APD/GBA (Belgium) - 48/2022
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 12 GDPR
Article 13(1)(c) GDPR
Article 13(2)(e) GDPR
Article 24 GDPR
Article 35(1) GDPR
Article 35(3) GDPR
Article 35(7)(b) GDPR
Ambuce Rescue Team
National Case Number/Name: 48/2022
European Case Law Identifier: n/a
Original Source: APD (in NL)
The Belgian DPA fined the Brussels Airport and a medical company €200,000 and €20,000 respectively for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, without providing adequate information to data subjects, and without an appropriate data protection impact assessment.
English Summary
Facts
The inspection service of the Belgian DPA conducted an inspection of the temperature checks carried out by the Brussels Airport, as instructed by the Board of Directors of the DPA.
As a first step, the passengers' temperature was measured with thermal cameras. In a second step, all passengers with a temperature above 38°C were invited to be examined by a medical service, to carry out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing.
Holding
The DPA issued a €200,000 fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12, 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR. It also fined the medical service €20,000 for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR. Finally, it issued a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR.
1. Controllership
The DPA concluded that the airport was the controller for the processing of data in the context of the first step. The airport and the medical service were considered as joint controllers for the second line of processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same).
2. The legal basis (Articles 6 and 9 GDPR)
The DPA considered that the decrees and the protocol on which the airport relied as a legal basis did not create any legal obligation to check the temperatures of the passengers. Moreover, the texts the airport relied upon did not refer, as required by Article 6(3) GDPR, to the purpose of the processing or to a description of the processing operations, nor did they mention the measures to ensure lawful and fair processing of the data. The DPA also noted that the airport itself remarked in its data protection impact assessment (DPIA) that no legal text provides for an obligation to carry out temperature checks.
Finally, the DPA found that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient. Also, the alleged legal basis did not contain any reference to a duration or retention period.
3. Transparency and information
The same lack of transparency could also be observed regarding the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not conclude in this regard.
4. DPIA
The DPA considered that the DPIA was not carried out appropriately since some information was missing, such as a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed), and since the DPIA lacked a risk assessment.
It also considered that the processing of data in the second step (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.
Moreover, the fact that the number of potential passengers who could have been subject to the processing was unknown at the time of the DPIA does not affect this conclusion. In order to assess that the processing would be done at a large scale, it should have been considered that all passengers could see their data processed.
5. Competence and independence of the data protection officer (DPO)
The DPA did not follow the inspection report regarding the alleged lack of competence of the airport's DPO and did not find a violation of Article 37(5) GDPR.
Regarding the independence of the DPO, the DPA considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered as a violation of Article 38 GDPR since it was not demonstrated that the DPO could not act independently.
Comment
This decision was taken together with another decision against the airport of Charleroi for similar facts.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.