The Belgian Data Protection Authority (DPA or APD) has imposed a fine of 200,000 euros on Brussels Airport Zaventem, and 100,000 euros on Brussels South Charleroi airport for passenger temperature checks carried out as part of the fight against COVID-19.
Article continues below
For the DPA, these airports did not have a valid legal basis to process these traveler health data.
In 2020, after learning through the press that Brussels Airport was measuring the temperature of passengers, the APD's management committee had decided to seize its Inspection Service. At the same time, the Inspection Service itself began an investigation on its own initiative into similar data processing at Charleroi airport.
The DPA mainly questioned the legal basis on which this processing of data related to the health of passengers was based.
In these two airports, thermal cameras made it possible to filter people with a temperature of more than 38°C. In Zaventem, these people were then submitted to a questionnaire on possible symptoms linked to the coronavirus. This second control was carried out by the company Ambuce Rescue Team.
These temperature checks took place from June 2020 to March 2021 in the case of Charleroi airport, and from June 2020 to January 2021 at Zaventem airport.
At the end of its analysis, the Litigation Chamber noted, supported by a report from the Inspection Service, that the airports lacked a valid legal basis for processing data relating to the temperature of travelers, and this in particular given that it's all about health data.
Since data of this type is sensitive data, it cannot in principle be processed, except in a very limited number of exceptions (listed in Article 9.2 of the GDPR).
Processing for reasons of public health or important public interest are, for example, part of these exceptions, provided that it is based on a legal standard that is clear, precise and whose application is foreseeable for the data subjects, or the temperature controls here were mainly based on a protocol, which does not meet these requirements.
For these breaches, the Litigation Chamber imposes a reprimand, as well as a fine on each of the airports, namely:
• 200,000 euros fine at Brussels Airport Zaventem;
• 100,000 euros fine at Brussels South Charleroi Airport.
It also imposes a fine of 20,000 euros on Ambuce Rescue Team.
The APD stresses that in its decision, it took into account the context of the health crisis. It recalls that from the start of the Covid-19 pandemic, it made a point of proactively informing organizations of the rules applicable to data processing carried out in the context of the Covid-19 crisis, including temperature checks in particular.
Hielke Hijmans, President of the Litigation Chamber: “We understand that companies have been hit hard by the pandemic, and that they have had to urgently put in place measures never seen before. However, privacy rules are an essential protection for the rights and freedoms of individuals, and must therefore be respected.
"It is our duty as the Data Protection Authority to enforce them. Our decision today [April 4] is all the more important as it can serve as a guide for possible processing of similar data, whether or not in the context of the health crisis." ■