below:
- The information contained in the ROI and on the website indicates that the purpose of these
controls is to limit access to the terminal to people with a higher temperature
at 38°C, which in the context of checks on arrivals is incorrect (see point 49);
- The fact of not mentioning at any time that the temperature control is done by means of
thermal cameras;
- The fact that the information communicated to passengers returning from the red zone does not reflect
the conditions under which the control is carried out (article 5.1.a).
Position of the defendant
178. The defendant considers first of all that the initial premise of the Inspection Service is incorrect,
since he considers that he is wrongly limiting himself to only two documents when he should have considered
all sources of information.
179. She adds that only a version of the ROI has been put online for reasons of economy and efficiency. By
elsewhere, the ROI clearly states that passengers' temperatures will be taken.
180. Finally, the defendant challenges the innovative nature of thermal cameras.
Position of the Litigation Chamber
181. On the first question, which concerns the purpose of taking the temperature, the Litigation Chamber
indeed notes that the ROI mentions that temperature control is compulsory and that the
people who refuse to submit to it or who have a temperature higher than 38°C after
at least two controls will be refused access to the terminal. The ROI does not mention the case of
returns from the red zone, or the only consequence of a temperature above 38°C is that the
person concerned is given an awareness document. Delivery of this document is
without major consequences for the rights of the person concerned. However, by not specifying
that the control described only applies to departures, the text of the ROI implies that a person
could be refused access to the air terminal upon arrival, which creates confusion and poses a problem
with regard to the principle of transparency., Decision on the merits 47/2022 - 35/73
182. With regard to the wording of the information banner and the “Frequently Asked Questions”
questions (FAQ)” published, these do not specify either that the prohibition of access to the terminal does not
applies only to departures, which could lead the persons concerned to think that they can
be denied access to the terminal upon arrival as well. This again poses a problem for
with regard to the principle of transparency (article 5.1.a) of the GDPR).
183. On the second question, the Chamber refers to its considerations above, which remain valid.
It also notes that, as pointed out by the Inspection Service, the posters which were
affixed to departures (see point 124), are not present at arrivals, which implies that
the information available to passengers arriving from the red zone is even more incomplete than that
provided to departing passengers.
184. The Litigation Chamber therefore finds a violation of Articles 5.1.a), and 12.1.
50
II.3.5Finding 2: Violation of the principle of limitation of the purpose of the data
in accordance with article 5.1.b. GDPR
Findings of the Inspection Service
185. The Inspection Service considers that the purpose of the processing is the “health safety of
people transiting through the airport and employees working in the terminal”, since this is the
answer given to it by the defendant during the investigation and which recalled in the Analysis
of impact relating to the protection of personal data that the defendant transmitted
to the Inspection Service
186. The Inspection Service notes that the defendant did not determine with sufficient
specifies the purpose of the processing concerned in accordance with article 5.1.b of the GDPR in the sense
or the processing manager did not specify that the processing had a different objective and
different consequences for the persons concerned depending on the type of control
made (on departure or on arrival).
Position of the defendant
187. The defendant recalls first of all that the notion of purpose is not defined in the GDPR and
that it is therefore based on a definition of the CNIL. It considers that the purpose of the processing is
sufficiently determined: the aim is to ensure the health security of people passing through
the airport and employees in the terminal. The definition of the consequences of processing is not
50As previously indicated, the Litigation Division decided to reverse the examination of findings 2 and 3 of the Report
investigation., Decision on the merits 47/2022 - 36/73
a condition of regulatory validity of the principle of purpose limitation. The defendant adds
that the difference in treatment between departures and arrivals was justified by their situations
distinct and follows from common sense. People arriving from a red zone cannot be
sent home. She adds that she has never had to refuse access to the entrance to the terminal to people
concerned whose temperature was above 38°C, since they have decided in full
thank you for not continuing on their way.
188. She concludes that the purposes of the processing were clear, defined and legitimate and that she has always
complied with the principle of proportionality by balancing the health interests of
public and the privacy of the persons concerned.
Examination by the Litigation Chamber
189. Article 5.1.b of the GDPR specifies that the data must be processed for specified purposes,
explicit and legitimate. For the Litigation Chamber, in the present case, the question of the finality
of the treatment announced by the defendant can be analyzed separately from the question
the purpose stated in the legal basis (see points 102 and following above). The legal basis
invoked does not specify the purpose or does not specify it sufficiently clearly (see points 195 and
s.). It is therefore necessary to examine the purpose announced by the data controller.
190. For the interpretation of this principle, the Litigation Chamber refers to the opinion of the Working Group
51 52
Article 29, which details what is meant by an explicit purpose under Directive 95/46.
It is important to note that the main features of the purpose limitation principle
have remained identical between Directive 95/46 53 and the GDPR.
191. Regarding the determined nature of the purpose, the Litigation Chamber notes that this purpose
is clearly indicated by the defending party in its response to questions from the Service
inspection as being “the health security of people transiting through the airport” and is by
the follow-up recalled in the Impact Assessment relating to data protection carried out by the party
defendant. It is also indicated in a shortened form in the Register of
processing activities in the form of “health security”.
192. The Litigation Chamber therefore considers that the purpose is sufficiently determined.
51 "ARTICLE 29" Data Protection Working Group, "Opinion03/2013onpurposelimitation", op.cit., p.17.Translation
free.
52Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons
with regard to the processing of personal data and the free movement of such data
53Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons at
with regard to the processing of personal data and on the free movement of such data, Decision on the substance 47/2022 - 37/73
193. Regarding the explicit nature of the purpose, the opinion of the Article 29 Working Party explains this
following :
"The purposes of the collection must not only be specified in the minds of the people
responsible for data collection. They must also be explained. […]
The ultimate objective of this requirement is to ensure that the objectives are specified unambiguously
or vagueness as to their meaning or intent. The meaning must be clear and must not
leave no doubt or difficulty in understanding. […]
The obligation to specify the objectives "explicitly" contributes to transparency and predictability.
It makes it possible to unambiguously determine the limits of the use that those responsible for the
processing may make personal data collected, with a view to protecting the
persons concerned. It helps anyone who processes data on behalf of the data controller
processing, as well as data subjects, data protection authorities and other
stakeholders, to have a common understanding of how data can be
used. This reduces the risk that the expectations of the people concerned differ from
54
those of the controller”.
194. The opinion of the working group therefore insists on the need for an explanation of the purpose that
allows anyone to understand the purpose of the data processing and to avoid the
misunderstandings. Regarding the way in which this purpose should be explained, the opinion underlines the
following elements:
"In terms of responsibility, the specification of the objective in writing and the production of documents
adequate will help demonstrate that the controller has complied with the requirement of
55
Article 6(1)(b) . This would also allow data subjects to exercise
their rights more effectively - for example, this would provide evidence of the original purpose and
would allow a comparison with the subsequent processing purposes. » 56
195. The Litigation Chamber considers that this point is therefore closely linked to the question of the
transparency and information. As such, it refers to the observations made above (see point
162 and 174), which she also completes here. It appears from the various sources of documentation that
54 "ARTICLE 29" Data Protection Working Group, "Opinion03/2013onpurposelimitation", op.cit., p.17.Translation
free.
55Directive95/46/ECoftheEuropeanParliamentandCouncilof24October1995relatingtotheprotectionofindividuals
with regard to the processing of personal data and the free movement of such data.
56 "ARTICLE 29" Data Protection Working Group, "Opinion03/2013onpurposelimitation", op.cit., p.18.Translation
free., Decision on the merits 47/2022 - 38/73
the privacy policy did not contain any information about the purpose of the processing
before its modification on December 2, 2020. It was only during this modification that the purpose was
added, drafted in the following form: "ensure the health security of people transiting through
the airport”.
196. The ROI did contain an article 8 indicating that access to the terminal will be refused “to any person
refusing to submit to temperature screening or whose body temperature is
above 38°C after at least two readings”. The purpose can be deduced from the text of the ROI, but
it is not clearly explained or linked to a particular treatment. The FAQ page contains
also a similar phrase.
197. In view of the above elements, the Litigation Division concludes that the purpose of the processing was not
not explicit. Not only was it not announced when the treatment was set up,
but it was only following an answer to a question from the Inspection Service, the modification of the
privacy policy in December 2020 and at the completion of the DPIA, three months after the start
processing that this purpose was articulated, explicitly formulated and communicated to the DPA as well as
only to the persons concerned.
198. As to the legitimacy of the purpose, the Litigation Chamber considers that the purpose “to ensure the
health security of people transiting through the airport and employees working in the
terminal" is quite legitimate, particularly in view of the fact that the processing has been recognized as
justified by reasons of public interest in the field of public health in accordance with Article
9.2.i. of the GDPR (see point 84)
199. The Litigation Division therefore finds a violation of Article 5.1.b) of the GDPR due to the
non-explicit nature of the purpose.
II.3.6 Finding 4: violation of the obligation to carry out an impact study relating to the
data protection prior to processing (violation of Article 35.1.)
200. Based on its investigation, the Inspection Service comes to the conclusion that Article 35.1 of the GDPR has
been violated, due to the items below.
a) On the obligation to carry out a DPIA
Findings of the Inspection Service
201. The Inspection Service considers that a DPIA was necessary on the basis of the following criteria:, Decision on the merits 47/2022 - 39/73
- The processing concerns sensitive data, namely data concerning health;
- It is a large-scale treatment;
- The processing involves systematic monitoring of certain passengers via the submission
mandatory body temperature check;
- The processing includes an innovative use or application of new technologies
or organizational;
- The processing concerns, in part, vulnerable people and in particular
minors;
- Article 23 of the law of 30 July 201857 explicitly provides that “in execution of article
35.10 of the Regulation, a specific data protection impact analysis is
carried out before the processing activity, even if a general impact analysis relating to the
data protection has already been carried out in the context of the adoption of the legal basis. ".
Position of the defendant
202. The defendant first of all specifies that only the data of persons whose temperature is
above 38°C are processed, since only these are the subject of an image taken by camera.
203. Regarding the notion of large scale, the defendant considers that the Inspection Service does not
not based on the right figures, since it takes into consideration all the people who have
transited through the airport and not people who had a temperature above 38°C. He is at
it is currently impossible to know this number of people since the summary files
number of interventions were destroyed each week.
204. In addition, with regard to passengers returning from the red zone, the Inspection Service
would consider, without any reason, that it is a large-scale treatment.
205. The defendant considers that only the criterion of systematic surveillance of certain passengers
is relevant in the present case. It was this criterion alone that forced him to undertake a DPIA.
206. Finally, the defendant disputes the innovative nature of the cameras, which are old technology
according to her.
Examination by the Litigation Chamber
207. Article 35 specifies the circumstances in which it is necessary for a person responsible for
processing to carry out a DPIA. This article is reproduced in part below:
57
Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data., Decision on the merits 47/2022 - 40/73
“Rule 35
Data Protection Impact Assessment
1. Where a type of processing, in particular through the use of new technologies, and account
given the nature, scope, context and purposes of the processing, is likely to generate
a high risk to the rights and freedoms of natural persons, the controller
carry out, before the processing, an analysis of the impact of the planned processing operations on the
protection of personal data. One and the same analysis can relate to a
set of similar processing operations that present similar high risks.
2. When carrying out a data protection impact assessment, the data protection officer
processing shall seek advice from the data protection officer, if such a officer has been appointed.
3. The data protection impact assessment referred to in paragraph 1 shall, in particular,
required in the following cases:
a) the systematic and thorough evaluation of personal aspects concerning persons
physical, which is based on automated processing, including profiling, and on the basis of
which are taken decisions producing legal effects with regard to a person
physical or significantly affecting it in a similar way;
(b) processing on a large scale of special categories of data referred to in Article 9,
paragraph 1, or personal data relating to criminal convictions and
offenses referred to in Article 10; Where
(c) systematic large-scale monitoring of an area accessible to the public. »
208. The Litigation Division also specifies that the DPA has adopted a list of processing operations for
which a DPIA is required. She also notes that with regard to the use of cameras
thermal data, the European Data Protection Supervisor (EDPS) has already been able to confirm in
59
a position paper dated February 1, 2015 that the completion of a DPIA is indeed required.
209. Furthermore, the Litigation Division considers that recital 91 of the GDPR corroborates the
need to carry out a DPIA in this situation, since it indicates in particular that “An analysis
impact statement relating to data protection should also be carried out when data
58 Data Protection Authority, Decision No. 01 2019 of January 16, 2020. Available at:
https://www.autoriteprotectiondonnees.be/publications/decision-n-01-2019-du-16-janvier-2019.pdf
59 EDPS, Letter of 1 February 2015. Available at: https://edps.europa.eu/sites/default/files/publication/16-02-
01_letter_klimowski_2015_fr.pdf, Decision on the merits 47/2022 - 41/73
of a personal nature are processed for the purpose of making decisions relating to persons
specific physical features following a systematic and thorough assessment of personal aspects
specific to natural persons on the basis of the profiling of said data or following the
processing of special categories of personal data, data
biometrics or data relating to criminal convictions and offences, or to
related security measures”. 60
210. It has been established that the processing in question relates to special categories of data
(health data) and that it has the consequence, in any case for the processing taking place at the
departures, to decide whether or not passengers and accompanying persons can enter the terminal.
211. The Litigation Chamber notes that the defendant does not dispute the fact that a DPIA
was mandatory for the processing in question. His criticisms relate essentially to the criteria
retained by the Inspection Service, the relevance of which it sometimes contests (points 202-206 below).
above) .
212. For the Litigation Chamber, the defendant makes a retrospective and erroneous assessment
criteria for determining whether a DPIA is required. Indeed, when the party
defendant had to carry out its DPIA (see points 261 et seq. below) it was unaware of the percentage
passengers who would have a temperature above 38°C and therefore could not at this stage
61
determine that he was “extremely weak”, as she does a posteriori in her conclusions.
The defendant should have considered that all the expected passengers could
potentially be a data subject. It is therefore this figure that should be taken into account.
consideration to judge whether it was a large-scale treatment or not.
213. Moreover, although the images temporarily stored only concern persons with a
temperature above 38°C, it is indeed all the passengers and accompanying persons at the
departure and all passengers returning from the red zone who are subject to verification of the
temperature. The IS therefore relies on correct reasoning by determining that to determine
“the nature, scope, context” of the processing, it had to be considered that it applied to
all the passengers concerned and not only those whose temperature was higher than
38°C.
214. As for the innovative nature of thermal cameras, the Litigation Chamber considers that this
criterion, assuming that it is not established, does not change the conclusion that follows, namely that a DPIA
was needed.
215. The Inspection Service also considered that a DPIA was required under article 23 of the law
of July 30, 2018 (see point 201), which specifies that “a specific impact analysis for the protection of
60
It is the Litigation Chamber that highlights.
61 Defendant's submissions, p. 45, Decision on the merits 47/2022 - 42/73
data is carried out before the processing activity, even if a general impact analysis relating
to data protection has already been carried out in the context of the adoption of the legal basis”. The
Litigation Chamber points out, however, that this article only applies to the public sector,
as specified in Article 19 of the same law and is therefore not applicable in this case.
b) On the obligation to carry out a DPIA prior to processing
Findings of the Inspection Service
216. The Inspection Department notes that the DPIA of BSCA S.A. was carried out on 18 September 2020 whereas
that the processing operations concerned were implemented on June 15, 2020 concerning the persons
concerned on departure and on 7 September 2020 for passengers returning from a red zone. According to
the Inspection Service, the DPIA must be carried out prior to the implementation of the processing and
no exception is provided for by Article 35 of the GDPR.
Position of the defendant
217. The defendant emphasizes the exceptional nature of the situation in which it found itself. If he
is true that no exception exists to this obligation in the GDPR, the defendant
considers that this is clearly a case of force majeure which could not have been foreseen by the legislator.
It indicates that the DPO had been laid off, like the majority of his staff.
It was only when the health situation calmed down that the defendant was able to carry out the DPIA, at
posterior. She also recalls that she had no choice but to set up the system of
control and that although this does not release it from its obligation, it carried out this one as soon as it
been able to do that.
Examination by the Litigation Chamber
218. For the Litigation Division, it is clear from the text of the GDPR, as admitted by the part
defendant that the DPIA must be carried out before the processing is implemented. The text does not provide
no exceptions. The Litigation Chamber notes that the DPIA was only carried out on September 18
2020, i.e. three months after the start of the treatment (June 15, 2020).
219. The defendant does not demonstrate how the conditions for such force majeure would have existed.
220. The Litigation Chamber therefore finds a violation of Article 35.1 of the GDPR.
62 GDPR, article 35.1° and recital 90., Decision on the substance 47/2022 - 43/73
c) On the quality of the DPIA carried out by the defendant in accordance with Article 35.7 of the GDPR
On the description of the processing operations and the purposes of the processing of the DPIA (article
35.7.a GDPR)
Findings of the Inspection Service
221. The Inspection Service notes, as indicated above (see point 186), that the
purpose of the processing is not sufficiently specified.
222. It also considers that the DPIA does not describe, in a sufficiently precise manner, the procedure
in place surrounding passenger body temperature screening and more specifically
concerning the consequences that such a control could have for the persons concerned.
223. In addition, the Inspection Service considers that the DPIA contains certain inconsistencies, in particular
concerning the recording/retention of personal data from the cameras
nor does it highlight the analysis as to the quality of the legal basis
invoked in accordance with Articles 6.1., 6.3. and 9.2.i. of the GDPR.
Position of the defendant
224. In general, the defendant is surprised by certain criticisms leveled at it, given
that it referred to the CNIL model to carry out its DPIA, since the DPIA does not have any
tool about it.
225. The defendant points out that there is no definition of the notion of purpose in the GDPR and that it
has chosen to define it as follows: “the health security of people transiting through
the airport and employees working in the terminal”. The defendant considers that this definition
is very clear.
226. As regards the type of procedure employed, the defendant considers that this is left to the
discretion of the data controller and that several methodologies exist. The
defendant argues that it is difficult to conceive that the use of a tool from a
another authority leads to a finding of breach even though the DPA does not provide a tool to
arrangement.
227. The defendant adds that the consequences for the persons concerned are well known to the
data controller – and of the persons concerned with regard to the information provided to them, Decision on the substance 47/2022 - 44/73
provided – and therefore it is not, per se, necessary to state every consequence in the DPIA as long as
the final result indicates the risks for the rights and freedoms of the data subjects.
228. Regarding the inaccuracies mentioned, the defendant argues that the DPIA contains
all the information relating to the processing with an explanation as to the fact that the
software keeps the last 20 images and that this information is in the AIPD at various
points. It therefore considers that this information is not missing, because it is mentioned
in other places in the DPIA.
229. With regard to the legal basis, the defendant considers that it is not for the IS to reproach a
data controller potential shortcomings of the executive responsible for applying the laws and
put in place implementing decrees for these laws.
Examination by the Litigation Chamber
230. Article 35.7 contains an enumeration of the elements that a DPIA must contain. It is reproduced below
below:
“7. The analysis shall contain at least:
a) a systematic description of the processing operations envisaged and the purposes of the
processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations with regard to
purposes;
c) an assessment of the risks to the rights and freedoms of data subjects in accordance with
in paragraph 1; and
d) the measures envisaged to deal with the risks, including guarantees, measures and
security mechanisms aimed at ensuring the protection of personal data and
provide proof of compliance with these regulations, taking into account the rights and interests
legitimate interests of data subjects and other affected persons. »
231. With regard to the purpose of the processing, the Litigation Division refers to the considerations
above (see points 189 and following) and considers that the purpose identified by the defendant
is determined and legitimate. In the context of the DPIA, it can be considered sufficiently
described.
232. With regard to the description of the procedure put in place for taking the temperature
passages, the Litigation Division cannot subscribe to the defendant's argument
complainant of the lack of guidance from the DPA which would oblige him to use the tool provided by a
other authority. The Litigation Chamber recalls that at the beginning of 2018, the DPA published a Decision on the merits 47/2022 - 45/73
DPIA Recommendation. Furthermore, the Litigation Chamber considers that a manager of
processing cannot rely on a lack of guidance from a supervisory authority
since this would be contrary to the liability principle of Article 24 of the GDPR. He is quite
free for a data controller to use tools made available to the public by
supervisory authorities of other member states of the European Union. This use is, however, left
at the discretion of the data controller who must ensure that the tool used complies with the
prescribed by the supervisory authority to which it is subject.
233. This recommendation contains in particular the following paragraph:
“Among other elements relevant to determining the nature, scope and context of
processing, we can cite: the categories of persons concerned, the scale of the processing of
data, the origin of the data, the relationship between the controller and the persons
concerned, the possible consequences for the persons concerned and the degree of ease
with which the persons concerned can be identified”. 64
234. In this case, the DPA had indicated as early as 2018 that the DPIA should contain a description of the
possible consequences for the persons concerned. This is all the more important in the
current file since the consequences for the persons concerned were the objective of this
treatment, namely preventing people with a temperature above 38°C from entering
in the terminal and take their flight. Since this objective is the very reason for the processing, it does not
could be concealed in the description of the processing under the DPIA.
235. With regard to the mention of the data retention period, the Litigation Chamber
indeed notes that the DPIA drawn up by the defendant mentions both "no
storage of data locally on the PC, nor on paper “65,” the captured images are not
recorded. This is real-time monitoring” 66 whereas the procedure provides that the 20
last images are accessible. For the Litigation Chamber, this lack of consistency affects
the clarity of the description of the processing operations.
236. Finally, with regard to the quality of the legal basis, the Litigation Chamber considers that it
it is up to the data controller, within the framework of the DPIA, to assess the impact of the choices
concerning the processing that has been carried out on the legal basis or, in the event of an incomplete legal basis,
describe the treatment methods that have been chosen (as well as their reasons) in order to meet
63 Data Protection Authority, Recommendation No. 01/2018 of 28 February 2018. Available at
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2018.pdf
64
Ibid, p. 17.
65
Respondent's Data Protection Impact Assessment, p. 4.
66Ibid, p. 5.
67Ibid, p. 3 and 7., Decision on the merits 47/2022 - 46/73
breaches of the legal basis. This is all the more the case here, since the
68
defendant acknowledged the vagueness of the Protocol and the fact that a law would have been preferable.
237. Based on the above considerations, the Litigation Chamber finds a violation of Article
35.7.a) GDPR.
On the assessment of the necessity and the proportionality of the processing operations with regard to the
purposes ((article 35.7.b) of the GDPR)
Findings of the Inspection Service
238. The Inspection Service notes that, insofar as the purpose of processing has not been
correctly determined within the meaning of Article 5.1.b) of the GDPR, the exercise of assessing the need
and proportionality of the measure cannot be considered to have been properly
carried out.
239. The Inspection Service also notes that the analysis is rather summary or even incorrect
concerning the retention of personal data and that the analysis of the necessity and
proportionality of the processing was simply limited to assessing how the collection of the
body temperature is limited, adequate and relevant to the purpose, whereas it would have
had to take into account the number as well as the locations of the cameras installed in order to
collect the body temperature of the persons concerned, the permanent nature or not of the
processing concerned, the categories of persons concerned by the collection.
240. The Inspection Service adds that the adequacy and limited nature of the personal data
as well as the relevance of the collection of these categories of data are not proven.
Position of the defendant
241. The defendant regrets that the DPA did not set up a more comprehensive tool than that of the CNIL
to indicate the information that would be missing according to the IS. She notes that she must
complete this tool because the elements that the inspection service mentions are not requested,
sensu stricto, within the framework of the CNIL tool.
242. She reiterated her criticisms already formulated indicating that, unless she is mistaken, neither the DPA nor she has any
in-house scientific competence to analyze the relevance of temperature collection
bodily as a potential indicator of a person's infection with the coronavirus.
68See point 79., Decision on the merits 47/2022 - 47/73
243. She adds that it is not appropriate to carry out, a posteriori, a scientific analysis of this
need. The choice of this way of working was made by the concluding party on the basis of a
pragmatic analysis of the possibilities which were his and, as already stated, of the practices
used at 65 other airports around the world.
244. She insisted on the fact that it is not the responsibility of the Inspection Service to validate or not the choice of a
methodology in order to achieve the health safety objective pursued by the conclusive.
Examination by the Litigation Chamber
245. The Litigation Division has already considered that the purpose expressed by the defendant was
sufficiently determined within the meaning of Article 5.1.b) of the GDPR (points 189 and following). So she can
be validly used as a starting point to assess the necessity and proportionality of the
processing.
246. However, for the Litigation Chamber, the analysis of the relevance, adequacy and character
limited data collected is insufficient. Indeed, it is limited to a few lines which do not
in no way demonstrate an in-depth analysis of the necessity and proportionality of the operations
treatment. As previously indicated, the information is also inaccurate with regard to
relates to the retention period of the data. The examination carried out by the defendant does not
mentions that the temperature data and does not at any time examine the question
recording an image of the data subject. However, it is in itself quite possible to
measure people's temperature without photographing them. The purpose of the DPIA
being precisely to assess the impact of the choices made regarding the processing methods.
247. Moreover, as the Inspection Service points out, the defendant does not take any
take into account certain processing methods such as the number of cameras, their location and
does not substantiate some of these assertions. At no time does it examine the need for
collection of these data, even though the text of the Protocol which constitutes the legal basis
claimed states that “EASA and ECDC do not recommend taking the temperature of
passengers to allow them to travel with 'immunity passports'. The agency recalls
that the relevance of this test is not supported by current scientific knowledge about
69
of SARS-CoV-2. (see point 99).
248. In other words, the DPIA carried out by the defendant does not constitute a genuine
analysis of processing operations and all their modalities from the point of view of the necessity and
proportionality. However, this review was particularly important given the lack of a framework
69
Protocol p. 5., Decision on the merits 47/2022 - 48/73
provided by the claimed legal basis which granted significant leeway to the party
defendant in the choice of processing operations.
249. Based on the above considerations, the Litigation Chamber finds a violation of Article
35.7.b) GDPR.
On the assessment of the risks to the rights and freedoms of data subjects (Article 35.7.c of the
GDPR)
Findings of the Inspection Service
250. BSCA S.A. analyzed the risks with regard to the confidentiality, availability and integrity of data,
but not the risks associated with “false positives” and “false negatives” given the impact that such
risk may have on the persons concerned
251. The IS also considers that the risk of data availability and integrity has not been
sufficiently taken into account and that the RT could not correctly assess the risk of availability
that could arise in the event of unavailability of data.
252. In addition, BSCA S.A. was unable to correctly assess the risk that could arise in the event
unavailability of data.
253. BSCA S.A. has also not assessed the integrity risk that could arise in a situation where the
parameters of the device used were to be modified (calibration at a lower temperature
at 38°C).
254. The risk analysis carried out by the concluding party is not, according to the inspection report, sufficient
since the DPIA is content to analyze the risks in relation to confidentiality, the availability
and data integrity.
Position of the defendant
255. For the defendant, the DPIA limits its analysis to just a few points, on the grounds that the tool
proposed by the CNIL does not provide for the analysis of the other questions mentioned in the report
inspection. The concluding party believes that it has chosen an official methodology, validated and provided by a
Data protection authority recognized at European level. She legitimately couldn't
knowing that the tool in question was going to be considered incomplete by the inspection service of
DPA., Decision on the merits 47/2022 - 49/73
256. The defendant adds that the risks of false positives or false negatives are not to be analyzed in
the framework of this procedure because it does not see how these risks are within its remit or should
impact the processing of body temperature data. The defendant states that it did not have
carried out PCR tests, and that the notions of false positives or negatives therefore did not exist in the
treatment she was doing.
257. The defendant recalls that after the third body temperature test (the anamnesis), she did not
never prevented someone from accessing the terminal. The persons concerned have themselves
decided not to enter the terminal.
258. Concerning the inaccuracies or lack of completeness mentioned by the inspection service
as to the risks of availability and integrity, the defendant notes that the inspection service
considers that its analysis is not sufficiently substantiated and takes due note of the improvements to be made
place in the framework of the next DPIA that it will have to carry out.
Examination by the Litigation Chamber
259. For the Litigation Division, it appears that the risk analysis carried out by the party
defendant is deficient. For example, to the question “2.1 What could be the main
impacts on data subjects if the risk [of illegitimate access to data] occurs? »,
the defendant responds “limited impact”. This extremely brief answer
demonstrates in any way that the defendant has thought about the risks of illegitimate access to
Datas. In other words, the defendant does not indicate the risks that could
weigh on an affected person if a photo of themselves showing a higher temperature
at 38°C had just been obtained by a third party.
260. Similarly, during the assessment of risk 4: “disappearance of data”, the information given by
the defendant are equally sketchy. The defendant states on several occasions that
the risk is “not applicable (no storage)”, which is incorrect information
since there is indeed a recording of the images, even if this is limited in time.
The Litigation Chamber also considers here that the defendant has not demonstrated that it
has carried out a correct and complete risk analysis.
261. The Litigation Chamber also considers that the defendant failed to examine
certain risks in its DPIA. The defendant indicates that the risks examined are those
which are contained in the tool made available by the CNIL. This cannot, however, excuse the absence
taking into account certain identified risks. Indeed, Article 35.7.c) also mentions
expressly “an assessment of the risks to the rights and freedoms of data subjects”.
We do not see how an additional document could confirm what the legal text
already mentioned. In addition, in its Recommendation No. 01/2018, the DPA indicates in particular that the, Decision on the merits 47/2022 - 50/73
following elements must be considered as risks: financial losses, the situation
where data subjects cannot exercise their rights and freedoms or are prevented
to exercise control over their personal data; and any other economic damage
70
or socially significant.
262. Recommendation No. 01/2018 indicates that “the loss of an opportunity” and the “denial or limitation
access to places or events that are usually accessible to the public" are examples
violations of rights and freedoms. For the Litigation Chamber, the fact of refusing access to the terminal
to data subjects and preventing them from taking a flight may constitute an infringement
rights identified or a risk as identified in the recommendation. As such, these risks
should have been considered by the defendant. The Litigation Chamber considers that a
example of such an analysis was carried out by the defendant in its pleadings
responding to finding 5 of the Inspection Service regarding the violation of the principle of
confidentiality and the obligation to put in place technical and organizational measures in
with a view to securing data (see points 274 et seq.) and finding 6 on the principle of data protection
data from design and by default (point 291 et seq.) . The Litigation Chamber regrets
that this analysis was not included in the DPIA as it should have been.
263. The Litigation Division also finds no impact analysis carried out at the time of
the elaboration of the legal basis allegedly founding the processing. It was all the more important
71
for the defendant to do a full risk analysis.
264. The Litigation Chamber therefore finds a violation of Article 35.7.c).
On the measures envisaged to deal with the risks (article 35.7.d of the GDPR)
Findings of the Inspection Service
265. In view of the foregoing, the Inspection Service notes that, having failed to assess the
risks to the rights and freedoms of the persons concerned, BSCA S.A. was unable to analyze the
measures likely to deal with these risks in accordance with Article 35.7.d. of the GDPR.
70 Data Protection Authority, Recommendation n° 01/2018 of February 28, 2018, §46. Available on
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2018.pdf.
71Article 35.10 of the GDPR provides that a data controller may be exempted from carrying out an impact analysis if
this has already been carried out during the drafting of the standard provided for in Article 6.1.c), which does not seem to be the case here., Decision on the merits 47/2022 - 51/73
Position of the defendant
266. For the defendant, this assertion is not entirely correct. In fact, she says she has
carried out an analysis of the measures based on the criteria included in the CNIL tool. It is so
It is wrong to say that this assessment is impossible without further supporting it.
267. For the defendant, it would have been desirable for the Inspection Service to check how and why
the measures envisaged were not sufficient in view of the risks which emerged from the DPIA
made by the defendant.
268. Without foundation, it considers that it is not possible to consider that a breach is to be deplored
on the part of the defendant.
Examination by the Litigation Chamber
269. Like the IS, the Chamber finds that breaches of Rule 35.7(a), (b) and (c) render
impossible to correctly assess the measures to deal with the risks, which have not been
assessed. For the Litigation Chamber, Article 35.7.d has therefore been violated.
Concluding remarks
Findings of the Inspection Service
270. Furthermore, the Inspection Service wishes to emphasize that, given the findings made, it
did not consider it appropriate to analyze each of the elements of BSCA S.A.’s DPIA insofar as the
Inspection Service considered that these findings alone were sufficient to establish the
violation of section 35.7. of the GDPR.
Position of the defendant
271. The defendant does not respond to the findings of the Inspection Service on this point.
Examination by the Litigation Chamber
272. In conclusion and in view of the elements specified above, the DPIA carried out by the defendant
does not constitute a sufficiently detailed and complete exercise to fulfill the conditions of
Article 35.7 of the GDPR. Indeed, the document presented is more like a description and validation, Decision on the merits 47/2022 - 52/73
of the treatment that was already in place rather than a real risk assessment exercise for the
rights and freedoms of the persons concerned and an overall reflection on the implementation of this
system. On the basis of the above points, the Litigation Chamber therefore finds a violation of
section 35.7.
II.3.7 Finding 5: Violation of the principle of confidentiality and of the obligation to
put in place technical and organizational measures to secure the data
(article 5.1.f and 32 of the GDPR)
Findings of the Inspection Service
273. The Inspection Service finds that BSCA S.A. has breached the principle of confidentiality and the obligation to
put in place appropriate measures to guarantee the security of data in violation of the
articles 5.1.f. and 32 GDPR. This observation is based on the fact that the identifiers and passwords
passwords used to access the computer controlling the thermal cameras are included in the
Memo communicated to X and to the defendant's firefighters, which entails a risk
consultation of the data by a person other than those authorized.
Position of the defendant
274. For the defendant, a risk can be defined as “a scenario which describes an event and its
effects, estimated in terms of severity and probability”.
275. The analysis of the risk underlying unauthorized access to the computer connected to the cameras imposes the
conclusion that the measures in place reduce this risk to an extremely low level (or even zero)
both in terms of likelihood and severity and therefore the measures in place are
adapted to the risk as required by Article 32 of the GDPR.
276. The defendant considers that the PC in question is never accessible by anyone other than
firefighters or X staff and even if a person had access to this room and
to this computer, even if she had to have access to the codes available in the memo kept
by firefighters. But this is highly unlikely according to her.
277. With regard to the risk, the defendant argues that an unauthorized person would have had access
to this computer by possessing the access codes, but she would not have had access to any data
personal since the system erases the data during a reboot. Now, as the staff of X
was present during all opening hours of the airport, with the fire brigade, no other
no one would have had access to the room in which the data was processed during the day., Decision on the merits 47/2022 - 53/73
Examination by the Litigation Chamber
278. Article 5.1.f) of the GDPR establishes the principle of integrity and confidentiality. It is reproduced below
below:
“1. Personal data must be:
[…]
f) processed in a way that ensures appropriate security of personal data, including the
protection against unauthorized or unlawful processing and against loss, destruction or damage
of accidental origin, using appropriate technical or organizational measures (integrity and
confidentiality); »
Recital 39 of the GDPR adds that “Personal data should be processed as
manner to ensure appropriate security and confidentiality, including to prevent unauthorized access
authorized to this data and to the equipment used for their processing as well as the unauthorized use
of this data and this equipment”
279. This principle is further detailed in Article 32 which concerns the security of processing and which
is worded as follows:
“Rule 32
Processing security
1. Considering the state of knowledge, the costs of implementation and the nature, scope,
the context and purposes of the processing as well as the risks, including the degree of probability and
gravity varies, for the rights and freedoms of natural persons, the controller and the
subcontractor implement the appropriate technical and organizational measures in order to
guarantee a level of security appropriate to the risk, including among others, as required:
(a) pseudonymization and encryption of personal data;
b) the means to guarantee the confidentiality, integrity, availability and
ongoing resilience of processing systems and services;
c) means to restore the availability of personal data and
access to them within appropriate timeframes in the event of a physical or technical incident;, Decision on the merits 47/2022 - 54/73
(d) a procedure for regularly testing, analyzing and evaluating the effectiveness of
technical and organizational measures to ensure the security of the processing.
2. When assessing the appropriate level of security, particular account shall be taken of the risks that
presents the processing, resulting in particular from the destruction, loss, alteration,
unauthorized disclosure of personal data transmitted, stored or otherwise processed
otherwise, or unauthorized access to such data, accidentally or unlawfully.
3. The application of an approved code of conduct as provided for in Article 40 or a mechanism for
certification approved as provided for in article 42 can be used as an element to demonstrate compliance
of the requirements provided for in paragraph 1 of this article.
4. The controller and the processor shall take measures to ensure that any
natural person acting under the authority of the data controller or that of the subcontractor,
who has access to personal data, does not process them, except on instructions from the
controller, unless required to do so by Union law or the law of a Member State. »
280. According to the IS, the data concerned is at risk of consultation by an unauthorized person from the
means that the password and login to access the computer connected to the thermal cameras are all
two available on the Memo communicated to X of Belgium.
281. On the basis of the elements provided by the defendant, the Litigation Chamber considers that this
risk is unlikely. Unauthorized access could only take place if all
following circumstances were encountered:
- Have access to X's memo;
- Have access to the premises with the PC. According to the defendant, the PC is still occupied by
a team during the opening hours of the airport for departures, and during arrivals from
passengers coming from red zone at arrivals. . It therefore seems impossible for a person
third party to use the computer given the presence of the teams.
- Can connect with logins and password.
The Litigation Chamber therefore considers that the probability of the risk of unauthorized access is very
weak.
282. Furthermore, the Litigation Division agrees with the defendant's conclusion, which indicates
that even in the event of unauthorized access to the PC, the third party would at best only have access to the 20
latest photos of people with a temperature above 38°C. This personal data,
apart from the specific context of its treatment and a possible refusal of entry into the terminal, Decision on the merits 47/2022 - 55/73
is a fact that in itself involves little risk and is not very intimate, the vast majority of
people who have had a fever at some point in their life. Furthermore, if a non-access
authorized took place after the PC was shut down at the end of the day, all images would then already have
been erased. The Litigation Chamber therefore considers that the security risk is very low, and
that a violation of article 5.1.f and 32 of the GDPR cannot be accepted.
283. However, it generally recommends, as a security measure, to avoid
keep the login and password on the same document. Thus, if the password can be
kept on the memo, it is clearly more secure to send it by a communication mode
different (email, SMS, etc.) which also makes it possible to ensure more frequent renewal and
password easy.
284. For the Litigation Chamber, the Respondent should have demonstrated its correct assessment
security risks when carrying out the DPIA. She can only regret that the three pages
arguments and explanations found in the conclusions of the defendant did not
incorporated into the corresponding part of the DPIA. It refers in this respect to these conclusions below.
above (see point 262).
II.3.8 Finding 6: Violation of the principle of data protection by design
and by default (article 25 of the GDPR)
Findings of the Inspection Service
285. For the Inspection Service, given the potentially serious risks to the rights and
freedoms of data subjects implied by the use of smart cameras whose
thermal cameras are part of it, it is essential that the data controller takes
appropriate measures to guarantee the effectiveness of the principles of data protection from the
design and default. This is all the more important if the processing in question involves
sensitive data, namely data concerning health.
286. First of all, the Inspection Service considers that by not carrying out the DPIA before the establishment of the
processing, the defendant was unable to properly document and analyze the various
appropriate measures. It refers in that regard to those findings above (see paragraph 262).
287. The Inspection Service notes that the thermal cameras retain the last twenty images
alert in the cache memory (RAM) of the thermal camera management software that is
erased gradually as well as when the computer is shut down (which takes place every evening). For the
Inspection Service, this temporary storage is not necessary to isolate people
and carry out additional checks (on arrival) or to inform them of the symptoms, Decision on the merits 47/2022 - 56/73
potentials of COVID-19 (initially). A simple visualization of alerts in real time would be
sufficient.
288. Furthermore, the Inspection Service considers that the defendant did not inquire about the
storage with the camera supplier, when it should have been and the supplier himself
even questioned the defendant about it.
289. Finally, the Inspection Service considers that checking the temperature of those accompanying
is not necessary to achieve the purpose described. It adds that the title of the Protocol referring
to temperature control only applies to passengers and not accompanying persons.
290. On the basis of these elements, the Inspection Service finds that BSCA S.A. violated both the principle of
minimization of data as well as the principle of data protection by the design of the
articles 5.1.c. and 25 GDPR.
Position of the defendant
291. The defendant considers first of all that the findings of the Inspection Service show a
lack of practicality. It considers that the analysis of the Inspection Service lacks an in-depth analysis
of the situation.
day, it is not possible to arrest all people with a temperature above 38°C
immediately at the precheck level. It is therefore necessary to record the images of the cameras
so that people can be recognized and identified. Without these records, there is a
risk of missing identified people. The defendant does not see how it could have
operate the system with a “simple visualization of alert images in real time”,
as suggested by the Inspection Service.
292. The defendant adds that the recorded images are limited to a maximum of 20 at a time and
that they are systematically erased at the end of a day, i.e. after a maximum of
5 p.m. (4 a.m. to 9 p.m.).
293. It refutes the finding that it did not question the subcontractor about the deadline for
conservation, indicating that this conclusion cannot be drawn from the very brief exchange of emails quoted.
294. The defendant also fails to see how it could have avoided processing the data of the
accompanying persons as soon as they arrive at the airport, except to sort between the
accompanying persons and travellers, which does not seem reasonable to him either in human terms or in terms of
organizational. It indicates that it has also communicated on its website that access to the
terminal is reserved for travelers in possession of a valid plane ticket, but it was difficult for them
to refuse an accompanying adult to accompany their child in the terminal. She adds that, Decision on the merits 47/2022 - 57/73
they also constitute a health risk from the moment they enter the airport.
The concluding party considered, for the purposes of the application of the Mandatory Protocol which was
imposed and given its organization, that anyone passing through the precheck was
a passenger within the meaning of the Protocol.
Examination by the Litigation Chamber
295. The findings of the Inspection Service are based on Articles 5.1.c) and 25 of the GDPR, which
relate respectively to the principle of data minimization and the principle of data protection.
data by design and by default. They are reproduced below:
“Clause 5
Principles relating to the processing of personal data
1. Personal data must be:
[…]
a) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed (data minimization); »
“Rule 25
Data protection by design and data protection by default
1. Considering the state of knowledge, implementation costs and the nature, scope,
the context and purposes of the processing as well as the risks, including the degree of probability and
severity varies, whether the processing presents for the rights and freedoms of natural persons, the
controller implements, both at the time of determining the means of the
processing only at the time of the processing itself, the technical and organizational measures
appropriate, such as pseudonymization, which are intended to implement the principles
relating to data protection, for example data minimization, in an effective and
to provide the processing with the guarantees necessary to meet the requirements of this
regulation and to protect the rights of the data subject., Decision on the merits 47/2022 - 58/73
2. The controller implements the technical and organizational measures
appropriate to ensure that, by default, only personal data that is
necessary with regard to each specific purpose of the processing are processed. This applies to the
amount of personal data collected, the scope of their processing, their duration of
preservation and accessibility. In particular, these measures ensure that, by default,
personal data are not made accessible to an indefinite number of
natural persons without the intervention of the natural person concerned.
3. A certification mechanism approved under Article 42 may serve as an element for
demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this article. »
296. The principle of minimization is a key principle in the implementation of the principle of protection of
data from design and by default, being directly referenced in the first and second
paragraph of article 25.
297. These articles impose various obligations on the data controller which may be
summarized as follows. First of all, only the data necessary to carry out the
purpose must be processed (article 5.1.c of the GDPR). Then, the data controller must put
put in place appropriate technical and organizational measures intended to implement
implements the principles relating to data protection (Article 25.1 of the GDPR) . Finally, the manager
processing must put in place appropriate technical and organizational measures to
ensure that, by default, only personal data that is necessary in relation to
each specific purpose of the processing are processed (Article 25.2 of the GDPR).
298. Firstly, the Litigation Division concurs with the Inspection Service on the fact that compliance with
these obligations should have been demonstrated in the DPIA that the data controller had to
performed before starting treatment. The Litigation Chamber refers in this respect to these
findings above (see paragraph 262). However, it will base its analysis on the elements
additional information provided by the defendant in its pleadings.
299. It appears from the documents in the file that the data being processed was the temperature
and a photo taken by cameras of people with a temperature above 38°C who
wish to enter the terminal or who are passengers returning from the red zone. She notices
also that a maximum of 20 photos were kept simultaneously and that these were
gradually replaced by older photos according to the “first in, first out” principle.
According to the defendant, these photos were deleted at the end of the day, which implies that
the photos were kept for a theoretical maximum duration of 17 hours. This treatment should
identify people wishing to enter the terminal or arriving from a zone flight
red and having a temperature above 38°C., Decision on the merits 47/2022 - 59/73
300. In its investigation report, the Inspection Service considers that this retention period is too
long and that it is not necessary to isolate people and carry out checks
(initially) or to inform them of potential symptoms of COVID-19 (at
the arrival). A simple visualization of alerts in real time would be sufficient.
301. The Litigation Chamber finds that the data controller limited himself to the collection of two
types of data: temperature, as well as a photo to identify the person with a
temperature above 38°C. The photos are kept for a maximum of 17 hours. The
temperature is the data collected and the photo the data allowing the identification of the person
having a temperature above 38°C. The Litigation Chamber judges that in this situation,
the temporary preservation of the photo is necessary to allow the correct identification of the
concerned person. Indeed, limiting oneself to a single visualization in real time would require that the
person concerned can be arrested immediately, which could prove to be very complex
in the event of an influx of passengers. In addition, the temporary preservation of a photo can be
necessary to ensure that the person arrested is indeed the person concerned by the
processing. As such, the duration and methods of storing images are necessary to
achieve the purpose of the processing, since a more restrictive method could lead to
disproportionate practical difficulties in pursuing the purpose.
For the Litigation Chamber, the defendant has indeed implemented technical measures
and organizational in order to limit the risks of processing.
302. The Litigation Chamber also notes that particular attention seems to have been paid to
minimization of data, since no registration of the identity of the persons concerned
takes place and that the only anonymous register of the number of persons concerned was destroyed
weekly.
303. With regard to the processing of data of accompanying persons, who are therefore not
passengers, the Litigation Chamber refers to its conclusions under finding 2 regarding the
purpose of the processing. It recalls that the purpose declared by the defendant consists in "ensuring the
health security of people transiting through the airport and employees working in the
terminal” (see points 191 et seq.). The purpose of the processing is therefore not limited to taking
temperature of passengers, but of all people wishing to enter the terminal.
As such, the taking of the temperature of the accompanying persons is in accordance with the purpose.
304. The Chamber finds that there was no violation of the data minimization principle (Article
5.1.c of the GDPR) and the principle of data protection by design and by default (article 25
of the GDPR)., Decision on the merits 47/2022 - 60/73
II.3.9Finding 7: Violation of the obligation to keep a register of processing activities
complete (article 30.1 GDPR)
Findings of the Inspection Service
305. The Inspection Service finds that the register does not contain all the mandatory information
to be mentioned in a register of processing activities in accordance with Article 30.1.
of the GDPR, the information below being missing:
- The name and contact details of the data controller, namely BSCA S.A. The document
includes a column "controller" which mentions the person(s)
natural person(s) in charge of the processing within BSCA S.A.;
- The name and contact details of the data protection officer;
- The categories of recipients to whom the personal data have been sent
communicated.
Position of the defendant
306. The defendant admits the breach concerning the name and contact details of the person responsible for
processing, and of the Data Protection Officer and provided an updated version of its
register.
307. With regard to the categories of recipients, the defendant considers that the Service
inspection adds categories that are not provided for by the GDPR, since the latter does not impose
not to specify the entity concerned or the category of subcontractor concerned.
Examination by the Litigation Chamber
308. The Inspection Service criticizes the defendant for not having complied with Article 30.1 of the
GDPR. This article is reproduced below:
“Rule 30
Register of processing activities
1. Each controller and, where applicable, the controller's representative
keep a record of the processing activities carried out under their responsibility. This register
includes all of the following information:
a) the name and contact details of the controller and, where applicable, the joint controller
processing, the representative of the controller and the data protection officer
data;, Decision on the merits 47/2022 - 61/73
b) the purposes of the processing;
c) a description of the categories of data subjects and the categories of personal data
staff;
d) the categories of recipients to whom the personal data have been or will be
communicated, including recipients in third countries or organizations
international;
e) where applicable, transfers of personal data to a third country or to a
international organisation, including the identification of this third country or this organization
international community and, in the case of transfers referred to in the second subparagraph of Article 49(1), the
documents attesting to the existence of appropriate guarantees;
f) as far as possible, the deadlines provided for the erasure of the different categories of
data;
g) as far as possible, a general description of the technical security measures and
organizational arrangements referred to in Article 32(1).
309. The Litigation Chamber finds that the defendant admits the breach concerning the name
and the contact details of the data controller and the data protection officer (article
30.1.a) and provided an updated version of its register. The name and contact details of the manager
of processing as well as the data protection officer appear.
310. With regard to the categories of recipients to whom the personal data have
been or will be communicated, the Chamber notes that Article 30.1d of the GDPR requires the mention
“categories of recipients to whom the personal data have been or will be
communicated”. The term recipient is defined in article 4.9 of the GDPR as being “the person
natural or legal person, the public authority, the service or any other body which receives communication
personal data, whether or not it is a third party”.
311. The question presented for consideration by the Litigation Chamber is that of the degree of precision with
which the categories of recipients must be identified in the Register of the activities of
processing.
312. The register of the defendant's processing activities contains a heading entitled “Recipient? ".
This title contains several tabs structured as follows:
- a "subcontractor" tab containing two options "yes" and "no";
- an "application used" tab, under which the name of the application is entered;
- an "internal or external application" tab, allowing you to select one of these two
options;
- a "digital/paper" tab allowing you to select one of these two options;
- a tab "Country 1/3 (outside the EU)" under which the answer "no" systematically appears., Decision on the merits 47/2022 - 62/73
313. Recommendation No. 06/2017 of 14 June 2017 of the CPP, relating to the Register of activities of
processing (Article 30 of the GDPR) addresses this issue . It specifies that are therefore covered,
both potential internal and external recipients (such as subcontractors or third parties), established in
the European Union or outside it. By way of example, the explanatory note of the declaration
prior to processing mentions: the personal relationships of the data subject, the
employers, other departments or companies of the data controller, social security,
police and justice, brokers of personal data or direct marketing etc.
(Annex 1). »
73
314. It therefore appears from the text of the GDPR, supported by a recommendation from the CPP and the doctrine
that if it is not necessary to indicate the individual recipients of the data, it is on the other hand
necessary to group them by category of recipients. The simple fact of only indicating whether it
whether it is a subcontractor or not therefore does not meet this requirement.
315. Based on the elements above, the Litigation Chamber finds a violation of Articles 30.1a
and 30.1.d GDPR.
II.3.10 Finding 8: Violation of the obligation to guarantee the independence of the delegate
data protection in accordance with article 38.3. GDPR
Findings of the Inspection Service
316. The Inspection Department notes that BSCA S.A. did not ensure that the DPO did not receive any
instruction with regard to the exercise of its missions in violation of Article 38.3. GDPR,
in particular because of its position in the organization chart of the company, and its obligation
to report to the General Counsel.
Position of the defendant
317. The defendant considers that the conclusions of the Inspection Service are not correct. She
considers, citing the supporting guidelines, that the Inspection Service has not carried out an analysis
of the independence of the DPD, but was content to take information from the organizational chart and
does not demonstrate how he receives instructions concerning the performance of his duties. This one
should have been made on concrete shortcomings. For the defendant, the fact of participating in
“inter-departmental” meetings does not constitute a demonstration of its lack of independence, but
72
Available at: https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf
73W. Kotschy, “Article 30: records of processing activities”, in Ch. Kuner The EU General Data Protection Regulation (GDPR), a
commentary, 2020, p. 621., Decision on the merits 47/2022 - 63/73
good for his involvement in the business. The defendant refers to the answer it already had
sends to the Inspection Service and which establishes that the DPO is part of the legal service,
reports annually to Management and receives an annual budget.
318. During the hearing, the respondent’s DPO made it known that his position in the company is
clear and that he had a listening direction. He added that he previously reported to the legal director
and worked in the legal department. Today the legal director has become the number 2 of
the company and the DPO is therefore directly under his authority, even if he remains on the payroll of the
Legal Department.
Examination by the Litigation Chamber
319. The Inspection Service finds a violation of Article 38.3 of the GDPR. This is reproduced below
below:
“Rule 38
Function of the data protection officer
1. The controller and the processor shall ensure that the data protection officer
data is involved, in an appropriate and timely manner, in all questions relating to
the protection of personal data.
2. The controller and the processor assist the data protection officer in
carry out the tasks referred to in Article 39 by providing the resources necessary to carry out
these tasks, as well as access to personal data and processing operations,
and allowing him to maintain his specialized knowledge.
3. The controller and the processor shall ensure that the data protection officer
data does not receive any instructions with regard to the performance of the tasks. The delegate to the
data protection cannot be relieved of his duties or penalized by the person responsible for the
processing or the subcontractor for the exercise of its missions. The delegate for the protection of
data reports directly to the highest level of management of the head of the
processor or processor. »
320. According to the IS, the data controller failed to fulfill the obligations provided for in Article 38.3,
since the positioning of the DPO under the direction of the Respondent's General Counsel, Decision on the merits 47/2022 - 64/73
and the fact that he must report to her every two weeks contravenes the prohibition on receiving
“instruction[s] regarding the exercise of the missions. ".
321. The Article 29 Working Party has drafted guidelines on the DPO which have been taken up by
the EDPS. On the question of the independence of the DPO, the guidelines contain the
following paragraphs:
“This means that, in the exercise of their tasks under Article 39, DPOs must not
receive instructions on how to handle a case, for example, what outcome should be
obtained, how to investigate a complaint or whether to consult the supervisory authority. Besides,
they cannot be required to adopt a certain point of view on a question relating to the legislation in question.
data protection, for example, a particular interpretation of the law.
[…]
If the controller or processor makes decisions that are incompatible with
the GDPR and the opinion of the DPO, the latter should have the possibility to clearly indicate his opinion
diverge at the highest level of management and decision makers. » 75
322. It therefore appears from the guidelines that the question of the independence of the DPO is based on two
different criteria: first, its independence must be assessed in a contextual and independent manner.
situ, i.e. it must be ensured that the DPO has not been subjected to any influence or pressure
on how he must exercise the duties imposed on him under the GDPR. It would therefore be
here of an obligation to refrain from interference with its missions and the absence of imposition of
retaliatory measures. A second obligation that comes from the text of the GDPR and the guidelines
is a positive obligation this time, and which requires the data controller to guarantee that the
DPD can account for its opinions and its work at the highest level of the hierarchy. It's about
here of an additional form of protection which should allow the DPO to make his voice heard within
organisation.
323. The Litigation Chamber finds in this case that the second obligation, which is to be able to
reporting to the highest level of the hierarchy is not called into question by the IS.
324. On the other hand, the Inspection Service considers that the position in the organization chart of the DPO is detrimental
to his independence since he contravenes the first obligation, which is that of not undergoing
interference in his work. The Litigation Chamber, as explained above, considers
however, it cannot be deduced from a position in the organizational chart and from an obligation to
74
Article 29 Data Protection Working Party, Guidelines for Data Protection Officers
(DPD), adopted on 13 December 2016. Available at: https://ec.europa.eu/newsroom/article29/items/612048.
75Ibid, p. 18. It is the Litigation Chamber which highlights., Decision on the merits 47/2022 - 65/73
report to the General Counsel every two weeks that the DPO receives instructions that
jeopardize his independence. This evaluation must be made on the basis of concrete indices
interference which is not brought here. The GDPR does not prohibit the DPO from having a superior
hierarchical.
325. Article 38.3 of the GDPR also specifies that “the data protection officer cannot be
relieved of his duties or penalized by the controller or processor for
the performance of its duties”. However, it appears from the documents in the file and in particular from the response that the
defendant brought to the questions of the Litigation Chamber in preparation for
the hearing, that the DPD was very frequently on technical unemployment between May and August 2020. The
defendant provides the following statement in this respect:
“In fine, here is the total count of the days worked by the DPO of the defendant between April 2020
and August 2020:
- Three (3) days during the month of April 2020;
- Five (5) days during the month of May 2020;
- Three (3) days during the month of June 2020;
- Nine (9) days during the month of July 2020; and finally
76
- Thirteen (13) days during the month of August 2020.”
326. It appears from these documents that, between April 2020 and August 2020, the DPO only worked 33 days at
total.77
327. The Respondent's response indicates that a large part of its staff was in
technical unemployment at that time. The Litigation Chamber cannot therefore conclude that the DPD has
been particularly targeted by this economic unemployment and “penalized for the exercise of his
assignments” within the meaning of Article 38.3.
328. However, it is clear from the figures given above that during preparation for the commissioning
processing (in June 2020-, the DPO only had very few working days
workforce. The Litigation Chamber therefore doubts that he could have been "associated, in a way
appropriately and in a timely manner, to all questions relating to the protection of personal data
personnel” as required by Article 38.1 of the GDPR. The Litigation Chamber has duly taken note
the fact that a note was requested from the DPO on April 30, 2020 on the legality of the processing of catches
temperature and that the latter responded the same day to this request with a brief note of 2.5
pages. She also noted that the file contained certain email exchanges involving the DPO
76
Letter of October 18, 2021, p. 5.
77Ibidem., Decision on the merits 47/2022 - 66/73
during the period concerned. However, it considers that this does not in itself constitute proof
adequate and timely association of the DPO.
329. On the contrary, the Litigation Chamber questions the fact that the DPO was laid off
technical during the period of implementation of the disputed processing, which could have
78
impairment of his ability to be "involved, in an appropriate and timely manner" in the reflection
regarding such processing. The Litigation Chamber considers that the decision to put the DPD
on technical unemployment is likely to prevent him from carrying out his duties in accordance with
GDPR Article 38.1. However, the Trial Chamber does not have sufficient information to
rule in this regard in the particular case and find a violation.
III. Violations and Penalties
330. Under Article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° order a suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the data subject's requests to exercise
his rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of the
processing ;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the
notification of these to the recipients of the data;
11° order the withdrawal of accreditation from certification bodies;
12° impose periodic penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State
or an international body;
15° forward the file to the public prosecutor's office in Brussels, which
informs him of the follow-up given to the file;
78
Article 38.1 GDPR., Decision on substance 47/2022 - 67/73
16° decide, on a case-by-case basis, to publish its decisions on the Authority's website
data protection.
331. As to the administrative fine that may be imposed under Articles 58.2.i) and 83 of the GDPR
and articles 100, 13° and 101 LCA, article 83 of the GDPR provides:
“1. Each supervisory authority shall ensure that the administrative fines imposed in
under this article for breaches of this Regulation referred to in paragraphs 4,
5 and 6 are, in each case, effective, proportionate and dissuasive.
Depending on the specific characteristics of each case, administrative fines are imposed
in addition to or instead of the measures referred to in points (a) to (h) of Article 58(2), and
j). To decide whether to impose an administrative fine and to decide the amount
of the administrative fine, due account shall be taken, in each case, of the
following elements:
(a) the nature, gravity and duration of the breach, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of persons
concerned affected and the level of damage they have suffered;
b) whether the breach was committed willfully or negligently;
(c) any action taken by the controller or processor to
mitigate the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account
the technical and organizational measures they have implemented under the articles
25 and 32;
e) any relevant violation previously committed by the person in charge of the
processor or processor;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the
violation and to mitigate any adverse effects;
g) the categories of personal data affected by the breach;
h) how the supervisory authority became aware of the breach, including
whether, and to what extent, the controller or processor has notified the
violation;, Decision on the merits 47/2022 - 68/73
(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or processor concerned
for the same purpose, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved under Article 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as the financial advantages obtained or the losses avoided,
directly or indirectly, by reason of the breach.”
332. The Litigation Chamber recalls that the purpose of the fine is not to put an end to an offense
committed but to effectively enforce the rules of the GDPR. As it appears
clearly from recital 148, the GDPR indeed provides that sanctions, including fines
administrative, be imposed for any serious violation - therefore including at the first
finding of a violation -, in addition to or instead of the appropriate measures which are
79
imposed. This same recital provides for two cases in which it is possible to waive a
fine, i.e. for minor violations or where the fine would constitute a charge
disproportionate to a natural person within the meaning of recital 148 of the GDPR, two cases which
would waive a fine. The fact that this is a first finding of a
violation of the GDPR committed by a data controller does not affect the possibility for the
Litigation Chamber to impose an administrative fine. The instrument of the fine
administrative action is in no way intended to put an end to the violations. To this end, the GDPR and the LCA
provide for several corrective measures, including the orders cited in Article 100, § 1, 8° and 9° of the LCA.
333. In the present case, the Litigation Division found that the defendant had violated the
following items:
a) Violation of Articles 6.1.c), 6.3, and 9.2.i), since it is not demonstrated that the
processing of the personal data in question is necessary for reasons
of public interest in the field of public health, such as protection against
serious cross-border threats to health or for the purpose of ensuring standards
high standards of quality and safety of health care and medicines or devices
medical conditions, on the basis of Union law or the law of the Member State which provides for
7 Recital 148 states: "In order to strengthen the application of the rules of this Regulation, sanctions including
administrative fines should be imposed for any violation of this Regulation, in addition to or instead of the
appropriate measures imposed by the supervisory authority under this Regulation. In the event of a minor violation or if the fine
likely to be imposed constitutes a disproportionate burden for a natural person, a call to order may be sent
rather than a fine. However, due account should be taken of the nature, seriousness and duration of the violation,
intent of the breach and the measures taken to mitigate the damage suffered, the degree of responsibility or any breach
relevant previously committed, the manner in which the supervisory authority became aware of the breach, compliance with
measures ordered against the controller or processor, the application of a code of conduct, and any
other aggravating or mitigating circumstance. The application of sanctions including administrative fines should be subject to
appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to a
effective judicial protection and due process. [underlining by the Litigation Chamber], Decision on the merits 47/2022 - 69/73
appropriateandspecificmeasuresforsafeguardinghumanrightsandfreedoms
concerned, in particular professional secrecy. In addition, the legal bases invoked by the
defendant (namely the Decree of 23 June 1994 relating to the creation and operation
airports and aerodromes within the Walloon Region, the ministerial decree of 30 June
2020 on urgent measures to limit the spread of the Covid-19 coronavirus,
the law of 31 December 1963 on civil protection (as replaced by the law of 15 May
2007) and the "Commercial Aviation Passengers" Protocol of June 11, 2020) do not meet
the requirements of Article 6.1 c) read in conjunction with Article 6.3 of the GDPR.
b) Violation of Articles 5.1.a), 12.1, 13.1c), 13.2.a), 13.2.d), and 13.2 for failing to
transparency vis-à-vis the persons concerned by not informing them that the taking of
temperature would be done using thermal cameras; for not having informed
correctly passengers returning from the red zone for not having correctly
informed of the legal basis of the processing, its purpose and the regulatory framework
the obligation to monitor body temperature; for not having correctly
informed of the data retention period and the right to lodge a complaint
with the Data Protection Authority.
c) Violation of Article 5.1.b), since the purpose of the processing was not
sufficiently explicit when the treatment began, since it was not
expressly stated in any source of information used by the defendant. The
purpose of the processing has only been explained in the answers to questions from the Inspection Department
and after the modification of the privacy policy in December 2020.
d) Violation of Articles 35.1 and 35.7 for not having carried out the Impact Assessment of the
protection of the data before the implementation of the processing. Furthermore, the impact analysis
is incomplete since it does not contain an adequate description of the operations of
processing envisaged and the purposes of the processing, it does not sufficiently analyze the
necessityandproportionalityoftreatmentanddoesnotcorrectlyassesstherisksfor
the rights and freedoms of data subjects.
e) Violation of articles 30.1.a) and 30.1.d) due to the absence, in the register of activities
processing, mention of the name and contact details of the processing manager as well as
than the data protection officer at the time of the investigation and for lack of
sufficient precision as to the categories of data recipients.
334. Pursuant to Article 101 of the LCA, it decides to impose a fine of EUR 100,000 on the defendant
for violations of Articles 5.1.a, 5.1.b, 6.1.c), 6.3, and 9.2.i), 12.1, 13.1c), 13.2.a), 13.2.d), 13.2.e), 35.1 and
35.7., Decision on the merits 47/2022 - 70/73
335. In view of Article 83 of the GDPR, the Litigation Chamber justifies the imposition of an administrative sanction
80
in a concrete way, by retaining the following criteria, taken from this article, which it deems relevant
in the present case:
- the nature, gravity and duration of the violation (art. 83.2.a) — The violations found are
in particular a violation of the provisions of the GDPR relating to the principles of the protection of
data (Article 5 of the GDPR) and the lawfulness of the processing (Article 6 of the GDPR). A breach of
aforementioned provisions is, in accordance with Article 83 (5) of the GDPR, liable
the highest monetary penalties.
The infringements noted also concern the violation of the provisions relating to
information and transparency obligations (articles 5.1.a), 12.1 and 13 of the GDPR). Respect for
above-mentioned provisions is essential and must take place at the latest at the start of the processing of
personal data. This is also necessary to facilitate the exercise of rights
of the persons concerned.
The infringements noted also concern the performance of the Impact Assessment relating to the
Data protection. This obligation was only fulfilled after the start of the treatment, so
that it should have been carried out before (article 35.1 of the GDPR) and was not carried out in accordance with
to the criteria of article 35.7, which considerably affected the credibility of the exercise and the
potential rights benefits.
- Any relevant breach previously committed by the controller or sub-
(art.83.2.e) GDPR)— The defendant has never been the subject of infringement proceedings
before the Data Protection Authority.
- the categories of personal data affected by the breach (art.83.2.g) GDPR)—
The breaches identified relate to a category of personal data within the meaning of Article 9
of the LCA (data relating to the health of the persons concerned).
- any other aggravating or mitigating circumstance applicable to the circumstances of the case (art.
83.2 k) GDPR): the defendant did not derive any benefit from the processing operations or the
offenses committed.
336. All the elements set out above justify an effective, proportionate and
dissuasive, as referred to in Article 83 of the GDPR, taking into account the assessment criteria that it
contains.
337. A sanction form was sent on February 15, 2022 to which the defendant replied on March 9
2022. These arguments can be summarized as follows:
80
Brussels Court of Appeal (Cour des Marchés section), X. v APD, Judgment 2020/1471 of February 19, 2020, Decision on the merits 47/2022 - 71/73
at. It was subject to the obligation to implement the processing. She had no choice
and could not count on the guidance of the APD.
b. The fine must remain an exceptional means, in particular in view of the case of force majeure
in which the airport found itself and considering the fact that the treatment was very limited
over time and is no longer in place today.
vs. The airport suffered extremely high losses due to COVID and had to be
recapitalized to avoid bankruptcy. This recapitalization was conditional on the conclusion
a social agreement which provides for reductions in remuneration for employees (agreement
reported in the press).
338. The Litigation Division considers that the argument developed in point a) below has been the subject of
developments in the body of the decision (see points 58 et seq.). The Litigation Chamber reiterates
that the Protocol does not constitute a valid legal basis within the meaning of the GDPR and the defendant has
recognized the lack of clarity of the Protocol and the fact that a law would have been preferable . She returns
also to point 232 regarding the lack of guidance.
339. The Litigation Division has also already responded to point b) above (see points 217 et seq.) in
the body of the decision. Regarding the fact that the processing was limited in time and is no longer
currently in place, the Litigation Chamber points out that it extended over a period
approximately 9 months (between June 2020 and March 2021) for all departing passengers and companions,
thus for a period of just over a month for people arriving from the red zone (September-
October 2020). It also recalls that if the defendant was unable to provide a total number of
data subjects, it indicated that for the sole period between June 15, 2020 and October 31,
2020, approximately 457,000 departing passengers were screened. The processing can therefore neither be
considered to have been very limited in time, nor in the number of people involved.
340. With regard to point c), the Litigation Chamber recalls that it is indeed the turnover that
is used as the criterion for determining the maximum amount of fines in the GDPR and not
the income statement. This choice by the European legislator was made on purpose in order to prevent
variations in the income statement do not limit the ability of the supervisory authorities to
data to impose effective fines.
341. The Litigation Chamber also emphasizes that the other criteria set out in Article 83.2 of the
GDPR are not relevant in this case and therefore do not lead to an administrative fine other than
than that determined by the Litigation Division in the context of this decision.
81
The Litigation Chamber will also send a copy of this decision to the competent minister., Decision on the merits 47/2022 - 72/73
342. In accordance with the foregoing, the Litigation Division finds that it can rely on the
annual figures from Brussels South Charleroi Airport SA to determine the amount of the fine
administrative procedure which it intends to impose on the defendant.
343. The Litigation Chamber refers to the conclusions of the defendant filed with the
Litigation Chamber as well as the annual accounts filed with the National Bank of
Belgium (BNB) on July 5, 2021, which report a turnover for the financial year 2020 of
EUR 28,859,291.41.
344. The planned administrative fine of 100,000.00 euros corresponds in this case to 0.34% of the
annual business of the defendant for the year 2020. The Litigation Chamber refers
the submissions of the defendant filed with the Litigation Chamber as well as the
annual accounts filed with the National Bank of Belgium (BNB) on July 5, 2021, which are
statement of turnover for the 2020 financial year of EUR 28,859,291.41.
345. The planned administrative fine of 100,000 euros corresponds in this case to 0.34% of the
defendant's annual business for the year 2020.
346. The Litigation Division indicates that the maximum amount of the administrative fine for a
violation is determined by Articles 83.4 and 83.4 GDPR. The amount of the fine imposed in
this Decision is significantly lower than the maximum amount foreseen (which could have reached a
maximum of EUR 1,154,371.65), given that the Litigation Chamber took into account all
the relevant criteria set out in Article 83.2 LCA. In addition, the Litigation Chamber assesses the
concrete elements of each case individually in order to impose an appropriate sanction.
347. For violations of Articles 30.1.a) and 30.1.d), the Litigation Chamber decides, under Article
100, §1, 5° of the ACL, to impose a reprimand. Indeed, the violations found relate to
relatively minor elements, the violation of which does not in itself justify the imposition of a fine.
IV. Publication of the decision
348. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the Authority for the protection of
data in accordance with article 95, §1, 8° LCA by mentioning the identification data of the
defendant and this because of the specificity of this decision - which leads to the fact that
even in the event of omission of identification data, re-identification is unavoidable - as well as
public interest of this decision., Decision on the merits 47/2022 - 73/73
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Pursuant to Article 101 of the ACL, impose a fine of EUR 100,000 on the defendant for
violationsofArticles5.1.a,5.1.b,6.1.c),6.3,and9.2.i),12.1,13.1c),13.2.a),13.2.d),13.2.e),35.1and35.7;
- Pursuant to Article 100, §1, 5° of the LCA, to impose a reprimand for violations of the
Articles 30.1.a) and 30.1.d);
er
Under Article 108, § 1 of the LCA, this decision may be appealed to the
Court of Markets within thirty days of its notification, with the Authority of
data protection as defendant.
(Sr.) Hielke Hijmans
President of the Litigation Chamber
Categories:
- APD/GBA (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(a) GDPR
- Article 6(1)(c) GDPR
- Article 6(3) GDPR
- Article 9(2)(i) GDPR
- Article 12(1) GDPR
- Article 13(1)(c) GDPR
- Article 13(2)(a) GDPR
- Article 13(2)(d) GDPR
- Article 13(2)(e) GDPR
- Article 30(1)(a) GDPR
- Article 30(1)(d) GDPR
- Article 35(1) GDPR
- Article 35(7) GDPR
- 2022
- French
