Covid green certification: Italian Data Protection Supervisor’s analysis

green pass-e6c63b33

Italian DPS considers not respected the privacy legislation related to , in relation to covid green certification (resolution April 23, 2021; Italian Official Gazette no. 104/2021).

The system introduced by Legislative Decree 52/2021 would configure:

1 Failure in consulting Italian DPS

Considering the systematic treatment of (health) data on a large scale.

2 Unsuitable legal basis

The decree does not represent a valid legal basis under the REGULATION (EU) 2016/679 (GDPR).

3 Violation of the minimization principle

The data is not adequate, relevant and limited to what is necessary in relation to the purposes.

4 Violation of the principle of accuracy

Data is not accurate, updated and easily erasable or correctable.

5 Violation of the principle of transparency

Not clearly indicating the specific purposes pursued, the characteristics of the treatment and the subjects who can process the data collected in relation to the issuance and control of green certifications.

6 Violation of the principles of limitation, integrity and confidentiality

Data is not stored in a form that allows the identification of the interested parties for a period of time not exceeding the achievement of the purposes.

In conclusion, the Italian DPS considers the discipline of green certification not proportionate to the objective of public interest pursued, albeit legitimate.

Allavelli Legal