APD/GBA (Belgium) - 48/2022

From GDPRhub
APD/GBA (Belgium) - 48/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 12 GDPR
Article 13(1)(c) GDPR
Article 13(2)(e) GDPR
Article 24 GDPR
Article 35(1) GDPR
Article 35(3) GDPR
Article 35(7)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.04.2022
Published: 04.04.2022
Fine: 200,000 EUR
Parties: Brussels airport
Ambuce Rescue Team
National Case Number/Name: 48/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD (in NL)
Initial Contributor: n/a

The Belgian DPA fined the Brussels Airport and a medical company €200,000 and €20,000 respectively for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, adequate information provided to data subjects, and an appropriate data protection impact assessment.

English Summary

Facts

The inspection service of the Belgian DPA conducted an inspection on the temperature checks carried out by the Brussels Airport, as instructed by the Board of Directors of the DPA.

As a first step, the passengers' temperature was measured with thermal cameras. In a second step, all passengers with a temperature above 38°C were invited to be examined by a medical service, to carry out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing.

Holding

The DPA issued a €200,000 fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12, 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR. It also fined the medical service €20,000 for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR. Finally, it issued a a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR.

1. Controllership

The DPA concluded that the airport was the controller for the processing of data in the context of the first step. The airport and the medical service were considered as joint controllers for the second line of processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same).

2. The legal basis (Articles 6 and 9 GDPR)

During the procedure, the airport stated that it relied on Article 6(1)(e) and 9(2)(g) GDPR for the processing.

The DPA considered that the decrees and the protocol on which the airport relied as a legal basis were not creating any legal obligation to check the temperatures of the passengers. Moreover, the texts the airport relied upon did not refer, as required by Article 6(3) GDPR, to the purpose of the processing, to the description of the processing operations, nor did the text mention the measures to ensure a lawful and fair processing of the data. The DPA also noted that the airport itself remarked in its data protection impact assessment (DPIA) that no legal text provides for an obligation to carry out temperature checks.

Finally, the DPA found that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient. Also, the alleged legal basis did not contain any reference to a duration or retention period.

The DPA concluded to a violation of Articles 5(1)(c), 6(1)(e), 6(3) and 9(2)(g) GDPR both by the airport and the medical service acting as joint controllers.

3. Transparency and information

The DPA found that the lack of reference to the specific legal provision(s) that allegedly created a legal obligation amounts to a violation of Article 13 GDPR. The DPA also emphasised that the legal basis should be announced in the privacy policy and not during the procedure before the DPA. It further pointed out that the lack of mention of the consequences for the data subjects also violated Article 13 GDPR.

The same lack of transparency could also be observed regarding the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not conclude in this regard.

4. DPIA

The DPA considered that the DPIA was not carried out appropriately since some information was missing, such as a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed) and the lack of risk assessment in the DPIA.

It also considered that the procssing of data in the second step (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.

Moreover, the fact that the number of potential passengers who could have been subject to the processing was unknown at the time of the DPIA does not affect this conclusion. In order to assess that the processing would be done at a large scale, it should have been considered that all passengers could see their data processed.

5. Competence and independence of the data protection officer (DPO)

The DPA did not follow the inspection report regarding the alleged lack of competence of the airport's DPO and did not find a violation of Article 37(5) GDPR.

Regarding the independance of the DPO, the DPA considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered as a violation of Article 38 GDPR since it was not demonstrated that the DPO could not act independently.


Comment

This decision was taken together with another decision against the airport of Charleroi for similar facts

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.