Court of Appeal of Brussels - 2022/AR/560 & 2022/AR/564

From GDPRhub
Court of Appeal of Brussels (Belgium) - 2022/AR/560 & 2022/AR/564
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law:
Decided: 07.01.2023
Published: {{{Date_Published}}}
Parties:
National Case Number/Name: 2022/AR/560 & 2022/AR/564
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)
48/2022
Appeal to:
Original Language(s): Dutch
Original Source: GBA (in Dutch)
Initial Contributor: elsjegold

The Belgian Court of appeal of Brussels upheld a decision by the Belgian DPA to fine Brussels airport for using temperature scanners at the airport to detect potential COVID-19 infections without a legal basis. However, the Court reduced the original fine.

English Summary

Facts

On 4 April 2022, the Belgian DPA issued decision 48/2022, in which it fined Brussels Airport €200,000 for the use of thermal cameras and temperature checks for COVID-19 detection purposes. It also fined the Ambuce Rescue Team €20,000 for carrying out a second test (second-line control) for passengers at Brussels Airport with a temperature of 38°C or higher. The DPA held these controllers lacked a lawful ground for processing these special personal data. For more information on this decision, see the GDPRhub summary.

Ambuce and the Airport both appealed this decision with the Market Court, where they were jointly decided. Both parties questioned the impartiality of the DPA, because one of its members was also the ‘program director’ at a non-profit focused on digital data protection (NOYB). This was supposedly incompatible with his mandate as a member of the Dispute Chamber of the DPA and in violation with Articles 52(1) and 52(2) GDPR and Article 44(1) WOG.

Ambuce and the Airport also questioned their qualification as joint controllers as far as the second-line control was concerned.

Lastly, they argued that the fines imposed on them were not adequately justified.

Brussels Airport further argued that the DPA misused its power. According to the Airport, the purpose of the contested decision was to set an example and to denounce the practice of not consulting the DPA in any legislative initiative. In addition, the DPA allegedly breached the principles of reasoning and due care.

Further, Ambuce stated that the publication of the press release of 17 June 2020 infringed Article 54(2) GDPR and Article 48(1) and Article 64(3) WOG. This press release described that the DPA was 'worried' about the installation of these thermal camera's.

In addition, Ambuce held that it's rights of defence and article 92(3) WOG were not respected by the DPA. A number of GDPR violations were found in the contested decision on the part of Ambuce, whereas the Inspection Service Report only held Brussels Airport responsible for the GDPR violations committed in the context of the second-line inspection. The DPA upheld infringements on Ambuce’s behalf without any rebuttal, violating Ambuce's right of defence. It would also make the contested decision incompatible with Article 92(3) WOG, as that provision would imply that the DPA may not find infringements other than those that in the Inspection Report.

Holding

On the impartiality of the litigation chamber, the Market Court held that it was only for the Parliament to remove one of its members from office. The Court had no jurisdiction to do so. It further noted that the decision is collegial, and no element proved that the member was irregularly appointed or biased in a way that could lead to the annulment of the decision.

Regarding the press release, the Court again stated that it had no jurisdiction to rule on the legitimacy of the publication of the press release. It was only competent to rule on the decisions of the DPA. Insofar that the parties invoked Article 54(2) GDPR, the Court stated that this merely stipulated that members and staff of national supervisory authorities were bound by professional secrecy. However, this provision was not to be interpreted so broadly that it would prevent the DPA from communicating (possible) breaches of the GDPR to the general public.

Regarding the alleged abuse of power, the Court reminded that this can only be the case when a public authority used its power, meant to serve the public interest, for another purpose. The unauthorised purpose must moreover be the sole purpose of the contested act. Since both parties didn’t demonstrate that the DPA pursued an objective other than the enforcement of the right to data protection, this plea was unfounded.

Regarding Ambuce’s right of defence, the Court found that Ambuce was made aware of all the issues that could cause a debate before the litigation chamber. Furthermore, Ambuce was sufficiently heard during the hearing based on the official report. There was therefore no violation of its right to defence. Regarding the violation of Article 92(3) WOG, the Court held that the DPA cannot be bound by what was stated in the Inspection Report for the establishment of potential violations and sanctions.

On the qualification by the DPA of the parties as joint controllers, the Court noted that this qualification was not in line with the inspection report and the conclusions of Ambuce and Brussels Airport. The Court stated that the DPA could have, for example, invited the Inspection Service to the hearing and/or ask it to conduct an additional investigation, which the DPA did not do. Therefore, the contested decision was not carefully prepared on this point and the reasoning of the DPA was inadequate. Thus, no sanction could in any event be imposed on Ambuce since the alleged infringement was not established with due care and was not adequately reasoned.

The Court reduced the amount of the fine on the Airport. In particular, the court stated that the DPA should have paid more attention to the following factors: (Article 83 GDPR)

  • The Airport had fully cooperated with the DPAs during the procedure
  • The controller had not profited economically from these temperature checks.
  • The sole purpose of the temperature checks was to support public health.

Therefore, it reduced the fine given to Brussels Airport to €50,000.

Comment

Similar temperature checks were performed at Brussels Charleroi Airport. This was the subject of a separate decision of the DPA (47/2022), also issued on 4 April 2022 and appealed at the Market Court (2022/AR/556). Both the decision of the DPA and the decision of the Market Court are summarised on the GDPRhub.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                  1/82





                                                                                 Disputes Chamber



                                                Decision on the merits47/2022 of 4 April 2022

                                         This decision was partially set aside by the judgment

                                            2022/AR/556 of the Market Court dated 7 December 2022


File number: DOS-2020-04002



Subject:Use of thermal imaging cameras at Brussels South Charleroi Airport

in the fight against COVID-19



The Disputes Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans,

chairman, and Mr Jelle Stassijns and Mr Romain Robert;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of individuals with regard to the processing of

personal data and on the free movement of such data, and repealing Directive

95/46/EC (General Data Protection Regulation), hereinafter 'AVG';


Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter

'WOG';


Having regard to the Act of 30 July 2018 on the protection of natural persons with regard to

the processing of personal data (hereinafter 'WVP');



Having regard to the Rules of Internal Procedure, as approved by the House of Representatives
on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;



Having regard to the documents on file;




has taken the following decision regarding:

                                                                                                  .
The defendant: BSCA SA, with its registered office at Rue des Frères Wright 8, 6041 Charleroi,
                                                                                                  .
                   registered with company number 0444.556.344, represented by Mr .

                   Frédéric Deschamps and Mr. Nathan Vanhelleputt, hereinafter referred to as 'the defendant'.                                                                                 Decision on the merits 47/2022 - 2/73




I.  Facts and procedure


  1.  On 28 August 2020, the Inspectorate decided to file the case on its own initiative

      in accordance with Article 63, 6° of the Act of 3 December 2017 establishing the

      Data Protection Authority.


  2.  This decision was taken following serious indications about the use of

      thermal imaging cameras by the public limited company Brussels South Charleroi Airport (hereafter

      'BSCA SA') to combat the spread of COVID-19. In particular, the decision was

      justified on the basis of the following elements:

    - Articles and publications by several Belgian newspapers and media sites that referred to the

        use of thermal imaging cameras by BSCA SA;


    - The FAQ (Frequently Asked Questions) on the website of the Data Protection Authority

        (hereinafter 'GBA') on body temperature monitoring as part of the fight against

        COVID-19;

                                                                     1
    - The press release dated17 June 2020 published by the GBA on its website regarding the contact

        made with Brussels Airport regarding the temperature checks carried out by the latter
        temperature controls;


    - The possible processing of data related to health 'for which better

        protection is required' as stated in the AVG; 2


    - The possible processing on a large scale;


    - The importance the GBA attaches to processing related to 'the use of photographs and
                                           3
        cameras' and 'sensitive data' in line with its 2020-2025 strategic plan.

  3.  On18april2021the Inspectorate completed the investigation and the report was finalised by the inspector-

      General to the President of the Disputes Chamber (art. 91, §2 WOG).


  4.  The report contains the following findings and refuted the following violations:


         Finding 1: Violation of the principle of lawfulness of processing and the

         necessity of the measure in accordance with Articles 5.1.a, 5.1.c, 6 and 9 of the AVG


         Finding 2: Violation of the principle of purpose limitation in accordance with Article 5.1.b of the AVG






1Available at the following link: https://www.gegevensbeschermingsautoriteit.be/burger/temperatuurcontroles-de-gba-neemt-
contact-with-brussels-airport
2
 AVG, recital 53.
3Data Protection Authority, 'Strategic plan 2020-2025',page 23.                                                                             Decision on the merits 47/2022 - 3/73



        Finding 3: Violation of the principle of transparency and the duty to disclose information in accordance with the

        Articles 5.1.a, 12 and 13 of the AVG


        Finding 4: Violation of the obligation to provide a pre-processing

        data protection impact assessment (breach of Article 35.1)

        Finding 5: Violation of the confidentiality principle and of the obligation to carry out technical

        and organisational measures to secure the data (Articles 5.1.f and 32

        AVG)

        Finding 6: Violation of data protection principle by design and by

        default settings (Article 25 AVG)


        Finding 7: Breach of the obligation to keep a full register of the

        processing activities

        Finding 8: Breach of the obligation to ensure the independence of the officer for

        data protection officer in accordance with Article 38.3 of the AVG


5.   On 5 October 2021, the Disputes Chamber decided on the basis of article 95, §1, 1°and article 98 of the
     CPC that the file could be dealt with on the merits. The defendant was informed of this by

     registered letter, as article 95, §2 and article 98 of the CPC

     Pursuant to Article 99 of the CPC, the defendant was also informed of the time limits for processing the case.

     to submit his claim.


6.   The deadline for receipt of the respondent's submission was
     set at 16 June 2021.


7.   On 20 May 2021, the defendant requested a copy of the file (art. 95, §2, 3° WOG), which was provided to him on 31

     May 2021 was transmitted to him.

8.   The defendant agreed to send all communications concerning the case electronically to

     and informed that he wished to avail himself of the opportunity to be heard

     pursuant to Article 98 of the CPC. He also requested an extension of the deadline to conclude

     until 1 September 2021.

9.   In its letter of 31 May 2021, the Disputes Chamber agreed to extend the

     conclusion period until9July2021. In an e-mail message dated1June2021, the Respondent requested a new

     for an extension of the conclusion period until 1 September.


10. In an e-mail message from the clerk of the Dispute Chamber dated 4 June 2021, the concluant was
     requested to file his submission by 23 July 2021.


11. On 23 July 2021, the Disputes Chamber received the respondent's brief.                                                                               Decision on the merits 47/2022 - 4/73



  12 On 6 September 2021, all parties were informed that the hearing would be held on 6 October

      2021 would take place.


  13. On 1 October 2021, the Dispute Chamber sent the Respondent a list of questions for preparation

      of the hearing.

  14. At the Respondent's request, the hearing was postponed until 22 October 2021.


  15. On 18 October 2021, the Disputes Chamber received the Respondent's Statement of Reply.


  16. On 22 October 2021, the parties were heard by the Dispute Chamber. In addition to the elements
      already set out in its conclusion, the Respondent submitted additional elements, with

      particularly in relation to transparency and confidentiality policy.


  17. On 18 November 2021, the transcript of the hearing was submitted to the parties.


  18. On 25 November 2021, the Disputes Chamber received the Respondent's comments on
      the minutes.


  19. On 15 February 2022, the Dispute Chamber informed the Respondent of its intention to issue a

      administrative fine, as well as the amount of this fine.


  20. On 9 March 2022, the Disputes Chamber received the Respondent's response regarding the
      intention to impose an administrative fine and the amount of the fine. This

      arguments are summarised under point 'III. Penalty'.






II. Justification


    II.1.Preliminary considerations


  21. The Disputes Chamber first notes that this decision concerns the processing of

      personal data within the context of the COVID-19 pandemic.

  22. In the context of this health crisis, unprecedented measures have been and are being taken that will increase the

      involve the processing of (special categories of) personal data.


  23. Given this crisis situation, the Dispute Chamber understands the urgency with which some of the

      these measures had to be taken by competent authorities and services and implemented by the
      concerned controllers had to be implemented. It also listens to the

      difficulties inherent in this situation. However, it should be stressed that this is nothing

      detracts from the fact that the AVG and other legislation on the protection of

      personal data, which provide essential protection for the rights and freedoms of the

      data subjects, still apply. Crisis situations do not justify Decision on the merits 47/2022 - 5/73




      On the contrary, such circumstances, in which a crisis situation occurs, do not justify a deviation from the provisions of the AVG.

      individual freedoms are often threatened, it is important to respect the legal framework

      with which abuses and violations of fundamental rights can just be prevented.


  24. The Data Protection Authority's monitoring of technological, commercial or other
                     4
      developments and the prior opinions of the Knowledge Centre shall not affect the

      duty of data controllers to comply with applicable law, nor the
      that they may be sanctioned by the Dispute Resolution Chamber where appropriate.





    II.2.Preliminary questions regarding the capacity of the Disputes Chamber of the
        Data Protection Authority as an administrative authority:



  25. In its conclusions, the defendant raises three preliminary questions that will be addressed

      before the case will be heard on the merits.

        II.2.1.  Failure to state reasons for the decision to hear the case on the merits for

            merits


  26. In its briefs, the defendant states that "the decision to take the file on the merits

      was not legally justified within the meaning of the Act of 29 July 1991 on formal

      reasoning of administrative acts and the case-law of the Brussels Court of Appeal, section

      Market Court." [free translation]

  27. According to the Market Court case law referred to, the Disputes Chamber is

      is obliged "to state in its statement of reasons the legal and factual considerations on which

      on which the decision is based, whereas such reasoning must be sufficient to justify the decision.

      substantiate the decision." [free translation] This duty to state reasons exists from both formal and substantive

      point of view. The Markets Court added that "it is sufficient to make the rationale clear, so

      succinctly, if necessary, in the decision itself." [free translation]


  28. The Disputes Chamber finds that these conditions have been met in this case. The decision to

      hear the case on the merits was in fact communicated to the defendant in a letter dated 5

      May 2021. The letter expressly stated that the decision to hear the case on the merits was

      is based on the findings of the Inspectorate's investigation report. The

      letter lists the eight possible breaches of the AVG identified by the Inspectorate and explains

      that these are the subject of a substantive investigation. The investigation report was

      incidentally also attached to the letter. The letter dated 5 May 2020 also further states that the decision




4
 Article 10 WOG.
5Brussels, (Markets Court section), (19th Chamber A), 21 January 2021, paragraph 7.3, available in French at
https://www.autoriteprotectiondonnees.be/publications/arret-du-27-janvier-2021-de-la-cour-des-marches-ar-1333.pdf.                                                                              Decision on the merits 47/2022 - 6/73



      to hear the case on the merits was taken on the basis of Articles 95, §1, 1° and 98 of

      the CPC.


        II.2.2. Lack of independence and impartiality of the
               Data Protection Authority


 29. The defendant argues in its brief that the Data Protection Authority as a whole

      fails in its duty of impartiality and independence. The

      Respondent bases this argument on several press articles, reporting on

      conflicts within the Data Protection Authority and the initiation of infringement proceedings

      by the European Commission.

 30. The Disputes Chamber notes first of all that the Respondent relies in very general terms on

      a lack of impartiality and independence of the Data Protection Authority

      invokes, without referring to specific facts or a specific member of the Authority, and without

      linking its considerations to any decision or administrative act of the

      Data Protection Authority in this case.


 31. At no point does the Respondent indicate how the independence or impartiality of
      the Dispute Chamber could be called into question.


       II.2.3. Misuse of power


 Criticism of the content and format of the inspection report, the assertion made on that basis

 and the resulting misuse of powers


 32. In its conclusion, the Respondent disputes that the Inspectorate has changed the form or content of a

      enforceable legal standard may be questioned in cases other than those in which Article 6 of the

      Act of 3 December 2017. He formulates this criticism as follows:

       "By openly criticising the ministerial decision and the protocol and its legality

       and then, on that basis, establishing that there has been an infringement of

       under concluant, the Inspectorate thus questions the substance of the legal basis

       on which concluant relied for the processing of personal data. Actually, the

       inspection thus questioning the content of a standard issued by the
       executive branch."  6


 33. Within the framework of its missions set out in Article 4 of the CPC, the

      Data Protection Authority "responsible for monitoring compliance with the

      fundamental principles of personal data protection." One of the fundamental principles of

      the right to protection of personal data is the principle of lawfulness, which is



6Conclusion of the defendant, §23. [free translation] Decision on the merits 47/2022 - 7/73




      laid down in Articles 5.1.a and 6 of the AVG. This principle establishes any processing of

      personal data subject to a basis for lawfulness, the

      controller must be able to demonstrate the existence of that basis on the basis of the principle of accountability laid down in Article 24 of
      the AVG.


  34. In this case, during the Inspectorate's investigation and in its

      conclusion, relied on Article 6.1.c as the basis for lawfulness. This article reads as follows:


        "The processing is necessary for compliance with a legal obligation imposed on the

        controller."

  35. In this regard, the Disputes Chamber recalls that, although the Inspectorate's

      investigating body of theGBA,onlytheDispute Chamber has the power to take a decision

      on the basis of the Inspectorate's findings. There can therefore be no abuse of

      jurisdiction by the Inspectorate, which is not competent to decide on the merits of the case.


  36. Furthermore, compliance with the principle of legality consists in verifying whether the land granted by

      the controller invoked legal obligation does exist and whether the

      processing is necessary to fulfil this legal obligation. It is therefore not the
                                                                                        8
      intention, as the respondent argues, to challenge the ministerial decision and the protocol, but rather to examine whether the processing carried out by the controller is necessary to comply with that legal obligation.
      but rather to ascertain whether the processing operations carried out by the controller are

      are lawful and fall within the legal framework established by those legal instruments.

      established. If, during its investigation, the Dispute Resolution Chamber finds that the standard on which a

      processing would be based on does not meet the requirements of the AVG, it may conclude

      that the processing is unlawful.


  37. This approach is also followed in the Inspectorate's investigation report in which with

      notably stating that "an investigation into the lawfulness of processing should include

      consider whether:

        - there is a public health reason in accordance with Article

            9.2.i of the AVG;


        - there is a legal provision on which the controller can validly rely

            invoke in accordance with Articles 6.1.c, 6.3 and 9.2.i of the AVG;


        - the processing operations in question are necessary:

              ▪ to fulfil the legal obligation invoked in accordance with Article 6.1.c;

                  and




7
 Article 28 of the Act of 3 December 2017 establishing the Data Protection Authority.
8Belgian FPS Mobility and Transport, Protocol 'Commercial Aviation Passengers' (see paragraph 62 et seq.).                                                                                      Decision on the merits 47/2022 - 8/73



                ▪ for public health reasons in accordance with

                    Article 9.2.i of the AVG. "9


  38. It is clear from this wording that the lawfulness of the processing will be examined

       and not the validity of the standards themselves. This is confirmed by the wording in which the

       Inspectorate describes the findings of its investigation. The Inspectorate states

       indeed, that the defendant is processing personal data without an appropriate legal framework, which in

       violates Articles 6.1, 6.3 and 9.2.i of the AVG. This shows that it is indeed processing

       itself that is deemed problematic.


  39. Based on these considerations, the defendant's argument regarding a possible

       abuse of discretion must be rejected.


  The fact that any fine would constitute an abuse of discretion


  40. Relying on the jurisprudence of the Market Court, the defendant cites that "since

       concluant never received a compliance order or any other sanction, and the

       processing subject to these proceedings was discontinued on 15 October 2020 for the

       controls on arrival and on 21 March 2021 for the controls on departure, it should be

       assumed that any possible financial penalty under the Dispute Chamber is a form of

       abuse of power would be, within the meaning of the case-law of the Brussels Court of Appeal,

       Markets Court section." [free translation]


  41. The Data Protection Authority, like all supervisory authorities, has the

       power to impose administrative fines to prevent the effective application of the

       AVG, in accordance with the text of the AVG itself. As can be seen from recital 148, in addition to or

       instead of some appropriate measures, an administrative fine may be imposed.                      10

       The Disputes Chamber applies Article 58.2.i of the AVG in this case. The possibility of imposing an


       administrative fine is thus in no way dependent on a prior order to

       comply with the rules. The effectiveness of the application of the AVG would be compromised,

       if controllers were to hide behind the lack of a prior




9Investigation report, p. 25. [free translation]
10
  Recital 148 reads as follows: "In order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, should be imposed for any breach of the Regulation in addition to, or instead of, the imposition of fines.
Penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of any
appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If the infringement is
a minor infringement or if the likely fine would impose a disproportionate burden on a natural person, a fine may be chosen instead of a fine.
instead of a fine, a reprimand may be chosen. However, the nature, seriousness
and duration of the breach, the intentional nature of the breach, harm reduction measures, the degree of
responsibility, or previous relevant breaches, how the breach came to the attention of the supervisory
authority, with compliance with measures taken against the controller or the
processor, with adherence to a code of conduct and with any other aggravating or mitigating factors. The imposition of
penalties, including administrative fines, should be subject to appropriate procedural safeguards
in accordance with general principles of Union law and the Charter, including effective remedy and

due process of law. See also the guidelines of the European Data Protection Board on the application of
administrative fines of 3 October 2017, WP 253, which confirms that authorities may choose to apply
cumulate several measures, including an administrative fine."                                                                               Decision on the merits 47/2022 - 9/73




      default notice could hide in order to escape a fine. Therefore, the

      AVG and WOG provide for various remedies, including the remedies provided for in Article 100, §1, 8° and 9°

      of the WOG. The supervisory authority must always take appropriate

      measure to ensure the effective application of the AVG, using

      haardiscretionarycompetencedefinedbytheprocedural safeguardsand the fact that

      fines must be 'effective, proportionate and dissuasive'.12










        II. 3. Tengronde

               II.3.1 Identification of the processing operations at issue and applicability of the AVG



  42. The documents in the file and the investigation report of the Inspectorate show that the file

      relates to temperature measurements taken by the defendant at Brussels South Airport.

      Charleroi in the context of the COVID-19 pandemic.


  43. The system used involves two separate procedures: one for departing flights and

      one for arriving flights.


  44. For the departing flights, the defendant introduced a temperature check for all

      passengers departing from Brussels South Charleroi and their companions. In the pre-checking tent

      two thermal imaging cameras were installed. With these cameras, an initial

      temperature measurement was taken. The aircraft was monitored by the Red Cross and the

      fire services of the defendant.


  45. If the temperature exceeded 38°C, the person concerned was subjected to a second test

      This was carried out by the person who held the screens in the holes, with the help of

      of a digital forehead thermometer. If the temperature again exceeded 38°C, the
      the passenger was requested to proceed to the sickbay where a new temperature reading

      was taken with adigital thermometer under the arm. If the temperature at this third measurement

      was again above 38°C, the fire brigade was informed by radio or telephone on the

      number 112. A fireman was responsible for taking the anamnesis of the affected

      person. This involved asking the passenger additional questions to ascertain whether he was







11Market Court, NDPK t. GBA, 7 July 2021. Available at: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-juillet-
2021-de-la-cour-des-marches-ar-320-disponible-en-neerlandais.pdf

12Art. 83.1of the AVG.                                                                          Decision on the merits 47/2022 - 10/73



    had other typical symptoms of COVID-19. The information was exchanged orally

    without notes being taken of it.


46. If this led to a suspicion of COVID and the airline with which the passenger was

    flew did not allow people with fever on board, the passenger was denied access to the terminal

    denied.

47. The system was introduced on 15 June 2020. It was operational during the opening hours of the

    airport (between 04:00 and 21:00). The Red Cross was at the procedure until 6 November

    involved. From that date, this task was taken over by the fire service of the

    defendant. Controls ended on 22 March 2021. Between 15 June 2020 and 31

    October 2020, about 457,000 passengers were checked on departure.

48. TheBelgianRed Cross had to fill in a document each day which had to state

    how many passengers had a temperature above 38°C and the body temperature of

    these passengers was. The document did not contain the first or last names of these people and was

    destroyed every week.

49. On arrivals, the system was operational from 7 September 2020 to 15 October 2020. The

    included the use of 6 thermal imaging cameras to monitor the temperature of the

    passengerswho arrived from a red zone.The aircraft was kept under surveillance by theRed Cross

    and fire services. If the temperature exceeded 38°C, the passenger received a

    document asking him to watch for other possible symptoms of COVID and to
    contact a doctor if required.


50. According to the defendant, the system was only used for incoming flights from a red

    zone. The defendant states it cannot say how many affected persons from a red zone

    returned and underwent a body temperature check.

51. The thermal imaging cameras are equipped with software that sounds an alarm when a

    temperature of 38°C or higher is detected. At that time, an image of the

    passenger with his mask in the computer's event centre. At the request of the defendant

    the cameras were configured for a pre-alarm at 37.5°C and an alarm at 38°C.


52. The cameras' software temporarily stores the most recent twenty alarm images in the
    cache memory. At the end of each day, they are deleted.


53. The Inspectorate notes that the thermal imaging camera system installed by BSCA nv

    used must therefore be regarded as an automated process for processing

    of personal data falling within the material scope of the AVG pursuant to Article

    2.1 of the AVG, as images of
    passengers with a temperature above 38°C.                                                                              Decision on the merits 47/2022 - 11/73




 54. The Inspectorate also notes that the processing operations covered by this report involve

      data on health within the meaning of Article 4.15 of the AVG, as they are an aspect of

      a person's physical health, namely fever. The Inspectorate also considers that the
      oral history may contain other information of a medical nature.


 55. The defendant has not disputed these two determinations by the Inspectorate. The

      Disputes Chamber specifies, however, that the data processing at issue is limited to the

      images taken with the thermal imaging cameras. The subsequent steps in the

      procedure (taking the temperature without images and anamnesis) do not involve any processing

      of personal data within the meaning of Articles 2.1, 4.1 and 4.2 of the AVG. Measuring the

      temperature using a manual thermometer does not constitute processing of

      personal data within the meaning of Article 4.2 of the AVG, since this measurement - as far as the
      Disputes Chamber is aware - was not subjected to any of the processing mentioned in that article.    13






        II.3.2 Identification of the controller



 56. The Inspectorate notes that BSCA nv has been identified for the

      processing operations must be regarded as the controller in accordance with Article 4.7of

      the AVG. The Inspectorate bases this conclusion on the fact that the Respondent is itself

      asdusdanigansandhasconcludedanagreementwithboththeBelgianRedKruisand

      I-CARE SPRL for the supply of the thermal imaging cameras.

 57. This finding is not disputed by the Respondent. The Disputes Chamber follows the

      Inspectorate on this point, moreover.


       II.3.3 Finding 1: Breach of the principle of lawfulness of processing and

       necessity of the measure in accordance with Articles 5.1.a, 5.1.c, 6 and 9 of the AVG



       Findings of the Inspectorate



 58. The investigation report shows that the Respondent relies on Articles 6.1.c and 9.2.i of the

      AVGas the basis for legitimacy of processing. The two articles are reproduced below
      reproduced:




                                               "Article 6




13The recording and/or communication of data resulting from the manual temperature measurement and anamnesis to an
arbitrary recipient (such as an airline) would, however, constitute such processing.                                                                               Decision on the merits 47/2022 - 12/73




                                    Lawfulness of processing

        Processing shall be lawful only if and to the extent that at least one of the following

        conditions are met:

                                                       [...]

           (c) the processing is necessary to comply with a legal obligation imposed on the

           controller;"





                                                 "Article 9

                        Processing of special categories of personal data



      1. Processing of personal data revealing racial or ethnic origin, political opinions,

        religious or philosophical beliefs, or trade union membership, and

        processing of genetic data, biometric data for the purpose of unique

        identification of a person, or data concerning health, or data relating to

        a person's sexual behaviour or sexual orientation are prohibited.



      2. Paragraph 1 shall not apply if any of the following conditions are met:

                                                       [...]
           (i) the processing is necessary for reasons of public interest regarding the

            public health, such as protection against serious cross-border threats to the

            health or ensuring high standards of quality and safety of the

            healthcare and of medicinal products or medical devices, under Union law

            or Member State law providing for appropriate and specific measures to

            protect the rights and freedoms of the data subject, in particular the

            professional secrecy."



  59. With regard to the legal obligation ofarticle6.1.c, the investigation report states that the

      Respondent invokes Article 4 of the Ministerial Decree of 30 June 2020 containing

      urgent measures to limit the spread of coronavirus COVID-19.             14This

      ministerial order followed several similar ministerial orders and was subsequently

      replaced by a succession of other ministerial decrees. The most recent on the

      time of writing the research report is the ministerial order of 28 October 2020.    15

      It was only in the course of the Inspectorate's investigation that the complainant referred to the legal grounds.




14Ministerial Decree of 30 June 2020 on urgent measures to limit the spread of the coronavirus COVID-19
limit.

15Ministerial decree of 28 October 2020 on urgent measures to limit the spread of coronavirus COVID-19.
limit.                                                                             Decision on the merits 47/2022 - 13/73



60. Article 4 of the Ministerial Decree of 20 June read as follows:


     "Without prejudice to Article 5, the companies and associations that exercise goods or services

      offer to consumers and, from 1 September 2020, organisers of trade fairs.

      including fairs, shall carry on their activities in accordance with the Protocol or the arrangements made for that purpose at the

      website of the competent government department published minimum general rules. [...]"


61. This article was repealed by Ministerial Decree of 18 October 2020, Article 5 of which reads as follows

     of Article 4 of the Ministerial Decree of 30 June 2021. This decree was subsequently

     replaced by a ministerial order of 28 October 2020, article 5 of which read as follows:


     "Without prejudice to Article 8, companies and associations that offer goods or services
      offer goods or services to consumers shall carry out their activities in accordance with the Protocol or the arrangements made for that purpose on the

      website of the competent public authority."



62. Theseministerialdecisionsrequirethatcompaniesandassociationswhich

     offer goods or services to consumers must carry out their activities in

     accordance with the protocol or minimum rules published on the website of the competent
     public administration published. The protocol applicable to the defendant is a

     protocol entitled 'Commercial Aviation Passengers' of the Belgian FPS Mobility and

     Transport (hereinafter 'the Protocol').


63. The Protocol contains on page 5 specific health measures applicable to

     airports, including the following measure:



















64. The Inspectorate also notes that the Protocol contains the following provision:                                                                             Decision on the merits 47/2022 - 14/73
















65. The paragraph copied above on checking the temperature of passengers

     comes from Chapter 2 of the Protocol.

66. The Inspectorate noted thattheProtocolwaspublishedon12October2020onthewebsite

     of the FPS Mobility and Transport.


67. The investigation report shows that with regard to the reasons of general

     public health interest in accordance with Article 9.2.i of the AVG specifies that the

     more specifically, "the protection against serious cross-border threats
     to health, in this case the COVID-19 epidemic." [free translation] In this context, he points out

     that recital 46 of the AVG explicitly mentions the control of epidemics.


68. Furthermore, the Respondent indicated (Exhibit 7) that the processing within the established legislative framework

     i.e. the Ministerial Decision of 30 June 2020 and the Protocol.

69. On the basis of Articles5.1.a,6.1,6.3and9.2.ivof theAVG, the Inspectorate considers that, in order to be

     of the lawfulness of the processing, it is necessary to verify the following

     elements below.


70. Firstly, the Inspectorate considers that the fight against the spread ofCOVID-19shouldbe
     a matter of general public health concern in accordance with Article .

     9.2.i of the AVG.


71. Second, the Inspectorate believes that the data were collected without an appropriate legal framework

     processed, in violation of Articles 6.1.c, 6.3 and 9.2.i of the AVG, so the processing was therefore

     was unlawful. To reach this conclusion, the Inspectorate relies on the following
     elements:


        - the purpose of the invoked standard was not established by law and, moreover, the Protocol has

         a different purpose than the ministerial decree;

        - the basic modalities for measuring body temperature were not defined

         by law;
        - the foreseeability of the Protocol is problematic as it was not published;

        - the legal norms invoked are not laws in the strict sense; Decision on the merits 47/2022 - 15/73




         - the legal norms invoked do not provide for the necessary safeguards that the processing

           framing.



  72. Third, the Inspectorate believes that the extent to which it was medically necessary is disputed

      to check the passengers' body temperature.



      Position of the defendant




  73. In its conclusion, the Respondent recalls the legal framework for data processing: the
      successive ministerial decisions and the Protocol, which is binding on the Respondent.


  74. The Respondent further considers that the existence of a public interest in the field of the

      public health under Article 9.2.i is clearly demonstrated in this case.


  75. He is also of the view that there is a statutory provision on which the

      controller can validly invoke in accordance with Articles6.1.c,6.3and9.2.i

      of the AVG.


  76. He argues the following four elements to demonstrate this:


         - First, as already explained above (para. 32

            et seq.), that it is not for the Inspectorate to rule on the validity of a

            legal or enforceable standard. The Service is only required to verify whether a legal

            obligation exists that makes the processing valid under Article 5.1.c (sic) of the

            AVG.



         - He then argues that the temperature measurements were imposed on him by the

            Protocol, which was itself mandated by the ministerial decisions. The defendant argues

            for the first time expressly that these ministerial decisions were based on Article 4 of the
                                        16
            Act of 31 December 1963 (hereinafter 'the Civil Protection Act') and the Act of 15 May
                  17
            2007 (hereinafter 'the Civil Security Act'). The defendant states that these

            laws were endorsed by the Council of State as the legal basis for the ministerial

            decrees. The defendant also states, for the first time in its conclusion, that it relies on the
                                                                   18
            Decree of 23 June 1994 (hereinafter 'the Walloon Decree'). He adds that the ministerial
                                                                                                       19
            decrees were ratified by the Council ofState in a judgment of30 October 2020. The




16Law of 31 December 1963 on civil protection.
17Law of 15May 2007 on civil security.

18Decree of 23 June 1994 on the creation and operation of airports under the Walloon Region.
19Arrestnr.248.818oftheCouncilofStateof30October2020,availableathttp://www.raadvstconsetat.be/arr.php?nr=248818.                                                                              Decision on the merits 47/2022 - 16/73




            The defendant reports having participated in the workshops for the drafting of the
            Protocol, together with FPS Mobility, the airports and the main Belgian

            airlines.



        - Regarding the purpose, basic modalities and delay in publication, the

            Respondent that it cannot be held responsible for compliance with these

            obligations (which are not imposed by Article 9.2.ivof theAVG)and that these matters are not

            affect its obligation to implement the measures set out in theProtocol.



        - With regard to the condition that the processing must be necessary, the
            defendant - like the Inspectorate - that it is not for the GBA to pronounce on

            the medical necessity of thermal imaging cameras to prevent the spread of COVID-19

            counter. The Respondent also questions whether it is possible to make this retrospective analysis

            and recalls the uncertainty at the time. He adds that at that time

            no other pragmatic solution was available to meet the requirements of the imposed

            Protocol. He also notes that no actual COVID tests were being

            performed, but only temperature checks. The term 'positive/negative tests' is

            irrelevant, according to him. He adds that as many as 65 other European
            airports introduced such systems and that at his airport they have not been

            being used anymore (see paragraphs 47 and 49). He adds that he has no interest in

            in the processing of the data and notes the risk involved,

            is very limited. He concludes that the processing was necessary at the time and proportionate

            was proportionate to the purposes of the processing.



  77. At the hearing, the Respondent stated that the decision to stop the temperature measurements was

      was taken because of the increased use of PCR tests and the introduction of the
      quarantines, as well as due to financial considerations.20


  78. The defendant explains that,as far as the departing flights are concerned, only three people after the

      taking their temperature were requested not to enter the terminal. If they did

      wanted to do so, their identity would have been communicated to the airline. The

      final decision to allow them to board or not, according to the international

      law would have rested with the flight commander.

  79. In relation to other legal basesthe Protocol, the defendant maintained during the hearing that

      he was subject to a legal obligation under the Protocol, even though he believes that

      the Protocol was clumsily drafted which could give rise to various




20Notes to the PV of the hearing held on 22 October 2021, p. 1.                                                                                      Decision on the merits 47/2022 - 17/73




       interpretations.The defendant added that he was not involved in the drafting of

       Protocol and believes that a law would have been more appropriate. He adds

       that the EASA guidelines are not always clear either.    22 He also notes to have

       requested government intervention regarding the legality of the

       processing after the Inspectorate opened an investigation.





      Assessment by the Disputes Chamber



  80. The Dispute Chamber underlines that a processing of personal data is only lawful

       if it is done on a legal basis as referred to in Article 6.1 of the AVG.


  81. Sinceinthiscaseitwasfound(seeabove)thatthescreeningsystemalsotheprocessingof

       special categories of personal data (more particularly of data


       concerning the health of data subjects within the meaning of Article 4.15 of the AVG), the

       controllers must also demonstrate that one of the conditions set out in

       Article 9.2 of the AVG that prohibit the processing of this type of

       personal data does not apply. As the Disputes Chamber has previously

       held, 23the processing of special categories of personal data within the meaning of

       Article 9 of the AVG must indeed be based on Article 9.2 of the AVG, read in conjunction with

       Article 6.1 of the AVG. This was established by the European Commission and the EDPB.           24 It becomes


       also confirmed by recital 51 of the AVG which states the following about the processing of

       special categories of personal data: "In addition to the specific requirements for those

       processing, the general principles and other rules of this Regulation should be

       applied, in particular as regards the conditions for lawful processing."              25




      Application of Articles 6.1.c and9.2.i of the AVG to this case



  82. In this case, during the discussion with the GBA, the controller stated that it was


       based on Articles 6.1.c and 9.2.i of the AVG.




21Notes to the PV of the hearing held on 22 October 2021, page 2.
22See also the Inspectorate's response dated 24November 2020.

23Cfr the decision on the merits 76/2021, paragraph 33, available at:
https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-76-2021.pdf.
24
  In this regard, see: GEORGIEVA, L. and KUNER, C., "Article 9. Processing of special categories of personal data" in KUNER, C.,
BYGRAVE,L.A.andDOCKSEY,C.,TheEUGeneralDataProtectionRegulation(GDPR).ACommentary,OxfordUniversityPress,Oxford,
page 37: "The Commission has stated that the processing of sensitive data must always be supported by a legal basis under Article 6
GDPR,inadditiontocompliancewithoneofthesituationscoveredinArticle9(2).TheEDPBhasalsostatedthat'Ifavideo surveillance
systemisusedinordertoprocessingspecialcategoriesofdata,thedatacontrollerermustidentifybothanexceptionforprocessingspecial

categories of data under Article 9 (i.e. and exemption from the general rule that one should not process special categories of data)
and a legal basis under Article 6."
25Especially vetoed by the Disputes Chamber.                                                                                 Decision on the merits 47/2022 - 18/73




  83. The Disputes Chamber emphasises that the controller can only rely on

      the legality basis of Article 6.1.c and to the exception provided for in Article 9.2.i of the AVG

      if it demonstrates:

        (i) that there is an important public health reason

                (Article 9.2.i.);

        (ii) that a legal provision exists on which the controller relies

                may validly invoke in accordance with Articles 6.1.c, 6.3 and 9.2.i of the AVG;



        (iii) that the processing operations in question are necessary
                o to fulfil the legal obligation invoked in accordance with Article

                    6.1.c; and

                o for reasons of public interest in the field of public health

                    in accordance with article 9.2.i.



  84. With regard to the first constitutive element of Article 9.2.i of the AVG, namely the

      existence of a 'compelling public health interest',doubts

      in its investigation report, the Inspectorate does not doubt the existence of such an interest in this case.

      In this regard, the Disputes Chamber finds that there is indeed a 'substantial

      public health interest' within the meaning of Article 9.2.i of the AVG. The

      Disputes Chamber indeed finds that there can be no doubt that combating the

      COVID-19 pandemic should be considered as such. As also argued by the Respondent,
      this is expressly stated in recital 46 of the AVG which refers to "[the

      monitoring] of an epidemic and its spread" as a "weighty reason of general

      interest".


  85. The second constitutive element relates to the existence of a legal provision

      on which the processing in question is based in accordance with Articles 6.1.c and 9.2.i of the AVG.


  86. In accordance with Article 6.3 of the AVG, viewed in the light of recital 41 of the AVG, the

      processing of personal data necessary for the fulfilment of a legal
                  26
      obligation and/or for the performance of a task of public interest or a task within the framework of
                                                                                                          27
      the exercise of official authority vested in the controller,
      be based on clear and precise rules, the application of which is foreseeable for

      those to whom it applies.


  87. Article 6.3 of the AVG stipulates more specifically in this regard: 'The legal basis for the data referred to in paragraph 1,

      points (c) and (e), must be established by: a) Union law; or b) the



26
  Article 6.1.c of theAVG.
27Article 6.1.e of theAVG.                                                                           Decision on the merits 47/2022 - 19/73



    Member State law applicable to the controller. The purpose of the

    processing shall be established by the Member State law or shall be in relation to the

    processing is necessary for the performance of a task carried out in the public interest or for the performance of

    public authority vested in the controller."


88. Recital 41 of the AVG specifies in this regard, "Where reference is made in this Regulation to a
    legal basis or a legislative measure, it does not necessarily require that a

    legislative act adopted by a parliament is necessary, without prejudice to the requirements

    in accordance with the constitutional order of the Member State in question. This legal basis or

    legislative measure must, however, be clear and precise, and its application must be

    foreseeable for those to whom it applies, as required by the case law of

    the Court of Justice of the European Union ('Court of Justice') and the European Court of Human Rights
    of Human Rights."


89. With regard to the legal basis invoked by the defendants, it should be noted that

    the processing at issue as such is not subject to the Decree on the Establishment

    and Operation of Airports and Aerodromes, nor to the Ministerial Decree or the Law

    on civil security (see points 59 et seq. and 76 et seq. above).This processing is foreseen
    intheProtocolCommercialAir Navigation,whichisprovidedforbytheFederalGovernment ServiceMobilityTransport

    (DG Aviation) after negotiations with the industry concerned. This is reflected in the

    wording of article 1, 3° of the ministerial decree: "protocol: the document determined by the

    competent minister in consultation with the sector concerned (...)". This is also evident from the documents in the

    file and from the e-mail message sent by the competent minister's office on 11 June 2020 to the

    airport operators, airlines and regional authorities. The
    Disputes Chamber argues that in the context of Article 6.3 and recital 41 of the AVG

    cooperation and consultation with the industry is not a problem in itself, provided that the

    obligation is expressly imposed by a law in the broad sense. This is not the case here (see

    below).


90. In this regard, the Disputes Chamber refers in particular to the Privacy International judgment of the
    Court of Justice of 6 October 2020, in which the Court stated that the regulation in question was clear and

    must contain clear and precise rules 'on the scope and application of the measure concerned'.

    [and impose minimum requirements], so that those whose personal data are at issue

    have sufficient guarantees that those data are effectively protected

    against the risk of misuse." And the Court added: "That regime must be legally binding

    be binding under domestic law and specify, in particular, the circumstances and conditions in which
    conditions under which a measure providing for the processing of such data may be

    and thus ensure that interference is limited to what is strictly necessary.

    considerations apply in particular where the protection of a special

    category of personal data, namely sensitive data.                                                                            Decision on the merits 47/2022 - 20/73




 91. In relation to the said standards, the defendant in its reply states that the

      Council ofState with its judgment of30October2020 "the legal basis ofarticle4oftheLaw of

      31december1963endeartikelen181,182en187vandeWetvan15mei2007[heeft]goedgekeurd.”

      It should be noted, however, that the aforementioned judgment does not cover the use

      of this legislation as a legal basis for the processing of (special categories of)

      The judgment

      relates to the closure to which restaurants and public houses in the context of COVID-

      19 were required and is therefore not relevant to this case. More importantly, the judgments
      of the Council ofState concern the legality of the measures adopted by ministerial

      order were imposed. However, it should be pointed out that ministerial decisions in the

      Belgian law have a clear normative character. However, this is not the case for the

      Protocol in question.


 92. This was moreover confirmed by the Council of State in its Opinion No 69.253/AG of 23 April 2021,

      issued by the General Assembly of the Legislative Section, in which it stated the following

      position:


 93. "Of two after all, one: either the protocols have no ordained character but then the

      concretisations they contain are not binding, the protocols cannot deviate from the

      ministerial decree, and their compliance cannot be monitored and enforced by the

      instituting criminal proceedings for non-compliance with them; alternatively, the protocols are, however, regulatory

      and the measures they contain are binding, but then these measures must be
                                                                  28
      included in decisions of the competent authority for that purpose."

 94. With this position, the Council of State responds to the question of the Minister's deputy

      regarding the legal value of the Protocol:


 95. "The protocols and guides constitute an indicative assessment framework. The protocols and guides

      can only concretise ordinance measures, as stipulated in the MB, but are not themselves

      ordinative." 29


 96. Moreover, the Disputes Chamber notes that the French Council of State stated the following about

      the processing of special categories of personal data using

      thermal imaging cameras without a valid legal basis: 'It can be assumed that compliance with

      the legal conditions for processing personal data concerning health

      as referred to inarticle9.2.goftheAVG,asthereisnotextthattheuseofthehehemedicatedhealthcameras




28The Council of State reiterated this paragraph in its opinion 69.305 of 6 May 2021. Opinion no. 69.253/AG of 23 April 2021 is the
first opinion issued by the Council of State on the successive ministerial decrees (see paragraph 62 et seq.). Due to the
urgency, the opinion of the Legislative Section of the Council of State had not been sought in advance. This is therefore the first

opinion of the Council of State on the issue of protocols provided for in these successive ministerial decrees.
29Department of Legislation of the Council of State, No 69.253/AG of 23 April 2021, p. 42.                                                                                Decision on the merits 47/2022 - 21/73



      regulates thermal imaging cameras deployed by the municipality and specifies that the public interest so

      makes it necessary." 30[free translation]


  97. During the hearing, the defendant also stated that he considered the legal basis unclear

      and that a statute would have been more appropriate.31


  98. Accordingly, the Disputes Chamber finds that the Protocol does not provide a valid legal basis for the

      processing within the meaning of Article 6.1 of the AVG.


  99. Further, as regards the non-binding nature of the invoked Protocol, the

      Disputes Chamber notes the following on the basis of the documents:


    - The Protocol says: "Measuring the body temperature of the passengers so that they can communicate with

        an "immunity passport" is not recommended by EASA and the ECDC. The

        EASA recalls that the relevance of such measurement is not substantiated by current

        scientific knowledge of SRAS-CoV-2. Nevertheless, EASA and ECDC follow the

        scientific developments and will update their recommendations as appropriate if a

        suitable test becomes available.


            At the request of airlines operating flights there, the airport of

            Charleroi (Brussels South Charleroi Airport), however, has decided to make tests for measuring

            body temperature for persons entering the airport building.

            entering. The airport guarantees that the method chosen will not cause any

            delay, nor a concentration of persons at the entrance to its infrastructure will

            cause." 32


    - The airport has twice taken the initiative to stop processing. This is evident from

        its reply to the question of 6 January 2021 in which it stated that measuring the

        temperature on arrival was stopped at the airport's initiative on 15 October 2020. In

        relation to arrivals, the Respondent, in its letter of 18 October 2021, stated the

        following: "The Respondent has implemented the temperature measurement system for the departing

        flights on 22 March 2021 due to the additional measures taken by the


        variousnationalgovernmentswereimplementedtocontrolthespreadofcoronavirusagainst

        "[free translation]This was reiterated during the hearing as the defendant clearly

        indicated that, when processing ceased in March 2021, "the cessation was a decision of
                    33
        BSCA."





30French Council of State, ordinance of 26 June 2020, no. 441065. Available at: https://www.conseil-etat.fr/decisions-de-
justice/dernieres-decisions/conseil-d-etat-26-juin-2020-cameras-thermiques-a-lisses
31
  See paragraph 79 above.
32End veto mark of the Disputes Chamber.
33
  Notes to the PV of the hearing held on 22 October 2021, p. 1.                                                                               Decision on the merits 47/2022 - 22/73




100. For the Disputes Chamber, these elements demonstrate - quite apart from the question whether there is a legal
      basis exists - that the Protocol specifically for temperature measurement has no binding character.


101.  Furthermore, the Disputes Chamber is of the opinion that, for the reasons stated below, the Protocol is not

      meets the requirements of Article 6.3 of the AVG and European case law.


            The purpose(s) of the contested processing(s) is (are) not stated in the invoked
            standards do not state in a sufficiently clear and coherent manner



102. As mentioned above, under Article 6.3 of the AVG, the legal basis of the standards set out in paragraph 1,

      points (c) and (e) must be determined by Union law or Member State

      law applicable to the controller.Recital 45 specifies that: "The

      should also be Union law or Member State law which determines the purpose of the processing. Furthermore

      that law could specify the general conditions of such

      Regulation that personal data processing must fulfil in order to be lawful, and

      could lay down specifications for determining the controller, the type of

      personal data processed, the data subjects, the entities to which the personal data
      may be disclosed, the purpose limitation, the storage period and other measures to

      ensure lawful and proper processing. Also, Union law or member state

      law should establish whether the controller entrusted with a task of

      public interest or a task carried out in the exercise of official authority, a

      public authority or another person governed by public law (...)."


103. However, the Disputes Chamber finds that the standards invoked by the Respondent do not
      unambiguously and clearly set out the precise purpose of the processing. Nor do they contain

      them the basic modalities of the processing, as listed in the previous paragraph.


104. With regard to the Ministerial Decree of5 June 2020, the decree on the establishment and

      operation of airports and airfields, and law on civil security should be

      none of these three standards mention the processing at issue. From the

      wording of the ministerial decree shows that the purpose of the

      measures is to "limit the spread of coronavirus COVID-19."

105. The Commercial Aviation Protocol - which does refer to the processing at issue - also contains

      no clear definition of the purposes of pre-trial processing. The title of the protocol

      of the document that the objective of the measures it contains is "to ensure the

      restart of activities related to commercial aviation passengers".




            The processing modalities were not defined in the Protocol


34Specific boldface mark of the Disputes Chamber.                                                                             Decision on the merits 47/2022 - 23/73





106. As explained above, in accordance with Article 6.3 of the AVG, read in

      conjunction with Article 22 of the Constitution and Articles 7 and 8 of the Charter of the

      Fundamental Rights of the European Union, a legislative norm should lay down the essential characteristics

      of a data processing operation necessary for the performance of a task of general

      interest or in the exercise of official authority vested in the controller.
      is entrusted with. In this regard, the aforementioned provisions emphasise that the processing in question must be

      be framed by a sufficiently clear and precise standard whose application for

      the persons concerned is foreseeable.


107. The Commercial Aviation Protocol lays out the essential elements of the processing at issue

      however, in no way defines it. It leaves a wide margin of appreciation to processors
      as to how the measurement of body temperature should be

      carried out. Consequently, the Protocol leaves airport controllers free to carry out this screening already

      or not with processing of personal data and even to determine the other modalities

      determine, such as the number of temperature measurements, the technology used, the type and the

      amount of data processed and the retention period of the data.



           The foreseeability (or unforeseeability) of the Commercial Aviation Protocol



108. TheEuropean Court of Justice imposes the requirement of foreseeability of legislation.Theappeals

      standards should further be made sufficiently accessible to those concerned by their publication

      particularly as regards their nature and legal effects on the person concerned.

109. In this regard, it should be noted that the Protocol does not determine the consequences for

      a data subject who refuses to submit to temperature control. This element appears

      only from the joint operational guidelines of EASA and ECDC. The purpose of the

      identification and the principle of monitoring by imaging are also not apparent from the

      Protocol. Moreover, the Protocol was not published timely and correctly. Indeed, it was published on the

      website of the Federal Public Service of Mobility and Transport after it applied

      became applicable.

110.  Because these modalities are not defined in the invoked standard or instrument,

      create important derivative risks to the rights and freedoms of data subjects (e.g.

      finality blurring and complicating the exercise of data subjects' rights).

      In accordance with the case-law of the Court of Justice cited above (Privacy
      International), this does not satisfy the condition that a law (even in a broad sense)

      provide for appropriate and specific measures to protect fundamental rights and the

      fundamental rights and freedoms of data subjects.                                                                           Decision on the merits 47/2022 - 24/73



111.  The Disputes Chamber notes the urgency with which the measures were taken in the

      context of the fight against theCOVID-19 pandemic. However, it stresses that this does not alter the

      that the requirements of the above-mentioned provisions must be complied with. They constitute a

      essential protection for the rights and freedoms under the regulation of the

      protection of personal data.


112.  As a controller, under the principle of the
      accountability obligation under Articles 5.2and24oftheAVG('accountability'), the defendant is responsible for

      compliance with personal data protection principles (including

      lawfulness and necessity) and must be able to demonstrate that it has complied with its legal

      obligations.The Disputes Chamber reiterated that the defendant's failure to

      lack of clarity of the Protocol.


113.  The Disputes Chamber stresses that, from the outset of the disputed
      processing should have ascertained the existence of a valid legality and

      ground for exception within the meaning of Articles 6.1 and 9.2 of the AVG. From the analysis of the documents

      of the file shows that this ground of lawfulness at the start of the processing was not

      explicitly established. This is also evidenced by the absence of any concrete reference to the

      relevant legal basis in the defendant's privacy notice (cf. infra). Only during the

      Inspectorate's investigation, mention was first made of this legal basis, which was

      was then incompletely included in the privacy policy from 2 December onwards.

114.  It should also be stressed that the legal standards on which the

      controllers invoke do not impose any obligation and do not impose any

      legal framework for the implementation of a temperature control involving personal data

      are recorded.

115.  The Disputes Chamber therefore concludes that the second constitutive element has not been demonstrated.


116.  With regard to the third constitutive element, namely that the processing operations in question were

      must be necessary to fulfil the invoked legal obligation pursuant to Article 6.1.c

      as well as for reasons of public interest in the area of public health in accordance with Article 9.2.i.


117.  The Disputes Chamber firstly considers that the reference to other similar processing operations
      in 65 other European airports is not relevant as evidence that the

      necessity requirement has been met in this case. In this regard, it points out that the enumeration in the

      conclusion of the first defendant also implies that a (significant) number of airports

      (including Belgian airports) have not used the

      The Disputes Chamber also notes that the Protocol indicates that

      processing would be implemented at only two airports in Belgium (the airports


35See paragraph 76 above.                                                                            Decision on the merits 47/2022 - 25/73




      of Charleroi and Zaventem), without affecting the other airports on the Belgian territory.

      mention.

118.  With regard to compliance with the principle of necessity in the context of the disputed

      processing, the Disputes Chamber, like the Respondent, stresses that it cannot express an opinion

      on the medical necessity of this measure in the context of combating COVID-19 as

      as such, nor on the scientific accuracy and correctness of the quoted

      views and reports. However, this analysis is not necessary to make a judgment on the necessity of the

      processing from a legal point of view.


119.  The Disputes Chamber did note, however, that theProtocolCommercialAir TransportoftheMinisterof
      Mobility - both in its version of 11 June 2020 and that of 31 July 2020 - states on page 5 the following

      states:


      "Measuring the body temperature of passengers so that they can use a

       'immunity passport' is not recommended byEASAandECDC. TheEASA

       recalls that the relevance of that measurement is not substantiated by current
                                                      36
       scientific knowledge of SARS-CoV-2. (...)."



120. The Disputes Chamber therefore finds that the legal basis put forward by the defendant itself is

      states that the need for the processing in question has not been demonstrated. It therefore concludes
      that the necessity of the processing as required by Articles 6.1.c, 6.3 and 9.2.i of the AVG is not

      been demonstrated.


121.  In this regard, the Disputes Chamber notes that the Commercial Aviation Protocol and the other

      standards invoked by the Respondent do not constitute a valid basis for processing and

      concludes that there was a breach of Articles 6.1.c, 6.3 and 9.2.i of the AVG.



                         37
    II.3.Finding 3 : Breach of the principle of transparency and the obligation to provide information
    in accordance with Articles 5.1.a, 12 and 13 of the AVG




122. The Inspectorate notes that the individuals involved in the processing fall into two categories

      can be divided into: passengers and any accompanying persons (at departure) and persons coming from

      returning from a red zone (on arrival).


123. The modalities for providing information may also differ, since part of

      communication modalities apply to all stakeholders, whereas certain additional information



36
  Commercial Aviation Protocol, page 5. Dispute Chamber's own boldface mark.
37For the sake of readability and for proper understanding of the decision, finding 3 is discussed before finding 2.                                                                              Decision on the merits 47/2022 - 26/73



      communicated only to the departing passengers and their escorts, if any. This

      information is provided using the following four means of communication:


        - an information banner on the defendant's website;

        - an FAQ page on the Respondent's website;

        - the internal regulations published on the website and displayed before the
            passengers' body temperature checks;

        - the privacy statement on the defendant's website.



124. As for departing flights, the defendant also stated that a poster was

      hung with an informative illustration of a temperature of over 38°C and the words

      'no access to the terminal'. The poster also showed a face in profile showing the temperature being
      measured with a forehead thermometer.


125. The Inspectorate finds deficiencies in relation to Articles 5.1.a, 12 and 13 of the

      AVG as regards the information provided to data subjects at the time of departure. There may

      A distinction is made between the breaches according to whether they occurred

      between15June2020and2december2020(date on which the newprivacypolicywasonline)
      or date from after the latter date.


126. In general, the Respondent agreed at the hearing that some points

      could be improved, particularly in terms of the detention period and the reference to

      According to the Respondent, the Inspectorate was adding a criterion to the SAA by requiring

      that the exact legal basis be stated, but he understands that this could improve the quality of the
      information may improve. The privacy policy was amended in several respects in November 2020

      (with publication on 2 December 2020), but it does not yet include a reference to Article 9 of the AVG.


127. The fact that no request for clarification or exercise of rightswas received,

      although the contact details of the data protection officer on various

      were available, proves to the defendant that transparency was ensured.

128. As the information provided to data subjects varied depending on the

      time and circumstances, the Inspectorate chose to monitor compliance with these

      principles in three different situations. These are listed below.



    (a) Breaches that took place between15 June and 2 December 2020 at the time of departure


        Findings of the Inspectorate Decision on the merits 47/2022 - 27/73




129. With regard to the breaches committed between 15 June and 2 December 2020 at the time of departure

      took place, the Inspectorate considers that they are related to the following
                  38
      elements:


       - None of the communications mention that temperature using

           thermal imaging cameras (breach of Article 5.1.a);

       - The legal basis for the processing is never communicated (breach of Article 13.1.c), neither
           as is the regulatory framework for the obligation to monitor body temperature

           (breach of Article 13.2.e);

       - There is no defined retention period or the criteria for determining it are not stated

           (breach of Article 13.2.a);

       - The right to complain to the GBA is also not mentioned (13.2.d);

       - The purpose of processing is not stated (article 13.1.c).



        Position of the defendant



130. The defendant is of the opinion that the Inspectorate, in checking compliance with its statutory

      obligations did not take into account certain published documents.


131.  Indeed, he believes that it was not necessary to provide information on measuring the

      body temperature with thermal imaging cameras, as this information was already available through

      the national press and a press release issued by the airport on 10 June 2020, and thus those concerned were already

      had this information at their disposal (Article 13.4 AVG).


132. Under the same exception, the Respondent further considers that data subjects were already on the

      had to be aware of the existence of the legal obligation regarding the processing, since

      this obligation arises from the Protocol which in turn was imposed by ministerial
      decrees published in the Belgian Official Gazette.     39The Respondent considers that it did not

      can be held responsible for the delay in publishing the Protocol.


133. In relation to the retention period, the Respondent acknowledges that it should have accurately

      specified. He also acknowledges that the existence of the right to complain to the GBA does not

      mentioned in the privacy policy.


134. He makes the same arguments as these in relation to finding 2 that specifically about the purpose

      (see paragraph 187 et seq.)





38Because the privacy notice does not explicitly mention temperature monitoring among the data subjects, it was not investigated by the
Inspectorate not investigated.The breaches identified therefore relate to the three other means of communication.

39Concluant reiterates that he cannot be held responsible for the delay in disclosing the
Protocol.                                                                          Decision on the merits 47/2022 - 28/73








       Assessment by the Disputes Chamber


135. The transparency principle is enshrined in Article 5.1.a of the AVG which says that personal data must be

      must be processed "in a manner which is lawful, proper and

      transparent ('lawfulness, fairness and transparency')";


136. This principle is applied, inter alia, in Article 12.1 of the AVG. This says that the

      controller "shall take appropriate measures to ensure that the data subject receives the information referred to in
      Articles 13 and 14 and the information referred to in Articles 15 to 22 and Article 34

      communications relating to the processing in a concise, transparent, intelligible and

      easily accessible form and in clear and plain language (...)."


137. Recitals 58 and 60 of the AVG specify: "In accordance with the principles of proper and

      transparent processing, the data subject should be informed that there will be

      processing is taking place and of its purposes" and "In accordance with the

      principle of transparency, information intended for the public or the data subject must be
      concise,easily accessible and understandablemust be provided in clear and simple language[...].

      used."


138. As highlighted by Advocate General P. Cruz Villalón as well as by the Court of Justice of the

      European Union in the Bara case, compliance with the provisions relating to transparency and

      disclosure is essential, as it is a prerequisite for the exercise
                                                                                              40
      by data subjects of their rights, which is one of the foundations of the AVG.

139. Article 13 of the AVG specifies what information must be provided to the data subject in the

      cases where the personal data concerned are collected from him/her.


140. In its guidelines on transparency, the Data Protection Working Party clarified

      Article 29 that Article 13 of the AVG applies both in cases where the

      personal data are knowingly transferred by the data subject to the

      controller as well as in cases where the data are collected by the
      controller are collected by observation (e.g. by means of the

      useofautomateddata-gatheringapparatusor softwarefordata-gathering

      such as cameras).1


141.  In relation to the first element, i.e. thermal imaging camera-based processing,

      the Disputes Chamber notes that the Respondent relies on the application of Article 13.4 of


40
  ECJ, 1 October 2015, C-201/14, para 33 (Opinion of Advocate General P. Cruz Villalón, 9 July 2015, para 74).
4GroupData Protection Article 29, Guidelines on transparency under Regulation 2016/679,11 April 2018, pp. 14-15, para. 26.                                                                           Decision on the merits 47/2022 - 29/73



      the AVG and indicating that he was not obliged to inform data subjects as they were already

      had the information through the media and a press release from the airport.


142. Article 13.4 of the AVG clearly states that paragraphs 1, 2 and 3 do not apply

      when and insofar as the data subject already has the information. Article 13.4 provides

      derhalvendoesnotprovideanexceptiontothetransparencyprincipleasformulatedinarticle

      AVG. However, it is on the basis of this article that the Inspectorate has identified a shortcoming
      established with regard to the obligation to inform data subjects about the existence

      of the thermal imaging cameras. In the opinion of the Disputes Chamber, a

      distinction must be made between, on the one hand, the principle of fairness and transparency (article

      5.1.a) and, on the other hand, the obligations arising from this principle (in particular Articles 13 and

      14).


143. The principle of propriety and transparency laid down in Article 5.1.a goes beyond the
      simple information and transparency obligations set out in the articles of the AVG

      and constitutes a general principle, the scope and philosophy of which apply to every processing operation.

      must be complied with.


144. This position was formally adopted by the EDPS in its Decision 01/021 on WhatsApp,

      in which the regulator stated:



       "Based on the above considerations, the Committee underlines that the

       principle of transparency is not limited to obligations under Articles 12 to

       to 14 AVG, even if they are a concretisation of that principle. The transparency principle is

       indeed an overarching principle that not only reinforces other principles (i.e. fairness,

       accountability), but from which numerous other provisions of the AVG also flow.
       Moreover, as already noted, Article 83(5) AVG contains the possibility of a breach of

       transparency obligations independently of the breach of the transparency principle.

       determination. The AVG thus distinguishes between the broader dimension of the

       principle and the more specific obligations.  In other words, with the

       transparency obligations do not cover the full scope of the transparency principle
                    42
       delineated."


145. The Inspectorate thus rightly relies on the transparency principle of Article 5.1.a to

      judging that the interested parties should have been informed of the existence of the

      thermal imaging cameras, although this obligation is not expressly included in the

      transparency obligations under Article 13 of the AVG.



42EDPB, Binding Decision 1/2021 on the dispute arising over the draft decision of the Irish Supervisory Authority
on WhatsApp Ireland under Article 65(1)(a) of the AVG, 28 July 2021, §192.                                                                           Decision on the merits 47/2022 - 30/73




146. However, recital 60 of the AVG says: "In accordance with the principles of proper and

      transparent processing, the data subject should be informed that there will be

      processing is taking place and of its purposes. The controller should provide the
      provide the data subject with such further information as is necessary to enable him/her to contact

      ensure fair and transparent processing, having regard to the specific

      circumstances and context in which the personal data are processed."


147. The fact that temperature is measured using thermal imaging cameras is so important

      that data subjects should be informed about the processing of their data. The in

      Article 5.1.a in fact requires, by definition, that

      data subjects know when their data are or are not being processed.

148. The Disputes Chamber notes that during the period under review, in two different documents

      provided by the Respondent mentioned temperature controls: the internal

      regulations (hereinafter IR) and the FAQ page accessible via the banner on the website. None of

      thetwo sources of information mentioned that the processing would or could be carried out with

      using thermal imaging cameras.


149. As highlighted by the Respondent, the fact that thermal imaging cameras are used at the airport is

      used, information that was covered in several press articles. In the opinion of the

      Disputes Chamber, it is not sufficient for the Respondent to rely on the existence of
      informationin the press to evade its transparency obligations under theAVG

      and with regard to the persons concerned. Indeed, it cannot be assumed that every

      passenger in transit at an airport has read a press article which fully informs him/her about the

      existence and conditions of the processing. Furthermore, controllers may

      not transfer their responsibility for transparency to the press and should

      take it personally and directly.


150. The use of thermal imaging cameras was also disclosed by the defendant in a

      press release published on10June2020onitswebsite.While this is in itself a commendable
      initiative but it is insufficient for the Disputes Chamber. The principle of transparency requires

      after all, that information be accessible in a centralised and consolidated manner,

      for example, through the IR or the privacy policy that can be easily consulted.   43 A

      press release, which after some time in the digital archives of a data controller should be

      be looked up, cannot be described as 'easily accessible'.








43Recital 58: "[...] In accordance with the principle of transparency, information intended for the public or for the
data subject should be concise, easily accessible and comprehensible, and clear and simple language and, where appropriate
supplementary visualisation should be used. [...]"                                                                              Decision on the merits 47/2022 - 31/73




151.  In addition, the Disputes Chamber finds that the poster displayed by the defendant (see para.

      124) states that the temperature is measured with a manual forehead thermometer, while

      the initial temperature measurement is carried out using thermal imaging cameras.


152. In view of the foregoing, the Disputes Chamber finds that the parties concerned did not properly

      were informed that their temperature could be monitored with thermal imaging cameras

      recorded, and that it is therefore possible that a data subject's temperature was recorded
      without his/her knowledge.


        The Disputes Chamber therefore found a breach of Article 5.1.a of the AVG.


153. The second element under assessment concerns the information on the legal basis

      of the processing (Article 13.1.c) and the regulatory framework for the obligation to provide the

      body temperature monitoring (Article 13.2.e). The Inspectorate noted that these

      information could not be found in any of the information sources available to data subjects.

      In this regard, the Respondent invoked the applicability of Article 13.4, arguing that the

      data subjects could not have been unaware of the existence of this obligation, as it was

      based on the Protocol expressly provided for by the ministerial decisions adopted in

      the Belgian Official Gazette.

154. The Disputes Chamber cannot accept this argument of the defendant.This would imply that a

      controller never has to inform data subjects about the legal basis

      ofprocessing,ifitispublishedintheBelgian Official Journal.Thislogicisclear

      contrary to Articles 13.1.c, 13.2.e and Recital 58 which require such information to be

      should be provided in a manner that is 'concise, easily accessible and comprehensible' and that for this purpose

      clear and simple language' should be used.44


155. Incidentally, the exception provided for in Article 13.4 of the AVG applies only

      'where and insofar as the data subject already has the information', which implies that the

      data subject must effectively have that information. The mere fact that the information

      is available in the Belgian Official Gazette does not meet this criterion. In any event, the Protocol

      on which the Respondent relies for the processing at issue was not even required before mid

      August 2020, although it was supposed to apply from 8
          45
      June.

156. Moreover, contrary to the Respondent's contention, the Controller is

      obliged to inform the data subject not only on which paragraph of Article 6 the

      data processing is based on, but also on exactly which text and provision forms the basis




44AVG, recital 58.

45Investigation report, page 32. The Inspection Service reports that the FPS only proceeded with publication after the intervention of the
Inspection Service in another similar case.                                                                                Decision on the merits 47/2022 - 32/73




      of the legal obligation on which the processing is based under Article 6.1.

      is. A mere reference to 'a legal obligation' without mentioning it cannot

      sufficient to assume that data subjects were adequately informed. The data subjects
      would in such a case never be able to ascertain whether a legal obligation within the meaning of Article

      6.1.c effectively exists and follows from the relevant legal provision.


157. The Disputes Chamber finds that, in this case, those concerned could indeed not do so, as

      the Respondent did not refer to the relevant Protocol nor to the ministerial decisions on the

      at the time of processing as the basis for its legal obligation to process

      carry out. Because the data processed is health data, the defendant must rely

      additionally be able to justify any of the grounds set out in Article 9.2 of the AVG

      exceptions. This justification must also be included in the information provided to the
      data subject. Reference to the precise legal standards is essential

      important to ensure that the data subject is aware of their rights and obligations in any

      processing.


158. The Disputes Chamber therefore finds a breach of Articles 13.1.c and 13.2.e of the AVG.


159. In relation to the third and fourth elements, i.e. the data retention period and the

      right to lodge a complaint with a data protection authority, the Disputes Chamber states

      finds that the Respondent acknowledges these shortcomings. The breach of Articles 13.2.a and 13.2.d is
      demonstrated.


160. With regard to the fifth element, i.e. purpose, the Disputes Chamber refers to its

      considerations below in which it considers that the purpose was not sufficiently explained in

      the information documents before the amendment of the privacy policy on 2 December 2020 (para. 195

      et seq.). It therefore finds a breach of Article 13.1.c on this point.


161.  The Disputes Chamber thus finds a violation of Articles 5.1.a, 13.1.c, 13.2.d, 13.2.a and 13.2.e

      between 15 June and 2 December 2020 as regards departures.




    (b) infringements that took place from 2 December 2020 as regards departures


        Findings of the Inspectorate


                                                                                                    46
162. With regard to the breaches that took place as of 2 December 2020 on departure, the

      Inspectorate considers that they are related to the following elements:






46Date on which the amended privacy notice was posted online.                                                                               Decision on the merits 47/2022 - 33/73



        - The appealed court's ground of justification is insufficiently specified (infringement of Article

            13.1.c);

        - it is nowhere mentioned that the temperature using thermal imaging cameras is being

            monitored (breach of Article 5.1.a);

        - the possible consequences of failing to provide the data are not mentioned and there are

            no reference is made to the IR (breach of Article 13.2.e);
        - the purpose of the processing is insufficiently defined (see paragraph 184 et seq.);

        - the privacy notice still refers to the law of 8 December 1992, which has since become

            repealed.



        Position of the defendant


163. The Respondent believes that the amendment to its privacy notice (on 23 November 2020, with

      publication on 2 December 2020) clearly indicates the legality basis. He believes that the

      Inspectorate is adding a condition to Article 13.1.c by requiring the statutory

      provision(s) on which the processing is based is clearly stated.

164. Regarding the lack of information on the use of cameras and the issue of the

      purpose, the Respondent refers to its aforementioned considerations (see paragraph 141 et seq. and paragraph

      160) and contests the grievances.


165. With regard to the reference to IR, he believes that this could indeed have been better, but that this in itself
      does not constitute a failure in respect of his duty to inform, especially as the IR in the premises

      present before any temperature control.


166. The defendant acknowledges that the reference to the 1992 Act is a material error, which will be

      corrected.



        Position of the Disputes Chamber



167. The first element concerns compliance with Article 13.1.c, which prescribes that the legal basis for

      processing must be stated. As both the Inspectorate and the Respondent have

      stated, as of 2 December 2020, the Respondent's privacy policy contained the following

      statement:

168. "At the time of an epidemic or pandemic, we may measure temperature to check whether

      it exceeds38°C.This is done only on the basis of a legal obligationthese data

      are not stored or reused for purposes other than protecting the

      health of people in transit at the airport. The data will be kept

      for a few minutes." [free translation] Decision on the merits 47/2022 - 34/73




169. The Respondent believes that this satisfies the requirement of Article 13.1.c of the AVG, while the

      Inspectorate believes that the exact statutory provision(s) should have been mentioned,

      as well as the exception contained in Article 9.2 of the AVG to prevent the processing of

      health data.

170. For the Dispute Resolution Chamber, compliance with Article 13.1.c implies that the data subject must fully

      be informed of both the precise legal basis for the processing and the text and

      precise provision creating the legal obligation on which the processing under article

      6.1.c is based on. In this regard, it refers to paragraphs 153 et seq. above and notes a

      breach of Article 13.1.c of the AVG.


171.  The second issue concerns the fact that temperature measurement using thermal imaging cameras

      would not have been mentioned anywhere (breach of Article 5.1.a). In this regard, the Disputes Chamber refers to

      its view expressed above, which remains valid on this point (see paragraph 141 et seq.) and states a

      breach of Article 5.1.a of the AVG.

172. The third issue concerns the failure to mention the possible consequences of not providing

      the data by failing to refer to the IR (breach of Article 13.2.e). The

      Inspectorate considers that the obligation to refer to the

      regulatory nature of the obligation to provide the data and the possible

      consequences of not providing the personal data, as Article 13.2.e of the AVG

      The defendant is of the opinion that, since this information is included in theIR, the

      the obligation of Article 13.2.e was met, although a reference to the IR in the privacy policy would have

      could have been included.


173. TheGeschillenkamer findsdiscrepanciesbetweentheinformationprovidedinvariousinvestigated
      documents were provided to data subjects. Indeed, the privacy policy states that the

      processing is based on a legal obligation (this statement is also incomplete, see point

      However, it says nothing about the consequences of refusing processing.

      TheIR does indeed state that access to the terminal will be refused "to any person who refuses to comply with

      to a temperature check and in whom a body temperature of more than 38°C

      is detected after at least two measurements."     47 However, it does not mention the source of this

      obligation. The same applies to the "Frequently asked questions(FAQ)" page: it mentions which

      consequences are when a temperature of more than 38°C is detected, but not the

      is the source of this obligation. None of these three documents refers to the other

      documents, implying that a data subject who had consulted only one document did not

      had all the information to which he was entitled. The Disputes Chamber considers this to be contrary to the

      requirement that information be "concise, easily accessible and comprehensible" and that for this


47
  IR, article8 and FAQ [free translation]
48IR, Article8: "The airport is obliged to do so." [free translation] Decision on the merits 47/2022 - 35/73



                                                             49
      'clear and simple language' must be used."     It therefore finds a breach of Article
      13.2.e of the AVG.


174. The fourth element concerns the statement of purpose. In this regard, the Disputes Chamber notes

      that, as of 2 December 2020, the purpose was described in the Respondent's privacy policy as

      "to protect the health of people in transit at the airport". This purpose

      however, is not reflected as such in the IR.


175. The fifth element is the reference to the Act of 8 December 1992 (which has been repealed) in the
      privacy policy. This element is not disputed by the defendant and the Disputes Chamber states

      therefore finds that this privacy policy is incorrect and should be updated.


176. The Disputes Chamber thus finds a breach of Articles 5.1.a, 13.1.c and 13.2.e.




    (c) Arrivals from a red zone


        Findings of the Inspectorate



177. With regard to arrivals from a red zone, the Inspectorate found an infringement

      of Articles 5.1.a, 12.1 and 13 of the AVG on the basis of the following elements:


        - according to the information in the IR and on the website, the purpose of these controls is to control access

            to the terminal for people with a temperature above 38°C, which in the

            context of arrival checks is incorrect (see paragraph 49);
        - nowhere is it mentioned that temperature is checked with thermal imaging cameras;

        - the information provided to passengers returning from a red zone says

            nothing about the conditions under which the check is carried out (Article 5.1.a).



        Position of the defendant


178. First, the Respondent is of the view that the Inspectorate is of the wrong

      starting point, because it wrongly based its views on only two documents instead of

      considering all sources of information.


179. He added that one version of the IR had been put online for reasons of efficiency and

      cost savings. Moreover, the IR clearly states that the temperature of passengers will be

      be measured.

180. Finally, the defendant disputes the innovative nature of the thermal imaging cameras.




49AVG, recital 58.                                                                               Decision on the merits 47/2022 - 36/73





        Position of the Disputes Chamber




181.  On the first point - the purpose of temperature control - the
      Disputes Chamber notes that the IR states that temperature control is mandatory and that access

      to the terminal will be refused to those who refuse to submit to it or a temperature

      exceeds 38°C after at least two measurements. The IR says nothing about returning from a

      red zone, where the only consequence of a temperature of more than 38°C is that the person concerned may be refused admission.

      receives an awareness document. The handing over of this document has no significant

      implications for the data subject's rights. By not specifying that the control described

      applies only to the departures, however, the text of the IR suggests that a person may be subject to the document at

      arrival may be denied access to the terminal, which creates confusion and is
      problematic with regard to the principle of transparency.


182. Regarding the wording of the information banner and the published 'Frequently Asked

      Questions (FAQs)', it is noted that these do not specify that the ban on access to the terminal

      only applies at departures,which could lead people to believe that they would also be prohibited from entering the

      access to the terminal can be denied. This also poses a problem in terms of the

      transparency principle (Article 5.1.a AVG).

183. As regards the second question, the Disputes Chamber refers to its above-formulated

      considerations, which remain valid. It also notes that, as reported by the Inspectorate, the posters that are

      were displayed at the departures (see paragraph 124 above) are not present at the arrivals, so that the

      information for passengers arriving from a red zone is even more deficient than those arriving at

      departing passengers.


184. The Disputes Chamber therefore finds a breach of Articles 5.1.a and 12.1.




    II.3.5 Finding 2: 50 Violation of the principle of purpose limitation in accordance with Article 5.1.b
    of the AVG


      Findings of the Inspectorate



185. According to the Inspectorate, the purpose of the processing is to "protect the health of the

      persons in transit at the airport and of employees working in the terminal",

      as this is the answer given by the Respondent during the investigation and repeated in





50 As indicated earlier, the Disputes Chamber decided to reverse the assessment of findings 2 and 3 of the
investigation report to be reversed.                                                                            Decision on the merits 47/2022 - 37/73



      The data protection impact assessment submitted by the defendant to the Inspectorate

      transmitted.


186. The Inspectorate notes that the defendant's purpose of the relevant processing operations

      insufficiently and accurately determined the purpose of the processing in question in accordance withArticle5.1.b of theAVG,as

      the controller did not indicate that the processing had different purposes and effects for the data subjects
      different purposes and had different effects according to the type of monitoring that was

      carried out (on departure or on arrival).




     Position of the defendant


187. The Respondent first recalls that the term 'purpose' is not defined in the AVG and

      that he therefore relies on a definition provided by the CNIL (French Data Protection Authority). He

      considers that the purpose of the processing was sufficiently defined: to protect the health of the

      persons in transit at the airport and of staff at the terminal. Defining

      the effects of processing is not, according to the regulations, a condition for the validity of

      the purpose limitation principle. The defendant added that the difference in treatment at departure
      and on arrival was justified in view of the different situations and resulted from the healthy

      People coming from a red zone cannot be sent back.

      added that it had never been necessary to deny access to the terminal to persons

      whose temperature was higher than 38°C, as they freely decided not to continue their journey.

      continue.

188. He concluded that the purposes of the processing were clear, well-defined and justified

      and that he had always respected the principle of proportionality by maintaining the balance

      between the interests of public health and the private life of the data subjects.




     Assessment by the Disputes Chamber


189. Article 5.1.b of the AVG requires the data to be used only for specified, explicitly

      defined and legitimate purposes. The Disputes Chamber considers

      that the issue of the defendant's stated processing purpose and the issue of the

      legal basis of this purpose can be analysed separately in this case (see paragraphs 102 et seq.

      above). The legal basis invoked does not - or not clearly enough - provide for a purpose (see

      paragraph 195 et seq. above). Therefore, the purpose stated by the controller must be
      examined.


190.  For the interpretation of this principle, the Disputes Chamber refers to the opinion of the Working Party

      Data Protection Article 29 which further defines what is meant by a Decision on the merits 47/2022 - 38/73




      expressly defined purpose within the meaning of Directive 95/46. 52It is important to note that the

      main features of the purpose limitation principle have remained identical between Directive 95/46 53and

      the AVG.


191.  In relation to the well-defined nature of the purpose, the Disputes Chamber notes that the

      Respondent, in its response to the Inspectorate's questions, clearly defines this purpose as

      being "to protect the health of persons in transit at the airport",

      which is subsequently repeated in the

      data protection impact assessment. This is also reflected in the Register of

      processing activities where it is abbreviated as 'protection of health'.


192. The Disputes Chamber therefore finds that the purpose is sufficiently defined.


193. With regard to the expressly defined nature of the purpose, the opinion of the

      Data Protection Working Party Article 29 explains the following:




      "The purposes of the collection should not only be clearly known by the persons who

      responsible for collecting the data. They must also be explicitly

      formulated. [...]



      The ultimate purpose of this requirement is to ensure that the purposes are meaningful and

      intention are stated unambiguously and accurately. The meaning must be clear and may

      not raise doubts or be difficult to understand. [...]



      The obligation to state the objectives 'explicitly' contributes to transparency and

      predictability. It allows unambiguous definition of the boundaries within which the

      controllers may use the personal data collected, with the aim of

      protecting data subjects.        It helps anyone processing data on behalf of the

      controller, as well as data subjects, data protection authorities and

      other concerned parties, to have a common understanding of how data may be

      be used. This reduces the risk that data subjects' expectations differ from

      those of the controller."  54








5Group on Data Protection Article 29, 'Opinion 03/2013 on purpose limitation', op. cit., p. 17.
52
  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data
53Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural
individuals with regard to the processing of personal data and on the free movement of such data
54
 Article 29 Data Protection Working Party, 'Opinion 03/2013 on purpose limitation', op. cit., p. 17. Free translation.                                                                               Decision on the merits 47/2022 - 39/73




194. The working group's opinion thus emphasises the need for the explicit disclosure of

      purpose, so that everyone understands the reason for data processing and misunderstandings are avoided.

      avoided. In relation to how that purpose should be formulated, the

      opinion highlights the following elements:



      "In terms of accountability, the written statement of purpose and creation will

      appropriate documents help to demonstrate that the controller has
                                                       55
      complied with the requirement in Article 6(1)(bThis will also allow data subjects to

      to exercise their rights more effectively - it will, for example, serve the original purpose
                                                                                                56
      prove and allow comparison with subsequent purposes of processing."



195. In the opinion of the Disputes Chamber, this point is thus closely related to the issue of

      transparency and information.In this regard, it refers to the comments made above(see

      paragraphs 162 and 174) which she also adds here. The various sources of documentation show that
      the privacy policy contained no information on the purpose of the processing before it was issued on 2

      December2020were amended.Only in response to this amendment was the purpose added and

      described as "to protect the health of persons passing through the airport."


196. The IR did contain an Article 8 stating that access to the terminal will be denied

      to "any person who refuses to submit to a temperature check and in whom a

      body temperature of more than38°C is detected after at least two measurements." The purpose

      can be inferred from the text of the IR, but it is not explicitly defined and the

      is not linked to any particular processing. The FAQ page also contains a similar sentence.


197. Based on the foregoing points, the Disputes Chamber concludes that the purpose of the

      processing was not explicitly defined. Not only was the purpose not defined at the start of the

      processing, it was also only drafted, expressly formulated and submitted to the GBA

      and data subjects after answering a question from the Inspectorate, the
      adaptation of the privacy policy in December2020and the completion of the GBA three months after the

      commencement of processing.


198. In relation to the lawfulness of the purpose, the Disputes Chamber considers that the purpose is "the

      protect the health of persons in transit in the airport and staff

      working in the terminal" is indeed lawful, particularly in view of the fact that the processing

      was recognised as being justified for reasons of public interest in the field of the

      public health in accordance with Article 9.2.i of the AVG (see paragraph 84 above).




55From Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural

persons with regard to the processing of personal data and on the free movement of such data.
56GroupData Protection Article 29, 'Opinion 03/2013 on purpose limitation', op. cit., p. 18. Freetranslation.                                                                               Decision on the merits 47/2022 - 40/73



199. The Disputes Chamber therefore finds a breach of Article 5.1.b of the AVG on account of the non

      express nature of the purpose.




    II.3.6Conclusion 4: breach of the obligation to carry out a data protection impact assessment before processing
    data protection impact assessment in respect of the

    data protection (breach of Article 35.1)




200. Based on its investigation, the Inspectorate concludes that Article 35.1 of the AVG was

      breached for the following reasons.



    (a) In connection with the obligation to carry out a GEB



        Findings of the Inspectorate



201. The Inspectorate believes that a GEB was necessary based on the following criteria:

        - the processing involves sensitive data, i.e. data related to the

            health;

        - the processing is large-scale;

        - the treatment implies systematic monitoring of certain passengers who will be

            required to submit to a monitoring of their body temperature;

        - the treatment involves the use or application of innovative technological or
            organisational systems;

        - the processing involves vulnerable persons and more particularly

            minors;

        - Article 23 of the Law of 30 July 2018 57 expressly provides, "In implementation of Article 35.10

            of the Regulation, a specific data protection impact assessment shall be carried out

            prior to the processing activity, even if a general

            data protection impact assessment was carried out in the context of establishing the
            legal basis."



      Position of the defendant



202. The Respondent first argues that only the data of those with a temperature of

      above 38°C are processed, as only they are recorded with a camera.



5Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data.                                                                             Decision on the merits 47/2022 - 41/73



203. In relation to the concept of 'large scale', the Respondent considers that the Inspectorate is not

      based on the correct figures as it takes into account everyone who was at the airport in

      rather than those with a body temperature above 38°C. It is currently

      impossible to ascertain the exact number, as the summary files with the

      number of interventions were destroyed on a weekly basis.

204. For passengers returning from a red zone, the Inspectorate assumes without any

      motivation that this would be large-scale processing.


205. The Respondent considers that only the criterion of systematic monitoring of certain

      passengers is relevant to the matter. Only this criterion obliged the Respondent to issue an GEB

      conduct.

206. Finally, the Respondent disputes the innovative nature of the cameras. According to him, they involve

      an old technology.



     Assessment by the Disputes Chamber



207. Article 35 sets out the circumstances in which it is appropriate for a controller

      necessary to carry out an EIO. This article is reproduced in part below:




                                                 "Article 35
                                 Data protection impact assessment



     1. Where a type of processing, in particular one involving new technologies

     is likely, having regard to its nature, size, context and purposes, to involve a

     presents a high risk for the rights and freedoms of natural persons, the

     controller shall, prior to the processing, carry out an assessment of the impact of the intended processing activities on the protection of personal data.
     processing activities on the protection of personal data. One assessment may include a series of

     similar processing operations that pose similar high risks.



     2.      Where a data protection officer has been appointed, the

     controller when carrying out a data protection impact assessment

     seek his or her advice.


     3.  A data protection impact assessment referred to in paragraph 1 shall be required in particular in the

     following cases:                                                                                     Decision on the merits 47/2022 - 42/73



      (a) a systematic and comprehensive assessment of personal aspects of natural


          individuals, which is based on automated processing, including profiling, and on which

          decisions which produce legal effects concerning natural persons

          or which substantially affect the natural person in a similar way;



     (b) large-scale processing of special categories of personal data as referred to in

          Article 9(1) or of data relating to criminal convictions and offences

          offences referred to in Article 10; or



     (c) systematic and large-scale monitoring of publicly accessible areas."



208. The Disputes Chamber further specifies that the GBA has established a list of processing

       for which an EIO is required.  58 It also notes that, as for the use of thermal imaging cameras

       regarding the use of thermal imaging cameras, the European Data Protection Supervisor (EDPS), in a position paper of 1

       February 2015, it was already able to confirm that an EIO is indeed required.      59


209. The Disputes Chamber considers, moreover, that recital 91 of theAVGdemonstrates the necessity of an AGEBin this

       case. Indeed, it reads as follows: "A data protection impact assessment should also

       be made when personal data are processed for the purpose of taking

       decisions relating to specific and natural persons after a systematic and comprehensive

       assessment of personal aspects of natural persons based on profiling

       of these data, or after the processing of special categories of personal data,

       biometric data,or data relating to criminal convictions and criminal offences

                                                                   60
       or related security measures."

210. It was shown that the processing in question concerns special categories of


       data (health data) and that, at least at the time of departure, it has the effect of deciding

       whether or not passengers and escorts are allowed to enter the terminal.


211.   The Disputes Chamber notes that the Respondent does not dispute that an AET for the relevant

       processing was mandatory. Its criticism mainly concerns the Inspectorate's use of the

       criteria, the relevance of which he disputes in certain cases (see paragraphs 202-206 above).


212. According to the Dispute Chamber, the Respondent assesses the criteria for determining whether or not a GEB is

       not required,after the factand not in the correct way.When the defendant had to carry out its GEB(see

       paragraph261ff. below), it did not know what percentage of passengers had a temperature of



58Data Protection Authority, Decision No. 01/2019 of 16 January 2020.     Available at:
https://gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf

59 EDPS, Letter of 1 February 2015 Available at: https://edps.europa.eu/sites/default/files/publication/16-02-
01_letter_klimowski_2015_en.pdf
60
  Dispute Chamber's own veto mark.                                                                           Decision on the merits 47/2022 - 43/73




      would have more than 38°C and therefore could not establish that this was 'extremely low', as he does a
      posteriori in his conclusion.The defendant should have taken into account that all the

      expected passengers could potentially be an affected person. This was therefore the figure by which

      had to be taken into account in assessing whether or not it was a large-scale

      processing was involved.


213. Although the temporarily stored images only relate to individuals with a temperature

      of more than 38°C, in addition, all passengers and attendants on departure and all

      passengers returning from a red zone are subjected to a temperature check. The
      Inspectorate thus ruled, based on sound reasoning, that for the purpose of determining 'the

      nature,scope and context' of the processing, it was necessary to start from the assumption

      that it applied to all passengers concerned and not only those with a

      temperature above 38°C.


214. Due to the innovative nature of thermal imaging cameras, the Disputes Chamber of

      considers that this criterion, even if not demonstrated, does not detract from the following

      conclusion, namely that a GEB was necessary.

215. The Inspectorate also held that a GEB was required under section 23 of the Act

      of30July2018(see point201)which says that "a specific data protection impact assessment

      [shall] be carried out prior to the processing activity, even if a general

      data protection impact assessment has already been carried out in the context of establishing the

      legal basis." However, the Dispute Chamber points out that this article only applies

      to the public sector, as specified in Article 19 of the same law, and that in this case it is therefore

      does not apply.




    (b) In connection with the obligation to carry out an EIA prior to processing



     Findings of the Inspectorate


216. TheInspection Service finds thatBSCAnv'sGEB was implemented on18September2020,while

      the relevant processing operations were implemented on 15 June 2020 for the persons concerned

      on departure and on 7 September 2020 for passengers on arrival from a red zone. According to

      the Inspectorate, the GEB must be implemented before the start of processing and provides for

      Article 35 of the AVG no exception.







6Conclusion of the defendant, p. 45.                                                                             Decision on the merits 47/2022 - 44/73




     Position of the defendant



217. The Respondent stresses the exceptional nature of the situation it found itself in. The

      AVG does not contain any exception to this obligation, but the Respondent considers
      considers that this is clearly a case of force majeure that the legislature could not have

      foreseen. He notes that the data protection officer had been dismissed, as had the

      majority of the staff. It was only when the health crisis was somewhat under control that the

      defendant was able to implement the GEB, albeit in hindsight. He also recalls that he had no other choice

      than to set up the control system - which obviously does not relieve him of this obligation - but

      that he fulfilled this obligation as soon as he was able to do so.


     Assessment by the Disputes Chamber


                                                           62
218. For the Disputes Chamber, it is clear from the text of theAVG,as the defendant acknowledges, that the
      GEB must be carried out before processing takes place. The text does not provide for

      exceptions. The Disputes Chamber notes that the GEB was not implemented until 18 September 2020

      implemented, i.e. three months after the start of processing (15 June 2020).


219. The Respondent does not demonstrate what the circumstances of such force majeure would be

      been.


220. The Disputes Chamber therefore finds a breach of Article 35.1 of the AVG.



    (c) In relation to the quality of the GEB provided by the Respondent under Article 35.7 of

        the AVG was carried out



        In connection with the description of the data processing operations and the purposes of the

        processing in the GEB (article 35.7.a AVG)



        Determinations of the Inspectorate



221. The Inspectorate notes, as above (see paragraph 186), that the purpose of processing is not

      sufficiently specified.

222. It also considers that the GEB does not describe with sufficient precision the procedure used in connection with the

      monitoring of passengers' body temperature, and specifically the consequences

      that this check may have on the persons concerned.





62AVG, article 35.1 and recital 90.                                                                              Decision on the merits 47/2022 - 45/73



223. Furthermore, the Inspectorate considers that the GEB contains a number of inconsistencies (in particular regarding

      the recording/storage of personal data derived from the thermal imaging cameras) and does not contain any

      analysis regarding the soundness of the legal basis established under Articles 6.1,

      6.3 and 9.2.i of the AVG is invoked.



     Position of the defendant



224. In general, the defendant is surprised at some of the criticisms expressed,

      as he relied on the CNIL model for the implementation of his GEB, as

      the GBA does not have any tool for this purpose.

225. The Respondent recalls that the GBA does not contain a definition of the term 'purpose' and that it ensures that

      chose to define it as 'to protect the health of people travelling through the territory'.

      The defendant is of the opinion that

      This definition is very clear.


226. In relation to the type of procedure, the Respondent believes that this is left to the appreciation of the
      controller and that there are different methods. The

      Respondent argues that it is hardly imaginable that the use of an instrument of a

      other authority leads to the finding of a deficiency, while the GBA itself does not have an instrument

      available.


227. The Respondent adds that the effects on data subjects are well known to
      the controller - and to the data subjects, given the information provided to them -, and

      that it is therefore not in itself necessary to include every consequence in the CGE as long as the end result is the

      risks to the rights and freedoms of the data subjects.


228. In connection with the said inaccuracies, the Respondent argues that the GEB has made all the

      information about the processing, including why the software keeps the last 20 images
      retains,and that this information can be found in various places in the GEB.He is therefore

      considers that this information is not missing, as it is found in other places in the GEB.

      mentioned.


229. As for the legal basis, the Respondent considers that it is not up to the

      Inspectorate to blame a data controller for any
      gaps in the executive branch charged with applying the laws and issuing

      of the corresponding implementing decrees.




     Assessment by the Disputes Chamber Decision on the merits 47/2022 - 46/73




230. Article 35.7 lists the elements to be included in a GEB. This

      provision is reproduced below:

     "7. The assessment shall include at least:


     (a) a systematic description of the intended processing operations and the processing purposes,

         including, where applicable, the legitimate interests pursued by the

         controller;

     (b) an assessment of the necessity and proportionality of the processing operations in relation to
         the purposes;

     (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

     (d) the measures envisaged to address the risks, including safeguards,

         safeguards and mechanisms to ensure the protection of personal data

         and to demonstrate compliance with this Regulation, taking into account the

         rights and legitimate interests of data subjects and other persons concerned."



231. In relation to the purpose of the processing, the Dispute Chamber refers to recitals

      above (see paragraph 189 et seq.) and considers that the purpose stated by the Respondent is

      defined and justified.Within the framework of the CGE, the purpose can be considered to be sufficient

      defined.

232. With regard to the description of the procedure put in place to determine the temperature of the

      passengers,the Disputes Chamber cannot agree with the defendant's argument

      complaining about the lack of guidance from the GBA which required him to use

      instrument made available by another body.

      recalls that the GBA published a recommendation on CDEs at the beginning of 2018.63Further believes

      The Disputes Chamber considers that a controller cannot invoke a lack of

      guidelines of a supervisory authority, as this would be contrary to the principle of

      responsibility under Article 24 of the AVG. A controller is free to

      to use tools that supervisory authorities in other EU member states make available
      make available to the public. However, their use is left to the discretion of

      the controller, who must ensure that the tool used is

      meets the requirements of the supervisory authority to which it is subject.


233. This recommendation includes the following paragraph:


      "Other elements relevant to determine the nature, extent and context of the processing

      include: the categories of data subjects, the scale of data processing, the

      origin of the data, the relationship between controller and data subjects.


63 Data Protection Authority Recommendation No 01/2018 of 28 February 2018.   Available at:
https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-01-2018.pdf Decision on the merits 47/2022 - 47/73




      the potential impact on data subjects, and how easy it is for data subjects to
                    64
      identify."



234. Here, the GBA had already indicated in 2018 that the GEB would provide a description of the potential impact on

      those affected. This is all the more important in the present case, as the

      consequences for data subjects are just the purpose of the processing, i.e. preventing people with

      a temperature above 38°C enter the terminal and take their flight. Since this purpose

      is the raison d'être of the processing, it was not to be concealed in the description of the


      processing under the GEB.


235. In relation to the statement regarding the duration of data storage, the Disputes Chamber notes

      notes that the GEB executed by the defendant both states "no local retention of data at
                        65
      PC or on paper" and "the images taken are not stored. They are real time
                  66 67
      monitoring" , while the procedure provides that the most recent 20 images are accessible.   To the

      opinion of the Disputes Chamber, this inconsistency detracts from the clarity of the

      description of the processing.


236. Finally, regarding the quality of the legal basis, the Disputes Chamber considers that the

      is for the controller to assess, in the context of the GEB, the impact of the

      processing choices made on the legal basis or, in the case of a

      insufficient legal basis, to describe which processing methods were chosen (and

      why)for the purpose of remedying the deficiencies of the legal basis.This appliesthe more


      in this case, as the defendant acknowledged the inaccuracy of the Protocol and admitted that
                                           68
      a law would have been preferable.


237. Based on the above considerations, the Disputes Chamber finds a breach of Article

      35.7(a) of the AVG.




    In connection with the assessment of the necessity and proportionality of the processing operations with

    in relation to the purposes(Article 35.7.b AVG)



    Determinations of the Inspectorate









64Ibid., pg. 17.
65
  Respondent's data protection impact assessment, pg. 4. [free translation]
66Ibid., pg. 5. [free translation]

67Ibid, pp. 3 and 7.
68See paragraph 79.                                                                           Decision on the merits 47/2022 - 48/73



238. The Inspectorate finds that, if the purpose of processing is not correctly determined within the meaning of

      ofArticle5.1.bvoftheAVG,theassessmentofnecessityand proportionalityofthemeasureisnot

      can be deemed to have been carried out correctly.


239. The Inspectorate also notes that the analysis of the storage of personal data is quite

      summary and even incorrect, and that the analysis of the necessity and proportionality of the
      processing was limited to assessing the extent to which the collected

      body temperature data are adequate and relevant and limited to what is necessary for

      the intended purpose, whereas it should also have taken into account the number of cameras and the location

      where they were installed to measure the body temperature of the data subjects, whether or not

      permanent nature of the processing operations, and the categories of data subjects whose data are

      are collected.

240. The Inspectorate added that it was not demonstrated that the personal data was adequately

      and limited to what is necessary, nor that the collection of these categories of data is

      is relevant.



     Position of the defendant



241. The Respondent regrets that the GBA does not have a more comprehensive tool than that of the CNIL

      prepared to indicate what information would be lacking according to the Inspectorate.He points out

      that it must supplement this tool because the elements listed by the Inspectorate are strictly

      strictly speaking, are not requested in the CNIL's tool.

242. He reiterates his earlier criticism that, unless he is mistaken, neither the GBA nor himself are internally about the

      scientific expertise to analyse the extent to which it is relevant to

      collect data on body temperature as a factor potentially indicating infection with

      the coronavirus.

243. He adds that it is not appropriate to retrospectively conduct a scientific analysis of these

      necessity.   The concluant chose this course of action based on a

      pragmatic analysis of the options available to him and, as already mentioned, of the

      practices used at 65 other airports around the world.


244. He stressed that it was not for the Inspectorate to approve or disapprove a method that was
      was chosen by the concluant to achieve its intended purpose - to protect the

      health - to be achieved.




    Assessment by the Disputes Chamber Decision on the merits 47/2022 - 49/73




245. The Disputes Chamber already ruled that the purpose stated by the defendant was sufficiently
      definedinthesenseofarticle5.1.boftheAVG(point189ff.).Theotherwouldneverbevalidlybecome

      used as a starting point for assessing the necessity and proportionality of the

      processing.


246. The analysis of the extent to which the data collected is relevant and sufficient, as well as

      limited to what is necessary, however, is deemed insufficient by the Disputes Chamber. It remains

      namely limited to a few lines that in no way demonstrate an in-depth assessment

      of the necessity and proportionality of the processing operations. As mentioned earlier, the information in
      relating to the storage period of the data is furthermore inaccurate.The assessment carried out by the defendant

      analysis relates only to the temperature data and at no point does it address

      the fact that images are taken of those involved. Yet it is perfectly possible to assess the

      temperatureofpeoplewithoutphotographing.AGEBisjustintendedtoincreasetheeffect

      of the choices made with regard to processing modalities.


247. Moreover, as the Inspectorate underlines, the defendant does not take into account at all

      certain modalities of processing, such as the number of cameras and their location, and does not justify
      he does not justify some of his claims. At no point does he examine the need for these

      data, even though the text of the Protocol states that the invoked legal basis is

      is: "To measure the body temperature of passengers so that they can be taken with a

      'immunity passport' is not recommended by EASA and the ECDC. The

      Agency recalls that the relevance of this test is not supported by current
                                                   69
      scientific knowledge on SARS-CoV-2."     (see paragraph 99)


248. In other words, the GEB carried out by the defendant is not a genuine analysis of the
      processing operations and all their modalities from the point of view of necessity and proportionality.

      However, it was important to carry out these investigations, particularly because of the lack of a framework in

      the legal basis invoked, which gave the defendant a great deal of latitude in choosing

      of processing activities.


249. Based on the above considerations, the Disputes Chamber finds a breach of Article

      35.7.b of the AVG.



    In connection with the assessment of risks to the rights and freedoms of data subjects

    (Article 35.7.c of the AVG)



     Findings of the Inspectorate





69Protocol, p. 5.                                                                              Decision on the merits 47/2022 - 50/73



250. BSCA nv analysed the risks relating to confidentiality, availability and the

      integrity of data, but not the risks related to 'false positive' and 'false negative'

      results,taking into accounttheimpactthata similarriskmayhave.


251. The Inspectorate also believes that the risk associated with the availability and integrity of the

      data was insufficiently taken into account and that the controller could not correctly assess the
      risk that could arise in the event of non-availability of the data could not correctly

      assess.


252. The risk that could arise in case of non-availability of the data could

      furthermore not be correctly assessed by BSCA nv.

253. BSCA nv also did not assess the integrity risk that could arise if the

      settings of the device used in a given situation would be changed (adjustment

      to a temperature lower than 38°C).


254. The risk analysis conducted by the concluant, according to the inspection report, is
      inadequate, as the GEB is limited to an analysis of risks related to the

      confidentiality, availability and integrity of data.




     Position of the defendant



255. According to the Respondent, the GEB's analysis is limited to a few points because the instrument proposed by the
      CNIL proposed instrument does not provide for the analysis of the other aspects referred to in the

      inspection report. The concluer believes it has opted for an official

      methodology that was approved and made available by a European-level

      recognised data protection authority. He had valid reasons for not knowing that the

      GBA Inspectorate would consider the instrument in question incomplete.

256. The defendant adds that the risks of false positive and false negative results in the

      need not be analysed under these proceedings because he does not understand how these

      risks could be his responsibility or should affect

      on the processing of the body temperature data. The Respondent states that he did not perform PCR-

      tests and that the terms 'false positive' and 'false negative' were used in his

      processing performed, therefore, did not occur.

257. The defendant recalls that after the third test to measure body temperature (the

      anamnesis)nooitiemandetheaccesstotheterminal.Thepartiesinvolveddecidedbythemselves to take the

      terminal.                                                                               Decision on the merits 47/2022 - 51/73




258. With regard to theinaccuraciesincompleteness to which theInspection Service referred

      in relation to the availability and integrity risks, the Respondent notes that the

      Inspection Service finds its analysis insufficiently substantiated and takes due note of what it

      needs to improve in the AGEs it is required to conduct in the future.




     Assessment by the Disputes Chamber



259. For the Disputes Chamber, it is clear that the risk analysis conducted by the defendant was flawed

      is. To the question "2.1 What could be the main consequences for those affected if

      the risk [unlawful access to data] occurs?" the Respondent replied

      for example, "Limited consequences." This extremely brief answer in no way shows that the

      Respondent has considered the risks of unauthorised access. The defendant points out with

      in other words, does not point out the risks that a data subject might face if a third party were to access a photograph

      of him/her were to obtain one showing a temperature of more than 38°C.

260. The information provided by the defendant in assessing risk4('data loss')isaleven

      sparse. The defendant repeatedly states that the risk is 'not applicable (no storage)', which is

      incorrect as images are indeed stored, albeit limited in time. The

      Disputes Chamber also finds on this point that the Respondent has not demonstrated that it has a

      correct and complete risk analysis.


261. The Disputes Chamber also considers that the Respondent failed in its GEB to

      examined certain risks. The Respondent states that the risks examined are those that are

      included in the tool provided by CNIL. However, this is not a

      excuse forthefactthatenumberofidentifiedriskswasnotcovered.Article35.7.c

      of the AVG in fact explicitly refers to an "assessment of the risks to the rights and

      freedoms of data subjects." It is not clear how an additional document could

      confirm what is already mentioned in the legal text.Moreover, the GBA mentions in its Recommendation

      No 01/2018 specifically mentions the following elements to be considered as risk: financial

      losses, the circumstance that data subjects cannot exercise their rights and freedoms or

      are prevented from exercising control over their personal data, and any other significant
                                             70
      economic or social disadvantage.


262. Recommendation No 01/2018 states that "loss of an opportunity" and "denying or limiting access

      to spaces or events otherwise open to the public" are examples of
      infringements of rights and freedoms. In the opinion of the Disputes Chamber, the fact that the

      concerned is denied access to the terminal and that he is prevented from boarding a




70 Data Protection Authority Recommendation No 01/2018 of 28 February 2018, §46.  Available at:
https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-01-2018.pdf Decision on the merits 47/2022 - 52/73




      escape, an infringement of identified rights or a risk as referred to in the

      recommendation. Therefore, the defendant should have examined these risks. The

      Disputes Chamber considers that the Respondent has provided an example of such an analysis

      in its conclusion responding to finding 5 of the Inspectorate concerning the breach

      breach of confidentiality and the obligation to implement technical and organisational
      measures to protect the data (see paragraph 274 et seq.) and finding 6 regarding

      the principle of data protection by design and by default (paragraphs 291 et seq.).

      The Disputes Chamber regrets that this analysis was not included in the GEB, as it should have been

      been done.


263. The Disputes Chamber also notes that in establishing the alleged legal basis for the

      no impact assessment was carried out.It was nevertheless very important for the defendant
                                                 71
      to prepare a full risk analysis.


264. The Disputes Chamber therefore finds a breach of Article 35.7.c.



    In connection with the measures envisaged to address the risks (Article 35.7.d

    AVG)



     Findings of the Inspectorate



265. Taking into account the above, the Inspectorate finds that BSCA nv, due to the risks

      to the rights and freedoms of the data subjects, it was not able to assess the

      analyse possible measures by which these risks could be addressed in accordance with

      Article 35.7.d of the AVG.







     Position of the defendant



266. According to the Respondent, this is not entirely correct. Indeed, he says he has the measures

      analysed based on the criteria included in the CNIL tool. It is therefore

      incorrect to claim that without further substantiation this assessment cannot possibly be

      used.






71Article 35.10 of the AVG provides that a controller may be exempted from carrying out an
impact assessment if it was already carried out when the legal basis was established in accordance with Article 6.1.c, which does not seem to be the case here
case appears to be.                                                                            Decision on the merits 47/2022 - 53/73



267. The defendant would like the Inspectorate to consider how and why the

      proposed measures are not sufficient given the risks revealed by the GEB

      conducted by the Respondent.


268. He believes that without substantiation, it cannot be held that the defendant's

      failed to fulfil its obligations.



    Assessment by the Disputes Chamber



269. Like the Inspectorate, the Disputes Chamber is of the opinion that the shortcomings regarding

      Article 35.7.a, b and c make it impossible to carry out a proper assessment of the measures to address the risks that were not assessed.
      measures to address the risks which were not assessed.

      opinion of the Disputes Chamber, there is therefore a breach of Article 35.7.d.




    Concluding remarks


    Findings of the Inspectorate



270. The Inspectorate wishes to emphasise that, in view of the determinations made, it does not consider it necessary to

      considered it necessary to analyse each of the elements of the GEB of BSCA SA, as the

      Inspection Service believed that these findings were in themselves sufficient to prove the infringement of Article 35.7 of

      the CGU.



    Position of the defendant



271. The defendant does not respond to the Inspectorate's findings on this point.



    Assessment by the Disputes Chamber



272. In conclusion and in view of the above, it can be stated that the Respondent's GEB does not have any

      constitute a sufficiently detailed and complete impact assessment to satisfy the requirements of

      Article 35.7 of the AVG. Indeed, the submitted document looks more like a description and

      validation of the processing system that is widely applied,rather than a genuine assessment of

      risks to the rights and freedoms of data subjects and a general reflection on the
      application of this system. On the basis of the above points, the Disputes Chamber therefore states

      a breach of Article 35.7.                                                                           Decision on the merits 47/2022 - 54/73





    II.3.Finding 5: Breach of confidentiality and obligation

    to take technical and organisational measures to secure the data
    (Articles 5.1.f and 32 AVG)




     Findings of the Inspectorate


273. The Inspectorate finds that BSCA nv, in breach of Article 5.1.f and Article 32 of the AVG, violated the

      confidentiality principle and failed to comply with the obligation to provide appropriate

      measures to ensure data security. This finding is

      based on the fact that the identification data and passwords used to access

      to the computer controlling the thermal imaging cameras were included in the Note
      communicated to the BelgianRed Cross and to the defendant's fire brigade, which made the

      risk that the data could be accessed by persons other than those authorised to do so.

      consulted.




     Position of the defendant


274. Forthedefendant,ariskcanbedefinedas "acenariodateofeventrequirements.

      consequences estimated in terms of severity and probability."


275. In analysing the risk inherent in unauthorised access to the computer with which

      the cameras, it must be concluded that the measures taken reduce this risk to an extremely low level
      reduce (or even eliminate) this risk to an extremely low level, both in terms of probability and of

      severity, and that they are therefore proportionate to the risk, as required by Article 32 of the AVG.


276. The defendant believes that the PC in question is never accessible to people other than the

      employees of the fire brigade or the Red Cross and that, even if someone could have gained access
      been able to gain access to this room and computer, this person should also have had the codes

      had the codes that are in the Note kept by the fire service. This, according to him, is highly

      unlikely.


277. On risk, the defendant argues that an unauthorised person who had the
      access codes would have had access to the computer but not to the

      personal data,since the system knew the data when it was restarted.

      However, given that Red Cross staff were on duty during airport opening hours, the

      were always present, along with the fire brigade, no other person would be able to access the data during the day's

      have had access to the room where the data was processed.                                                                              Decision on the merits 47/2022 - 55/73



    Assessment by the Disputes Chamber



278. Article5.1.fof theAVG establishes the principle of integrity and confidentiality.This provision

      is reproduced below:


     "1. Personal data must:
     [...]

     (f)bythe adoptionofappropriatetechnicalororganisationalmeasuresinaningthat

     be processed in such a way that appropriate security is ensured and that, inter alia, they are protected.

     against unauthorised or unlawful processing and against accidental loss, destruction or accidental damage

     damage (integrity and confidentiality)."


     Recital 39 of the AVG adds, "Personal data should be processed in a

     manner that ensures appropriate security and confidentiality of that data, including for the purpose of

     preventing any unauthorised access to or use of personal data and

     the equipment used for processing."



279. This principle is further elaborated in Article 32 on security of processing. It reads as

      as follows:



                                                 "Article 32:



                                       Security of processing


   1.  Taking into account the state of the art, the implementation costs, as well as the nature, the

    extent, context and purposes of processing and varying degrees of probability and gravity of

    risks to the rights and freedoms of individuals, the controller and the

    processor shall implement appropriate technical and organisational measures to ensure a risk-adapted

    security level, which shall include, where appropriate, the following:


       (a) the pseudonymisation and encryption of personal data;



       (b) the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability

        and resilience of processing systems and services;



       (c) the ability, in the event of a physical or technical incident, to restore the availability of and
        access to personal data in a timely manner; Decision on the merits 47/2022 - 56/73



       (d) a procedure for periodically testing, assessing and evaluating the

        effectiveness of technical and organisational measures to secure the

        processing.



   2. In assessing the appropriate level of security, particular account shall be taken of the

    processing risks, in particular those resulting from the destruction, loss, alteration or unauthorised
    disclosure of or unauthorised access to transmitted, stored or otherwise processed

    data, whether accidental or unlawful.



   3.  Joining an approved code of conduct as referred to in Article 40 or an approved

    certification mechanism referred to in Article 42 may be used as an element to demonstrate

    compliance with the requirements referred to in paragraph 1 of this Article.


   4. The controller and the processor shall take measures to ensure that

    any natural person acting under the authority of the controller or the

    processor and has access to personal data, does so only on the instructions of the

    controller, unless he is required to do so pursuant to Union or Member State law

    obliged to do so."


280. According to theInspection Service, the risk exists that the data in question will be held by an unauthorised person

      person, because both the password and the login to access

      the computer to which the thermal imaging cameras are connected can be read in the Note attached to the

      Belgian Red Cross was communicated.


281. Based on the elements presented by the Respondent, the Dispute Chamber considers that this risk is
      unlikely. An unauthorised entry is possible only if all the following

      conditions are met:


        - Having access to the Red Cross note;

        - Having access to the room with the personal computer. According to the defendant, the PC is always manned

            by a team during airport opening hours at departure and during the
            arrivals of passengers from a red zone on arrival. Consequently, it seems impossible

            that a third party could use the computer given the presence of the teams;

        - Being able to log in with login and password.



        The Disputes Chamber therefore finds that the likelihood of the risk of unauthorised

        access is very limited.

282. Moreover, the Disputes Chamber agrees with the Respondent's conclusion that a third party, even

      if he managed to gain unauthorised access to the PC, would at best only Decision on the merits 47/2022 - 57/73



      would have access to the most recent 20 photographs of people with a temperature of more than

      38°C. These are personal data which, outside the specific context of their processing and the

      possible refusal to enter the terminal, present little risk and only slightly personal

      are, as the vast majority of people have had a fever at some point in their lives. In the case of a non-

      authorised access to the PC after it was switched off at the end of the day, all images would
      would, moreover, have already been erased. The Disputes Chamber is therefore of the opinion that the security risk is very

      minor and that no breach of Articles 5.1.f and 32 of the AVG can be established.


283. In general, however, it recommends that, as a security measure, logins and passwords

      For example, a password can be kept in a single document,
      but it is clearly safer to send it via another communication channel (e-mail, SMS,

      etc.), which also allows the password to be renewed more often and more easily.


284. In the Disputes Chamber's view, in implementing the GEB, the Respondent should have

      demonstrate that it had correctly assessed the safety risks. It can only regret that the
      three pages of arguments and explanations in the Respondent's conclusion were not included in the

      relevant section of the GEB were included. In this regard, she refers to her earlier

      conclusions above (see paragraph 262).




    II.3.8Conclusion 6: Violation of the data protection principle by
    designs by standard institutions (Article 25 AVG)




    Determinations of the Inspectorate



285. Because the use of smart cameras, which include thermal imaging cameras, can pose serious risks
      may pose serious risks to the rights and freedoms of data subjects, the Inspectorate considers it of

      essential that the controller take appropriate measures to protect the

      effectiveness of the principle of data protection by design and by

      default settings. This is all the more important when the processing in question is

      involves sensitive data, namely data relating to health.

286. In the first place, the Inspectorate considers that the Respondent, by prior to processing

      not carrying out an EIA, it was not in a position to properly implement the various appropriate measures

      document and analyse them. In this regard, it refers to the findings above (see

      paragraph 262).

287. TheInspection Service finds thatderecenttwenty alarm images are in the cache memory (RAM) of

      the management software of the thermal imaging cameras and that they are stored one by one

      deleted, even when the computer is shut down (which happens every evening). In the opinion of Decision on the merits 47/2022 - 58/73



      the inspectorate, this temporary storage is not necessary to single out certain people and to

      additional checks (on arrivals) or to inform them of the possible

      symptoms of COVID-19 (at departures). A simple representation of the warnings in

      real time on the screen would be sufficient.


288. The Inspectorate further believes that the Respondent did not make any
      inquired about the storage period, although it should have done so and the

      supplier itself made enquiries about this to the Respondent.


289. Finally, the Inspectorate is of the opinion that the control of the temperature of the conductors does not

      necessary to achieve the objective described. It adds that the heading of the

      Protocol which refers to temperature control refers only to the
      passengers and not the attendants.


290. On the basis of these elements, the Inspectorate finds that BSCA nv has both the principle of the

      minimum data processing as well as the principle of data protection by

      design of Articles 5.1.c and 25 of the AVG.



     Position of the defendant





291. First, the Respondent considers that the Inspectorate's findings reflect a lack of

      practical sense. He believes that the Inspectorate's analysis lacks insight into the concrete
      situationin practice.Given the large number of people who pass through the terminal every day,it is

      namely impossible to immediately check everyone with a temperature above 38°C at the pre-

      check immediately. It is therefore necessary to record camera images so that people

      can be recognised and identified. Without these recordings, there is a risk that

      identified people can walk through anyway. The defendant fails to see how it had the system

      work with a "simple real-time display of warnings on the
      screen", as the Inspectorate suggests.


292. The Respondent adds that the recorded images are limited to a maximum of 20 at a time

      and that they are systematically weighted at the end of the day, i.e. after a maximum of 17 hours (between 4.00am

      hours and 9pm).

293. He denies the finding that he did not check with the processor about the storage period

      and says that this cannot be concluded from the very brief e-

      e-mail correspondence referred to.


294. Nor does the defendant see how it could have avoided processing the data from the

      attendants who presented themselves at the airport, except by separating them from the passengers, which Decision on the merits 47/2022 - 59/73



      he considers neither humanly nor organisationally reasonable. He further states that on his

      website reported that access to the terminal was reserved for travellers with a valid

      plane ticket, but that it was difficult to refuse an adult to allow his child into the terminal

      He added that they were also a health risk from the moment they were

      entering the airport. With a view to applying the compulsory protocol which he was

      imposed and taking into account his organisation, the concluant considered that all those who passed
      the pre-check was a passenger within the meaning of the Protocol.




     Assessment by the Disputes Chamber



295. The Inspectorate's findings are based on Articles 5.1.c and 25 of the AVG, which
      relate respectively to the principle of minimum data processing and the

      principle of data protection by design and by default settings. The text is

      shown below:




                                                  "Article 5:


                            Principles relating to the processing of personal data



      1. Personal data must:



      [...]


       (a) adequate, relevant and limited to what is necessary for the purposes

          for which they are processed (minimum data processing);"







                                               "Article 25:


                     Data protection by design and by default settings



      1. Taking into account the state of the art, implementation costs, and nature, scope,

      context and purpose of the processing as well as the likelihood and seriousness

      varying risks to the rights and freedoms of natural persons resulting from the processing
      processing, the controller shall, both in determining the

      means of processing and the processing itself, the controller shall implement appropriate technical and organisational measures, both when determining the means of processing and at the time of the processing itself.



      measures, such as pseudonymisation, which are designed with the aim of ensuring the

      data protection principles, such as minimal data processing, in an effective

      manner and to build the necessary safeguards into the processing to comply with the

      requirements of this Regulation and to protect the rights of data subjects.



      2. The controller shall implement appropriate technical and organisational measures
      to ensure that, in principle, only personal data necessary

      for each specific purpose of processing. That obligation shall apply to the amount of personal data collected

      personal data, the extent to which they are processed, the period for which they are stored

      and their accessibility. In particular, these measures ensure that personal data

      in principle not accessible without human intervention to an unlimited number of natural persons

      are made accessible.


      3. A certification mechanism approved in accordance with Article 42 may be used if

      element to demonstrate compliance with the requirements of paragraphs 1 and 2 of this Article."



296. The principle of minimum data processing is afundamental principle for the application

      oftheprincipleofdataprotectionbydesignbystandardinstitutions.Thereare

      directly referred to in the first and second paragraphs of Article 25.

297. These articles impose various obligations on the controller, which are as follows

      can be summarised. First, only the data necessary for the purpose must be

      be processed (Article 5.1.c AVG). Secondly, the controller must process appropriate

      technical and organisational measures to implement the principles of data protection

      implementation (Article 25.1 AVG). Finally, the controller must implement appropriate
      technical and organisational measures to ensure that, in principle, only

      personal data are processed that are necessary for each specific purpose of the processing

      (Article 25.2 AVG).


298. First, the Disputes Chamber agrees with the Inspectorate that compliance with this

      obligations should have been demonstrated in the GEB that the controller should have
      should have carried out prior to the start of processing. In this regard, the Disputes Chamber refers

      to the findings above (see paragraph 262 above). However, it relies for its analysis on the

      additional elements that the Respondent provided in its submission.


299. The documents on file show that the data processed were the temperature and a photograph taken by the
      cameras were photographs taken of persons with a temperature above 38°C that the

      terminal or passengers returning from a red zone. He also notes that

      up to 20 photographs were kept at a time and that these were replaced one by one with

      older photographs according to the 'first in, first out' principle. According to the defendant, these photographs were attached to Decision on the merits 47/2022 - 61/73



      erased at the end of the day, meaning that the photos were theoretically kept for a maximum of 17 hours.

      This processing was to allow individuals with temperatures above 38°C

      who wanted to enter the terminal or were on a flight from a red zone

      were returning.


300. Initsinvestigationreport,theInspection Service judgedthatthisstorageisoftenlongandthatitisnot
      necessary to pick out people and carry out additional checks (on departure) or to make them

      inform them about the possible symptoms of COVID-19 (on arrival). A simple

      display of real-time alerts on the screen would suffice.


301. The Disputes Chamber finds that the controller has limited itself to the

      two types of data: the temperature and a photograph identifying the person with a temperature of more than38°C.
      The photographs were kept for a maximum of 17 hours.

      The temperature is the data collected and the photograph is the data enabling identification

      of the person with a temperature of more than 38°C. The Disputes Chamber considers that in

      this situation, the temporary retention of the photograph is necessary in order to correctly identify the

      person concerned. Limiting oneself to a simple screen display in real time would

      indeed mean that it should be possible to address the data subject immediately, which
      could be very complex with a large influx of passengers. Furthermore, temporarily retaining

      of a photograph may be necessary to ensure that the person being stopped does

      is indeed the person to whom the processing relates. In this context, the storage duration and -

      modalities are necessary to achieve the purpose of the processing, since a more restrictive

      methodcouldprovideexcessivepracticalproblemsin pursuing the purpose.

      In the Disputes Chamber's view, the Respondent did have technical and

      organisational measures to mitigate the risks of the processing.


302. The Disputes Chamber also notes that particular attention appears to have been paid to the principle of

      of minimum data processing, as the identity of the data subjects was not

      recorded and the only anonymous register of the number of data subjects was destroyed weekly.

303. In connection with the processing of the data of escorts,who are thus not passengers, refers

      the Disputes Chamber refers to its conclusions under determination 2 regarding the purpose of processing.

      It recalls that the purpose stated by the defendant is "to protect the health of

      persons in transit in the airport and of terminal staff." (see paragraph 191
      et seq.).The purpose of processing is therefore not limited to recording the temperature of

      passengers, but of all persons wishing to enter the terminal. In this respect, the

      taking the temperature of escorts is consistent with the purpose.                                                                              Decision on the merits 47/2022 - 62/73



304. The Disputes Chamber finds that the principle of minimum

      data processing (Article 5.1.c AVG) or the principle of data protection by design

      and by default settings (Article 25 AVG).






    II.3.Finding 7: Breach of the obligation to keep a complete register of the
    processing activities(Article 30.1 AVG)




    Findings of the Inspectorate


305. The Inspectorate notes that the register does not contain all the mandatory information required by Article

      30.1 of the AVG must be included in a register of processing activities, as the

      following information is missing:


       - the name and contact details of the controller, i.e. BSCA SA. The

              document contains a column 'processing manager' in which the natural
              person(s) responsible within BSCA nv for the

              data processing;

       - the name and contact details of the data protection officer;

       - the categories of recipients to whom the personal data have been or will be

              disclosed.


    Position of the defendant



306. The defendant admits the deficiency in relation to the name and contact details of the

      controller and the data protection officer, and has provided a

      updated version of its register.


307. In relation to the categories of recipients, the Respondent considers that the Inspectorate
      adds categories not provided for by the AVG, as the latter does not require the

      relevant entity or category of processor to be listed.




     Assessment by the Dispute Resolution Chamber



308. The Inspectorate alleges that the defendant failed to comply with article30.1oftheAVG.Thisarticle

      is reproduced below:


                                                 "Article 30.                                                                           Decision on the merits 47/2022 - 63/73




                                   Register of processing activities


    Each controller and, where applicable, the representative of the
    controller shall keep a register of processing activities that take place under their
    responsibility. That register shall contain all of the following information:


    (a) the name and contact details of the controller and any joint
       controllers, and, where applicable, the representative of the controller and of the data protection officer
       controller and of the data protection officer;


    (b) the processing purposes;

    (c) a description of the categories of data subjects and the categories of
       personal data;


    (d) the categories of recipients to whom the personal data are or will be disclosed, including recipients in
       including recipients in third countries or international organisations;

    (e) where applicable, transfers of personal data to a third country or an international
       organisation, indicating that third country or international organisation and, in the case of

       the transfers referred to in the second subparagraph of Article 49(1), the documentation of the appropriate
       safeguards;

    (f) if possible, the time limits envisaged for the different categories of data

       must be erased;

    (g) if possible, a general description of the technical and organisational
       security measures referred to in Article 32(1)."


309. The Disputes Chamber notes that the Defendant's deficiency with regard to the name and

      contact details of the controller and the officer for

      admits (Article 30.1.a), and that it has provided an updated version of its register

      has provided. The name and contact details of the controller and the

      data protection officer are included therein.

310. In relation to the categories of recipients to whom personal data have been or will be

      provided, the Disputes Chamber notes that Article 30.1.d of the AVG requires "the categories of

      of recipients to whom personal data have been or will be disclosed".The

      term 'recipient' is defined in Article 4.9 of the AVG as "a natural or
      legal person, public authority, agency or any other body, whether a third party or not, to

      whom/to which personal data are disclosed."


311.  The Disputes Chamber should rule on how precise the categories of

      recipients should be identified in the register of processing activities.

312. The defendant's register of processing activities contains a title 'Recipient?'. This title

      contains several tabs structured as follows:


        - a 'processor' tab with two options: 'yes' or 'no'; Decision on the merits 47/2022 - 64/73




         - a tab 'application used', under which the name of the application is listed;

         - an 'internal or external application' tab, where either option can be selected;

         - a tab 'digital/paper', where either option can be chosen;

         - a tab 'third country (non-EU)' under which the answer 'no' appears systematically.



313. CBPL Recommendation No 06/2017 of 14 June 2017 on the register of the
                                                                                72
      processing activities(article30oftheAVG)deals with this issue. It clarifies: "Here are

      thus refers to both possible internal and external recipients (such as processors or third parties) who are in or

      outside the European Union. The explanatory note to the pre-processing declaration

      gives as examples: the personal relationships of the person concerned, employers, other
      services or companies of the controller, social security, police and

      judiciary, personal data brokers or direct marketing, etc. (Annex 1)."


314. From the text of the AVG, axed by a CBPL recommendation and the doctrine, 73

      thus shows that it is admittedly not necessary to specify the individual recipients of the data,

      but it is necessary to group them by category of recipients. By stating only whether

      it is or is not a processor, this requirement is therefore not met.


315. Based on the above elements, the Disputes Chamber concludes that there is a

      breach of Articles30.1.a and 30.1.d of the AVG.



    II.3.10Findings 8: Breach of the obligation to ensure the independence of the
    data protection officer in accordance with Article 38.3 of the AVG




    Findings of the Inspectorate



316. The Inspection Service finds that BSCA nv, contrary to what Article 38.3 of the AVG

      prescribes, failed to ensure that the data protection officer did not have a

      receive instructions regarding the performance of his duties, particularly in view of his function

      within the company's organisational chart and his duty to report to the legal

      director.



    Position of the defendant








72Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.-06-2017.pdf

73W. Kotschy, "Article 30: records of processing activities", in Ch. Kuner The EU General Data Protection Regulation (GDPR), a
commentary, 2020, p. 621.                                                                              Decision on the merits 47/2022 - 65/73



317. The defendant believes that the Inspectorate's conclusions are incorrect. He considers - and

      refers to the Guidelines in support of his argument - that the Inspectorate's

      independence of the Data Protection Officer has not analysed but

      merely adopted the information from the organisation chart and did not demonstrate how he then

      would have received instructions regarding the performance of his duties. For that, the

      service should have relied on concrete deficiencies. According to the defendant, the
      attending meetings 'between departments' does not constitute proof of a lack of independence,

      but rather of involvement within the company. The defendant refers to the reply

      he already sent to the Inspectorate stating that the officer for

      data protection is part of the legal department, reports annually to the

      management and receives an annual budget.

318. At the hearing, the defendant's data protection officer stated that his

      position within the company is clear and that the management listens to him. He added

      that he used to report to the legal director and work in the legal department. Meanwhile,

      become the legal director's number 2 in the company and the officer stands for

      data protection officer is therefore directly under his authority, even though he is still on the payroll

      of the legal department.



    Assessment by the Disputes Chamber





319. The Inspectorate finds a breach of Article 38.3 of the AVG. This article is reproduced below
      reproduced:




                                                  "Article 38.

                           Position of the data protection officer


    The controller and the processor shall ensure that the data protection officer

        is properly and timely involved in all matters that are

        related to the protection of personal data.


    2.    The controller and the processor shall support the officer for

        Data Protection Officer in performing the tasks referred to in Article 39 by providing him with access

        personal data and processing operations and by providing him with the necessary

        providing him with the resources necessary to perform these tasks and maintain

        his expertise.                                                                              Decision on the merits 47/2022 - 66/73




    3.   The controller and the processor shall ensure that the officer for

        receives no instructions regarding the performance of those duties.

        He shall not be dismissed or penalised by the controller or processor for the

        performance of his duties. The data protection officer shall report directly

        to the most senior manager of the controller or processor."



320. According to the Inspectorate, the controller met the obligations of Article

      38.3, as the position of the data protection officer under the authority

      of the Respondent's legal director and the fact that every fortnight he had to report to the latter

      report to the latter, are contrary to the prohibition on receiving "instructions relating to the performance of his duties".
      of his duties".


321. The Article 29 Data Protection Working Party drafted guidelines in relation to the officer

      Data Protection Officer which were adopted by the EDPS.          74About independence

      of the data protection officer, the guidelines contain the following paragraphs:




      "This means that data protection officers, in performing their duties, should

      under Article 39 may not receive instructions in connection with the handling of a case.

      such as as as to the result to be achieved, the manner in which a complaint is to be investigated or the

      whether or not to consult the supervisory authority. Furthermore, they should not be required

      to take a particular position on a matter relating to legislation on

      data protection law such as a particular interpretation of the law.



      [...]


      If a controller or processor takes decisions that are incompatible

      with the AVG and the advice of the data protection officer, the latter must be

      dissenting opinion to the highest management level and to the
                      75
      decision-makers."



322. The guidelines thus show that the issue of the independence of the officer for

      data protection officer is based on two different criteria. First, his
      independence should be assessed within the context and in situ: one should make sure of

      that he is not influenced or pressurised to perform the tasks assigned to him under the AVG

      entrusted to him in a certain way. This is therefore an obligation to




74 Data Protection Working Party Article 29, Guidelines on Data Protection Officers, WP 13 rev 2016. Available at:

https://ec.europa.eu/newsroom/article29/items/612048.
75Ibid. pg. 18. [free translation] Own boldface mark of theGeschillenkamer.                                                                               Decision on the merits 47/2022 - 67/73




      refrain from any interference with its duties and the absence of retaliatory measures. From the

      text of the AVG and the guidelines, a second - this time positive - obligation arises.

      This entails that the controller must ensure that the data protection officer
      data protection officer is accountable at the highest hierarchical level for his

      advice and work. This is an additional form of protection that the officer for

      data protection officer should be able to make his voice heard within the organisation.


323. The Disputes Chamber notes that the Inspectorate has no comments on the second

      obligation, i.e. being able to report to the highest hierarchical level.


324. However, the Inspectorate does consider that the position of the Data Protection Officer according to
      the organisational chart impairs his independence, as it conflicts with the first

      obligation, namely that there should be no interference with his work. As

      it explained above, however, the Disputes Chamber considers that from the position on the

      organisational chart and the obligation to report biweekly to the legal director

      cannot be inferred that the data protection officer receives instructions which are

      This should be assessed on the basis of concrete indications of

      interference which were not presented in this case. The AVG does not prohibit the Data Protection Officer from

      data protection officer having a hierarchical superior.


325. Article 38.3 of the AVG also specifies that the data protection officer "shall not be dismissed or punished by the
      controller or processor shall not [be] dismissed or penalised for performing

      of his duties." From the documents on file and, in particular, the defendant's response to the

      questions posed by the Disputes Chamber in preparation for the hearing, however, show that the

      data protection officer between MayandAugust2020was very vague and technically unemployed

      was. The Respondent provides the following breakdown in this regard:




           "In conclusion, the full settlement of the number of working days of the officer for

           Data Protection Officer of the Respondent between April 2020 and August 2020:
           - Three (3) days in April 2020;

           - Five (5) days in May 2020;

           - Three (3) days in June 2020;

           - Nine (9) days in July 2020; and

           - Thirteen (13) days in August 2020. "76










76Brief of 18 October 2021, p. 5. [free translation] Decision on the merits 47/2022 - 68/73




326. These documents show that between April 2020 and
                                                             77
      August 2020 only worked a total of 33 days.

327.  The Respondent's response shows that a large proportion of its staff at that time were

      was technically unemployed. Thus, the Disputes Chamber cannot conclude that the officer for

      data protection officer was particularly affected by this technical unemployment and was

      "penalised for performing his duties" within the meaning of Article 38.3.


328. However, it is clear from the above figures that the data protection officer is very

      few effective working days when the implementation of processing was

      prepared (in June 2020). The Dispute Chamber therefore doubts whether he "could [be] properly and timely involved
      be] involved in all matters relating to the protection of

      personal data" as required by Article 38.1 of the AVG. The Disputes Chamber is aware

      aware that on 30 April 2020, the data protection officer was requested to submit a note

      on the lawfulness of the processing of temperature measurements, and that the

      data protection officer had the same note with a shortfall of 2.5 pages.

      replied. It also noted that the file contains some e-mail messages that were sent in the relevant

      period with the data protection officer. However, she is of

      considers that this in itself does not constitute conclusive evidence of the appropriate and timely involvement of the

      data protection officer.

329. On the contrary, the Disputes Chamber questions the fact that the officer for

      data protection officer was placed on technical unemployment during the period in which the disputed

      processing operations were introduced, which may have affected his ability to 'properly

      and timely' to be involved in the reflection on the said processing.         78The

      Disputes Chamber considers that the decision to place the data protection officer on

      technical unemployment could prevent him from performing his duties in accordance with

      with Article 38.1 of the AVG. However, the Chamber does not have sufficient evidence to conclude

      rule on this in this case and establish a breach.




III. Infringements and sanctions




 330.   According to Article 100 of the CPC, the Disputes Chamber has the power to:


         1° dismiss the complaint;

         2° order the exclusion of proceedings;



77
  Ibidem.
78Art. 38.1AVG.                                                                               Decision on the merits 47/2022 - 69/73



         3° order a stay of judgment;

         4° propose a settlement;

         5° issue warnings and reprimands;

         6° order that the requests of the person concerned for his rights be complied with

         exercise his rights;

         7° order that the data subject be informed of the security problem;
         8° order that the processing be temporarily or definitively frozen, restricted or

         prohibited;

         9° order that the processing be brought into compliance;

         10° the rectification, restriction or deletion of data and the

         order their notification to the recipients of the data;

         11° order the withdrawal of the accreditation of certification bodies;
         12° impose periodic penalty payments;

         13° impose administrative fines;

         14° suspend cross-border data flows to another State

         or an international institution;

         15° transfer the file to the public prosecutor's office in Brussels,

         which shall inform it of the action taken on the file;
         16° decide on a case-by-case basis to publish its decisions on the website

         of the Data Protection Authority.





331. With regard to the administrative fine that may be imposed under Articles
     58.2.i and 83 of the AVG and Articles 100.13 and 101 of the WOG, Article 83 of the AVG provides:




       "1. Each supervisory authority shall ensure that administrative fines resulting from

       imposed under this Article for the breaches of

       this Regulation are effective, proportionate and dissuasive in each case.

       Administrative fines shall be imposed, depending on the circumstances of the case,

       imposed in addition to or instead of the fines provided for in points (a) to (h) and (j) of Article 58(2),

       measures referred to. When deciding whether an administrative fine shall be

       imposed and on the amount thereof, due account shall be taken for each specific case

       account of the following:

       (a) the nature, gravity and duration of the breach, taking into account the nature, extent

       or purpose of the processing in question as well as the number of data subjects affected

       and the extent of the harm suffered by them; Decision on the merits 47/2022 - 70/73




       (b) the intentional or negligent nature of the infringement;


       (c) the measures taken by the controller or processor

       measures taken to mitigate the harm suffered by data subjects;

       (d) the extent to which the controller or processor is responsible

       in view of the technical and organisational measures it has implemented

       in accordance with Articles 25 and 32;


       (e) previous relevant breaches by the controller

       or the processor;


       (f) the degree of cooperation with the supervisory authority in order to

       remedy the breach and mitigate its potential negative consequences;

       (g) the categories of personal data affected by the breach;

       (h)the manner in which the supervisory authority became aware of the breach, with

       in particular

       whether, and if so to what extent, the controller or processor had knowledge of the breach

       reported;


       (i) compliance with the measures referred to in Article 58(2), to the extent previously

       in respect of the controller or processor in question

       with respect to the same matter;

       (j) adherence to approved codes of conduct in accordance with Article 40 or

       to approved certification mechanisms in accordance with Article 42; and


       (k) any other aggravating or

       mitigating factor, such as financial gains made, or losses avoided,

       arising directly or indirectly from the infringement."


332. The Disputes Chamber recalls that a fine is not intended to put an end to a

      committed infringement, but to effectively enforce the rules of the AVG. As is clear from
      recital 148, the AVG indeed requires that for any serious breach - including the first

      determination of a breach-sanctions(including administrative monetary fines)shall be imposed in addition to

      or instead of the appropriate measures imposed.      79 This same recital



79Recital148 states that in this context: "In order to strengthen the enforcement of the rules of this Regulation
penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of any
appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If
the infringement is minor or if the likely fine would impose a disproportionate burden on a natural
A reprimand may be chosen instead of a fine.
nature, seriousness and duration of the infringement, the intentional nature of the infringement, damage limitation measures, the degree of responsibility, or previous relevant
degree of responsibility, or previous relevant breaches, the manner in which the breach came to the notice of the
supervisory authority, with the compliance with the measures taken against the
controller or processor, with adherence to a code of conduct and with any other aggravating or
mitigating factors. The imposition of penalties, including administrative fines, should be subject to Decision on the merits 47/2022 - 71/73



      provides for two cases in which it is possible to waive a fine, namely in the case of small

      infringementsorwhenthefinewouldbeunreasonablyburdensomeforthenaturalperson,

      meaning of recital 148 of the AVG. In both cases, a fine could be waived.

      That it concerns the first finding of a data controller's breach of the

      AVG, does not alter the fact that the Dispute Resolution Chamber may impose an administrative fine.

      An administrative fine is not intended to put an end to infringements. To this end
      the AVG and the WOG provide for a number of remedies, including orders

      referred to in Article 100, §1, 8° and 9° of the CPC.


333. In this case, the Disputes Chamber found that the Respondent had infringed the

      following articles:

           (a) Infringement of Articles 6.1.c, 6.3 and 9.2.i, as it was not shown that the

               processing is necessary for reasons of public interest in the field of the

               public health,such as protection against serious cross-border threats to the

               health or ensuring high standards of quality and safety of the

               healthcare and of medicines or medical devices, on the basis of

               Union law or Member State law laying down appropriate and specific measures
               to protect the rights and freedoms of the data subject, in particular the

               professional secrecy.    Moreover, the arguments put forward by the defendant

               legal bases (namely the Decree of 23 June 1994 on the establishment and

               operation of airports and airfields under the Walloon Region, the

               Ministerial Decree of 30 June2020containing urgent measures to spread the

               coronavirus COVID-19, the law of 31 December 1963 on civil
               Protection (as replaced by the law of 15 May 2007) and the Protocol on Commercial

               Aviation Passengers" of 11 June 2020) do not meet the requirements of Article 6.1c, read in

               in conjunction with Article 6.3 of the AVG.


           (b) Breach of Articles 5.1.a, 12.1, 13.1.c, 13.2.a, 13.2.d and 13.2.e due to non-compliance

               of the obligation of transparency towards the persons concerned by failing to inform them
               of the fact that the temperature measurement would be done with thermal imaging cameras;

               for failing to properly inform passengers leaving a red area

               about the legal basis of the processing, the purpose of the processing and

               the regulatory framework for the obligation to monitor body temperature;

               For failing to properly inform these passengers about the period during

               for which the data will be kept and on the right to complain to the
               data protection authority.




appropriate procedural guarantees in accordance with general principles of Union law and the Charter, including an
effective remedy and due process. [own emphasis by theGeschillenkamer] Decision on the merits 47/2022 - 72/73



           (c) Infringement of Article 5.1.b. as the purpose of the processing is not sufficiently explicit

               was stated at the start of the processing, as it was not stated in any of the documents submitted by the defendant

               sources of information used was expressly stated. The purpose of the processing was

               explicitly stated only in the response to the Inspectorate's questions and after the

               update of the privacy policy in December 2020.


           (d) Breach of Articles35.1and35.7because no data protection impact assessment
               was carried out before the start of processing. Moreover, the impact assessment is

               incomplete in that it does not contain an adequate description of the processing operations envisaged

               and the purposes of the processing, the necessity and proportionality of the

               processing insufficiently analyses the risks to the rights and freedoms of the

               data subjects not properly assessed.


           (e) Breach of Articles30.1.aand30.1.dom in that the register of processing activities contains
               at the time of the investigation, the name and contact details of the

               controller and the data protection officer were missing,

               and that the categories of recipients of the data were inadequate and inaccurate

               specified.


334. In accordance with Article 101 of the CPC, the Disputes Chamber decides to impose a fine of

      100,000uros for violations of Articles 5.1.a,5.1.b,6.1.c,6.3and9.2.i,12.1,13.1.c,
      13.2.a, 13.2.d, 13.2.e, 35.1 and 35.7.


335. Taking into account Article 83 of the AVG, the Disputes Chamber justifies the imposition of a

      administrative sanction in concreto0on the basis of the following criteria derived from this article

      which it considers relevant in this case:

    - the nature, gravity and duration of the infringement (Article 83.2.a) - The infringements established include

       a breach of the provisions of theAVG relating to the principles of data protection

       (Article 5 AVG) and lawfulness of processing (Article 6 AVG). According to article 83.5 of the

       AVG, violations of the above provisions are subject to the highest fines.


       The breaches identified also include a breach of the information and

       transparency obligations (Articles 5.1.a, 12.1 and 13 AVG). Compliance with the above
       provisions is essential. They must be notified no later than the start of the processing of the

       personal data are complied with. This is also necessary to ensure the exercise of the rights of the

       data subjects possible.


       The breaches identified are also related to the implementation of the

       data protection impact assessment. This obligation was fulfilled only after the start of



80Court of Appeal Brussels (Markets Court section), X. v. GBA, Judgment 2020/1471 of 19 February 2020 Decision on the merits 47/2022 - 73/73




        of processing, whereas this should have been done earlier(Article 35.1 AVG). It was furthermore
        not complied with the criteria of Article 35.7, which significantly impaired

        the credibility of the exercise and the potential benefits for rights.


    - Previous relevant breaches by the controller or processor (art. 83.2.e

        AVG): The defendant has never previously been the subject of a breach procedure before the

        Data Protection Authority.


    - Categories of personal data affected by the breach (Article 83.2.g AVG): The
        identified breaches relate to a category of personal data within the meaning of

        Article 9 of the WOG (data concerning the health of data subjects).


    - Other aggravating or mitigating circumstances applicable to this file

        (Article 83.2.k AVG): the defendant did not benefit from the processing operations carried out or

        infringements committed.

336. The totality of the elements set out above justifies an effective, proportionate

      and deterrent sanction provided for in Article 83 of the AVG, taking into account the

      defined assessment criteria.


337. A sanction form was also sent on 15 February 2022 to which the defendant replied on 9 March

      2022. These arguments can be summarised as follows:


            a. He was subject to the obligation to carry out the processing operations. He had no
               choice and could not rely on guidance from the GBA.


            b. A fine should remain an exceptional measure, especially given the state of

               force majeure in which the airport found itself and taking into account that the

               processing was very limited in time and is currently no longer taking place.


            c. The airport suffered extremely high losses as a result of COVID and needed a
               recapitalisation to avert bankruptcy. This recapitalisation was

               made conditional on the conclusion of a social agreement that provided for wage cuts for the

               employees (this agreement was reported in the press).


338. The Disputes Committee considers that the argument raised under point (a) in the decision section

      of the decision was addressed (see paragraph 58 et seq.). The Disputes Chamber reiterates that the Protocol

      is not a valid legal ground within the meaning of the AVG and that the Respondent has acknowledged that the Protocol
                                                                 81
      lacks clarity and that a law would have been preferable. She also refers to point 232 with regard to
      the lack of guidance.






81The Disputes Chamber also sends a copy of this decision to the competent minister.                                                                              Decision on the merits 47/2022 - 74/73



339. In the operative part of the decision, the Disputes Chamber also replied to point (b) already

      above (see paragraph 217 et seq.). With regard to the fact that the processing was limited in time and

      is no longer taking place at present, the Disputes Chamber recalls that it took place during a

      period of approximately 9 months (between June 2020 and March 2021), it took place for all passengers

      and attendants on departure, and for a period of just over a month for those from

      returning from a red zone (September-October 2020). It also recalls that the defendant
      although could not provide the total number of people involved, indicated that for the period alone

      between 15 June 2020 and 31 October 2020, some 457,000 passengers were affected at departure

      checked. Therefore, the processing cannot be considered to have been very limited in the

      time nor in terms of the number of people involved.


340. With regard to point (c), the Disputes Chamber recalls that turnover is the criterion for the
      calculation of the maximum amount of fines under the AVG, and not profit and

      loss account. The European legislator deliberately chose this to avoid variations in the

      profit and loss account the ability of data protection authorities to

      impose effective fines.


341. The Disputes Chamber further emphasises that the other criteria of article83.2 of theAVGin this case
      are not relevant and therefore do not lead to an administrative fine different from those imposed by the

      Disputes Chamber has determined in the context of this decision.


342. In view of the above, the Disputes Chamber finds that it may rely on the annual figures of

      Brussels South Charleroi Airport S.A. to determine the amount of the administrative fine imposed by

      it intends to impose on the Respondent.

343. The Disputes Chamber refers to the claim filed by the Respondent with the Disputes Chamber

      as well as to the financial statements filed with the National Bank of Belgium (BNB) on 5 July 2021 that

      shows a turnover of €28,859,291.41 for the 2020 financial year.

344. The provided administrative fine of 100,000 euros in this case corresponds to 0.34 %

      of the Respondent's annual turnover for the year 2020. The Disputes Chamber refers to the

      conclusion filed by the Respondent with the Dispute Chamber as well as to the complaint filed on 5 July 2021 with the

      National Bank of Belgium (BNB) financial statements filed for the 2020 financial year which show a turnover

      of €28,859,291.41.

345. The provided administrative fine of 100,000 euros in this case corresponds to 0.34 %

      of the defendant's annual turnover for the year 2020.


346. The Disputes Chamber states that the maximum amount of the administrative fine for a

      infringement is determined by Articles 83.4 and 83.4 of the AVG. The amount of the fine imposed by these

      imposed by this decision is significantly lower than the maximum amount provided for (which is a maximum of
      1,154,371.65 euros), as the Disputes Chamber took into account Decision on the merits 47/2022 - 75/73



      with all the relevant criteria listed in Article 83.2 of the CPC. Furthermore, the

      Disputes Chamber considers the concrete elements of each case individually to impose an appropriate sanction.

      impose.


347. For violations of Articles 30.1.a and 30.1.d, the Disputes Chamber, pursuant to Article

      100,§1,5°oftheWOG,decides to impose a reprimand.The infringements found concern relatively minor elements
      relatively insignificant elements, the violation of which does not in itself constitute justification

      for the imposition of a fine.







IV. Publication of the decision


348. Having regard to the importance of transparency with regard to the decision-making of the Disputes Chamber

      this decision is published on theData Protection Authority's website in accordance with
      Article 95, §1, 8° of the CPC, indicating the identification details of the respondent, and

      this due to the specific nature of the decision - making re-identification inevitable,

      even if the identification data are omitted-also because of the general interest of

      this decision.








    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority shall, after deliberation, decide to:

    - Impose a monetary fine of €100,000 on the defendant under Article 101 of the WOG

       for breaches of Articles 5.1.a, 5.1.b, 6.1.c, 6.3 and 9.2.i, 12.1, 13.1.c, 13.2.a, 13.2.d, 13.2.e,

       35.1 and 35.7;
    - Under Article 100, §1, 5° of the WOG, to impose a reprimand for the breaches of the

       Articles 30.1.a and 30.1.d.



    Pursuanttoarticle108,§1oftheWOG,thisdecisionmustbe takenwithin30daysofthenotification

    appeal to the Market Court, with the data protection authority as

    defendant.                                                                              Decision on the merits 47/2022 - 76/73









(signed) Hielke Hijmans

President of the Disputes Chamber