The Belgian Data Protection Authority (DPA) has imposed a fine of 200,000 euros on Brussels Airport Zaventem, and 100,000 euros on Brussels South Charleroi airport for passenger temperature checks carried out as part of the fight against COVID-19. For the DPA, these airports did not have a valid legal basis to process these travellers’ health data.
Processing of sensitive data without a valid legal basis
In 2020, after learning from the press that Brussels Airport was measuring the temperature of passengers, the DPA’s management committee decided to call on its Inspection Service. At the same time, the Inspection Service itself began an investigation on its own initiative into similar data processing at Charleroi airport. The DPA mainly questioned the legal basis on which this processing of data related to the health of passengers was based.
In these two airports, thermal cameras made it possible to filter people with a temperature of more than 38°C. In Zaventem, these people were then submitted to a questionnaire on possible symptoms linked to the coronavirus. This second control was carried out by the company Ambuce Rescue Team.
These temperature checks took place from June 2020 to March 2021 in the case of Charleroi airport, and from June 2020 to January 2021 at Zaventem airport.
At the end of its analysis, the Litigation Chamber noted, supported by a report from the Inspection Service, that the airports lacked a valid legal basis for processing data relating to the temperature of travellers, and this in particular given that it’s all about health data. Since data of this type is sensitive data, it cannot in principle be processed, except in a very limited number of exceptions (listed in Article 9.2 of the GDPR). Processing for reasons of public health or important public interest is, for example, part of these exceptions, provided that it is based on a legal standard that is clear, precise and whose application is foreseeable for the data subjects, or the temperature controls here were mainly based on a protocol, which does not meet these requirements.
In addition, the DPA observed shortcomings in terms of the information provided to travellers and the quality of the impact analyses (i.e. the analysis of the risks associated with data processing).
David Stevens, President of the DPA: “This decision highlights the importance of carrying out a rigorous and complete impact analysis, before implementing any data processing likely to create a risk for the people. Prevention is better than cure is a principle that is also very important in the field of data protection.”
Sanctions for a measure taken in the context of the fight against Covid-19
For these breaches, the Litigation Chamber imposes a reprimand, as well as a fine on each of the airports, namely:
- 200,000 euros fine at Brussels Airport Zaventem;
- 100,000 euros fine at Brussels South Charleroi Airport.
It also imposes a fine of 20,000 euros on Ambuce Rescue Team.
The DPA stresses that in its decision, it took into account the context of the health crisis. It recalls that from the start of the Covid-19 pandemic, it made a point of proactively informing organisations of the rules applicable to data processing carried out in the context of the Covid-19 crisis, including temperature checks in particular.
The organisations concerned may lodge an appeal against this decision with the Market Court.
Hielke Hijmans, President of the Litigation Chamber: “We understand that companies have been hit hard by the pandemic and that they have had to urgently put in place measures never seen before. However, privacy rules are an essential protection for the rights and freedoms of individuals, and must therefore be respected. It is our duty as the Data Protection Authority to enforce them. Our decision today is all the more important as it can serve as a guide for possible processing of similar data, whether or not in the context of the health crisis.”
