Court of Appeal of Brussels - 2022/AR/560 & 2022/AR/564
Court of Appeal of Brussels (Belgium) - 2022/AR/560 & 2022/AR/564 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | |
Decided: | 07.01.2023 |
Parties: | |
National Case Number/Name: | 2022/AR/560 & 2022/AR/564 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) 48/2022 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | GBA (in Dutch) |
Initial Contributor: | elsjegold |
The Belgian Court of Appeal of Brussels upheld a decision by the Belgian DPA to fine Brussels Airport for using temperature scanners at the airport to detect potential COVID-19 infections without a legal basis. However, the Court reduced the original fine.
English Summary
Facts
On 4 April 2022, the Belgian DPA issued decision 48/2022, in which it fined Brussels Airport €200,000 for the use of thermal cameras and temperature checks for COVID-19 detection purposes. It also fined the Ambuce Rescue Team €20,000 for carrying out a second test (second-line control) for passengers at Brussels Airport with a temperature of 38°C or higher. The DPA held these controllers lacked a lawful ground for processing these special personal data. For more information on this decision, see the GDPRhub summary.
Ambuce and the Airport both appealed this decision before the Market Court, where the appeals were decided jointly. Both parties questioned the impartiality of the DPA, because one of its members was also the 'program director' at a non-profit focused on digital data protection (NOYB). This was supposedly incompatible with his mandate as a member of the Dispute Chamber of the DPA and in violation of Articles 52(1) and 52(2) GDPR and Article 44(1) WOG.
Ambuce and the Airport also questioned their qualification as joint controllers as far as the second-line control was concerned.
Lastly, they argued that the fines imposed on them were not adequately justified.
Brussels Airport further argued that the DPA misused its power. According to the Airport, the purpose of the contested decision was to set an example and to denounce the practice of not consulting the DPA in any legislative initiative. In addition, the DPA allegedly breached the principles of reasoning and due care.
Further, Ambuce stated that the publication of the press release of 17 June 2020 infringed Article 54(2) GDPR and Article 48(1) and Article 64(3) WOG. This press release described that the DPA was 'worried' about the installation of these thermal cameras.
In addition, Ambuce held that its rights of defence and Article 92(3) WOG were not respected by the DPA. A number of GDPR violations were found in the contested decision on the part of Ambuce, whereas the Inspection Service Report only held Brussels Airport responsible for the GDPR violations committed in the context of the second-line inspection. The DPA upheld infringements on Ambuce's behalf without any rebuttal, violating Ambuce's right of defence. It would also make the contested decision incompatible with Article 92(3) WOG, as that provision would imply that the DPA may not find infringements other than those in the Inspection Report.
Holding
On the impartiality of the litigation chamber, the Market Court held that it was only for the Parliament to remove one of its members from office. The Court had no jurisdiction to do so. It further noted that the decision is collegial, and no element proved that the member was irregularly appointed or biased in a way that could lead to the annulment of the decision.
Regarding the press release, the Court again stated that it had no jurisdiction to rule on the legitimacy of the publication of the press release. It was only competent to rule on the decisions of the DPA. Insofar that the parties invoked Article 54(2) GDPR, the Court stated that this merely stipulated that members and staff of national supervisory authorities were bound by professional secrecy. However, this provision was not to be interpreted so broadly that it would prevent the DPA from communicating (possible) breaches of the GDPR to the general public.
Regarding the alleged abuse of power, the Court recalled that this can only be the case when a public authority uses its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since neither party demonstrated that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was unfounded.
Regarding Ambuce’s right of defence, the Court found that Ambuce was made aware of all the issues that could cause a debate before the litigation chamber. Furthermore, Ambuce was sufficiently heard during the hearing based on the official report. There was therefore no violation of its right to defence. Regarding the violation of Article 92(3) WOG, the Court held that the DPA cannot be bound by what was stated in the Inspection Report for the establishment of potential violations and sanctions.
On the qualification by the DPA of the parties as joint controllers, the Court noted that this qualification was not in line with the inspection report and the conclusions of Ambuce and Brussels Airport. The Court stated that the DPA could have, for example, invited the Inspection Service to the hearing and/or asked it to conduct an additional investigation, which the DPA did not do. Therefore, the contested decision was not carefully prepared on this point and the reasoning of the DPA was inadequate. Thus, no sanction could in any event be imposed on Ambuce since the alleged infringement was not established with due care and was not adequately reasoned.
The Court reduced the amount of the fine on the Airport. In particular, the Court stated that the DPA should have paid more attention to the following factors under Article 83 GDPR:
- The Airport had fully cooperated with the DPA during the procedure.
- The controller had not profited economically from these temperature checks.
- The sole purpose of the temperature checks was to support public health.
Therefore, it reduced the fine given to Brussels Airport to €50,000.
Comment
Similar temperature checks were performed at Brussels Charleroi Airport. This was the subject of a separate decision of the DPA (47/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/556). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 47/2022 of 4 April 2022
This decision was partially set aside by the judgment 2022/AR/556 of the Market Court dated 7 December 2022
File number: DOS-2020-04002
Subject: Use of thermal imaging cameras at Brussels South Charleroi Airport in the fight against COVID-19
The Disputes Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans, chairman, and Mr Jelle Stassijns and Mr Romain Robert;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter 'AVG';
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter 'WOG';
Having regard to the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter 'WVP');
Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents on file;
has taken the following decision regarding:
The defendant: BSCA SA, with its registered office at Rue des Frères Wright 8, 6041 Charleroi, registered with company number 0444.556.344, represented by Mr Frédéric Deschamps and Mr Nathan Vanhelleputt, hereinafter referred to as 'the defendant'.
I. Facts and procedure
1. On 28 August 2020, the Inspectorate decided to file the case on its own initiative in accordance with Article 63, 6° of the Act of 3 December 2017 establishing the Data Protection Authority.
2.
This decision was taken following serious indications about the use of thermal imaging cameras by the public limited company Brussels South Charleroi Airport (hereafter 'BSCA SA') to combat the spread of COVID-19. In particular, the decision was justified on the basis of the following elements:
- Articles and publications by several Belgian newspapers and media sites that referred to the use of thermal imaging cameras by BSCA SA;
- The FAQ (Frequently Asked Questions) on the website of the Data Protection Authority (hereinafter 'GBA') on body temperature monitoring as part of the fight against COVID-19;
- The press release dated 17 June 2020 published by the GBA on its website regarding the contact made with Brussels Airport regarding the temperature checks carried out by the latter; [1]
- The possible processing of data related to health 'for which better protection is required' as stated in the AVG; [2]
- The possible processing on a large scale;
- The importance the GBA attaches to processing related to 'the use of photographs and cameras' and 'sensitive data' in line with its 2020-2025 strategic plan. [3]
[1] Available at the following link: https://www.gegevensbeschermingsautoriteit.be/burger/temperatuurcontroles-de-gba-neemt-contact-with-brussels-airport
[2] AVG, recital 53.
[3] Data Protection Authority, 'Strategic plan 2020-2025', page 23.
3. On 18 April 2021 the Inspectorate completed the investigation and the report was transmitted by the Inspector-General to the President of the Disputes Chamber (art. 91, §2 WOG).
4. The report contains the following findings and refuted the following violations:
Finding 1: Violation of the principle of lawfulness of processing and the necessity of the measure in accordance with Articles 5.1.a, 5.1.c, 6 and 9 of the AVG
Finding 2: Violation of the principle of purpose limitation in accordance with Article 5.1.b of the AVG
Finding 3: Violation of the principle of transparency and the duty to disclose information in accordance with Articles 5.1.a, 12 and 13 of the AVG
Finding 4: Violation of the obligation to carry out a data protection impact assessment prior to processing (breach of Article 35.1)
Finding 5: Violation of the confidentiality principle and of the obligation to carry out technical and organisational measures to secure the data (Articles 5.1.f and 32 AVG)
Finding 6: Violation of the principle of data protection by design and by default (Article 25 AVG)
Finding 7: Breach of the obligation to keep a full register of the processing activities
Finding 8: Breach of the obligation to ensure the independence of the data protection officer in accordance with Article 38.3 of the AVG
5. On 5 October 2021, the Disputes Chamber decided on the basis of article 95, §1, 1° and article 98 of the CPC that the file could be dealt with on the merits. The defendant was informed of this by registered letter, in accordance with article 95, §2 and article 98 of the CPC. Pursuant to Article 99 of the CPC, the defendant was also informed of the time limits for submitting his claim.
6. The deadline for receipt of the respondent's submission was set at 16 June 2021.
7. On 20 May 2021, the defendant requested a copy of the file (art. 95, §2, 3° WOG), which was transmitted to him on 31 May 2021.
8. The defendant agreed to all communications concerning the case being sent electronically and indicated that he wished to avail himself of the opportunity to be heard pursuant to Article 98 of the CPC. He also requested an extension of the deadline to conclude until 1 September 2021.
9. In its letter of 31 May 2021, the Disputes Chamber agreed to extend the conclusion period until 9 July 2021. In an e-mail message dated 1 June 2021, the Respondent again requested an extension of the conclusion period until 1 September.
10.
In an e-mail message from the clerk of the Dispute Chamber dated 4 June 2021, the concluant was requested to file his submission by 23 July 2021.
11. On 23 July 2021, the Disputes Chamber received the respondent's brief.
12. On 6 September 2021, all parties were informed that the hearing would take place on 6 October 2021.
13. On 1 October 2021, the Dispute Chamber sent the Respondent a list of questions for preparation of the hearing.
14. At the Respondent's request, the hearing was postponed until 22 October 2021.
15. On 18 October 2021, the Disputes Chamber received the Respondent's Statement of Reply.
16. On 22 October 2021, the parties were heard by the Dispute Chamber. In addition to the elements already set out in its conclusion, the Respondent submitted additional elements, particularly in relation to transparency and confidentiality policy.
17. On 18 November 2021, the transcript of the hearing was submitted to the parties.
18. On 25 November 2021, the Disputes Chamber received the Respondent's comments on the minutes.
19. On 15 February 2022, the Dispute Chamber informed the Respondent of its intention to impose an administrative fine, as well as the amount of this fine.
20. On 9 March 2022, the Disputes Chamber received the Respondent's response regarding the intention to impose an administrative fine and the amount of the fine. These arguments are summarised under point 'III. Penalty'.
II. Justification
II.1. Preliminary considerations
21. The Disputes Chamber first notes that this decision concerns the processing of personal data within the context of the COVID-19 pandemic.
22. In the context of this health crisis, unprecedented measures have been and are being taken that involve the processing of (special categories of) personal data.
23.
Given this crisis situation, the Dispute Chamber understands the urgency with which some of these measures had to be taken by the competent authorities and services and implemented by the controllers concerned. It is also attentive to the difficulties inherent in this situation. However, it should be stressed that this in no way detracts from the fact that the AVG and other legislation on the protection of personal data, which provide essential protection for the rights and freedoms of the data subjects, still apply. Crisis situations do not justify a deviation from the provisions of the AVG. On the contrary, in such circumstances, in which individual freedoms are often threatened, it is important to respect the legal framework with which abuses and violations of fundamental rights can be prevented.
24. The Data Protection Authority's monitoring of technological, commercial or other developments [4] and the prior opinions of the Knowledge Centre shall not affect the duty of data controllers to comply with applicable law, nor the fact that they may be sanctioned by the Dispute Resolution Chamber where appropriate.
II.2. Preliminary questions regarding the capacity of the Disputes Chamber of the Data Protection Authority as an administrative authority
25. In its conclusions, the defendant raises three preliminary questions that will be addressed before the case is heard on the merits.
II.2.1. Failure to state reasons for the decision to hear the case on the merits
26. In its briefs, the defendant states that "the decision to take the file on the merits was not legally justified within the meaning of the Act of 29 July 1991 on formal reasoning of administrative acts and the case-law of the Brussels Court of Appeal, section Market Court." [free translation]
27.
According to the Market Court case law referred to, the Disputes Chamber is obliged "to state in its statement of reasons the legal and factual considerations on which the decision is based, whereas such reasoning must be sufficient to substantiate the decision." [free translation] This duty to state reasons exists from both a formal and a substantive point of view. The Markets Court added that "it is sufficient to make the rationale clear, succinctly if necessary, in the decision itself." [free translation]
28. The Disputes Chamber finds that these conditions have been met in this case. The decision to hear the case on the merits was in fact communicated to the defendant in a letter dated 5 May 2021. The letter expressly stated that the decision to hear the case on the merits is based on the findings of the Inspectorate's investigation report. The letter lists the eight possible breaches of the AVG identified by the Inspectorate and explains that these are the subject of a substantive investigation. The investigation report was incidentally also attached to the letter. The letter dated 5 May 2020 also further states that the decision to hear the case on the merits was taken on the basis of Articles 95, §1, 1° and 98 of the CPC.
[4] Article 10 WOG.
[5] Brussels, (Markets Court section), (19th Chamber A), 21 January 2021, paragraph 7.3, available in French at https://www.autoriteprotectiondonnees.be/publications/arret-du-27-janvier-2021-de-la-cour-des-marches-ar-1333.pdf.
II.2.2. Lack of independence and impartiality of the Data Protection Authority
29. The defendant argues in its brief that the Data Protection Authority as a whole fails in its duty of impartiality and independence. The Respondent bases this argument on several press articles, reporting on conflicts within the Data Protection Authority and the initiation of infringement proceedings by the European Commission.
30.
The Disputes Chamber notes first of all that the Respondent invokes in very general terms a lack of impartiality and independence of the Data Protection Authority, without referring to specific facts or a specific member of the Authority, and without linking its considerations to any decision or administrative act of the Data Protection Authority in this case.
31. At no point does the Respondent indicate how the independence or impartiality of the Dispute Chamber could be called into question.
II.2.3. Misuse of power
Criticism of the content and format of the inspection report, the assertion made on that basis and the resulting misuse of powers
32. In its conclusion, the Respondent disputes that the Inspectorate may question the form or content of an enforceable legal standard in cases other than those provided for in Article 6 of the Act of 3 December 2017. He formulates this criticism as follows: "By openly criticising the ministerial decision and the protocol and its legality and then, on that basis, establishing that there has been an infringement by concluant, the Inspectorate thus questions the substance of the legal basis on which concluant relied for the processing of personal data. The inspection is thus actually questioning the content of a standard issued by the executive branch." [6]
[6] Conclusion of the defendant, §23. [free translation]
33. Within the framework of its missions set out in Article 4 of the CPC, the Data Protection Authority is "responsible for monitoring compliance with the fundamental principles of personal data protection." One of the fundamental principles of the right to protection of personal data is the principle of lawfulness, which is laid down in Articles 5.1.a and 6 of the AVG.
This principle makes any processing of personal data subject to a basis for lawfulness; the controller must be able to demonstrate the existence of that basis under the principle of accountability laid down in Article 24 of the AVG.
34. In this case, during the Inspectorate's investigation and in its conclusion, the defendant relied on Article 6.1.c as the basis for lawfulness. This article reads as follows: "The processing is necessary for compliance with a legal obligation imposed on the controller."
35. In this regard, the Disputes Chamber recalls that, although the Inspectorate is the investigating body of the GBA, only the Dispute Chamber has the power to take a decision on the basis of the Inspectorate's findings. There can therefore be no abuse of jurisdiction by the Inspectorate, which is not competent to decide on the merits of the case.
36. Furthermore, compliance with the principle of legality consists in verifying whether the legal obligation invoked by the controller as a ground does exist and whether the processing is necessary to fulfil this legal obligation. It is therefore not the intention, as the respondent argues, to challenge the ministerial decision and the protocol, [8] but rather to ascertain whether the processing operations carried out by the controller are lawful and fall within the legal framework established by those legal instruments. If, during its investigation, the Dispute Resolution Chamber finds that the standard on which a processing would be based does not meet the requirements of the AVG, it may conclude that the processing is unlawful.
37.
This approach is also followed in the Inspectorate's investigation report, which notably states that "an investigation into the lawfulness of processing should consider whether:
- there is a public health reason in accordance with Article 9.2.i of the AVG;
- there is a legal provision on which the controller can validly rely in accordance with Articles 6.1.c, 6.3 and 9.2.i of the AVG;
- the processing operations in question are necessary:
  ▪ to fulfil the legal obligation invoked in accordance with Article 6.1.c; and
  ▪ for public health reasons in accordance with Article 9.2.i of the AVG." [9]
[7] Article 28 of the Act of 3 December 2017 establishing the Data Protection Authority.
[8] Belgian FPS Mobility and Transport, Protocol 'Commercial Aviation Passengers' (see paragraph 62 et seq.).
38. It is clear from this wording that the lawfulness of the processing will be examined and not the validity of the standards themselves. This is confirmed by the wording in which the Inspectorate describes the findings of its investigation. The Inspectorate states, indeed, that the defendant is processing personal data without an appropriate legal framework, which violates Articles 6.1, 6.3 and 9.2.i of the AVG. This shows that it is indeed the processing itself that is deemed problematic.
39. Based on these considerations, the defendant's argument regarding a possible abuse of discretion must be rejected.
The fact that any fine would constitute an abuse of discretion
40.
Relying on the jurisprudence of the Market Court, the defendant cites that "since concluant never received a compliance order or any other sanction, and the processing subject to these proceedings was discontinued on 15 October 2020 for the controls on arrival and on 21 March 2021 for the controls on departure, it should be assumed that any possible financial penalty imposed by the Dispute Chamber would be a form of abuse of power, within the meaning of the case-law of the Brussels Court of Appeal, Markets Court section." [free translation]
41. The Data Protection Authority, like all supervisory authorities, has the power to impose administrative fines to ensure the effective application of the AVG, in accordance with the text of the AVG itself. As can be seen from recital 148, an administrative fine may be imposed in addition to or instead of appropriate measures. [10] The Disputes Chamber applies Article 58.2.i of the AVG in this case. The possibility of imposing an administrative fine is thus in no way dependent on a prior order to comply with the rules. The effectiveness of the application of the AVG would be compromised if controllers could hide behind the lack of a prior default notice in order to escape a fine. Therefore, the AVG and WOG provide for various remedies, including the remedies provided for in Article 100, §1, 8° and 9° of the WOG. The supervisory authority must always take appropriate measures to ensure the effective application of the AVG, using its discretionary competence, defined by the procedural safeguards and the fact that fines must be 'effective, proportionate and dissuasive'. [12]
[9] Investigation report, p. 25. [free translation]
[10] Recital 148 reads as follows: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of any appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If the infringement is a minor infringement or if the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, seriousness and duration of the breach, the intentional nature of the breach, harm reduction measures, the degree of responsibility, or previous relevant breaches, how the breach came to the attention of the supervisory authority, compliance with measures taken against the controller or the processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including effective remedy and due process of law." See also the guidelines of the European Data Protection Board on the application of administrative fines of 3 October 2017, WP 253, which confirm that authorities may choose to cumulate several measures, including an administrative fine.
II.3. On the merits
II.3.1 Identification of the processing operations at issue and applicability of the AVG
42. The documents in the file and the investigation report of the Inspectorate show that the file relates to temperature measurements taken by the defendant at Brussels South Charleroi Airport in the context of the COVID-19 pandemic.
43. The system used involves two separate procedures: one for departing flights and one for arriving flights.
44. For the departing flights, the defendant introduced a temperature check for all passengers departing from Brussels South Charleroi and their companions.
In the pre-checking tent two thermal imaging cameras were installed. With these cameras, an initial temperature measurement was taken. The aircraft was monitored by the Red Cross and the fire services of the defendant.
45. If the temperature exceeded 38°C, the person concerned was subjected to a second test. This was carried out by the person who held the screens in the holes, with the help of a digital forehead thermometer. If the temperature again exceeded 38°C, the passenger was requested to proceed to the sickbay where a new temperature reading was taken with a digital thermometer under the arm. If the temperature at this third measurement was again above 38°C, the fire brigade was informed by radio or telephone on the number 112. A fireman was responsible for taking the anamnesis of the affected person. This involved asking the passenger additional questions to ascertain whether he had other typical symptoms of COVID-19. The information was exchanged orally without notes being taken of it.
[11] Market Court, NDPK t. GBA, 7 July 2021. Available at: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-juillet-2021-de-la-cour-des-marches-ar-320-disponible-en-neerlandais.pdf
[12] Art. 83.1 of the AVG.
46. If this led to a suspicion of COVID and the airline with which the passenger was flying did not allow people with fever on board, the passenger was denied access to the terminal.
47. The system was introduced on 15 June 2020. It was operational during the opening hours of the airport (between 04:00 and 21:00). The Red Cross was involved in the procedure until 6 November. From that date, this task was taken over by the fire service of the defendant. Controls ended on 22 March 2021. Between 15 June 2020 and 31 October 2020, about 457,000 passengers were checked on departure.
48.
The Belgian Red Cross had to fill in a document each day which had to state how many passengers had a temperature above 38°C and what the body temperature of these passengers was. The document did not contain the first or last names of these people and was destroyed every week.
49. On arrivals, the system was operational from 7 September 2020 to 15 October 2020. This included the use of 6 thermal imaging cameras to monitor the temperature of the passengers who arrived from a red zone. The aircraft was kept under surveillance by the Red Cross and fire services. If the temperature exceeded 38°C, the passenger received a document asking him to watch for other possible symptoms of COVID and to contact a doctor if required.
50. According to the defendant, the system was only used for incoming flights from a red zone. The defendant states it cannot say how many affected persons returned from a red zone and underwent a body temperature check.
51. The thermal imaging cameras are equipped with software that sounds an alarm when a temperature of 38°C or higher is detected. At that time, an image of the passenger with his mask in the computer's event centre. At the request of the defendant the cameras were configured for a pre-alarm at 37.5°C and an alarm at 38°C.
52. The cameras' software temporarily stores the most recent twenty alarm images in the cache memory. At the end of each day, they are deleted.
53. The Inspectorate notes that the thermal imaging camera system used by BSCA nv must therefore be regarded as an automated process for processing of personal data falling within the material scope of the AVG pursuant to Article 2.1 of the AVG, as images of passengers with a temperature above 38°C.
54. The Inspectorate also notes that the processing operations covered by this report involve data on health within the meaning of Article 4.15 of the AVG, as they are an aspect of a person's physical health, namely fever.
The Inspectorate also considers that the oral history may contain other information of a medical nature.
55. The defendant has not disputed these two determinations by the Inspectorate. The Disputes Chamber specifies, however, that the data processing at issue is limited to the images taken with the thermal imaging cameras. The subsequent steps in the procedure (taking the temperature without images and anamnesis) do not involve any processing of personal data within the meaning of Articles 2.1, 4.1 and 4.2 of the AVG. Measuring the temperature using a manual thermometer does not constitute processing of personal data within the meaning of Article 4.2 of the AVG, since this measurement - as far as the Disputes Chamber is aware - was not subjected to any of the processing mentioned in that article. [13]
[13] The recording and/or communication of data resulting from the manual temperature measurement and anamnesis to an arbitrary recipient (such as an airline) would, however, constitute such processing.
II.3.2 Identification of the controller
56. The Inspectorate notes that, for the processing operations identified, BSCA nv must be regarded as the controller in accordance with Article 4.7 of the AVG. The Inspectorate bases this conclusion on the fact that the Respondent itself identifies as such and has concluded an agreement with both the Belgian Red Cross and I-CARE SPRL for the supply of the thermal imaging cameras.
57. This finding is not disputed by the Respondent. The Disputes Chamber follows the Inspectorate on this point, moreover.
II.3.3 Finding 1: Breach of the principle of lawfulness of processing and necessity of the measure in accordance with Articles 5.1.a, 5.1.c, 6 and 9 of the AVG
Findings of the Inspectorate
58. The investigation report shows that the Respondent relies on Articles 6.1.c and 9.2.i of the AVG as the basis for legitimacy of processing. The two articles are reproduced below:
"Article 6
Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following conditions is met: [...] (c) the processing is necessary to comply with a legal obligation imposed on the controller;"
"Article 9
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of unique identification of a person, or data concerning health, or data relating to a person's sexual behaviour or sexual orientation are prohibited.
2. Paragraph 1 shall not apply if any of the following conditions are met: [...] (i) the processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, under Union law or Member State law providing for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy."
59. With regard to the legal obligation of Article 6.1.c, the investigation report states that the Respondent invokes Article 4 of the Ministerial Decree of 30 June 2020 containing urgent measures to limit the spread of coronavirus COVID-19. [14] This ministerial order followed several similar ministerial orders and was subsequently replaced by a succession of other ministerial decrees. The most recent at the time of writing the research report is the ministerial order of 28 October 2020. [15] It was only in the course of the Inspectorate's investigation that the complainant referred to the legal grounds.
[14] Ministerial Decree of 30 June 2020 on urgent measures to limit the spread of the coronavirus COVID-19.
[15] Ministerial decree of 28 October 2020 on urgent measures to limit the spread of coronavirus COVID-19.
60. Article 4 of the Ministerial Decree of 20 June read as follows: "Without prejudice to Article 5, the companies and associations that offer goods or services to consumers and, from 1 September 2020, organisers of trade fairs, including fairs, shall carry on their activities in accordance with the Protocol or the minimum general rules published for that purpose on the website of the competent government department. [...]"
61. This article was repealed by Ministerial Decree of 18 October 2020, Article 5 of which reads as follows of Article 4 of the Ministerial Decree of 30 June 2021. This decree was subsequently replaced by a ministerial order of 28 October 2020, article 5 of which read as follows: "Without prejudice to Article 8, companies and associations that offer goods or services to consumers shall carry out their activities in accordance with the Protocol or the arrangements made for that purpose on the website of the competent public authority."
62. These ministerial decisions require that companies and associations which offer goods or services to consumers carry out their activities in accordance with the protocol or minimum rules published on the website of the competent public administration. The protocol applicable to the defendant is a protocol entitled 'Commercial Aviation Passengers' of the Belgian FPS Mobility and Transport (hereinafter 'the Protocol').
63. The Protocol contains on page 5 specific health measures applicable to airports, including the following measure:
64. The Inspectorate also notes that the Protocol contains the following provision:
65. The paragraph copied above on checking the temperature of passengers comes from Chapter 2 of the Protocol.
66.
The Inspectorate noted that the Protocol was published on 12 October 2020 on the website of the FPS Mobility and Transport.
67. The investigation report shows that, with regard to the reasons of general public health interest in accordance with Article 9.2.i of the AVG, the Respondent specifies that these are, more specifically, "the protection against serious cross-border threats to health, in this case the COVID-19 epidemic." [free translation] In this context, he points out that recital 46 of the AVG explicitly mentions the control of epidemics.
68. Furthermore, the Respondent indicated (Exhibit 7) that the processing falls within the established legislative framework, i.e. the Ministerial Decision of 30 June 2020 and the Protocol.
69. On the basis of Articles 5.1.a, 6.1, 6.3 and 9.2.i of the AVG, the Inspectorate considers that, in order to assess the lawfulness of the processing, it is necessary to verify the following elements.
70. Firstly, the Inspectorate considers that the fight against the spread of COVID-19 should be regarded as a matter of general public health concern in accordance with Article 9.2.i of the AVG.
71. Second, the Inspectorate believes that the data were collected and processed without an appropriate legal framework, in violation of Articles 6.1.c, 6.3 and 9.2.i of the AVG, so the processing was therefore unlawful. To reach this conclusion, the Inspectorate relies on the following elements:
- the purpose of the invoked standard was not established by law and, moreover, the Protocol has a different purpose than the ministerial decree;
- the basic modalities for measuring body temperature were not defined by law;
- the foreseeability of the Protocol is problematic as it was not published;
- the legal norms invoked are not laws in the strict sense;
- the legal norms invoked do not provide for the necessary safeguards to frame the processing.
72.
Third, the Inspectorate believes that the extent to which it was medically necessary to check the passengers' body temperature is disputed.
Position of the defendant
73. In its conclusion, the Respondent recalls the legal framework for data processing: the successive ministerial decisions and the Protocol, which is binding on the Respondent.
74. The Respondent further considers that the existence of a public interest in the field of public health under Article 9.2.i is clearly demonstrated in this case.
75. He is also of the view that there is a statutory provision which the controller can validly invoke in accordance with Articles 6.1.c, 6.3 and 9.2.i of the AVG.
76. He puts forward the following four elements to demonstrate this:
- First, as already explained above (para. 32 et seq.), that it is not for the Inspectorate to rule on the validity of a legal or enforceable standard. The Service is only required to verify whether a legal obligation exists that makes the processing valid under Article 5.1.c (sic) of the AVG.
- He then argues that the temperature measurements were imposed on him by the Protocol, which was itself mandated by the ministerial decisions. The defendant argues for the first time expressly that these ministerial decisions were based on Article 4 of the Act of 31 December 1963 [16] (hereinafter 'the Civil Protection Act') and the Act of 15 May 2007 [17] (hereinafter 'the Civil Security Act'). The defendant states that these laws were endorsed by the Council of State as the legal basis for the ministerial decrees. The defendant also states, for the first time in its conclusion, that it relies on the Decree of 23 June 1994 [18] (hereinafter 'the Walloon Decree'). He adds that the ministerial decrees were ratified by the Council of State in a judgment of 30 October 2020. [19]
[16] Law of 31 December 1963 on civil protection.
[17] Law of 15 May 2007 on civil security.
[18] Decree of 23 June 1994 on the creation and operation of airports under the Walloon Region.
[19] Judgment no. 248.818 of the Council of State of 30 October 2020, available at http://www.raadvstconsetat.be/arr.php?nr=248818.
The defendant reports having participated in the workshops for the drafting of the Protocol, together with FPS Mobility, the airports and the main Belgian airlines.
- Regarding the purpose, basic modalities and delay in publication, the Respondent argues that it cannot be held responsible for compliance with these obligations (which are not imposed by Article 9.2.i of the AVG) and that these matters do not affect its obligation to implement the measures set out in the Protocol.
- With regard to the condition that the processing must be necessary, the defendant considers, like the Inspectorate, that it is not for the GBA to pronounce on the medical necessity of thermal imaging cameras to counter the spread of COVID-19. The Respondent also questions whether it is possible to make this retrospective analysis and recalls the uncertainty at the time. He adds that at that time no other pragmatic solution was available to meet the requirements of the imposed Protocol. He also notes that no actual COVID tests were being performed, but only temperature checks. The term 'positive/negative tests' is irrelevant, according to him. He adds that as many as 65 other European airports introduced such systems and that at his airport they are no longer being used (see paragraphs 47 and 49). He adds that he has no interest in the processing of the data and notes that the risk involved is very limited. He concludes that the processing was necessary at the time and was proportionate to the purposes of the processing.
77. At the hearing, the Respondent stated that the decision to stop the temperature measurements was taken because of the increased use of PCR tests and the introduction of the quarantines, as well as due to financial considerations. [20]
78.
The defendant explains that, as far as the departing flights are concerned, only three people were requested not to enter the terminal after their temperature was taken. If they had wanted to do so, their identity would have been communicated to the airline. The final decision to allow them to board or not would, according to international law, have rested with the flight commander.
79. In relation to other legal bases the Protocol, the defendant maintained during the hearing that he was subject to a legal obligation under the Protocol, even though he believes that the Protocol was clumsily drafted, which could give rise to various interpretations. The defendant added that he was not involved in the drafting of the Protocol and believes that a law would have been more appropriate. He adds that the EASA guidelines are not always clear either. [22] He also notes that he requested government intervention regarding the legality of the processing after the Inspectorate opened an investigation.
[20] Notes to the PV of the hearing held on 22 October 2021, p. 1.
Assessment by the Disputes Chamber
80. The Disputes Chamber underlines that a processing of personal data is only lawful if it is done on a legal basis as referred to in Article 6.1 of the AVG.
81. Since in this case it was found (see above) that the screening system also involves the processing of special categories of personal data (more particularly of data concerning the health of data subjects within the meaning of Article 4.15 of the AVG), the controllers must also demonstrate that one of the conditions set out in Article 9.2 of the AVG, under which the prohibition on processing this type of personal data does not apply, is met. As the Disputes Chamber has previously held, [23] the processing of special categories of personal data within the meaning of Article 9 of the AVG must indeed be based on Article 9.2 of the AVG, read in conjunction with Article 6.1 of the AVG.
This was established by the European Commission and the EDPB. [24] It is also confirmed by recital 51 of the AVG, which states the following about the processing of special categories of personal data: "In addition to the specific requirements for those processing, the general principles and other rules of this Regulation should be applied, in particular as regards the conditions for lawful processing." [25]
Application of Articles 6.1.c and 9.2.i of the AVG to this case
82. In this case, during the discussion with the GBA, the controller stated that it was based on Articles 6.1.c and 9.2.i of the AVG.
[21] Notes to the PV of the hearing held on 22 October 2021, page 2.
[22] See also the Inspectorate's response dated 24 November 2020.
[23] Cf. the decision on the merits 76/2021, paragraph 33, available at: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-76-2021.pdf.
[24] In this regard, see: GEORGIEVA, L. and KUNER, C., "Article 9. Processing of special categories of personal data" in KUNER, C., BYGRAVE, L.A. and DOCKSEY, C., The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press, Oxford, page 37: "The Commission has stated that the processing of sensitive data must always be supported by a legal basis under Article 6 GDPR, in addition to compliance with one of the situations covered in Article 9(2). The EDPB has also stated that 'If a video surveillance system is used in order to process special categories of data, the data controller must identify both an exception for processing special categories of data under Article 9 (i.e. an exemption from the general rule that one should not process special categories of data) and a legal basis under Article 6.'"
[25] Own boldface mark of the Disputes Chamber.
83.
The Disputes Chamber emphasises that the controller can only rely on the basis of lawfulness of Article 6.1.c and on the exception provided for in Article 9.2.i of the AVG if it demonstrates:
(i) that there is an important public health reason (Article 9.2.i.);
(ii) that a legal provision exists which the controller may validly invoke in accordance with Articles 6.1.c, 6.3 and 9.2.i of the AVG;
(iii) that the processing operations in question are necessary
  o to fulfil the legal obligation invoked in accordance with Article 6.1.c; and
  o for reasons of public interest in the field of public health in accordance with Article 9.2.i.
84. With regard to the first constitutive element of Article 9.2.i of the AVG, namely the existence of a 'compelling public health interest', the Inspectorate, in its investigation report, does not doubt the existence of such an interest in this case. In this regard, the Disputes Chamber finds that there is indeed a 'substantial public health interest' within the meaning of Article 9.2.i of the AVG. The Disputes Chamber indeed finds that there can be no doubt that combating the COVID-19 pandemic should be considered as such. As also argued by the Respondent, this is expressly stated in recital 46 of the AVG, which refers to "[the monitoring] of an epidemic and its spread" as a "weighty reason of general interest".
85. The second constitutive element relates to the existence of a legal provision on which the processing in question is based in accordance with Articles 6.1.c and 9.2.i of the AVG.
86. In accordance with Article 6.3 of the AVG, viewed in the light of recital 41 of the AVG, the processing of personal data necessary for the fulfilment of a legal obligation [26] and/or for the performance of a task of public interest or a task within the framework of the exercise of official authority vested in the controller [27] must be based on clear and precise rules, the application of which is foreseeable for those to whom it applies.
87.
Article 6.3 of the AVG stipulates more specifically in this regard: "The legal basis for the processing referred to in paragraph 1, points (c) and (e), must be established by: a) Union law; or b) the Member State law applicable to the controller. The purpose of the processing shall be established by the Member State law or shall be in relation to the processing is necessary for the performance of a task carried out in the public interest or for the performance of public authority vested in the controller."
[26] Article 6.1.c of the AVG.
[27] Article 6.1.e of the AVG.
88. Recital 41 of the AVG specifies in this regard: "Where reference is made in this Regulation to a legal basis or a legislative measure, it does not necessarily require that a legislative act adopted by a parliament is necessary, without prejudice to the requirements in accordance with the constitutional order of the Member State in question. This legal basis or legislative measure must, however, be clear and precise, and its application must be foreseeable for those to whom it applies, as required by the case law of the Court of Justice of the European Union ('Court of Justice') and the European Court of Human Rights."
89. With regard to the legal basis invoked by the defendants, it should be noted that the processing at issue as such is not subject to the Decree on the Establishment and Operation of Airports and Aerodromes, nor to the Ministerial Decree or the Law on civil security (see points 59 et seq. and 76 et seq. above). This processing is foreseen in the Commercial Aviation Protocol, which is provided for by the Federal Public Service Mobility and Transport (DG Aviation) after negotiations with the industry concerned. This is reflected in the wording of article 1, 3° of the ministerial decree: "protocol: the document determined by the competent minister in consultation with the sector concerned (...)".
This is also evident from the documents in the file and from the e-mail message sent by the competent minister's office on 11 June 2020 to the airport operators, airlines and regional authorities. The Disputes Chamber argues that in the context of Article 6.3 and recital 41 of the AVG cooperation and consultation with the industry is not a problem in itself, provided that the obligation is expressly imposed by a law in the broad sense. This is not the case here (see below).
90. In this regard, the Disputes Chamber refers in particular to the Privacy International judgment of the Court of Justice of 6 October 2020, in which the Court stated that the regulation in question must contain clear and precise rules "on the scope and application of the measure concerned [and impose minimum requirements], so that those whose personal data are at issue have sufficient guarantees that those data are effectively protected against the risk of misuse." And the Court added: "That regime must be legally binding under domestic law and specify, in particular, the circumstances and conditions under which a measure providing for the processing of such data may be adopted, and thus ensure that interference is limited to what is strictly necessary. Those considerations apply in particular where the protection of a special category of personal data, namely sensitive data, is at stake."
91.
In relation to the said standards, the defendant in its reply states that the Council of State with its judgment of 30 October 2020 "[has] approved the legal basis of Article 4 of the Law of 31 December 1963 and Articles 181, 182 and 187 of the Law of 15 May 2007." It should be noted, however, that the aforementioned judgment does not cover the use of this legislation as a legal basis for the processing of (special categories of) personal data. The judgment relates to the closure required of restaurants and public houses in the context of COVID-19 and is therefore not relevant to this case. More importantly, the judgments of the Council of State concern the legality of the measures imposed by ministerial order. However, it should be pointed out that ministerial decisions in Belgian law have a clear normative character. However, this is not the case for the Protocol in question.
92. This was moreover confirmed by the Council of State in its Opinion No 69.253/AG of 23 April 2021, issued by the General Assembly of the Legislative Section, in which it stated the following position:
93. "It is, after all, one of two things: either the protocols have no regulatory character, but then the concretisations they contain are not binding, the protocols cannot deviate from the ministerial decree, and their compliance cannot be monitored and enforced by instituting criminal proceedings for non-compliance with them; alternatively, the protocols are, however, regulatory and the measures they contain are binding, but then these measures must be included in decisions of the competent authority for that purpose." [28]
94. With this position, the Council of State responds to the question of the Minister's deputy regarding the legal value of the Protocol:
95. "The protocols and guides constitute an indicative assessment framework. The protocols and guides can only concretise regulatory measures, as stipulated in the MB, but are not themselves regulatory." [29]
96.
Moreover, the Disputes Chamber notes that the French Council of State stated the following about the processing of special categories of personal data using thermal imaging cameras without a valid legal basis: "It can be assumed that compliance with the legal conditions for processing personal data concerning health as referred to in Article 9.2.g of the AVG, as there is no text that regulates the use of the thermal imaging cameras deployed by the municipality and specifies that the public interest makes it necessary." [30] [free translation]
[28] The Council of State reiterated this paragraph in its opinion 69.305 of 6 May 2021. Opinion no. 69.253/AG of 23 April 2021 is the first opinion issued by the Council of State on the successive ministerial decrees (see paragraph 62 et seq.). Due to the urgency, the opinion of the Legislative Section of the Council of State had not been sought in advance. This is therefore the first opinion of the Council of State on the issue of protocols provided for in these successive ministerial decrees.
[29] Department of Legislation of the Council of State, No 69.253/AG of 23 April 2021, p. 42.
97. During the hearing, the defendant also stated that he considered the legal basis unclear and that a statute would have been more appropriate. [31]
98. Accordingly, the Disputes Chamber finds that the Protocol does not provide a valid legal basis for the processing within the meaning of Article 6.1 of the AVG.
99. Further, as regards the non-binding nature of the invoked Protocol, the Disputes Chamber notes the following on the basis of the documents:
- The Protocol says: "Measuring the body temperature of the passengers so that they can communicate with an "immunity passport" is not recommended by EASA and the ECDC. The EASA recalls that the relevance of such measurement is not substantiated by current scientific knowledge of SARS-CoV-2.
Nevertheless, EASA and ECDC follow the scientific developments and will update their recommendations as appropriate if a suitable test becomes available. At the request of airlines operating flights there, the airport of Charleroi (Brussels South Charleroi Airport), however, has decided to carry out tests for measuring body temperature for persons entering the airport building. The airport guarantees that the method chosen will not cause any delay, nor a concentration of persons at the entrance to its infrastructure." [32]
- The airport has twice taken the initiative to stop processing. This is evident from its reply to the question of 6 January 2021, in which it stated that measuring the temperature on arrival was stopped at the airport's initiative on 15 October 2020. In relation to arrivals, the Respondent, in its letter of 18 October 2021, stated the following: "The Respondent has implemented the temperature measurement system for the departing flights on 22 March 2021 due to the additional measures that were implemented by the various national governments to control the spread of coronavirus" [free translation]. This was reiterated during the hearing, as the defendant clearly indicated that, when processing ceased in March 2021, "the cessation was a decision of BSCA." [33]
[30] French Council of State, ordinance of 26 June 2020, no. 441065. Available at: https://www.conseil-etat.fr/decisions-de-justice/dernieres-decisions/conseil-d-etat-26-juin-2020-cameras-thermiques-a-lisses
[31] See paragraph 79 above.
[32] Own boldface mark of the Disputes Chamber.
[33] Notes to the PV of the hearing held on 22 October 2021, p. 1.
100. For the Disputes Chamber, these elements demonstrate - quite apart from the question whether a legal basis exists - that the Protocol, specifically for temperature measurement, has no binding character.
101.
Furthermore, the Disputes Chamber is of the opinion that, for the reasons stated below, the Protocol does not meet the requirements of Article 6.3 of the AVG and European case law.
The purpose(s) of the contested processing(s) is (are) not stated in the invoked standards in a sufficiently clear and coherent manner
102. As mentioned above, under Article 6.3 of the AVG, the legal basis for the processing referred to in paragraph 1, points (c) and (e) must be determined by Union law or Member State law applicable to the controller. Recital 45 specifies that: "It should also be Union law or Member State law which determines the purpose of the processing. Furthermore, that law could specify the general conditions of this Regulation that personal data processing must fulfil in order to be lawful, and could lay down specifications for determining the controller, the type of personal data processed, the data subjects, the entities to which the personal data may be disclosed, the purpose limitation, the storage period and other measures to ensure lawful and proper processing. Also, Union law or Member State law should establish whether the controller entrusted with a task of public interest or a task carried out in the exercise of official authority should be a public authority or another person governed by public law (...)."
103. However, the Disputes Chamber finds that the standards invoked by the Respondent do not unambiguously and clearly set out the precise purpose of the processing. Nor do they contain the basic modalities of the processing, as listed in the previous paragraph.
104. With regard to the Ministerial Decree of 5 June 2020, the decree on the establishment and operation of airports and airfields, and the law on civil security, it should be noted that none of these three standards mentions the processing at issue. The wording of the ministerial decree shows that the purpose of the measures is to "limit the spread of coronavirus COVID-19."
105.
The Commercial Aviation Protocol - which does refer to the processing at issue - also contains no clear definition of the purposes of the processing in question. The title of the document indicates that the objective of the measures it contains is "to ensure the restart of activities related to commercial aviation passengers".
The processing modalities were not defined in the Protocol
[34] Specific boldface mark of the Disputes Chamber.
106. As explained above, in accordance with Article 6.3 of the AVG, read in conjunction with Article 22 of the Constitution and Articles 7 and 8 of the Charter of the Fundamental Rights of the European Union, a legislative norm should lay down the essential characteristics of a data processing operation necessary for the performance of a task of general interest or in the exercise of official authority vested in the controller. In this regard, the aforementioned provisions emphasise that the processing in question must be framed by a sufficiently clear and precise standard whose application is foreseeable for the persons concerned.
107. The Commercial Aviation Protocol, however, in no way defines the essential elements of the processing at issue. It leaves a wide margin of appreciation to processors as to how the measurement of body temperature should be carried out. Consequently, the Protocol leaves airport controllers free to carry out this screening with or without processing of personal data and even to determine the other modalities, such as the number of temperature measurements, the technology used, the type and the amount of data processed and the retention period of the data.
The foreseeability (or unforeseeability) of the Commercial Aviation Protocol
108.
The European Court of Justice imposes the requirement of foreseeability of legislation. The standards invoked should further be made sufficiently accessible to those concerned by their publication, particularly as regards their nature and legal effects on the person concerned.
109. In this regard, it should be noted that the Protocol does not determine the consequences for a data subject who refuses to submit to temperature control. This element appears only from the joint operational guidelines of EASA and ECDC. The purpose of the identification and the principle of monitoring by imaging are also not apparent from the Protocol. Moreover, the Protocol was not published timely and correctly. Indeed, it was published on the website of the Federal Public Service of Mobility and Transport after it became applicable.
110. Because these modalities are not defined in the invoked standard or instrument, important derivative risks arise for the rights and freedoms of data subjects (e.g. blurring of purposes and complication of the exercise of data subjects' rights). In accordance with the case-law of the Court of Justice cited above (Privacy International), this does not satisfy the condition that a law (even in a broad sense) provide for appropriate and specific measures to protect the fundamental rights and freedoms of data subjects.
111. The Disputes Chamber notes the urgency with which the measures were taken in the context of the fight against the COVID-19 pandemic. However, it stresses that this does not alter the fact that the requirements of the above-mentioned provisions must be complied with. They constitute an essential protection for the rights and freedoms under the regulation of the protection of personal data.
112.
As a controller, under the principle of the accountability obligation under Articles 5.2 and 24 of the AVG ('accountability'), the defendant is responsible for compliance with personal data protection principles (including lawfulness and necessity) and must be able to demonstrate that it has complied with its legal obligations. The Disputes Chamber reiterated that the defendant's failure to lack of clarity of the Protocol.
113. The Disputes Chamber stresses that the defendant should have ascertained, from the outset of the disputed processing, the existence of a valid ground of lawfulness and ground for exception within the meaning of Articles 6.1 and 9.2 of the AVG. The analysis of the documents of the file shows that this ground of lawfulness was not explicitly established at the start of the processing. This is also evidenced by the absence of any concrete reference to the relevant legal basis in the defendant's privacy notice (cf. infra). Only during the Inspectorate's investigation was mention first made of this legal basis, which was then incompletely included in the privacy policy from 2 December onwards.
114. It should also be stressed that the legal standards which the controllers invoke do not impose any obligation and do not impose any legal framework for the implementation of a temperature control in which personal data are recorded.
115. The Disputes Chamber therefore concludes that the second constitutive element has not been demonstrated.
116. With regard to the third constitutive element, namely that the processing operations in question must be necessary to fulfil the invoked legal obligation pursuant to Article 6.1.c as well as for reasons of public interest in the area of public health in accordance with Article 9.2.i.
117. The Disputes Chamber firstly considers that the reference to other similar processing operations in 65 other European airports is not relevant as evidence that the necessity requirement has been met in this case.
In this regard, it points out that the enumeration in the conclusion of the first defendant also implies that a (significant) number of airports (including Belgian airports) have not used the The Disputes Chamber also notes that the Protocol indicates that processing would be implemented at only two airports in Belgium (the airports of Charleroi and Zaventem), without mentioning the other airports on Belgian territory.

35 See paragraph 76 above.

118. With regard to compliance with the principle of necessity in the context of the disputed processing, the Disputes Chamber, like the Respondent, stresses that it cannot express an opinion on the medical necessity of this measure in the context of combating COVID-19 as such, nor on the scientific accuracy and correctness of the quoted views and reports. However, this analysis is not necessary to make a judgment on the necessity of the processing from a legal point of view.

119. The Disputes Chamber did note, however, that the Protocol Commercial Air Transport of the Minister of Mobility - both in its version of 11 June 2020 and that of 31 July 2020 - states the following on page 5: "Measuring the body temperature of passengers so that they can use an 'immunity passport' is not recommended by EASA and ECDC. The EASA recalls that the relevance of that measurement is not substantiated by current scientific knowledge of SARS-CoV-2. (...)."36

120. The Disputes Chamber therefore finds that the legal basis put forward by the defendant itself states that the need for the processing in question has not been demonstrated. It therefore concludes that the necessity of the processing as required by Articles 6.1.c, 6.3 and 9.2.i of the AVG has not been demonstrated.

121.
In this regard, the Disputes Chamber notes that the Commercial Aviation Protocol and the other standards invoked by the Respondent do not constitute a valid basis for processing and concludes that there was a breach of Articles 6.1.c, 6.3 and 9.2.i of the AVG.

II.3. Finding 3: Breach of the principle of transparency and the obligation to provide information in accordance with Articles 5.1.a, 12 and 13 of the AVG 37

122. The Inspectorate notes that the individuals involved in the processing can be divided into two categories: passengers and any accompanying persons (at departure) and persons returning from a red zone (on arrival).

123. The modalities for providing information may also differ, since part of the communication modalities apply to all stakeholders, whereas certain additional information is communicated only to the departing passengers and their escorts, if any. This information is provided using the following four means of communication:
- an information banner on the defendant's website;
- an FAQ page on the Respondent's website;
- the internal regulations published on the website and displayed before the passengers' body temperature checks;
- the privacy statement on the defendant's website.

36 Commercial Aviation Protocol, page 5. Disputes Chamber's own boldface mark.
37 For the sake of readability and for proper understanding of the decision, finding 3 is discussed before finding 2.

124. As for departing flights, the defendant also stated that a poster was hung with an informative illustration of a temperature of over 38°C and the words 'no access to the terminal'. The poster also showed a face in profile showing the temperature being measured with a forehead thermometer.

125. The Inspectorate finds deficiencies in relation to Articles 5.1.a, 12 and 13 of the AVG as regards the information provided to data subjects at the time of departure.
A distinction may be made between the breaches according to whether they occurred between 15 June 2020 and 2 December 2020 (date on which the new privacy policy was online) or date from after the latter date.

126. In general, the Respondent agreed at the hearing that some points could be improved, particularly in terms of the retention period and the reference to According to the Respondent, the Inspectorate was adding a criterion to the SAA by requiring that the exact legal basis be stated, but he understands that this could improve the quality of the information. The privacy policy was amended in several respects in November 2020 (with publication on 2 December 2020), but it does not yet include a reference to Article 9 of the AVG.

127. The fact that no request for clarification or exercise of rights was received, although the contact details of the data protection officer on various were available, proves to the defendant that transparency was ensured.

128. As the information provided to data subjects varied depending on the time and circumstances, the Inspectorate chose to monitor compliance with these principles in three different situations. These are listed below.

(a) Breaches that took place between 15 June and 2 December 2020 at the time of departure

Findings of the Inspectorate

129.
With regard to the breaches that took place between 15 June and 2 December 2020 at the time of departure, the Inspectorate considers that they are related to the following elements:38
- None of the communications mention that temperature is monitored using thermal imaging cameras (breach of Article 5.1.a);
- The legal basis for the processing is never communicated (breach of Article 13.1.c), nor is the regulatory framework for the obligation to monitor body temperature (breach of Article 13.2.e);
- There is no defined retention period or the criteria for determining it are not stated (breach of Article 13.2.a);
- The right to complain to the GBA is also not mentioned (13.2.d);
- The purpose of processing is not stated (article 13.1.c).

Position of the defendant

130. The defendant is of the opinion that the Inspectorate, in checking compliance with its statutory obligations, did not take into account certain published documents.

131. Indeed, he believes that it was not necessary to provide information on measuring the body temperature with thermal imaging cameras, as this information was already available through the national press and a press release issued by the airport on 10 June 2020, and thus those concerned already had this information at their disposal (Article 13.4 AVG).

132. Under the same exception, the Respondent further considers that data subjects already had to be aware of the existence of the legal obligation regarding the processing, since this obligation arises from the Protocol which in turn was imposed by ministerial decrees published in the Belgian Official Gazette.39 The Respondent considers that it cannot be held responsible for the delay in publishing the Protocol.

133. In relation to the retention period, the Respondent acknowledges that it should have been accurately specified. He also acknowledges that the existence of the right to complain to the GBA is not mentioned in the privacy policy.

134.
He makes the same arguments as those in relation to finding 2, specifically about the purpose (see paragraph 187 et seq.).

38 Because the privacy notice does not explicitly mention temperature monitoring among the data subjects, it was not investigated by the Inspectorate. The breaches identified therefore relate to the three other means of communication.
39 Concluant reiterates that he cannot be held responsible for the delay in disclosing the Protocol.

Assessment by the Disputes Chamber

135. The transparency principle is enshrined in Article 5.1.a of the AVG, which says that personal data must be processed "in a manner which is lawful, proper and transparent ('lawfulness, fairness and transparency')".

136. This principle is applied, inter alia, in Article 12.1 of the AVG. This says that the controller "shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language (...)."

137. Recitals 58 and 60 of the AVG specify: "In accordance with the principles of proper and transparent processing, the data subject should be informed that processing is taking place and of its purposes" and "In accordance with the principle of transparency, information intended for the public or the data subject must be concise, easily accessible and understandable, and clear and simple language [...] must be used."

138. As highlighted by Advocate General P. Cruz Villalón as well as by the Court of Justice of the European Union in the Bara case, compliance with the provisions relating to transparency and disclosure is essential, as it is a prerequisite for the exercise by data subjects of their rights, which is one of the foundations of the AVG.40
139. Article 13 of the AVG specifies what information must be provided to the data subject in the cases where the personal data concerned are collected from him/her.

140. In its guidelines on transparency, the Article 29 Data Protection Working Party clarified that Article 13 of the AVG applies both in cases where the personal data are knowingly transferred by the data subject to the controller and in cases where the data are collected by the controller by observation (e.g. by means of the use of automated data-gathering apparatus or software for data-gathering such as cameras).41

141. In relation to the first element, i.e. thermal imaging camera-based processing, the Disputes Chamber notes that the Respondent relies on the application of Article 13.4 of the AVG, indicating that he was not obliged to inform data subjects as they already had the information through the media and a press release from the airport.

40 ECJ, 1 October 2015, C-201/14, para 33 (Opinion of Advocate General P. Cruz Villalón, 9 July 2015, para 74).
41 Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, 11 April 2018, pp. 14-15, para. 26.

142. Article 13.4 of the AVG clearly states that paragraphs 1, 2 and 3 do not apply when and insofar as the data subject already has the information. Article 13.4 therefore does not provide an exception to the transparency principle as formulated in article AVG. However, it is on the basis of this article that the Inspectorate has identified a shortcoming with regard to the obligation to inform data subjects about the existence of the thermal imaging cameras. In the opinion of the Disputes Chamber, a distinction must be made between, on the one hand, the principle of fairness and transparency (article 5.1.a) and, on the other hand, the obligations arising from this principle (in particular Articles 13 and 14).

143.
The principle of propriety and transparency laid down in Article 5.1.a goes beyond the simple information and transparency obligations set out in the articles of the AVG and constitutes a general principle, the scope and philosophy of which must be complied with in every processing operation.

144. This position was formally adopted by the EDPB in its Decision 01/2021 on WhatsApp, in which the regulator stated: "Based on the above considerations, the Committee underlines that the principle of transparency is not limited to obligations under Articles 12 to 14 AVG, even if they are a concretisation of that principle. The transparency principle is indeed an overarching principle that not only reinforces other principles (i.e. fairness, accountability), but from which numerous other provisions of the AVG also flow. Moreover, as already noted, Article 83(5) AVG contains the possibility of a determination of a breach of transparency obligations independently of the breach of the transparency principle. The AVG thus distinguishes between the broader dimension of the principle and the more specific obligations. In other words, the transparency obligations do not delineate the full scope of the transparency principle."42

145. The Inspectorate thus rightly relies on the transparency principle of Article 5.1.a in judging that the interested parties should have been informed of the existence of the thermal imaging cameras, although this obligation is not expressly included in the transparency obligations under Article 13 of the AVG.

42 EDPB, Binding Decision 1/2021 on the dispute arising over the draft decision of the Irish Supervisory Authority on WhatsApp Ireland under Article 65(1)(a) of the AVG, 28 July 2021, §192.

146.
However, recital 60 of the AVG says: "In accordance with the principles of proper and transparent processing, the data subject should be informed that processing is taking place and of its purposes. The controller should provide the data subject with such further information as is necessary to ensure fair and transparent processing, having regard to the specific circumstances and context in which the personal data are processed."

147. The fact that temperature is measured using thermal imaging cameras is so important that data subjects should be informed about the processing of their data. The principle in Article 5.1.a in fact requires, by definition, that data subjects know when their data are or are not being processed.

148. The Disputes Chamber notes that during the period under review, two different documents provided by the Respondent mentioned temperature controls: the internal regulations (hereinafter IR) and the FAQ page accessible via the banner on the website. Neither of the two sources of information mentioned that the processing would or could be carried out using thermal imaging cameras.

149. As highlighted by the Respondent, the fact that thermal imaging cameras are used at the airport is information that was covered in several press articles. In the opinion of the Disputes Chamber, it is not sufficient for the Respondent to rely on the existence of information in the press to evade its transparency obligations under the AVG and with regard to the persons concerned. Indeed, it cannot be assumed that every passenger in transit at an airport has read a press article which fully informs him/her about the existence and conditions of the processing. Furthermore, controllers may not transfer their responsibility for transparency to the press and should take it personally and directly.

150.
The use of thermal imaging cameras was also disclosed by the defendant in a press release published on 10 June 2020 on its website. While this is in itself a commendable initiative, it is insufficient for the Disputes Chamber. The principle of transparency requires, after all, that information be accessible in a centralised and consolidated manner, for example, through the IR or the privacy policy that can be easily consulted.43 A press release, which after some time has to be looked up in the digital archives of a data controller, cannot be described as 'easily accessible'.

43 Recital 58: "[...] In accordance with the principle of transparency, information intended for the public or for the data subject should be concise, easily accessible and comprehensible, and clear and simple language and, where appropriate, supplementary visualisation should be used. [...]"

151. In addition, the Disputes Chamber finds that the poster displayed by the defendant (see para. 124) states that the temperature is measured with a manual forehead thermometer, while the initial temperature measurement is carried out using thermal imaging cameras.

152. In view of the foregoing, the Disputes Chamber finds that the parties concerned were not properly informed that their temperature could be recorded with thermal imaging cameras, and that it is therefore possible that a data subject's temperature was recorded without his/her knowledge. The Disputes Chamber therefore found a breach of Article 5.1.a of the AVG.

153. The second element under assessment concerns the information on the legal basis of the processing (Article 13.1.c) and the regulatory framework for the obligation to monitor body temperature (Article 13.2.e). The Inspectorate noted that this information could not be found in any of the information sources available to data subjects.
In this regard, the Respondent invoked the applicability of Article 13.4, arguing that the data subjects could not have been unaware of the existence of this obligation, as it was based on the Protocol expressly provided for by the ministerial decisions adopted in the Belgian Official Gazette.

154. The Disputes Chamber cannot accept this argument of the defendant. This would imply that a controller never has to inform data subjects about the legal basis of processing, if it is published in the Belgian Official Gazette. This logic is clearly contrary to Articles 13.1.c, 13.2.e and Recital 58, which require such information to be provided in a manner that is 'concise, easily accessible and comprehensible' and that for this purpose 'clear and simple language' should be used.44

155. Incidentally, the exception provided for in Article 13.4 of the AVG applies only 'where and insofar as the data subject already has the information', which implies that the data subject must effectively have that information. The mere fact that the information is available in the Belgian Official Gazette does not meet this criterion. In any event, the Protocol on which the Respondent relies for the processing at issue was not even required before mid August 2020, although it was supposed to apply from 8 June.45

156. Moreover, contrary to the Respondent's contention, the controller is obliged to inform the data subject not only on which paragraph of Article 6 the data processing is based, but also exactly which text and provision forms the basis of the legal obligation on which the processing is based under Article 6.1.

44 AVG, recital 58.
45 Investigation report, page 32. The Inspection Service reports that the FPS only proceeded with publication after the intervention of the Inspection Service in another similar case.
A mere reference to 'a legal obligation' without mentioning it cannot be sufficient to assume that data subjects were adequately informed. The data subjects would in such a case never be able to ascertain whether a legal obligation within the meaning of Article 6.1.c effectively exists and follows from the relevant legal provision.

157. The Disputes Chamber finds that, in this case, those concerned could indeed not do so, as the Respondent did not refer to the relevant Protocol nor to the ministerial decisions at the time of processing as the basis for its legal obligation to carry out the processing. Because the data processed is health data, the defendant must additionally be able to rely on one of the exceptions set out in Article 9.2 of the AVG. This justification must also be included in the information provided to the data subject. Reference to the precise legal standards is essential to ensure that the data subject is aware of their rights and obligations in any processing.

158. The Disputes Chamber therefore finds a breach of Articles 13.1.c and 13.2.e of the AVG.

159. In relation to the third and fourth elements, i.e. the data retention period and the right to lodge a complaint with a data protection authority, the Disputes Chamber finds that the Respondent acknowledges these shortcomings. The breach of Articles 13.2.a and 13.2.d is demonstrated.

160. With regard to the fifth element, i.e. purpose, the Disputes Chamber refers to its considerations below in which it considers that the purpose was not sufficiently explained in the information documents before the amendment of the privacy policy on 2 December 2020 (para. 195 et seq.). It therefore finds a breach of Article 13.1.c on this point.

161. The Disputes Chamber thus finds a violation of Articles 5.1.a, 13.1.c, 13.2.d, 13.2.a and 13.2.e between 15 June and 2 December 2020 as regards departures.
(b) Infringements that took place from 2 December 2020 as regards departures 46

Findings of the Inspectorate

162. With regard to the breaches that took place as of 2 December 2020 on departure, the Inspectorate considers that they are related to the following elements:
- the ground of justification invoked is insufficiently specified (infringement of Article 13.1.c);
- it is nowhere mentioned that the temperature is being monitored using thermal imaging cameras (breach of Article 5.1.a);
- the possible consequences of failing to provide the data are not mentioned and no reference is made to the IR (breach of Article 13.2.e);
- the purpose of the processing is insufficiently defined (see paragraph 184 et seq.);
- the privacy notice still refers to the law of 8 December 1992, which has since been repealed.

46 Date on which the amended privacy notice was posted online.

Position of the defendant

163. The Respondent believes that the amendment to its privacy notice (on 23 November 2020, with publication on 2 December 2020) clearly indicates the legality basis. He believes that the Inspectorate is adding a condition to Article 13.1.c by requiring that the statutory provision(s) on which the processing is based be clearly stated.

164. Regarding the lack of information on the use of cameras and the issue of the purpose, the Respondent refers to its aforementioned considerations (see paragraph 141 et seq. and paragraph 160) and contests the grievances.

165. With regard to the reference to IR, he believes that this could indeed have been better, but that this in itself does not constitute a failure in respect of his duty to inform, especially as the IR is present in the premises before any temperature control.

166. The defendant acknowledges that the reference to the 1992 Act is a material error, which will be corrected.

Position of the Disputes Chamber

167.
The first element concerns compliance with Article 13.1.c, which prescribes that the legal basis for processing must be stated. As both the Inspectorate and the Respondent have stated, as of 2 December 2020, the Respondent's privacy policy contained the following statement:

168. "At the time of an epidemic or pandemic, we may measure temperature to check whether it exceeds 38°C. This is done only on the basis of a legal obligation; these data are not stored or reused for purposes other than protecting the health of people in transit at the airport. The data will be kept for a few minutes." [free translation]

169. The Respondent believes that this satisfies the requirement of Article 13.1.c of the AVG, while the Inspectorate believes that the exact statutory provision(s) should have been mentioned, as well as the exception contained in Article 9.2 of the AVG to prevent the processing of health data.

170. For the Disputes Chamber, compliance with Article 13.1.c implies that the data subject must be fully informed of both the precise legal basis for the processing and the text and precise provision creating the legal obligation on which the processing under article 6.1.c is based. In this regard, it refers to paragraphs 153 et seq. above and notes a breach of Article 13.1.c of the AVG.

171. The second issue concerns the fact that temperature measurement using thermal imaging cameras would not have been mentioned anywhere (breach of Article 5.1.a). In this regard, the Disputes Chamber refers to its view expressed above, which remains valid on this point (see paragraph 141 et seq.) and finds a breach of Article 5.1.a of the AVG.

172. The third issue concerns the failure to mention the possible consequences of not providing the data by failing to refer to the IR (breach of Article 13.2.e).
The Inspectorate considers that the obligation to refer to the regulatory nature of the obligation to provide the data and the possible consequences of not providing the personal data, as Article 13.2.e of the AVG The defendant is of the opinion that, since this information is included in the IR, the obligation of Article 13.2.e was met, although a reference to the IR in the privacy policy could have been included.

173. The Disputes Chamber finds discrepancies between the information provided to data subjects in the various investigated documents. Indeed, the privacy policy states that the processing is based on a legal obligation (this statement is also incomplete, see point However, it says nothing about the consequences of refusing processing. The IR does indeed state that access to the terminal will be refused "to any person who refuses to comply with a temperature check and in whom a body temperature of more than 38°C is detected after at least two measurements."47 However, it does not mention the source of this obligation. The same applies to the "Frequently asked questions (FAQ)" page: it mentions which consequences follow when a temperature of more than 38°C is detected, but not the source of this obligation. None of these three documents refers to the other documents, implying that a data subject who had consulted only one document did not have all the information to which he was entitled. The Disputes Chamber considers this to be contrary to the requirement that information be "concise, easily accessible and comprehensible" and that for this 'clear and simple language' must be used.49 It therefore finds a breach of Article 13.2.e of the AVG.

47 IR, article 8 and FAQ [free translation]
48 IR, Article 8: "The airport is obliged to do so." [free translation]

174. The fourth element concerns the statement of purpose.
In this regard, the Disputes Chamber notes that, as of 2 December 2020, the purpose was described in the Respondent's privacy policy as "to protect the health of people in transit at the airport". This purpose, however, is not reflected as such in the IR.

175. The fifth element is the reference to the Act of 8 December 1992 (which has been repealed) in the privacy policy. This element is not disputed by the defendant and the Disputes Chamber therefore finds that this privacy policy is incorrect and should be updated.

176. The Disputes Chamber thus finds a breach of Articles 5.1.a, 13.1.c and 13.2.e.

(c) Arrivals from a red zone

Findings of the Inspectorate

177. With regard to arrivals from a red zone, the Inspectorate found an infringement of Articles 5.1.a, 12.1 and 13 of the AVG on the basis of the following elements:
- according to the information in the IR and on the website, the purpose of these controls is to control access to the terminal for people with a temperature above 38°C, which in the context of arrival checks is incorrect (see paragraph 49);
- nowhere is it mentioned that temperature is checked with thermal imaging cameras;
- the information provided to passengers returning from a red zone says nothing about the conditions under which the check is carried out (Article 5.1.a).

Position of the defendant

178. First, the Respondent is of the view that the Inspectorate starts from the wrong starting point, because it wrongly based its views on only two documents instead of considering all sources of information.

179. He added that one version of the IR had been put online for reasons of efficiency and cost savings. Moreover, the IR clearly states that the temperature of passengers will be measured.

180. Finally, the defendant disputes the innovative nature of the thermal imaging cameras.

49 AVG, recital 58.

Position of the Disputes Chamber

181.
On the first point - the purpose of temperature control - the Disputes Chamber notes that the IR states that temperature control is mandatory and that access to the terminal will be refused to those who refuse to submit to it or whose temperature exceeds 38°C after at least two measurements. The IR says nothing about returning from a red zone, where the only consequence of a temperature of more than 38°C is that the person concerned receives an awareness document. The handing over of this document has no significant implications for the data subject's rights. By not specifying that the control described applies only to the departures, however, the text of the IR suggests that a person at arrival may be denied access to the terminal, which creates confusion and is problematic with regard to the principle of transparency.

182. Regarding the wording of the information banner and the published 'Frequently Asked Questions (FAQs)', it is noted that these do not specify that the ban on access to the terminal only applies at departures, which could lead people to believe that they could also be denied access to the terminal. This also poses a problem in terms of the transparency principle (Article 5.1.a AVG).

183. As regards the second question, the Disputes Chamber refers to its above-formulated considerations, which remain valid. It also notes that, as reported by the Inspectorate, the posters that were displayed at the departures (see paragraph 124 above) are not present at the arrivals, so that the information for passengers arriving from a red zone is even more deficient than that for departing passengers.

184. The Disputes Chamber therefore finds a breach of Articles 5.1.a and 12.1.

II.3.5 Finding 2: Violation of the principle of purpose limitation in accordance with Article 5.1.b of the AVG 50

Findings of the Inspectorate

185.
According to the Inspectorate, the purpose of the processing is to "protect the health of the persons in transit at the airport and of employees working in the terminal", as this is the answer given by the Respondent during the investigation and repeated in the data protection impact assessment submitted by the defendant to the Inspectorate.

50 As indicated earlier, the Disputes Chamber decided to reverse the order of assessment of findings 2 and 3 of the investigation report.

186. The Inspectorate notes that the defendant did not determine the purpose of the processing in question sufficiently and accurately in accordance with Article 5.1.b of the AVG, as the controller did not indicate that the processing had different purposes and different effects for the data subjects according to the type of monitoring that was carried out (on departure or on arrival).

Position of the defendant

187. The Respondent first recalls that the term 'purpose' is not defined in the AVG and that he therefore relies on a definition provided by the CNIL (French Data Protection Authority). He considers that the purpose of the processing was sufficiently defined: to protect the health of the persons in transit at the airport and of staff at the terminal. Defining the effects of processing is not, according to the regulations, a condition for the validity of the purpose limitation principle. The defendant added that the difference in treatment at departure and on arrival was justified in view of the different situations and resulted from the healthy People coming from a red zone cannot be sent back. He added that it had never been necessary to deny access to the terminal to persons whose temperature was higher than 38°C, as they freely decided not to continue their journey.

188.
He concluded that the purposes of the processing were clear, well-defined and justified and that he had always respected the principle of proportionality by maintaining the balance between the interests of public health and the private life of the data subjects.

Assessment by the Disputes Chamber

189. Article 5.1.b of the AVG requires the data to be used only for specified, explicitly defined and legitimate purposes. The Disputes Chamber considers that the issue of the defendant's stated processing purpose and the issue of the legal basis of this purpose can be analysed separately in this case (see paragraphs 102 et seq. above). The legal basis invoked does not - or not clearly enough - provide for a purpose (see paragraph 195 et seq. above). Therefore, the purpose stated by the controller must be examined.

190. For the interpretation of this principle, the Disputes Chamber refers to the opinion of the Article 29 Data Protection Working Party, which further defines what is meant by an expressly defined purpose within the meaning of Directive 95/46.52 It is important to note that the main features of the purpose limitation principle have remained identical between Directive 95/46 53 and the AVG.

191. In relation to the well-defined nature of the purpose, the Disputes Chamber notes that the Respondent, in its response to the Inspectorate's questions, clearly defines this purpose as being "to protect the health of persons in transit at the airport", which is subsequently repeated in the data protection impact assessment. This is also reflected in the Register of processing activities where it is abbreviated as 'protection of health'.

192. The Disputes Chamber therefore finds that the purpose is sufficiently defined.

193.
With regard to the expressly defined nature of the purpose, the opinion of the Article 29 Data Protection Working Party explains the following:

"The purposes of the collection should not only be clearly known by the persons who are responsible for collecting the data. They must also be explicitly formulated. [...] The ultimate purpose of this requirement is to ensure that the meaning and intention of the purposes are stated unambiguously and accurately. The meaning must be clear and may not raise doubts or be difficult to understand. [...] The obligation to state the objectives 'explicitly' contributes to transparency and predictability. It allows unambiguous definition of the boundaries within which the controllers may use the personal data collected, with the aim of protecting data subjects. It helps anyone processing data on behalf of the controller, as well as data subjects, data protection authorities and other concerned parties, to have a common understanding of how data may be used. This reduces the risk that data subjects' expectations differ from those of the controller."[54]

[5] Article 29 Data Protection Working Party, 'Opinion 03/2013 on purpose limitation', op. cit., p. 17.
[52] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[53] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural individuals with regard to the processing of personal data and on the free movement of such data.
[54] Article 29 Data Protection Working Party, 'Opinion 03/2013 on purpose limitation', op. cit., p. 17. Free translation.

194. The working group's opinion thus emphasises the need for the explicit disclosure of purpose, so that everyone understands the reason for data processing and misunderstandings are avoided.
In relation to how that purpose should be formulated, the opinion highlights the following elements:

"In terms of accountability, the written statement of purpose and the creation of appropriate documents will help to demonstrate that the controller has complied with the requirement in Article 6(1)(b).[55] This will also allow data subjects to exercise their rights more effectively - it will, for example, serve to prove the original purpose and allow comparison with subsequent purposes of processing."[56]

195. In the opinion of the Disputes Chamber, this point is thus closely related to the issue of transparency and information. In this regard, it refers to the comments made above (see paragraphs 162 and 174), which it also adds here. The various sources of documentation show that the privacy policy contained no information on the purpose of the processing before it was amended on 2 December 2020. Only in response to this amendment was the purpose added and described as "to protect the health of persons passing through the airport."

196. The IR did contain an Article 8 stating that access to the terminal will be denied to "any person who refuses to submit to a temperature check and in whom a body temperature of more than 38°C is detected after at least two measurements." The purpose can be inferred from the text of the IR, but it is not explicitly defined and is not linked to any particular processing. The FAQ page also contains a similar sentence.

197. Based on the foregoing points, the Disputes Chamber concludes that the purpose of the processing was not explicitly defined. Not only was the purpose not defined at the start of the processing, it was also only drafted, expressly formulated and submitted to the GBA and data subjects after answering a question from the Inspectorate, the adaptation of the privacy policy in December 2020 and the completion of the GEB three months after the commencement of processing.

198.
In relation to the lawfulness of the purpose, the Disputes Chamber considers that the purpose, "to protect the health of persons in transit in the airport and staff working in the terminal", is indeed lawful, particularly in view of the fact that the processing was recognised as being justified for reasons of public interest in the field of public health in accordance with Article 9.2.i of the AVG (see paragraph 84 above).

[55] From Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[56] Article 29 Data Protection Working Party, 'Opinion 03/2013 on purpose limitation', op. cit., p. 18. Free translation.

199. The Disputes Chamber therefore finds a breach of Article 5.1.b of the AVG on account of the non-express nature of the purpose.

II.3.6 Conclusion 4: breach of the obligation to carry out a data protection impact assessment before processing (breach of Article 35.1)

200. Based on its investigation, the Inspectorate concludes that Article 35.1 of the AVG was breached for the following reasons.

(a) In connection with the obligation to carry out a GEB

Findings of the Inspectorate

201. The Inspectorate believes that a GEB was necessary based on the following criteria:

- the processing involves sensitive data, i.e.
data related to health;
- the processing is large-scale;
- the processing implies systematic monitoring of certain passengers, who will be required to submit to a monitoring of their body temperature;
- the processing involves the use or application of innovative technological or organisational systems;
- the processing involves vulnerable persons and more particularly minors;
- Article 23 of the Law of 30 July 2018[57] expressly provides: "In implementation of Article 35.10 of the Regulation, a specific data protection impact assessment shall be carried out prior to the processing activity, even if a general data protection impact assessment was carried out in the context of establishing the legal basis."

Position of the defendant

202. The Respondent first argues that only the data of those with a temperature above 38°C are processed, as only they are recorded with a camera.

[5] Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

203. In relation to the concept of 'large scale', the Respondent considers that the Inspectorate is not relying on the correct figures, as it takes into account everyone who was at the airport rather than those with a body temperature above 38°C. It is currently impossible to ascertain the exact number, as the summary files with the number of interventions were destroyed on a weekly basis.

204. For passengers returning from a red zone, the Inspectorate assumes without any motivation that this would be large-scale processing.

205. The Respondent considers that only the criterion of systematic monitoring of certain passengers is relevant to the matter. Only this criterion obliged the Respondent to conduct a GEB.

206. Finally, the Respondent disputes the innovative nature of the cameras. According to him, they involve an old technology.

Assessment by the Disputes Chamber

207.
Article 35 sets out the circumstances in which it is necessary for a controller to carry out a GEB. This article is reproduced in part below:

"Article 35 Data protection impact assessment

1. Where a type of processing, in particular one involving new technologies, is likely, having regard to its nature, size, context and purposes, to present a high risk for the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the intended processing activities on the protection of personal data. One assessment may include a series of similar processing operations that pose similar high risks.

2. Where a data protection officer has been appointed, the controller shall seek his or her advice when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall be required in particular in the following cases:

(a) a systematic and comprehensive assessment of personal aspects of natural individuals, which is based on automated processing, including profiling, and on which decisions are based which produce legal effects concerning natural persons or which substantially affect the natural person in a similar way;

(b) large-scale processing of special categories of personal data as referred to in Article 9(1) or of data relating to criminal convictions and offences referred to in Article 10; or

(c) systematic and large-scale monitoring of publicly accessible areas."

208. The Disputes Chamber further specifies that the GBA has established a list of processing for which a GEB is required.[58] It also notes that, as regards the use of thermal imaging cameras, the European Data Protection Supervisor (EDPS), in a position paper of 1 February 2015, was already able to confirm that a GEB is indeed required.
[59]

209. The Disputes Chamber considers, moreover, that recital 91 of the AVG demonstrates the necessity of a GEB in this case. Indeed, it reads as follows:

"A data protection impact assessment should also be made when personal data are processed for the purpose of taking decisions relating to specific natural persons after a systematic and comprehensive assessment of personal aspects of natural persons based on profiling of these data, or after the processing of special categories of personal data, biometric data, or data relating to criminal convictions and criminal offences or related security measures."[60]

210. It was shown that the processing in question concerns special categories of data (health data) and that, at least at the time of departure, it has the effect of deciding whether or not passengers and escorts are allowed to enter the terminal.

211. The Disputes Chamber notes that the Respondent does not dispute that a GEB for the relevant processing was mandatory. Its criticism mainly concerns the Inspectorate's use of the criteria, the relevance of which he disputes in certain cases (see paragraphs 202-206 above).

212. According to the Dispute Chamber, the Respondent assesses the criteria for determining whether or not a GEB is required after the fact and not in the correct way. When the defendant had to carry out its GEB (see paragraph 261ff. below), it did not know what percentage of passengers would have a temperature of more than 38°C and therefore could not establish that this was 'extremely low', as he does a posteriori in his conclusion. The defendant should have taken into account that all the expected passengers could potentially be an affected person. This was therefore the figure that had to be taken into account in assessing whether or not large-scale processing was involved.

[58] Data Protection Authority, Decision No. 01/2019 of 16 January 2020. Available at: https://gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf
[59] EDPS, Letter of 1 February 2015. Available at: https://edps.europa.eu/sites/default/files/publication/16-02-01_letter_klimowski_2015_en.pdf
[60] Dispute Chamber's own veto mark.

213. Although the temporarily stored images only relate to individuals with a temperature of more than 38°C, all passengers and attendants on departure and all passengers returning from a red zone are subjected to a temperature check. The Inspectorate thus ruled, based on sound reasoning, that for the purpose of determining 'the nature, scope and context' of the processing, it was necessary to start from the assumption that it applied to all passengers concerned and not only those with a temperature above 38°C.

214. As regards the innovative nature of thermal imaging cameras, the Disputes Chamber considers that this criterion, even if not demonstrated, does not detract from the following conclusion, namely that a GEB was necessary.

215. The Inspectorate also held that a GEB was required under section 23 of the Act of 30 July 2018 (see point 201), which says that "a specific data protection impact assessment [shall] be carried out prior to the processing activity, even if a general data protection impact assessment has already been carried out in the context of establishing the legal basis." However, the Dispute Chamber points out that this article only applies to the public sector, as specified in Article 19 of the same law, and that it therefore does not apply in this case.

(b) In connection with the obligation to carry out a GEB prior to processing

Findings of the Inspectorate

216.
The Inspection Service finds that BSCA nv's GEB was implemented on 18 September 2020, while the relevant processing operations were implemented on 15 June 2020 for the persons concerned on departure and on 7 September 2020 for passengers on arrival from a red zone. According to the Inspectorate, the GEB must be implemented before the start of processing and Article 35 of the AVG provides for no exception.

[6] Conclusion of the defendant, p. 45.

Position of the defendant

217. The Respondent stresses the exceptional nature of the situation it found itself in. The AVG does not contain any exception to this obligation, but the Respondent considers that this is clearly a case of force majeure that the legislature could not have foreseen. He notes that the data protection officer had been dismissed, as had the majority of the staff. It was only when the health crisis was somewhat under control that the defendant was able to implement the GEB, albeit in hindsight. He also recalls that he had no other choice than to set up the control system - which obviously does not relieve him of this obligation - but that he fulfilled this obligation as soon as he was able to do so.

Assessment by the Disputes Chamber

218. For the Disputes Chamber, it is clear from the text of the AVG,[62] as the defendant acknowledges, that the GEB must be carried out before processing takes place. The text does not provide for exceptions. The Disputes Chamber notes that the GEB was not implemented until 18 September 2020, i.e. three months after the start of processing (15 June 2020).

219. The Respondent does not demonstrate what the circumstances of such force majeure would have been.

220. The Disputes Chamber therefore finds a breach of Article 35.1 of the AVG.
(c) In relation to the quality of the GEB carried out by the Respondent under Article 35.7 of the AVG

In connection with the description of the data processing operations and the purposes of the processing in the GEB (Article 35.7.a AVG)

Determinations of the Inspectorate

221. The Inspectorate notes, as above (see paragraph 186), that the purpose of processing is not sufficiently specified.

222. It also considers that the GEB does not describe with sufficient precision the procedure used in connection with the monitoring of passengers' body temperature, and specifically the consequences that this check may have on the persons concerned.

[62] AVG, article 35.1 and recital 90.

223. Furthermore, the Inspectorate considers that the GEB contains a number of inconsistencies (in particular regarding the recording/storage of personal data derived from the thermal imaging cameras) and does not contain any analysis regarding the soundness of the legal basis invoked under Articles 6.1, 6.3 and 9.2.i of the AVG.

Position of the defendant

224. In general, the defendant is surprised at some of the criticisms expressed, as he relied on the CNIL model for the implementation of his GEB, as the GBA does not have any tool for this purpose.

225. The Respondent recalls that the AVG does not contain a definition of the term 'purpose' and that he therefore chose to define it as 'to protect the health of people travelling through the territory'. The defendant is of the opinion that this definition is very clear.

226. In relation to the type of procedure, the Respondent believes that this is left to the appreciation of the controller and that there are different methods. The Respondent argues that it is hardly imaginable that the use of an instrument of another authority leads to the finding of a deficiency, while the GBA itself does not have an instrument available.

227.
The Respondent adds that the effects on data subjects are well known to the controller - and to the data subjects, given the information provided to them - and that it is therefore not in itself necessary to include every consequence in the GEB as long as the end result is the risks to the rights and freedoms of the data subjects.

228. In connection with the said inaccuracies, the Respondent argues that the GEB contains all the information about the processing, including why the software retains the last 20 images, and that this information can be found in various places in the GEB. He therefore considers that this information is not missing, as it is mentioned in other places in the GEB.

229. As for the legal basis, the Respondent considers that it is not up to the Inspectorate to blame a data controller for any gaps in the executive branch charged with applying the laws and issuing the corresponding implementing decrees.

Assessment by the Disputes Chamber

230. Article 35.7 lists the elements to be included in a GEB. This provision is reproduced below:

"7. The assessment shall include at least:

(a) a systematic description of the intended processing operations and the processing purposes, including, where applicable, the legitimate interests pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned."

231. In relation to the purpose of the processing, the Dispute Chamber refers to the recitals above (see paragraph 189 et seq.)
and considers that the purpose stated by the Respondent is defined and justified. Within the framework of the GEB, the purpose can be considered to be sufficiently defined.

232. With regard to the description of the procedure put in place to determine the temperature of the passengers, the Disputes Chamber cannot agree with the defendant's argument complaining about the lack of guidance from the GBA, which required him to use an instrument made available by another body. It recalls that the GBA published a recommendation on GEBs at the beginning of 2018.[63] The Disputes Chamber further considers that a controller cannot invoke a lack of guidelines of a supervisory authority, as this would be contrary to the principle of responsibility under Article 24 of the AVG. A controller is free to use tools that supervisory authorities in other EU member states make available to the public. However, their use is left to the discretion of the controller, who must ensure that the tool used meets the requirements of the supervisory authority to which it is subject.

233. This recommendation includes the following paragraph:

"Other elements relevant to determine the nature, extent and context of the processing include: the categories of data subjects, the scale of data processing, the origin of the data, the relationship between controller and data subjects, the potential impact on data subjects, and how easy it is for data subjects to identify."[64]

[63] Data Protection Authority Recommendation No 01/2018 of 28 February 2018. Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-01-2018.pdf

234. Here, the GBA had already indicated in 2018 that the GEB would provide a description of the potential impact on those affected. This is all the more important in the present case, as the consequences for data subjects are precisely the purpose of the processing, i.e.
preventing people with a temperature above 38°C from entering the terminal and taking their flight. Since this purpose is the raison d'être of the processing, it was not to be concealed in the description of the processing under the GEB.

235. In relation to the statement regarding the duration of data storage, the Disputes Chamber notes that the GEB executed by the defendant states both "no local retention of data on PC or on paper"[65] and "the images taken are not stored. They are real time monitoring"[66], while the procedure provides that the most recent 20 images are accessible.[67] In the opinion of the Disputes Chamber, this inconsistency detracts from the clarity of the description of the processing.

236. Finally, regarding the quality of the legal basis, the Disputes Chamber considers that it is for the controller to assess, in the context of the GEB, the impact of the processing choices made on the legal basis or, in the case of an insufficient legal basis, to describe which processing methods were chosen (and why) for the purpose of remedying the deficiencies of the legal basis. This applies all the more in this case, as the defendant acknowledged the inaccuracy of the Protocol and admitted that a law would have been preferable.[68]

237. Based on the above considerations, the Disputes Chamber finds a breach of Article 35.7(a) of the AVG.

In connection with the assessment of the necessity and proportionality of the processing operations in relation to the purposes (Article 35.7.b AVG)

Determinations of the Inspectorate

[64] Ibid., pg. 17.
[65] Respondent's data protection impact assessment, pg. 4. [free translation]
[66] Ibid., pg. 5. [free translation]
[67] Ibid., pp. 3 and 7.
[68] See paragraph 79.

238.
The Inspectorate finds that, if the purpose of processing is not correctly determined within the meaning of Article 5.1.b of the AVG, the assessment of necessity and proportionality of the measure cannot be deemed to have been carried out correctly.

239. The Inspectorate also notes that the analysis of the storage of personal data is quite summary and even incorrect, and that the analysis of the necessity and proportionality of the processing was limited to assessing the extent to which the collected body temperature data are adequate and relevant and limited to what is necessary for the intended purpose, whereas it should also have taken into account the number of cameras and the location where they were installed to measure the body temperature of the data subjects, whether or not the processing operations are of a permanent nature, and the categories of data subjects whose data are collected.

240. The Inspectorate added that it was not demonstrated that the personal data was adequate and limited to what is necessary, nor that the collection of these categories of data is relevant.

Position of the defendant

241. The Respondent regrets that the GBA does not have a more comprehensive tool than that of the CNIL prepared to indicate what information would be lacking according to the Inspectorate. He points out that it must supplement this tool because the elements listed by the Inspectorate are, strictly speaking, not requested in the CNIL's tool.

242. He reiterates his earlier criticism that, unless he is mistaken, neither the GBA nor he himself has the scientific expertise internally to analyse the extent to which it is relevant to collect data on body temperature as a factor potentially indicating infection with the coronavirus.

243. He adds that it is not appropriate to retrospectively conduct a scientific analysis of this necessity.
The Respondent chose this course of action based on a pragmatic analysis of the options available to him and, as already mentioned, of the practices used at 65 other airports around the world.

244. He stressed that it was not for the Inspectorate to approve or disapprove a method that was chosen by the Respondent to achieve its intended purpose - to protect health.

Assessment by the Disputes Chamber

245. The Disputes Chamber already ruled that the purpose stated by the defendant was sufficiently defined in the sense of article 5.1.b of the AVG (point 189ff.). The other would never be validly become used as a starting point for assessing the necessity and proportionality of the processing.

246. The analysis of the extent to which the data collected is relevant and sufficient, as well as limited to what is necessary, however, is deemed insufficient by the Disputes Chamber. It is limited to a few lines that in no way demonstrate an in-depth assessment of the necessity and proportionality of the processing operations. As mentioned earlier, the information relating to the storage period of the data is furthermore inaccurate. The analysis carried out by the defendant relates only to the temperature data and at no point does it address the fact that images are taken of those involved. Yet it is perfectly possible to assess the temperature of people without photographing them. A GEB is precisely intended to increase the effect of the choices made with regard to processing modalities.

247. Moreover, as the Inspectorate underlines, the defendant does not take into account at all certain modalities of processing, such as the number of cameras and their location, and he does not justify some of his claims.
At no point does he examine the need for these data, even though the text of the Protocol that is the invoked legal basis states: "To measure the body temperature of passengers so that they can be taken with an 'immunity passport' is not recommended by EASA and the ECDC. The Agency recalls that the relevance of this test is not supported by current scientific knowledge on SARS-CoV-2."[69] (see paragraph 99)

248. In other words, the GEB carried out by the defendant is not a genuine analysis of the processing operations and all their modalities from the point of view of necessity and proportionality. However, it was important to carry out these investigations, particularly because of the lack of a framework in the legal basis invoked, which gave the defendant a great deal of latitude in choosing processing activities.

249. Based on the above considerations, the Disputes Chamber finds a breach of Article 35.7.b of the AVG.

In connection with the assessment of risks to the rights and freedoms of data subjects (Article 35.7.c of the AVG)

Findings of the Inspectorate

[69] Protocol, p. 5.

250. BSCA nv analysed the risks relating to confidentiality, availability and the integrity of data, but not the risks related to 'false positive' and 'false negative' results, taking into account the impact that a similar risk may have.

251. The Inspectorate also believes that the risk associated with the availability and integrity of the data was insufficiently taken into account and that the controller could not correctly assess the risk that could arise in the event of non-availability of the data.

252. The risk that could arise in case of non-availability of the data could furthermore not be correctly assessed by BSCA nv.

253. BSCA nv also did not assess the integrity risk that could arise if the settings of the device used in a given situation would be changed (adjustment to a temperature lower than 38°C).

254.
The risk analysis conducted by the Respondent, according to the inspection report, is inadequate, as the GEB is limited to an analysis of risks related to the confidentiality, availability and integrity of data.

Position of the defendant

255. According to the Respondent, the GEB's analysis is limited to a few points because the instrument proposed by the CNIL does not provide for the analysis of the other aspects referred to in the inspection report. The Respondent believes it has opted for an official methodology that was approved and made available by a data protection authority recognised at European level. He had valid reasons for not knowing that the GBA Inspectorate would consider the instrument in question incomplete.

256. The defendant adds that the risks of false positive and false negative results need not be analysed under these proceedings because he does not understand how these risks could be his responsibility or should affect the processing of the body temperature data. The Respondent states that he did not perform PCR tests and that 'false positive' and 'false negative' results therefore did not occur in the processing he performed.

257. The defendant recalls that after the third test to measure body temperature (the anamnesis) no one was ever denied access to the terminal. The parties involved decided by themselves to take the terminal.

258. With regard to the inaccuracies and incompleteness to which the Inspection Service referred in relation to the availability and integrity risks, the Respondent notes that the Inspection Service finds its analysis insufficiently substantiated and takes due note of what it needs to improve in the GEBs it is required to conduct in the future.

Assessment by the Disputes Chamber

259. For the Disputes Chamber, it is clear that the risk analysis conducted by the defendant was flawed.
To the question "2.1 What could be the main consequences for those affected if the risk [unlawful access to data] occurs?" the Respondent replied, for example, "Limited consequences." This extremely brief answer in no way shows that the Respondent has considered the risks of unauthorised access. In other words, the defendant does not point out the risks that a data subject might face if a third party were to obtain a photograph of him/her showing a temperature of more than 38°C.

260. The information provided by the defendant in assessing risk 4 ('data loss') is equally sparse. The defendant repeatedly states that the risk is 'not applicable (no storage)', which is incorrect, as images are indeed stored, albeit limited in time. The Disputes Chamber also finds on this point that the Respondent has not demonstrated that it has a correct and complete risk analysis.

261. The Disputes Chamber also considers that the Respondent failed to examine certain risks in its GEB. The Respondent states that the risks examined are those that are included in the tool provided by CNIL. However, this is not an excuse for the fact that a number of identified risks were not covered. Article 35.7.c of the AVG in fact explicitly refers to an "assessment of the risks to the rights and freedoms of data subjects." It is not clear how an additional document could confirm what is already mentioned in the legal text. Moreover, the GBA in its Recommendation No 01/2018 specifically mentions the following elements to be considered as risk: financial losses, the circumstance that data subjects cannot exercise their rights and freedoms or are prevented from exercising control over their personal data, and any other significant economic or social disadvantage.[70]

262. Recommendation No 01/2018 states that "loss of an opportunity" and "denying or limiting access to spaces or events otherwise open to the public" are examples of infringements of rights and freedoms.
In the opinion of the Disputes Chamber, the fact that the person concerned is denied access to the terminal and is prevented from boarding a flight is an infringement of identified rights or a risk as referred to in the recommendation. Therefore, the defendant should have examined these risks. The Disputes Chamber considers that the Respondent has provided an example of such an analysis in its conclusion responding to finding 5 of the Inspectorate concerning the breach of confidentiality and the obligation to implement technical and organisational measures to protect the data (see paragraph 274 et seq.) and finding 6 regarding the principle of data protection by design and by default (paragraphs 291 et seq.). The Disputes Chamber regrets that this analysis was not included in the GEB, as should have been done.

[70] Data Protection Authority Recommendation No 01/2018 of 28 February 2018, §46. Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-01-2018.pdf

263. The Disputes Chamber also notes that in establishing the alleged legal basis, no impact assessment was carried out. It was nevertheless very important for the defendant to prepare a full risk analysis.[71]

264. The Disputes Chamber therefore finds a breach of Article 35.7.c.

In connection with the measures envisaged to address the risks (Article 35.7.d AVG)

Findings of the Inspectorate

265. Taking into account the above, the Inspectorate finds that BSCA nv, due to the risks to the rights and freedoms of the data subjects, was not able to analyse possible measures by which these risks could be addressed in accordance with Article 35.7.d of the AVG.

Position of the defendant

266. According to the Respondent, this is not entirely correct. Indeed, he says he analysed the measures based on the criteria included in the CNIL tool.
It is therefore incorrect to claim that without further substantiation this assessment cannot possibly be used.

[71] Article 35.10 of the AVG provides that a controller may be exempted from carrying out an impact assessment if it was already carried out when the legal basis was established in accordance with Article 6.1.c, which does not seem to be the case here.

267. The defendant would like the Inspectorate to consider how and why the proposed measures are not sufficient given the risks revealed by the GEB conducted by the Respondent.

268. He believes that without substantiation, it cannot be held that the defendant failed to fulfil its obligations.

Assessment by the Disputes Chamber

269. Like the Inspectorate, the Disputes Chamber is of the opinion that the shortcomings regarding Article 35.7.a, b and c make it impossible to carry out a proper assessment of the measures to address the risks that were not assessed. In the opinion of the Disputes Chamber, there is therefore a breach of Article 35.7.d.

Concluding remarks

Findings of the Inspectorate

270. The Inspectorate wishes to emphasise that, in view of the determinations made, it does not consider it necessary to analyse each of the elements of the GEB of BSCA SA, as the Inspection Service believed that these findings were in themselves sufficient to prove the infringement of Article 35.7 of the AVG.

Position of the defendant

271. The defendant does not respond to the Inspectorate's findings on this point.

Assessment by the Disputes Chamber

272. In conclusion and in view of the above, it can be stated that the Respondent's GEB does not constitute a sufficiently detailed and complete impact assessment to satisfy the requirements of Article 35.7 of the AVG.
Indeed, the submitted document looks more like a description and validation of the processing system that is widely applied, rather than a genuine assessment of risks to the rights and freedoms of data subjects and a general reflection on the application of this system. On the basis of the above points, the Disputes Chamber therefore establishes a breach of Article 35.7.

II.3. Finding 5: Breach of confidentiality and of the obligation to take technical and organisational measures to secure the data (Articles 5.1.f and 32 AVG)

Findings of the Inspectorate

273. The Inspectorate finds that BSCA nv, in breach of Article 5.1.f and Article 32 of the AVG, violated the confidentiality principle and failed to comply with the obligation to provide appropriate measures to ensure data security. This finding is based on the fact that the identification data and passwords used to access the computer controlling the thermal imaging cameras were included in the Note communicated to the Belgian Red Cross and to the defendant's fire brigade, which created the risk that the data could be consulted by persons other than those authorised to do so.

Position of the defendant

274. For the defendant, a risk can be defined as "a scenario describing an event and its consequences, estimated in terms of severity and probability."

275. In analysing the risk inherent in unauthorised access to the cameras' computer, it must be concluded that the measures taken reduce (or even eliminate) this risk to an extremely low level, both in terms of probability and of severity, and that they are therefore proportionate to the risk, as required by Article 32 of the AVG.

276.
The defendant believes that the PC in question is never accessible to people other than the employees of the fire brigade or the Red Cross and that, even if someone had been able to gain access to this room and computer, this person would also have had to have the codes that are in the Note kept by the fire service. This, according to him, is highly unlikely.

277. On risk, the defendant argues that an unauthorised person who had the access codes would have had access to the computer but not to the personal data, since the system erased the data when it was restarted. However, given that Red Cross staff were always present during airport opening hours, along with the fire brigade, no other person would have had access during the day to the room where the data was processed.

Assessment by the Disputes Chamber

278. Article 5.1.f of the AVG establishes the principle of integrity and confidentiality. This provision is reproduced below:

"1. Personal data must: [...] (f) by the adoption of appropriate technical or organisational measures, be processed in such a way that appropriate security is ensured and that, inter alia, they are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)."

Recital 39 of the AVG adds, "Personal data should be processed in a manner that ensures appropriate security and confidentiality of that data, including for the purpose of preventing any unauthorised access to or use of personal data and the equipment used for processing."

279. This principle is further elaborated in Article 32 on security of processing. It reads as follows:

"Article 32: Security of processing

1.
Taking into account the state of the art, the implementation costs, as well as the nature, extent, context and purposes of processing and the varying degrees of probability and gravity of risks to the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures to ensure a risk-adapted security level, which shall include, where appropriate, the following:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability, in the event of a physical or technical incident, to restore the availability of and access to personal data in a timely manner;

(d) a procedure for periodically testing, assessing and evaluating the effectiveness of technical and organisational measures to secure the processing.

2. In assessing the appropriate level of security, particular account shall be taken of the processing risks, in particular those resulting from the destruction, loss, alteration or unauthorised disclosure of or unauthorised access to transmitted, stored or otherwise processed data, whether accidental or unlawful.

3. Joining an approved code of conduct as referred to in Article 40 or an approved certification mechanism referred to in Article 42 may be used as an element to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.

4. The controller and the processor shall take measures to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does so only on the instructions of the controller, unless he is required to do so pursuant to Union or Member State law."

280.
According to the Inspection Service, the risk exists that the data in question will be held by an unauthorised person, because both the password and the login to access the computer to which the thermal imaging cameras are connected can be read in the Note that was communicated to the Belgian Red Cross.

281. Based on the elements presented by the Respondent, the Disputes Chamber considers that this risk is unlikely. An unauthorised entry is possible only if all the following conditions are met:

- Having access to the Red Cross note;
- Having access to the room with the personal computer. According to the defendant, the PC is always manned by a team during airport opening hours at departure and during the arrivals of passengers from a red zone on arrival. Consequently, it seems impossible that a third party could use the computer given the presence of the teams;
- Being able to log in with login and password.

The Disputes Chamber therefore finds that the likelihood of the risk of unauthorised access is very limited.

282. Moreover, the Disputes Chamber agrees with the Respondent's conclusion that a third party, even if he managed to gain unauthorised access to the PC, would at best only have access to the most recent 20 photographs of people with a temperature of more than 38°C. These are personal data which, outside the specific context of their processing and the possible refusal to enter the terminal, present little risk and are only slightly personal, as the vast majority of people have had a fever at some point in their lives. In the case of unauthorised access to the PC after it was switched off at the end of the day, all images would, moreover, have already been erased. The Disputes Chamber is therefore of the opinion that the security risk is very minor and that no breach of Articles 5.1.f and 32 of the AVG can be established.

283.
In general, however, it recommends that, as a security measure, logins and passwords [...]. For example, a password can be kept in a single document, but it is clearly safer to send it via another communication channel (e-mail, SMS, etc.), which also allows the password to be renewed more often and more easily.

284. In the Disputes Chamber's view, in implementing the GEB, the Respondent should have demonstrated that it had correctly assessed the safety risks. It can only regret that the three pages of arguments and explanations in the Respondent's conclusion were not included in the relevant section of the GEB. In this regard, it refers to its earlier conclusions above (see paragraph 262).

II.3.8 Finding 6: Breach of the principle of data protection by design and by default settings (Article 25 AVG)

Findings of the Inspectorate

285. Because the use of smart cameras, which include thermal imaging cameras, may pose serious risks to the rights and freedoms of data subjects, the Inspectorate considers it essential that the controller take appropriate measures to safeguard the effectiveness of the principle of data protection by design and by default settings. This is all the more important when the processing in question involves sensitive data, namely data relating to health.

286. In the first place, the Inspectorate considers that the Respondent, by not carrying out an impact assessment prior to processing, was not in a position to properly document and analyse the various appropriate measures to be implemented. In this regard, it refers to the findings above (see paragraph 262).

287. The Inspection Service finds that the twenty most recent alarm images are stored in the cache memory (RAM) of the management software of the thermal imaging cameras and that they are deleted one by one, and also when the computer is shut down (which happens every evening).
In the opinion of the Inspectorate, this temporary storage is not necessary to single out certain people and to carry out additional checks (on arrivals) or to inform them of the possible symptoms of COVID-19 (at departures). A simple representation of the warnings in real time on the screen would be sufficient.

288. The Inspectorate further believes that the Respondent did not make any enquiries about the storage period, although it should have done so and the supplier itself made enquiries about this with the Respondent.

289. Finally, the Inspectorate is of the opinion that the control of the temperature of the attendants is not necessary to achieve the objective described. It adds that the heading of the Protocol which refers to temperature control refers only to the passengers and not the attendants.

290. On the basis of these elements, the Inspectorate finds that BSCA nv has breached both the principle of minimum data processing and the principle of data protection by design of Articles 5.1.c and 25 of the AVG.

Position of the defendant

291. First, the Respondent considers that the Inspectorate's findings reflect a lack of practical sense. He believes that the Inspectorate's analysis lacks insight into the concrete situation in practice. Given the large number of people who pass through the terminal every day, it is impossible to check everyone with a temperature above 38°C immediately at the pre-check. It is therefore necessary to record camera images so that people can be recognised and identified. Without these recordings, there is a risk that identified people can walk through anyway. The defendant fails to see how it could have made the system work with a "simple real-time display of warnings on the screen", as the Inspectorate suggests.

292. The Respondent adds that the recorded images are limited to a maximum of 20 at a time and that they are systematically erased at the end of the day, i.e.
after a maximum of 17 hours (between 4.00am and 9pm).

293. He denies the finding that he did not check with the processor about the storage period and says that this cannot be concluded from the very brief e-mail correspondence referred to.

294. Nor does the defendant see how it could have avoided processing the data from the attendants who presented themselves at the airport, except by separating them from the passengers, which he considers neither humanly nor organisationally reasonable. He further states that his website reported that access to the terminal was reserved for travellers with a valid plane ticket, but that it was difficult to refuse to let an adult bring his child into the terminal. He added that they were also a health risk from the moment they entered the airport. With a view to applying the compulsory protocol imposed on him and taking into account his organisation, the defendant considered that everyone who passed the pre-check was a passenger within the meaning of the Protocol.

Assessment by the Disputes Chamber

295. The Inspectorate's findings are based on Articles 5.1.c and 25 of the AVG, which relate respectively to the principle of minimum data processing and the principle of data protection by design and by default settings. The text is shown below:

"Article 5: Principles relating to the processing of personal data

1. Personal data must: [...] (c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed (minimum data processing);"

"Article 25: Data protection by design and by default settings

1.
Taking into account the state of the art, the implementation costs, and the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and seriousness to the rights and freedoms of natural persons resulting from the processing, the controller shall, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed with the aim of implementing the data protection principles, such as minimum data processing, in an effective manner and to build the necessary safeguards into the processing to comply with the requirements of this Regulation and to protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures to ensure that, in principle, only personal data necessary for each specific purpose of processing are processed. That obligation shall apply to the amount of personal data collected, the extent to which they are processed, the period for which they are stored and their accessibility. In particular, these measures shall ensure that personal data are in principle not made accessible without human intervention to an unlimited number of natural persons.

3. A certification mechanism approved in accordance with Article 42 may be used as an element to demonstrate compliance with the requirements of paragraphs 1 and 2 of this Article."

296. The principle of minimum data processing is a fundamental principle for the application of the principle of data protection by design and by default settings. It is directly referred to in the first and second paragraphs of Article 25.

297. These articles impose various obligations on the controller, which can be summarised as follows. First, only the data necessary for the purpose must be processed (Article 5.1.c AVG).
Secondly, the controller must implement appropriate technical and organisational measures to implement the principles of data protection (Article 25.1 AVG). Finally, the controller must implement appropriate technical and organisational measures to ensure that, in principle, only personal data are processed that are necessary for each specific purpose of the processing (Article 25.2 AVG).

298. First, the Disputes Chamber agrees with the Inspectorate that compliance with these obligations should have been demonstrated in the GEB that the controller should have carried out prior to the start of processing. In this regard, the Disputes Chamber refers to the findings above (see paragraph 262 above). However, it relies for its analysis on the additional elements that the Respondent provided in its submission.

299. The documents on file show that the data processed were the temperature and photographs taken by the cameras of persons with a temperature above 38°C who wanted to enter the terminal or of passengers returning from a red zone. He also notes that up to 20 photographs were kept at a time and that the older photographs were replaced one by one according to the 'first in, first out' principle. According to the defendant, these photographs were erased at the end of the day, meaning that the photos were theoretically kept for a maximum of 17 hours. This processing was to allow the identification of individuals with temperatures above 38°C who wanted to enter the terminal or were returning on a flight from a red zone.

300. In its investigation report, the Inspection Service judged that this storage is often long and that it is not necessary to pick out people and carry out additional checks (on departure) or to inform them about the possible symptoms of COVID-19 (on arrival). A simple display of real-time alerts on the screen would suffice.

301.
The Disputes Chamber finds that the controller has limited itself to two types of data: the temperature and a photograph identifying the person with a temperature of more than 38°C. The photographs were kept for a maximum of 17 hours. The temperature is the data collected and the photograph is the data enabling identification of the person with a temperature of more than 38°C. The Disputes Chamber considers that in this situation, the temporary retention of the photograph is necessary in order to correctly identify the person concerned. Limiting oneself to a simple screen display in real time would indeed mean that it should be possible to address the data subject immediately, which could be very complex with a large influx of passengers. Furthermore, temporarily retaining a photograph may be necessary to ensure that the person being stopped is indeed the person to whom the processing relates. In this context, the storage duration and modalities are necessary to achieve the purpose of the processing, since a more restrictive method could cause excessive practical problems in pursuing the purpose. In the Disputes Chamber's view, the Respondent did have technical and organisational measures in place to mitigate the risks of the processing.

302. The Disputes Chamber also notes that particular attention appears to have been paid to the principle of minimum data processing, as the identity of the data subjects was not recorded and the only anonymous register of the number of data subjects was destroyed weekly.

303. In connection with the processing of the data of escorts, who are thus not passengers, the Disputes Chamber refers to its conclusions under finding 2 regarding the purpose of processing. It recalls that the purpose stated by the defendant is "to protect the health of persons in transit in the airport and of terminal staff."
(see paragraph 191 et seq.). The purpose of processing is therefore not limited to recording the temperature of passengers, but of all persons wishing to enter the terminal. In this respect, taking the temperature of escorts is consistent with the purpose.

304. The Disputes Chamber finds no breach of the principle of minimum data processing (Article 5.1.c AVG) or of the principle of data protection by design and by default settings (Article 25 AVG).

II.3. Finding 7: Breach of the obligation to keep a complete register of the processing activities (Article 30.1 AVG)

Findings of the Inspectorate

305. The Inspectorate notes that the register does not contain all the mandatory information that Article 30.1 of the AVG requires to be included in a register of processing activities, as the following information is missing:

- the name and contact details of the controller, i.e. BSCA SA. The document contains a column 'processing manager' listing the natural person(s) responsible within BSCA nv for the data processing;
- the name and contact details of the data protection officer;
- the categories of recipients to whom the personal data have been or will be disclosed.

Position of the defendant

306. The defendant admits the deficiency in relation to the name and contact details of the controller and the data protection officer, and has provided an updated version of its register.

307. In relation to the categories of recipients, the Respondent considers that the Inspectorate adds categories not provided for by the AVG, as the latter does not require the relevant entity or category of processor to be listed.

Assessment by the Disputes Chamber

308. The Inspectorate alleges that the defendant failed to comply with Article 30.1 of the AVG. This article is reproduced below:

"Article 30.
Register of processing activities

Each controller and, where applicable, the representative of the controller shall keep a register of processing activities that take place under their responsibility. That register shall contain all of the following information:

(a) the name and contact details of the controller and any joint controllers, and, where applicable, the representative of the controller and of the data protection officer;

(b) the processing purposes;

(c) a description of the categories of data subjects and the categories of personal data;

(d) the categories of recipients to whom the personal data are or will be disclosed, including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, indicating that third country or international organisation and, in the case of the transfers referred to in the second subparagraph of Article 49(1), the documentation of the appropriate safeguards;

(f) if possible, the time limits envisaged within which the different categories of data must be erased;

(g) if possible, a general description of the technical and organisational security measures referred to in Article 32(1)."

309. The Disputes Chamber notes that the defendant admits the deficiency with regard to the name and contact details of the controller and the data protection officer (Article 30.1.a), and that it has provided an updated version of its register. The name and contact details of the controller and the data protection officer are included therein.

310.
In relation to the categories of recipients to whom personal data have been or will be provided, the Disputes Chamber notes that Article 30.1.d of the AVG requires "the categories of recipients to whom personal data have been or will be disclosed". The term 'recipient' is defined in Article 4.9 of the AVG as "a natural or legal person, public authority, agency or any other body, whether a third party or not, to whom/to which personal data are disclosed."

311. The Disputes Chamber should rule on how precisely the categories of recipients should be identified in the register of processing activities.

312. The defendant's register of processing activities contains a title 'Recipient?'. This title contains several tabs structured as follows:

- a 'processor' tab with two options: 'yes' or 'no';
- a tab 'application used', under which the name of the application is listed;
- an 'internal or external application' tab, where either option can be selected;
- a tab 'digital/paper', where either option can be chosen;
- a tab 'third country (non-EU)' under which the answer 'no' appears systematically.

313. CBPL Recommendation No 06/2017 of 14 June 2017 on the register of the processing activities (Article 30 of the AVG) [72] deals with this issue. It clarifies: "This thus refers to both possible internal and external recipients (such as processors or third parties) who are in or outside the European Union. The explanatory note to the pre-processing declaration gives as examples: the personal relationships of the person concerned, employers, other services or companies of the controller, social security, police and judiciary, personal data brokers or direct marketing, etc. (Annex 1)."

314. The text of the AVG, supported by a CBPL recommendation and the doctrine, [73] thus shows that it is admittedly not necessary to specify the individual recipients of the data, but it is necessary to group them by category of recipients.
By stating only whether it is or is not a processor, this requirement is therefore not met.

315. Based on the above elements, the Disputes Chamber concludes that there is a breach of Articles 30.1.a and 30.1.d of the AVG.

II.3.10 Finding 8: Breach of the obligation to ensure the independence of the data protection officer in accordance with Article 38.3 of the AVG

Findings of the Inspectorate

316. The Inspection Service finds that BSCA nv, contrary to what Article 38.3 of the AVG prescribes, failed to ensure that the data protection officer did not receive instructions regarding the performance of his duties, particularly in view of his function within the company's organisational chart and his duty to report to the legal director.

[72] Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-06-2017.pdf

[73] W. Kotschy, "Article 30: records of processing activities", in Ch. Kuner, The EU General Data Protection Regulation (GDPR), a commentary, 2020, p. 621.

Position of the defendant

317. The defendant believes that the Inspectorate's conclusions are incorrect. He considers - and refers to the Guidelines in support of his argument - that the Inspectorate has not analysed the independence of the data protection officer but merely adopted the information from the organisation chart and did not demonstrate how he would then have received instructions regarding the performance of his duties. For that, the service should have relied on concrete deficiencies. According to the defendant, attending meetings 'between departments' does not constitute proof of a lack of independence, but rather of involvement within the company. The defendant refers to the reply he already sent to the Inspectorate stating that the data protection officer is part of the legal department, reports annually to the management and receives an annual budget.

318.
At the hearing, the defendant's data protection officer stated that his position within the company is clear and that the management listens to him. He added that he used to report to the legal director and work in the legal department. Meanwhile, the legal director has become number 2 in the company and the data protection officer is therefore directly under his authority, even though he is still on the payroll of the legal department.

Assessment by the Disputes Chamber

319. The Inspectorate finds a breach of Article 38.3 of the AVG. This article is reproduced below:

"Article 38. Position of the data protection officer

1. The controller and the processor shall ensure that the data protection officer is properly and timely involved in all matters that are related to the protection of personal data.

2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing him with access to personal data and processing operations and by providing him with the resources necessary to perform these tasks and maintain his expertise.

3. The controller and the processor shall ensure that the data protection officer receives no instructions regarding the performance of those duties. He shall not be dismissed or penalised by the controller or processor for the performance of his duties. The data protection officer shall report directly to the most senior manager of the controller or processor."

320. According to the Inspectorate, the controller did not meet the obligations of Article 38.3, as the position of the data protection officer under the authority of the Respondent's legal director and the fact that he had to report to the latter every fortnight are contrary to the prohibition on receiving "instructions relating to the performance of his duties".

321.
The Article 29 Data Protection Working Party drafted guidelines in relation to the data protection officer, which were adopted by the EDPS. [74] About the independence of the data protection officer, the guidelines contain the following paragraphs: "This means that data protection officers, in performing their duties under Article 39, may not receive instructions in connection with the handling of a case, such as the result to be achieved, the manner in which a complaint is to be investigated or whether or not to consult the supervisory authority. Furthermore, they should not be required to take a particular position on a matter relating to data protection law, such as a particular interpretation of the law. [...] If a controller or processor takes decisions that are incompatible with the AVG and the advice of the data protection officer, the latter must be able to make his dissenting opinion clear to the highest management level and to the decision-makers." [75]

[74] Data Protection Working Party Article 29, Guidelines on Data Protection Officers, WP 13 rev 2016. Available at: https://ec.europa.eu/newsroom/article29/items/612048.

[75] Ibid., p. 18 [free translation]. Bold added by the Disputes Chamber.

322. The guidelines thus show that the issue of the independence of the data protection officer is based on two different criteria. First, his independence should be assessed within the context and in situ: one should make sure that he is not influenced or pressurised to perform the tasks entrusted to him under the AVG in a certain way. This is therefore an obligation to refrain from any interference with his duties and the absence of retaliatory measures. From the text of the AVG and the guidelines, a second - this time positive - obligation arises.
This entails that the controller must ensure that the data protection officer is accountable at the highest hierarchical level for his advice and work. This is an additional form of protection ensuring that the data protection officer can make his voice heard within the organisation.
323. The Disputes Chamber notes that the Inspectorate has no comments on the second obligation, i.e. being able to report to the highest hierarchical level.
324. However, the Inspectorate does consider that the position of the data protection officer according to the organisational chart impairs his independence, as it conflicts with the first obligation, namely that there should be no interference with his work. As it explained above, however, the Disputes Chamber considers that it cannot be inferred from the position on the organisational chart and the obligation to report biweekly to the legal director that the data protection officer receives instructions. This should be assessed on the basis of concrete indications of interference, which were not presented in this case. The AVG does not prohibit the data protection officer from having a hierarchical superior.
325. Article 38.3 of the AVG also specifies that the data protection officer "shall not be dismissed or penalised by the controller or processor for performing his duties." The documents on file and, in particular, the defendant's response to the questions posed by the Disputes Chamber in preparation for the hearing show, however, that the data protection officer was very often technically unemployed between May and August 2020.
The Respondent provides the following breakdown in this regard:
"In conclusion, the full breakdown of the number of working days of the Respondent's data protection officer between April 2020 and August 2020:
- Three (3) days in April 2020;
- Five (5) days in May 2020;
- Three (3) days in June 2020;
- Nine (9) days in July 2020; and
- Thirteen (13) days in August 2020."[76]
[76] Brief of 18 October 2021, p. 5. [free translation]
326. These documents show that between April 2020 and August 2020 the data protection officer worked only a total of 33 days.[77]
327. The Respondent's response shows that a large proportion of its staff at that time was technically unemployed. Thus, the Disputes Chamber cannot conclude that the data protection officer was particularly affected by this technical unemployment and was "penalised for performing his duties" within the meaning of Article 38.3.
328. However, it is clear from the above figures that the data protection officer had very few effective working days when the implementation of processing was prepared (in June 2020). The Disputes Chamber therefore doubts whether he "could [be] properly and timely involved in all matters relating to the protection of personal data" as required by Article 38.1 of the AVG. The Disputes Chamber is aware that on 30 April 2020, the data protection officer was requested to submit a note on the lawfulness of the processing of temperature measurements, and that the data protection officer replied with a short note of 2.5 pages. It also noted that the file contains some e-mail messages that were exchanged with the data protection officer in the relevant period. However, it considers that this in itself does not constitute conclusive evidence of the appropriate and timely involvement of the data protection officer.
329.
On the contrary, the Disputes Chamber questions the fact that the data protection officer was placed on technical unemployment during the period in which the disputed processing operations were introduced, which may have affected his ability to be 'properly and timely' involved in the reflection on the said processing.[78] The Disputes Chamber considers that the decision to place the data protection officer on technical unemployment could prevent him from performing his duties in accordance with Article 38.1 of the AVG. However, the Chamber does not have sufficient evidence to rule on this in this case and establish a breach.
[77] Ibidem.
[78] Art. 38.1 AVG.
III. Infringements and sanctions
330. According to Article 100 of the CPC, the Disputes Chamber has the power to:
1° dismiss the complaint;
2° order the exclusion of proceedings;
3° order a stay of judgment;
4° propose a settlement;
5° issue warnings and reprimands;
6° order that the requests of the data subject to exercise his rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or definitively frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° order the rectification, restriction or deletion of data and their notification to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° impose periodic penalty payments;
13° impose administrative fines;
14° suspend cross-border data flows to another State or an international institution;
15° transfer the file to the public prosecutor's office in Brussels, which shall inform it of the action taken on the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
331.
With regard to the administrative fine that may be imposed under Articles 58.2.i and 83 of the AVG and Articles 100.13 and 101 of the WOG, Article 83 of the AVG provides:
"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for the breaches of this Regulation are effective, proportionate and dissuasive in each case. Administrative fines shall, depending on the circumstances of the case, be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether an administrative fine shall be imposed and on the amount thereof, due account shall be taken for each specific case of the following:
(a) the nature, gravity and duration of the breach, taking into account the nature, extent or purpose of the processing in question as well as the number of data subjects affected and the extent of the harm suffered by them;
(b) the intentional or negligent nature of the infringement;
(c) the measures taken by the controller or processor to mitigate the harm suffered by data subjects;
(d) the extent to which the controller or processor is responsible in view of the technical and organisational measures it has implemented in accordance with Articles 25 and 32;
(e) previous relevant breaches by the controller or the processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its potential negative consequences;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor reported the breach;
(i) compliance with the measures referred to in Article 58(2), to the extent that these were previously taken in respect of the controller or processor in question with respect to
the same matter;
(j) adherence to approved codes of conduct in accordance with Article 40 or to approved certification mechanisms in accordance with Article 42; and
(k) any other aggravating or mitigating factor, such as financial gains made, or losses avoided, arising directly or indirectly from the infringement."
332. The Disputes Chamber recalls that a fine is not intended to put an end to a committed infringement, but to effectively enforce the rules of the AVG. As is clear from recital 148, the AVG indeed requires that for any serious breach - including the first determination of a breach - sanctions (including administrative fines) shall be imposed in addition to or instead of the appropriate measures imposed.[79] This same recital provides for two cases in which it is possible to waive a fine, namely in the case of small infringements or when the fine would be unreasonably burdensome for the natural person, within the meaning of recital 148 of the AVG. In both cases, a fine could be waived. That it concerns the first finding of a data controller's breach of the AVG does not alter the fact that the Disputes Chamber may impose an administrative fine. An administrative fine is not intended to put an end to infringements. To this end the AVG and the WOG provide for a number of remedies, including the orders referred to in Article 100, §1, 8° and 9° of the CPC.
[79] Recital 148 states in this context: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of any appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If the infringement is minor or if the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. Account should, however, be taken of the nature, seriousness and duration of the infringement, the intentional nature of the infringement, damage limitation measures, the degree of responsibility, or previous relevant breaches, the manner in which the breach came to the notice of the supervisory authority, the compliance with the measures taken against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural guarantees in accordance with general principles of Union law and the Charter, including an effective remedy and due process." [emphasis added by the Disputes Chamber]
333. In this case, the Disputes Chamber found that the Respondent had infringed the following articles:
(a) Infringement of Articles 6.1.c, 6.3 and 9.2.i, as it was not shown that the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicines or medical devices, on the basis of Union law or Member State law laying down appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy. Moreover, the legal bases put forward by the defendant (namely the Decree of 23 June 1994 on the establishment and operation of airports and airfields under the Walloon Region, the Ministerial Decree of 30 June 2020 containing urgent measures to limit the spread of the coronavirus COVID-19, the law of 31 December 1963 on civil protection (as replaced by the law of 15 May 2007) and the Protocol on "Commercial Aviation Passengers" of 11 June 2020) do not meet the requirements of Article 6.1.c, read in conjunction with Article 6.3 of the AVG.
(b) Breach of Articles 5.1.a, 12.1, 13.1.c, 13.2.a, 13.2.d and 13.2.e due to non-compliance with the obligation of transparency towards the persons concerned: by failing to inform them of the fact that the temperature measurement would be done with thermal imaging cameras; by failing to properly inform passengers leaving a red area about the legal basis of the processing, the purpose of the processing and the regulatory framework for the obligation to monitor body temperature; and by failing to properly inform these passengers about the period for which the data will be kept and about the right to complain to the data protection authority.
(c) Infringement of Article 5.1.b, as the purpose of the processing was not stated sufficiently explicitly at the start of the processing: it was not expressly stated in any of the sources of information submitted by the defendant. The purpose of the processing was explicitly stated only in the response to the Inspectorate's questions and after the update of the privacy policy in December 2020.
(d) Breach of Articles 35.1 and 35.7 because no data protection impact assessment was carried out before the start of processing. Moreover, the impact assessment is incomplete in that it does not contain an adequate description of the processing operations envisaged and the purposes of the processing, insufficiently analyses the necessity and proportionality of the processing, and does not properly assess the risks to the rights and freedoms of the data subjects.
(e) Breach of Articles 30.1.a and 30.1.d in that, at the time of the investigation, the name and contact details of the controller and the data protection officer were missing from the register of processing activities, and the categories of recipients of the data were inadequately and inaccurately specified.
334. In accordance with Article 101 of the CPC, the Disputes Chamber decides to impose a fine of 100,000 euros for violations of Articles 5.1.a, 5.1.b, 6.1.c, 6.3 and 9.2.i, 12.1, 13.1.c, 13.2.a, 13.2.d, 13.2.e, 35.1 and 35.7.
335. Taking into account Article 83 of the AVG, the Disputes Chamber justifies the imposition of an administrative sanction in concreto[80] on the basis of the following criteria derived from this article which it considers relevant in this case:
[80] Court of Appeal Brussels (Markets Court section), X. v. GBA, Judgment 2020/1471 of 19 February 2020.
- The nature, gravity and duration of the infringement (Article 83.2.a): the infringements established include a breach of the provisions of the AVG relating to the principles of data protection (Article 5 AVG) and lawfulness of processing (Article 6 AVG). According to Article 83.5 of the AVG, violations of the above provisions are subject to the highest fines. The breaches identified also include a breach of the information and transparency obligations (Articles 5.1.a, 12.1 and 13 AVG). Compliance with the above provisions is essential. They must be complied with no later than the start of the processing of the personal data. This is also necessary to make the exercise of the rights of the data subjects possible. The breaches identified are also related to the implementation of the data protection impact assessment. This obligation was fulfilled only after the start of processing, whereas this should have been done earlier (Article 35.1 AVG).
Furthermore, the criteria of Article 35.7 were not complied with, which significantly impaired the credibility of the exercise and the potential benefits for rights.
- Previous relevant breaches by the controller or processor (Article 83.2.e AVG): the defendant has never previously been the subject of a breach procedure before the Data Protection Authority.
- Categories of personal data affected by the breach (Article 83.2.g AVG): the identified breaches relate to a category of personal data within the meaning of Article 9 of the WOG (data concerning the health of data subjects).
- Other aggravating or mitigating circumstances applicable to this file (Article 83.2.k AVG): the defendant did not benefit from the processing operations carried out or infringements committed.
336. The totality of the elements set out above justifies an effective, proportionate and deterrent sanction as provided for in Article 83 of the AVG, taking into account the defined assessment criteria.
337. A sanction form was also sent on 15 February 2022, to which the defendant replied on 9 March 2022. These arguments can be summarised as follows:
a. It was subject to the obligation to carry out the processing operations. It had no choice and could not rely on guidance from the GBA.
b. A fine should remain an exceptional measure, especially given the state of force majeure in which the airport found itself and taking into account that the processing was very limited in time and is currently no longer taking place.
c. The airport suffered extremely high losses as a result of COVID and needed a recapitalisation to avert bankruptcy. This recapitalisation was made conditional on the conclusion of a social agreement that provided for wage cuts for the employees (this agreement was reported in the press).
338. The Disputes Chamber considers that the argument raised under point (a) has been addressed in the decision section of this decision (see paragraph 58 et seq.).
The Disputes Chamber reiterates that the Protocol is not a valid legal ground within the meaning of the AVG and that the Respondent has acknowledged that the Protocol[81] lacks clarity and that a law would have been preferable. It also refers to point 232 with regard to the lack of guidance.
[81] The Disputes Chamber also sends a copy of this decision to the competent minister.
339. In the operative part of the decision, the Disputes Chamber also already replied to point (b) above (see paragraph 217 et seq.). With regard to the fact that the processing was limited in time and is no longer taking place at present, the Disputes Chamber recalls that it took place during a period of approximately 9 months (between June 2020 and March 2021) for all passengers and attendants on departure, and for a period of just over a month for those returning from a red zone (September-October 2020). It also recalls that the defendant, although it could not provide the total number of people involved, indicated that for the period between 15 June 2020 and 31 October 2020 alone, some 457,000 passengers were checked at departure. Therefore, the processing cannot be considered to have been very limited in time nor in terms of the number of people involved.
340. With regard to point (c), the Disputes Chamber recalls that turnover is the criterion for the calculation of the maximum amount of fines under the AVG, and not the profit and loss account. The European legislator deliberately chose this to avoid variations in the profit and loss account affecting the ability of data protection authorities to impose effective fines.
341. The Disputes Chamber further emphasises that the other criteria of Article 83.2 of the AVG are not relevant in this case and therefore do not lead to an administrative fine different from that which the Disputes Chamber has determined in the context of this decision.
342.
In view of the above, the Disputes Chamber finds that it may rely on the annual figures of Brussels South Charleroi Airport S.A. to determine the amount of the administrative fine it intends to impose on the Respondent.
343. The Disputes Chamber refers to the claim filed by the Respondent with the Disputes Chamber as well as to the financial statements filed with the National Bank of Belgium (BNB) on 5 July 2021, which show a turnover of €28,859,291.41 for the 2020 financial year.
344. The administrative fine of 100,000 euros provided for in this case corresponds to 0.34 % of the Respondent's annual turnover for the year 2020. The Disputes Chamber refers to the conclusion filed by the Respondent with the Disputes Chamber as well as to the financial statements for the 2020 financial year filed on 5 July 2021 with the National Bank of Belgium (BNB), which show a turnover of €28,859,291.41.
345. The administrative fine of 100,000 euros provided for in this case corresponds to 0.34 % of the defendant's annual turnover for the year 2020.
346. The Disputes Chamber states that the maximum amount of the administrative fine for an infringement is determined by Articles 83.4 and 83.4 of the AVG. The amount of the fine imposed by this decision is significantly lower than the maximum amount provided for (which is a maximum of 1,154,371.65 euros), as the Disputes Chamber took into account all the relevant criteria listed in Article 83.2 of the CPC. Furthermore, the Disputes Chamber considers the concrete elements of each case individually in order to impose an appropriate sanction.
347.
For violations of Articles 30.1.a and 30.1.d, the Disputes Chamber, pursuant to Article 100, §1, 5° of the WOG, decides to impose a reprimand. The infringements found concern relatively insignificant elements, the violation of which does not in itself constitute justification for the imposition of a fine.
IV. Publication of the decision
348. Having regard to the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published on the Data Protection Authority's website in accordance with Article 95, §1, 8° of the CPC, indicating the identification details of the respondent, due to the specific nature of the decision - which makes re-identification inevitable even if the identification data are omitted - and also because of the general interest of this decision.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority shall, after deliberation, decide to:
- Impose a monetary fine of €100,000 on the defendant under Article 101 of the WOG for breaches of Articles 5.1.a, 5.1.b, 6.1.c, 6.3 and 9.2.i, 12.1, 13.1.c, 13.2.a, 13.2.d, 13.2.e, 35.1 and 35.7;
- Under Article 100, §1, 5° of the WOG, impose a reprimand for the breaches of Articles 30.1.a and 30.1.d.
Pursuant to Article 108, §1 of the WOG, an appeal against this decision must be lodged with the Market Court within 30 days of the notification, with the Data Protection Authority as defendant.
(signed) Hielke Hijmans
President of the Disputes Chamber