APD/GBA (Belgium) - 48/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(3 intermediate revisions by 3 users not shown)
Line 21: Line 21:
|Date_Published=04.04.2022
|Date_Published=04.04.2022
|Year=2022
|Year=2022
|Fine=200000
|Fine=200,000
|Currency=EUR
|Currency=EUR


Line 67: Line 67:
}}
}}


The Belgian DPA issued fines of €200,000 against the Brussels airport and €20,000 against a medical company for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, adequate information provided to data subjects, and an appropriate data protection impact assessment.  
The Belgian DPA fined the Brussels Airport and a medical company €200,000 and €20,000 respectively for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, adequate information provided to data subjects, and an appropriate data protection impact assessment.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The inspection service of the BE DPA conducted an inspection on the temperature checks carried out by the Brussels airport, as instructed by the Board of Directors of the BE DPA.  
The inspection service of the Belgian DPA conducted an inspection on the temperature checks carried out by the Brussels Airport, as instructed by the Board of Directors of the DPA.  


A first line of check was performed with thermal cameras. All passengers whose temprature was measure above 38 degrees were invited to be abalysed by a medical service, acting in second line, to carry out a diagnosis (performed by a doctor and using a form). The information was strored on paper and electronically and potentially shared for contact tracing.  
As a first step, the passengers' temperature was measured with thermal cameras. In a second step, all passengers with a temperature above 38°C were invited to be examined by a medical service, to carry out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing.  


=== Holding ===
=== Holding ===
1. the DPA concluded that the airport was the controller foprp the processing of data in the context of the first line.  
The DPA issued a €200,000 fine against the airport for violation of [[Article 5 GDPR|Articles 5(1)(c)]], [[Article 6 GDPR|6(1)(e)]], [[Article 9 GDPR|9(2)(g)]], [[Article 12 GDPR|12]], [[Article 13 GDPR|13(1)(c), 13(2)(e)]], [[Article 35 GDPR|35(1)]], [[Article 35 GDPR|35(3)]] and [[Article 35 GDPR|35(7)(b) GDPR]]. It also fined the medical service €20,000 for violation of [[Article 5 GDPR|Articles 5(1)(c)]], [[Article 6 GDPR|6(1)(e)]], [[Article 9 GDPR|9(2)(g)]], [[Article 35 GDPR|35(3) and 35(7)(b)]] GDPR. Finally, it issued a a reprimand against the airport for violation of [[Article 5 GDPR|Articles 5(2)]], [[Article 24 GDPR|24 and]] [[Article 35 GDPR|35(1) GDPR]].


The airport and the medical service were considered as joint-controllers for the second linde processing. The DPA considreed that the qualification under the contractual agreement was not bindingi upon the DPA (in accordance with the EDPB guidelines on the same).  
==== 1. Controllership ====
The DPA concluded that the airport was the controller for the processing of data in the context of the first step. The airport and the medical service were considered as joint controllers for the second line of processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same).


==== 2. The legal basis (Articles 6 and 9 GDPR) ====
During the procedure, the airport stated that it relied on [[Article 6 GDPR|Article 6(1)(e)]] [[Article 9 GDPR|and 9(2)(g) GDPR]] for the processing.


The DPA considered that the decrees and the protocol on which the airport relied as a legal basis were not creating any legal obligation to check the temperatures of the passengers. Moreover, the texts the airport relied upon did not refer, as required by [[Article 6 GDPR|Article 6(3) GDPR]], to the purpose of the processing,  to the description of the processing operations, nor did the text mention the measures to ensure a lawful and fair processing of the data. The DPA also noted that the airport itself remarked in its data protection impact assessment (DPIA) that no legal text provides for an obligation to carry out temperature checks.
Finally, the DPA found that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient. Also, the alleged legal basis did not contain any reference to a duration or retention period.
The DPA concluded to a violation of [[Article 5 GDPR|Articles 5(1)(c)]], [[Article 6 GDPR|6(1)(e), 6(3)]] and [[Article 9 GDPR|9(2)(g) GDPR]] both by the airport and the medical service acting as joint controllers.
==== 3.  Transparency and information ====
The DPA found that the lack of reference to the specific legal provision(s) that allegedly created a legal obligation amounts to a violation of [[Article 13 GDPR]]. The DPA also emphasised that the legal basis should be announced in the privacy policy and not during the procedure before the DPA. It further pointed out that the lack of mention of the consequences for the data subjects also violated [[Article 13 GDPR]].
The same lack of transparency could also be observed regarding the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not conclude in this regard.
==== 4. DPIA ====
The DPA considered that the DPIA was not carried out appropriately since some information was missing, such as a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed) and the lack of risk assessment in the DPIA.
It also considered that the procssing of data in the second step (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.
Moreover, the fact that the number of potential passengers who could have been subject to the processing was unknown at the time of the DPIA does not affect this conclusion. In order to assess that the processing would be done at a large scale, it should have been considered that all passengers could see their data processed.
==== 5. Competence and independence of the data protection officer (DPO) ====
The DPA did not follow the inspection report regarding the alleged lack of competence of the airport's DPO and did not find a violation of [[Article 37 GDPR|Article 37(5) GDPR]].
Regarding the independance of the DPO, the DPA considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered as a violation of [[Article 38 GDPR]] since it was not demonstrated that the DPO could not act independently.






== Comment ==
== Comment ==
''Share your comments here!''
''This decision was taken together with another decision against the airport of Charleroi for similar facts''


== Further Resources ==
== Further Resources ==

Latest revision as of 16:47, 6 April 2022

APD/GBA (Belgium) - 48/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 12 GDPR
Article 13(1)(c) GDPR
Article 13(2)(e) GDPR
Article 24 GDPR
Article 35(1) GDPR
Article 35(3) GDPR
Article 35(7)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.04.2022
Published: 04.04.2022
Fine: 200,000 EUR
Parties: Brussels airport
Ambuce Rescue Team
National Case Number/Name: 48/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD (in NL)
Initial Contributor: n/a

The Belgian DPA fined the Brussels Airport and a medical company €200,000 and €20,000 respectively for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, adequate information provided to data subjects, and an appropriate data protection impact assessment.

English Summary

Facts

The inspection service of the Belgian DPA conducted an inspection on the temperature checks carried out by the Brussels Airport, as instructed by the Board of Directors of the DPA.

As a first step, the passengers' temperature was measured with thermal cameras. In a second step, all passengers with a temperature above 38°C were invited to be examined by a medical service, to carry out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing.

Holding

The DPA issued a €200,000 fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12, 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR. It also fined the medical service €20,000 for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR. Finally, it issued a a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR.

1. Controllership

The DPA concluded that the airport was the controller for the processing of data in the context of the first step. The airport and the medical service were considered as joint controllers for the second line of processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same).

2. The legal basis (Articles 6 and 9 GDPR)

During the procedure, the airport stated that it relied on Article 6(1)(e) and 9(2)(g) GDPR for the processing.

The DPA considered that the decrees and the protocol on which the airport relied as a legal basis were not creating any legal obligation to check the temperatures of the passengers. Moreover, the texts the airport relied upon did not refer, as required by Article 6(3) GDPR, to the purpose of the processing, to the description of the processing operations, nor did the text mention the measures to ensure a lawful and fair processing of the data. The DPA also noted that the airport itself remarked in its data protection impact assessment (DPIA) that no legal text provides for an obligation to carry out temperature checks.

Finally, the DPA found that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient. Also, the alleged legal basis did not contain any reference to a duration or retention period.

The DPA concluded to a violation of Articles 5(1)(c), 6(1)(e), 6(3) and 9(2)(g) GDPR both by the airport and the medical service acting as joint controllers.

3. Transparency and information

The DPA found that the lack of reference to the specific legal provision(s) that allegedly created a legal obligation amounts to a violation of Article 13 GDPR. The DPA also emphasised that the legal basis should be announced in the privacy policy and not during the procedure before the DPA. It further pointed out that the lack of mention of the consequences for the data subjects also violated Article 13 GDPR.

The same lack of transparency could also be observed regarding the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not conclude in this regard.

4. DPIA

The DPA considered that the DPIA was not carried out appropriately since some information was missing, such as a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed) and the lack of risk assessment in the DPIA.

It also considered that the procssing of data in the second step (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.

Moreover, the fact that the number of potential passengers who could have been subject to the processing was unknown at the time of the DPIA does not affect this conclusion. In order to assess that the processing would be done at a large scale, it should have been considered that all passengers could see their data processed.

5. Competence and independence of the data protection officer (DPO)

The DPA did not follow the inspection report regarding the alleged lack of competence of the airport's DPO and did not find a violation of Article 37(5) GDPR.

Regarding the independance of the DPO, the DPA considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered as a violation of Article 38 GDPR since it was not demonstrated that the DPO could not act independently.


Comment

This decision was taken together with another decision against the airport of Charleroi for similar facts

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.