Brussels and Brussels South Charleroi Airports fined for use of thermal cameras

Brussels and Brussels South Charleroi Airports fined for use of thermal cameras
May 6, 2022

The Belgian Data Protection Authority (“DPA”) has fined Brussels Airport and Brussels South Charleroi Airport 200,000 and 100,000 EUR respectively for their use of thermal cameras during the Covid-19 pandemic.

In two extensive decisions (Brussels decision and Charleroi decision), the DPA has fined the two airports for their use of thermal cameras. The DPA has decided that the airports did not have a sufficiently clear legal basis for the processing of health data, stating they could not rely on “public interest” to process health data. The DPA has determined that the information provided to passengers was insufficient, and that the data protection impact assessment (“DPIA”) and the record of processing activities did not meet the legal requirements. Read further for a short summary of the decisions.

Press articles triggered DPA investigation on the use of thermal cameras by airports during Covid-19

The DPA learned via the media that Brussels Airport had measured passengers’ temperatures and started an investigation. At the same time, the DPA’s inspection service started, on its own initiative, an investigation into Brussels South Charleroi Airport’s taking of passengers’ temperatures.

The two Belgian airports used thermal cameras to identify and screen passengers who had a temperature of more than 38°C. Once identified, that temperature was confirmed by a second manual temperature check, and then the passengers concerned were asked to answer a questionnaire concerning Covid-19 symptoms.

Lack of adequate processing ground

As with any processing of personal data, the airports needed a processing ground for processing the passengers’ temperatures. This is especially true as a temperature check entails the processing of health data.  

Considering that a processing ground under both article 6 and 9 GDPR was required according to the DPA, the latter ultimately concluded that the conditions for “legal obligation” (Article 6.1.c GDPR) and the “public interest” (Article 9.2.i GDPR) as processing ground were not met because there was no clear, precise standard of law, the application of which was foreseeable for the data subjects (i.e. the passengers).

The temperature controls relied primarily on a protocol issued by the Federal public service Mobility and Transport of Belgium, which, in the DPA’s opinion, did not strictly oblige the airports to use temperature checks. The DPA has also determined that the protocol is not a law sensu stricto and so is not a legal basis in the sense of Article 6 GDPR. Finally, the DPA has found that the protocol was not precise enough regarding the processing activities. For all these reasons, the DPA has decided that the airports infringed the GDPR’s Articles 6 and 9.

Lack of sufficient information and an insufficient DPIA

Besides the lack of a valid processing ground, the DPA has also found some other GDPR infringements.

First, the DPA has determined that the information provided to passengers about thermal cameras was insufficiently clear and detailed. Although, it was clear that passengers’ temperatures were being checked, the DPA considered the use of thermal cameras was not transparent enough. The DPA has also found that the processing ground (even if was not satisfactory in this case) should have explicitly referred to the relevant legal act(s) and article(s).

The DPA has also found that it should have been made clear in every relevant document (i.e. in the internal regulations, and also the privacy policy) that a passenger’s temperature above 38°C could result in the need to leave the airport.

Second, the DPA retained an infringement because of the lack of quality of each airport’s data protection impact assessment (“DPIA”).

In this case, the DPA has decided that the DPIAs lacked sufficient quality, as some information was not detailed enough. The lack of details in certain fields then prevented the DPA from verifying that sufficient thought had been made, such as for the measures designed to deal with the risks that the processing entailed for the data subjects (i.e. the passengers).

Third, for the Charleroi Airport, the DPA also found an infringement of Article 30 GDPR for the incomplete record of processing activities, as some mandatory information was lacking.

Fines despite the Covid-19 pandemic

Brussels Airport was fined 200,000 EUR, and Brussels South Charleroi Airport was fined 100,000 EUR.

The DPA has stated that it took the health crisis of the Covid-19 pandemic into account when making its decision. However, it has argued that it transparently informed the companies at the outset of the pandemic as to what actions they could, or could not, take in light of the pandemic. The DPA referred to its website page about temperature checks in this regard.

Brussels Airport has already confirmed that it will appeal the DPA’s decision.  

Written by

Recommended articles

December 02, 2022

Are parallel importers necessarily allowed to rebox medicines in case of visible traces from ATDs? The CJEU says NO

Pharmaceutical companies are obliged to affix an anti-tampering device (‘ATD’) on prescription-only medicines to enable verification of whether a medicine’s packaging has been tampered with. Parallel importers argue that this results in an overarching objective necessity to ‘rebox’ such medicines.

Read on
November 24, 2022

Can parallel importers (re)brand generic medicines? The CJEU limits the ‘room for manoeuvre’

If a branded medicine and its generic version are put on the EEA market by economically-linked undertakings, is a parallel importer then allowed to rebrand and repackage the imported generic version as the branded reference medicine? After the Brussels Court of Appeal had referred questions on this issue for a preliminary ruling two years ago, the CJEU has now clarified the limits.

Read on
November 23, 2022

New rules on medical force majeure and the medical certificate

A new Act, which includes various provisions on incapacity for work, was published in the Belgian State Gazette on 18 November 2022.

Read on