Brussels airport – €200,000 Fine (Belgium, 2022)

The inspection service of the Belgian DPA conducted an inspection on the temperature checks carried out by the Brussels Airport, as instructed by the Board of Directors of the DPA. As a first step, the passengers' temperature was measured with thermal cameras. In a second step, all passengers with a temperature above 38°C were invited to be examined by a medical service, to carry out a diagnosis (performed by a doctor and using a form). The information was stored on paper and electronically and potentially shared for contact tracing. The DPA issued a €200,000 fine against the airport for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 12, 13(1)(c), 13(2)(e), 35(1), 35(3) and 35(7)(b) GDPR. It also fined the medical service €20,000 for violation of Articles 5(1)(c), 6(1)(e), 9(2)(g), 35(3) and 35(7)(b) GDPR. Finally, it issued a a reprimand against the airport for violation of Articles 5(2), 24 and 35(1) GDPR. = The DPA concluded that the airport was the controller for the processing of data in the context of the first step. The airport and the medical service were considered as joint controllers for the second line of processing. The DPA considered that the qualification under the contractual agreement was not binding upon the DPA (in accordance with the EDPB guidelines on the same). = During the procedure, the airport stated that it relied on Article 6(1)(e) and 9(2)(g) GDPR for the processing. The DPA considered that the decrees and the protocol on which the airport relied as a legal basis were not creating any legal obligation to check the temperatures of the passengers. Moreover, the texts the airport relied upon did not refer, as required by Article 6(3) GDPR, to the purpose of the processing, to the description of the processing operations, nor did the text mention the measures to ensure a lawful and fair processing of the data. The DPA also noted that the airport itself remarked in its data protection impact assessment (DPIA) that no legal text provi