The Privacy Authority has received several questions from various parties subject to the new obligations introduced by Decree-Law No 105 of 2021, in relation to the use of the Green Pass in.

Even qualified as civic access bodies

These requests aim, in particular, to obtain a decision of the Privacy Guarantor on these obligations and on the implications of possible non-compliance by their respective recipients.

The questions raised are of undoubted general interest, involving the relationship more complex

Privacy Guarantor, Green Pass clarifications

The internal regulation of the Green Pass moves in this perspective and, from the point of view of data protection, implies legitimate processing insofar as it falls within the scope outlined by the current legislation. For the case that is the subject of the questions submitted, that legislation consists, in particular, of the combined provisions of Articles 9 of Legislative Decree no. 52 of 2021 (converted, with amendments, by Law No. 87), 9-bis, introduced into the body of Legislative Decree no. 52 by art. 3 of Legislative Decree No 105 of 2021 and, for implementing measures, 13 of the DPCM 17 June 2021, referred to in art. 9-bis, c. 4, second period, of the aforementioned Legislative Decree no. 52.

Legislative Decree no. 105 of 2021, in addition to introducing the provision of a specific certificate for those excluded from the vaccination campaign, extends, with the aforementioned art. 9-bis, the objective scope of application of green certifications governed, in general, by art. 9 of Legislative Decree No 52, also, in the white zone, to the places and activities specifically indicated therein. Leaving aside here the examination of the reasonableness of the extension of the scope of application of green certifications in the terms progressively outlined by the dd.ll. nn. 105 and 111 of 2021, and the implications of this extension for the proportionality of the corresponding processing, it can be noted that the processing is legitimate in so far as it is limited to the data actually essential to verify the existence of the subjective requirement under consideration (holding of the certification 9 of Legislative Decree No 52 of 2021.

In this overall framework , already the subject of analysis by the Privacy Authority, both in the parliament hearing on the bill of conversion of Legislative Decree no. 52, and in the opinion on the relative dPCM implementation

In particular, as art. 9-bis, c. 4, second period, of Legislative Decree no. 52, introduced by art. 3 of Legislative Decree no. 105, expressly clarifies, also in the new hypotheses of green certification, introduced by the latter measure, the procedural rules provided for by d The Commission has also decided to initiate proceedings under Article 9 of Legislative Decree No 52 for the purposes of the procedure for verifying the certifications. This procedural framework includes, moreover, beyond the regulation of the specific digital channels for reading green certification (in particular through the only app allowed, or that developed by the Ministry of Health 13, c. 4, of the aforementioned dPCM, to be read also in the light of the recent circular of the Ministry of the Interior of 10 August last. Among the guarantees provided by the aforementioned dPCM 17 June 2021 is, moreover, also the exclusion of the collection by the verifiers of the data of the holder of the certification, in any form (art. 13, c. 5).

However, the transitional rules on the paper certification to be issued to persons exempt from the obligation to extend the green pass should be subject to greater safeguards in terms of data protection, and must not lead to data collection, in accordance with the principle of minimization.

The combined provisions of the Decree Nos. 52 and 105 of 2021, and of the aforementioned dPCM 17 June 2021, therefore, and despite the above-mentioned emphasis, outline the assumptions and limits of the duties of verification of green certifications established by the operators of the structures concerned. The processing of personal data functional to such compliance, if carried out in accordance with the above-mentioned rules and in compliance with the rules on the protection of personal data (first of all the principle of minimization), cannot, therefore, amount to any unlawful act.

The processing in question does not require authorisation by the Guarantor and must be carried out, as already noted, in compliance with the overall regulatory framework referred to above.
