Brussels South Charleroi Airport fined for processing health data about travelers

Summary

Brussels South Charleroi Airport installed thermal cameras to identify and screen passengers with a body temperature exceeding 38°C, thus processing health data of passengers entering the airport (first line of control). The scans were conducted both for departing and arriving passengers. Furthermore, a specialized team was assigned to conduct second temperature scans and examinations of further symptoms of passengers displaying temperatures above 38°C (second line of control). Findings were then issued in a report based on the examinations.

The data processing was based on a Protocol which, according to the Belgian DPA, was not legally binding under Belgian law.

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 100,000 EUR on Brussels South Charleroi Airport for the following violations:

• Lacking a valid legal basis and disregarding basic data protection principles (GDPR, Articles 5, 6 and 9).
• Failure to comply with information and transparency requirements (GDPR, Articles 12 and 13).
• Failure to conduct comprehensive impact assessments (GDPR, Article 35(1)).
• Breaching the obligation to implement technical and organizational measures to secure data (GDPR, Article 32).
• Breaching the principle of data protection by design and default (GDPR, Article 25).
• Failing to ensure the independence of the data protection officer (DPO) (GDPR, Article 38(3)).

Decision of the Market Court of Brussels

The Market Court reduced the fine to 25,000 EUR.

Our remarks

• When indicating the legal basis for processing activities in a privacy policy, general references to “legal obligations and tasks of general interest” do not meet the transparency requirements outlined in the GDPR. Instead, the policy must clearly indicate which of the cases listed in Articles 6 or 9 are applicable to the disputed processing activities.
• Invoking a legal obligation within the meaning of GDPR, Article 6(1)(c) or a public interest within the meaning of GDPR, Article 9(2) requires the presence of legal necessity under national or EU law. The Protocol invoked by the airport did not, however, directly impose the use of temperature checks on passengers in the opinion of the Belgian DPA. As the protocol in question did not constitute a law in a strict sense, the legal obligations originating from it could not be considered sufficiently clear and precise to constitute legal standards within the meaning of GDPR, Articles 6(1) and 9(2).

Published: 07-12-2022
Journal number: 2022/AR/556
Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information
Complycloud EU GDPR Report