Belgium
Brussels Airport Charleroi
GDPR enforcement action by Belgian Data Protection Authority (APD) on 2022-04-04.
Case details
- Authority
- Belgian Data Protection Authority (APD)
- Date
- 2022-04-04
- Controller / Processor
- Brussels Airport Charleroi
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) a), b) GDPR, Art. 6 (1) c) GDPR, Art. 6 (3) GDPR, Art. 9 (2) i) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) e) GDPR, Art. 35 (1), (7) GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000.
The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport.
Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms.
The DPA particularly noted that the airport did not have a valid legal basis for processing this health data.
Health data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR.
One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements.
In addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data.
Related fines