APD/GBA (Belgium) - 48/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 77: Line 77:


=== Holding ===
=== Holding ===
1. the DPA concluded that the airport was the controller foprp the processing of data in the context of the first line.  
'''1. The DPA concluded that the airport was the controller foprp the processing of data in the context of the first line.'''


The airport and the medical service were considered as joint-controllers for the second linde processing. The DPA considreed that the qualification under the contractual agreement was not bindingi upon the DPA (in accordance with the EDPB guidelines on the same).  
The airport and the medical service were considered as joint-controllers for the second linde processing. The DPA considreed that the qualification under the contractual agreement was not bindingi upon the DPA (in accordance with the EDPB guidelines on the same).  


'''<br />2. The legal basis (articles 6 and 9 GDPR)'''
During the procedure, the airport stated to rely on Article 6(1)(e) and 9(2)(g) GDPR for the processing.
The DPA considered that the decrees and the protocol on which the airport relied as a legal basis was not creating any legal obligation to check the temperatures of the passengers.
Moreover, the texts on which the airport relied upon did not refer, as required by Article 6.3, to the purpose of the processing,  to the description of the processing operations, nor did the text mention the measures to ensure a lawful and fair processing of the data. The litigation chamber also noted that the airport itself remarked in its DPIA that no legal text provides for an obligation to carry out temperature checks.
Finally, the DPA found that the necessity was not demonstrated since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and European Centre for Disease Prevention and Control that considered that the temperature control was not proven to be efficient. Also, the elleged legal basis dit not contain any reference to a duration or retention period.
The litigation chamber concluded to a violation of Articles 5(1)(c), 6(1)(e), 6(3) and 9(2)(g) GDPR both by the airport and the medical service acting as joint controller.
'''3.  Transparency and information'''
The litigation chamber found that the lack of reference to the specific legal provision(s) that allegedly created a legal obligation amounts to a violation of Article 13 GDPP. The litigationc hamber also reminds that the legal basis should be announced at in the privacy policy and not during the procedure before the DPA. The litigation also pointed that the lack of mention of the consequences for the data subjects also violated Article 13 GDPR.
The same lack of transparency could also be ovserved regaring the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not conclude in this regard.
'''4. DPIA'''
The litigation chamber considreed that the DPIA was not carried out appropriately since some information was missing in the DPIA, like a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed) and the lack of risks assessment in the DPIA.
The litigation chamber also considered that the procssing of data in the second line (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.
Moreover, the fact that the number of potential passengers that could have been subject to the processing  was unknown at the time of the DPIA does not affect this conclusion, since in order to asess that the processing would be done at a large scale, it should have been consiudered that all passangers could see their dat aprocessed.
'''5. Competence and independance of the DPO'''
The litigation chambre did not follow the inspection report regarding the alleged lack of competence of the DPO and did nto find a violation of Article 37(5) GDPR.
Regarding the independance of the DPO, the litigation chamber considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered as a violation of Article 38 GDPR since it was not demonstrated that the DPO could not act independently.
'''Sanction'''
Based on the above: the litigation chambre issued:
- a 200 000 € fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12 juncto 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR
- a 20000 € fine against the medical service for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR
- a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR.




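Review bot: the added Holding text is saved with uncorrected typos that render on the page, for example "foprp" and "linde" in point 1, "considreed" in points 1 and 4, and "Article 13 GDPP" in point 3; a spell-check pass before saving would catch these. The heading for point 2 also carries a stray `<br />` inside the bold markup (`'''<br />2. The legal basis (articles 6 and 9 GDPR)'''`); a blank line before the heading would do the same job. Point 2 concludes a violation of Article 6(3), but 6(3) appears in neither fine under Sanction, so the two lists should be checked against the decision and aligned.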
Line 86: Line 127:


== Comment ==
== Comment ==
''Share your comments here!''
''This decision was taken together with another decision against the airport of Charleroi for similar facts''


== Further Resources ==
== Further Resources ==

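Review bot: the new Comment line refers to "another decision against the airport of Charleroi" without a case number or a wiki link, so a reader cannot locate it; link the sentence to that decision's page. The sentence is also missing its closing full stop.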
Revision as of 15:46, 6 April 2022

APD/GBA (Belgium) - 48/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 12 GDPR
Article 13(1)(c) GDPR
Article 13(2)(e) GDPR
Article 24 GDPR
Article 35(1) GDPR
Article 35(3) GDPR
Article 35(7)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.04.2022
Published: 04.04.2022
Fine: 200000 EUR
Parties: Brussels airport
Ambuce Rescue Team
National Case Number/Name: 48/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD (in NL)
Initial Contributor: n/a

The Belgian DPA issued fines of €200,000 against the Brussels airport, and €20,000 against a medical company, for carrying out temperature checks with thermal cameras on passengers without a valid legal basis, adequate information provided to data subjects, and an appropriate data protection impact assessment.

English Summary

Facts

The inspection service of the BE DPA conducted an inspection of the temperature checks carried out by the Brussels airport, as instructed by the Board of Directors of the BE DPA.

A first-line check was performed with thermal cameras. All passengers whose temperature was measured above 38 degrees were invited to be analysed by a medical service, acting as the second line, which carried out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing.

Holding

1. The DPA concluded that the airport was the controller for the processing of data in the context of the first line.

The airport and the medical service were considered joint controllers for the second-line processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same).


2. The legal basis (Articles 6 and 9 GDPR)

During the procedure, the airport stated that it relied on Article 6(1)(e) and 9(2)(g) GDPR for the processing.

The DPA considered that the decrees and the protocol on which the airport relied as a legal basis did not create any legal obligation to check the temperatures of the passengers.

Moreover, the texts on which the airport relied did not refer, as required by Article 6(3), to the purpose of the processing or to the description of the processing operations, nor did they mention the measures to ensure lawful and fair processing of the data. The litigation chamber also noted that the airport itself remarked in its DPIA that no legal text provides for an obligation to carry out temperature checks.

Finally, the DPA found that the necessity was not demonstrated, since the protocol itself referred to the recommendations of the European Union Aviation Safety Agency and the European Centre for Disease Prevention and Control, which considered that temperature control was not proven to be efficient. Also, the alleged legal basis did not contain any reference to a duration or retention period.

The litigation chamber concluded that there was a violation of Articles 5(1)(c), 6(1)(e), 6(3) and 9(2)(g) GDPR both by the airport and by the medical service acting as joint controller.

3. Transparency and information

The litigation chamber found that the lack of reference to the specific legal provision(s) that allegedly created a legal obligation amounts to a violation of Article 13 GDPR. The litigation chamber also recalled that the legal basis should be stated in the privacy policy and not during the procedure before the DPA. The litigation chamber also pointed out that the lack of mention of the consequences for the data subjects violated Article 13 GDPR.

The same lack of transparency could also be observed regarding the medical service, but since these elements were not investigated by the inspection service, the litigation chamber did not reach a conclusion in this regard.

4. DPIA

The litigation chamber considered that the DPIA was not carried out appropriately, since some information was missing from it, such as a clear legal basis for the processing (the DPIA even identified the risk that no clear legal basis existed) and a risk assessment.

The litigation chamber also considered that the processing of data in the second line (by the medical service) was different from a visit to the doctor, considering that a legal decision would be taken on the diagnosis from the medical service.

Moreover, the fact that the number of potential passengers who could have been subject to the processing was unknown at the time of the DPIA does not affect this conclusion: in order to assess whether the processing would be done at a large scale, it should have been considered that all passengers could see their data processed.

5. Competence and independence of the DPO

The litigation chamber did not follow the inspection report regarding the alleged lack of competence of the DPO and did not find a violation of Article 37(5) GDPR.

Regarding the independence of the DPO, the litigation chamber considered that the position of the DPO in the hierarchy and the collaboration with other privacy experts within the airport were not to be considered a violation of Article 38 GDPR, since it was not demonstrated that the DPO could not act independently.

Sanction

Based on the above, the litigation chamber issued:

- a 200 000 € fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12 juncto 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR

- a 20 000 € fine against the medical service for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR

- a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR.



Comment

This decision was taken together with another decision against the airport of Charleroi for similar facts.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.