Brussels Zaventem Airport fined for processing health data about travelers

Summary

Brussels Zaventem Airport installed thermal cameras to identify and screen passengers with a body temperature of more than 38°C, thus processing health data of passengers entering the airport (first line of control). Furthermore, a specialized ‘Ambuce Rescue Team’ was engaged to conduct second temperature scans and examinations of further symptoms of passengers whose temperatures were above 38°C (second line of control). Findings were then issued in a report based on the examinations. Both Brussels Zaventem Airport and the Ambuce Rescue Team were considered data controllers.

The data processing was based on a Protocol which, according to the Belgian DPA, was not binding under Belgian law.

The decision of the DPA was later partly annulled by the Market Court of Brussels.

Decision of the Belgian DPA

The Belgian DPA imposed a fine of 200,000 EUR on Brussels Zaventem Airport for the following violations:

• Lacking a valid legal basis and basic data protection principles (GDPR, Articles 5(1)(c), 6(1)(e) and 9(2)(g)).
• Failure to comply with information and transparency requirements (GDPR, Articles 12, 13(1)(c) and 13(2)(g)).
• Failure to conduct comprehensive impact assessments (GDPR, Articles 35(1), 35(3) and 35(7)(b)).

The Belgian Data Protection Authority imposed a fine of 20.000 EUR on the Ambuce Rescue Team for the following violations:

• Lacking a valid legal basis and breach of basic data protection principles (GDPR, Articles 5(1)(c), 6(1)(e) and 9(2)(g)).
• Failing to conduct comprehensive impact assessments (GDPR, Articles 35(1) and 35(3)).

Published: 07-12-2022, Journal number: 2022/AR/560&564

Tags: 01 Legal basis and principles of processing, 02 Right of access and obligation to provide information
Complycloud EU GDPR Report