Background information
Date of final decision: 4/04/2020
Cross-border case or national case: National case
Controller: Brussels Airport Company & Ambuce Rescue team
Legal Reference: Article 5 § 1 c) of the GDPR; Article 6 of the GDPR; Article 9 of the GDPR; Article 12 combined with 13 §1 c) of the GDPR; Articles 35 §§ 1, 3 and 7 b) of the GDPR
Decision: Reprimand and fine
Key words: Temperature checks, special categories of data, Article 9, airports, covid-19, health data, cameras
Summary of the Decision
Origin of the case
Thermal cameras were used to check whether the passengers at Brussels airport (Belgium) had a body temperature of 38° Celsius or above, in which case the they were subjected to a second check (carried out by an organization called Ambuce Rescue team), during which they had to fill out a questionnaire concerning possible symptoms of the coronavirus and other health data.
This processing of special categories of personal data (health data) happened in the context of the Covid-19 pandemic, between June 2020 and January 2021.
The Belgian SA had started an ex officio investigation against both controllers in 2020.
Key Findings
The BE SA established that the controllers did not have a valid legal basis (Art 6.1 and 9.2 GDPR). The processing was mainly based on a Protocol which, according to the SA, did not meet the requirements of the aforementioned provisions nor of Article 6.3 of the GDPR and the case-law of the Court of Justice of the European Union ("Privacy International"). In particular, it emphasized that the Protocol was not binding under national law and that the necessity of the processing of the collected personal data for compliance with a legal obligation or task carried out in the public interest had not been demonstrated. In addition, it stated that the invoked legal basis was not clear, precise and foreseeable and did not clearly mention the purpose and other conditions of the processing.
One of the controllers violated Articles 12 to 14 of the GDPR because of a lack of transparency vis-à-vis the data subjects. The controller's privacy policy did not mention the legal basis for the processing.
What's more, the controllers did not carry out a DPIA with regard to the second part of the processing, i.e. the collection of health data by means of a written questionnaire and the storage of these data for a period of five years. The BE SA considered that the latter should be considered as a processing on a large scale of special categories of data and that, therefore, a DPIA was required.
Decision
The Litigation Chamber of the BE SA imposed administrative fines of respectively 200.000 EUR and 20.000 EUR on Brussels Airport and Ambuce Rescue team for the carrying out of these temperature checks on the passengers and for the processing of special categories of personal data (health data). The Litigation Chamber stresses that, when taking this decision, it took Into account the difficult context of the Covid-19 crisis.
The Market Court of Brussels (Court of Appeal) annulled the decision with regard to Ambuce Rescue Team and cancelled the fine imposed on Ambuce Rescue Team.
For further information: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-48-2022.pdf (in Dutch)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.