Garante per la protezione dei dati personali (Italy) - 9578184

From GDPRhub
Garante per la protezione dei dati personali (Italy) - 9578184
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6(3) GDPR
Article 9 GDPR
Article 13 GDPR
Article 14 GDPR
Article 25 GDPR
Article 32 GDPR
Type: Other
Outcome: n/a
Decided: 22.04.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 9578184
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA found that a Government decree implementing a system to regulate citizens’ movements and access to events during the Covid-19 pandemic violates Articles 5, 6(3)(b), 9, 13, 14, 25 and 32 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On the 22nd of April 2021, the Decree Law (decreto legge) n° 52/2021 was adopted by the Italian Government. The decree introduced urgent measures to contain and combat the Covid-19 epidemic, and in particular it introduces a “green certification” that allows citizens to move between orange and red-coded territories within Italy, as well as to participate in some events under certain circumstances. A citizen can therefore ask for a green certification to be issues after completion of the vaccination process, recovery from Covid-19, or following the negative results of a quick antigenic test or a molecular test. Depending on these cases, the certification will have a different period of validity.

These provisions are applicable until the national “Digital Green Certificate” platform (DGC) will be activated by the delegated acts for the implementation of the Digital Green Certificate Regulation, which is still being negotiated by EU institutions.

The decree law also provides for the Prime Minister to adopt a decree to implement “technical specifications to ensure the interoperability of the Covid-19 green certifications and the national platform for the DGC”, and of those with other EU Member States’ platforms.

Finally, Decree Law 52/2021 provides that, “pending the adoption of the aforementioned implementing decree, public and private healthcare facilities, pharmacies, general practitioners and freely chosen paediatricians may, however, issue the aforementioned green certificates, ensuring the completeness of the elements indicated” in an Annex 1 to the decree law.

Holding[edit | edit source]

According to the Garante, the Government failed to adequately take into account the risks posed by the above-mentioned measures to the rights and freedoms of data subjects, and hence failed also to adopt “the appropriate technical and organisational measures […] to effectively implement the principles of data protection”. In particular, the Garante found that the decree law had the following shortcomings.

1. Failure to consult the DPA[edit | edit source]

This happened notwithstanding the velocity with which the Garante provided for opinions to the Government during the Covid-19 pandemic so far, and the fact that the Garante itself represented to the Constitutional Affairs Committee of the Senate the need for a prior consultation with the supervisory authority before issuing the decree on green certification. Moreover, the Garante noted that given the nature of the processing activities foreseen by the decree law, a DPIA should have been carried out before issuing the decree.

2. Unsuitability of the legal basis[edit | edit source]

According to the Garante, the Decree Law 52/2021 “lacks some of the essential elements required by the GDPR (Articles 6(2) and 9) and by the Personal Data Protection Code (Articles 2(b) and 2(e)).” This is due to the fact that “does not provide an explicit and exhaustive indication of the specific purposes pursued through the introduction of the green certification, an essential element in order to assess the proportionality of the provision”. This aspect is particularly concerning because the green certification could be used in the future to regulate access to places and services, “or for the establishment or identification of the modalities of performance of legal relations, which are not currently expressly indicated in the decree law”. Moreover, “the provision also lacks an indication of the reasons why it is necessary to introduce, on a provisional basis, these green certificates, given the forthcoming adoption” of EU rules on the same subject matter.

3. Principle of data minimisation[edit | edit source]

The Garante considers that the only personal data necessary for the green certification are the following: “personal data necessary to identify the data subject; a unique identification of the certificate; the date of expiry of the certificate.” These categories of personal data are sufficient to allow checks on the validity of the certifications themselves. Conversely, it is not needed to issue different models of certifications depending on the specific situation of the data subject (if she has been vaccinated, recovered from Covid-19, or tested negative). The date of expiry of the certification is sufficient to allow for validity checks without revealing further health data related to the data subject.

4. Principle of accuracy[edit | edit source]

According to the Garante, this principle is especially important in order to assess “the proportionality of the restriction and the suitability of the measure to contain and combat the Covid-19 epidemiological emergency.” However, the above-mentioned transitional system, in the absence of the expected DGC platform, cannot account for new events that changes the status of the data subject (e.g., a new test with positive results), thus failing to respect the principle of accuracy and undermining the effectiveness of the system itself.

5. Principle of transparency[edit | edit source]

This principle is considered to be violated as there is a lack of a precise description of the purposes for which personal data are processed, of the main features of the data processing itself, and of the actors involved in the processing. The decree law does not even specify who is actually the data controller, nor who can verify the certifications and for which reasons, nor the institution that will host the platform for the green certifications. Ultimately this does not only violate the transparency principle, but also the possibility for data subjects to exercise their rights.

6. Principles of storage limitation, integrity and confidentiality[edit | edit source]

There are no mentions in the decree of retention periods or measures to ensure the integrity and confidentiality of the personal data processed.

In light of these observations, the Garante found that Law Decree 52/2021 is not proportionate to the public interest pursued, which is nevertheless legitimate, “as it does not accurately identify the purposes for which green certifications will be used and, in accordance with the principles of privacy by design and by default, the appropriate measures to ensure the protection of data, including those belonging to special categories, at every stage of processing, and a fair and transparent treatment towards the data subjects.” Hence, “there is an urgent need to intervene in order to protect the rights and freedoms of data subjects.” The Garante therefore warned the actors involved in the data processing “that the processing of personal data carried out in the context of the use of the green certifications referred to in Decree-Law no. 52 of 22 April 2021, in the absence of corrective measures, may violate the provisions of the [GDPR] referred to in Articles 5, 6(3)(b), 9, 13, 14, 25 and 32.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.




SEE ALSO PRESS RELEASE OF 23 APRIL 2021



[doc. web n. 9578184]

Warning provision regarding the treatments carried out in relation to the green certification for COvid-19 provided for by the legislative decree 22 April 2021, n. 52 - April 23, 2021
(Published in the Official Gazette no.104 of 3 May 2021)

Record of measures
n. 156 of 23 April 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (Legislative Decree no. 196 of 30 June 2003, hereinafter the "Code");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

RAPPORTEUR prof. Pasquale Stanzione;

WHEREAS

With the decree law of 22 April 2021, n. 52, urgent measures were introduced to contain and combat the epidemiological emergency from Covid-19 also concerning travel within the national territory, the methods of conducting shows open to the public and sporting events and fairs, conferences and congresses.

In particular, the decree provides that the movements in and out of the territories of the Regions and autonomous Provinces located in the orange or red zone are also allowed to subjects with green certifications (art. 2). These certifications can also constitute a condition of access to events if provided for by the guidelines adopted by the Conference of Regions or Autonomous Provinces or by the undersecretary in matters of sport (Article 5, paragraph 4). The guidelines adopted pursuant to art. 1, paragraph 14, d.l. n. 33/2020 may provide that access to trade fairs, conferences and congresses can be reserved only for those in possession of green certifications (Article 7, paragraph 2).

The decree provides that green certifications can be issued, at the request of the interested party, in order to certify the completion of the vaccination cycle, the successful recovery from Covid-19 and the carrying out of rapid or molecular antigen tests with negative results for the virus. SARS-CoV-2 (Article 9, paragraph 2).

The decree provides for a different duration of validity of the aforementioned certifications in relation to the conditions for issue: six months in the event of completion of the vaccination cycle and healing, 48 hours in the case of tests with negative results (Article 9 paragraphs 3, 4 and 5).

The provisions relating to green certification are applicable at national level, up to the date of entry into force of the delegated acts for the implementation of the provisions referred to in the regulation of the "European Parliament and of the Council on a framework for issuing, verifying and '' acceptance of interoperable certifications relating to vaccination, tests and healing to facilitate free movement within the European Union during the Covid-19 pandemic which will enable the activation of the "digital green certificate" national platform (National Platform-DGC ) (Article 9, paragraph 9).

The decree law also provides that by decree of the President of the Council of Ministers, adopted in concert with the Ministers of health, technological innovation of the digital transition and the economy and finance, having heard the Guarantor for the protection of personal data, established: "the technical specifications to ensure the interoperability of the Covid-19 green certifications and the national platform for the DGC, as well as between this and the similar platforms established in the other Member States of the European Union, through the European Gateway", "i data that can be reported in the COVID-19 green certifications, the procedures for updating the certifications, the characteristics and operating modes of the national platform -DCG, the structure of the unique identifier of the COVID-19 green certifications and the interoperable barcode which allows to verify the authenticity, validity and integrity of the same, the indication of the subjects de put in place to check the certifications, the retention times of the data collected for the purpose of issuing the certifications, and the measures to ensure the protection of personal data contained in the certifications "(art. 9, paragraph 10).

From the date of entry into force of the law decree and pending the adoption of the aforementioned implementing decree, public and private health facilities, pharmacies, general practitioners and free choice pediatricians may in any case issue the aforementioned green certifications ensuring "the completeness of the elements indicated "in Annex 1 to the decree.

OBSERVE

As regards the Authority's competence profiles, it is noted that the law decree of 22 April 2021, no. 52, does not represent a valid legal basis for the introduction and use of green certificates at national level.

In planning the introduction of green certification, as a measure aimed at containing and contrasting the epidemiological emergency from Covid-19, it is believed that the risks, illustrated below, that the implementation of the measure determines for the rights and freedoms of the data subjects, and, therefore, adequate technical and organizational measures have not been adopted to effectively implement the principles of data protection, integrating in the processing of the same the guarantees necessary to meet the requirements of the Regulation (EU ) 2016/679 and to protect the rights of the interested parties (Article 25, paragraph 1, of the Regulation).

In particular, it is believed that the provisions of the decree law of 22 April 2021, n. 52, have the following critical issues:

1. Failure to consult the Guarantor

At the outset, it is noted that, in violation of art. 36, par. 4, of the Regulations, the decree law of 22 April 2021, 52, was adopted without the Guarantor having been consulted.

The timely and necessary involvement of the Authority, also envisaged "during the drafting of a legislative act proposal", in addition to avoiding the procedural flaw, would have allowed the Authority to promptly indicate methods and guarantees, contributing to the introduction of a necessary measure to contain the epidemiological emergency, respecting the regulations on the protection of personal data from the design stage.

The urgency of the law does not constitute an impediment to the prior involvement of the Authority, given that the Guarantor, in the last year, aware of the need for the provisions submitted to its attention to be adopted promptly, has always made the opinions of its competence on the legislative acts prepared in relation to the health emergency in a very short time, providing, where necessary, its own opinion, even urgent, signed by the President (see ex multis Opinion on the legislative proposal for the provision of an application aimed at tracking infections from Covid-19 of 29 April 2020; Opinion on a regulatory provision scheme aimed at allowing seroprevalence investigations on SARS-COV-2 to the Ministry of Health and Istat for epidemiological and statistical purposes of 4 May 2020; Authorization to the Ministry of health to start the treatment relating to the Covid-19 alert system, pursuant to art. and 2020, n. 20 of 1.6.2020; Opinion on the draft decree of the Ministry of Economy and Finance, in agreement with the Ministry of Health, relating to the processing of personal data carried out through the Health Card System as part of the Covid 19 Alert system pursuant to art. 6, paragraph 1 of the law decree n. 30/04/2020, n. 28 of 1.6.2020; Urgent opinion of the President to the MEF on the dematerialized electronic prescription of 19.3.20, ratified by the College on 26.3.20).

In this regard, it should be noted that, already on 8 April last, the President of the Authority had represented to the Constitutional Affairs Commission of the Senate of the Republic the need for a preventive involvement of the Authority in the legislative process, in relation to the introduction of vaccination passports. , recalling the fruitful institutional collaboration provided with reference also to the national Covid alert system (Memory of the President of the Guarantor - Constitutional profiles of the possible introduction of a "vaccine passport" for citizens who have been administered the anti SARS COV2 vaccine of 8 April 2021).

In the run-up to the adoption of the aforementioned decree law, the President also sent a note to the President of the Council of Ministers and to the Minister of Health precisely regarding the necessary involvement of the Authority in the phase of adoption of the legislative act on passports vaccine (notes of 21 April 2021).

It should also be noted that the introduction of green certification, as a measure aimed at containing and contrasting the epidemiological emergency from Covid-19, resulting in a systematic processing of personal data, including health-related, on a large scale, which presents a high risk for the rights and freedoms of the interested parties in relation to the consequences that may arise for persons with reference to the limitation of personal freedoms, would certainly have made it appropriate to carry out a preventive impact assessment pursuant to art. 35, par. 10 of the Regulation. This, in particular, as the measure, provided for by the law decree, enters into force from the day following its publication.

2. Unsuitability of the legal basis

As aforementioned, the aforementioned law decree does not represent a valid legal basis for the introduction and use of green certificates at national level as it lacks some of the essential elements required by the Regulation (articles 6, paragraphs 2 and 9) and from the Code regarding the protection of personal data (articles 2 ter and 2 sexies).

Mainly, the regulatory system does not provide an explicit and mandatory indication of the specific purposes pursued through the introduction of green certification, an essential element in order to assess the proportionality of the standard, required by art. 6 of the Regulation, also in light of what the Constitutional Court affirmed in sentence no. 20 of 21 February 2019, according to which the legal basis that identifies an objective of public interest must provide for the processing of personal data that is proportionate to the legitimate purpose pursued.

As represented by the President of the Authority in the aforementioned brief, only a state law can make the exercise of certain rights or freedoms subject to the presentation of this certification. In light of this, it becomes clear, first of all, the indeterminacy of the purposes of the provision relating to the introduction of green certifications, determined by the failure to accurately identify the cases in which they can be used with the exclusion of the use of such documents in other cases not expressly provided for by law.

The failure to specify the purposes for which the aforementioned certifications can be used takes on particular importance with reference to the possibility that these documents may subsequently be considered a valid condition also for access to places or services or for the establishment or identification of the procedures for carrying out legal relationships, currently not expressly indicated in the decree law (eg in the workplace or at school).

The absence of a precise indication of the purposes does not even allow an assessment of the compatibility of the aforementioned certifications with the provisions at European level, also taking into account that their use would seem to be temporary pending the adoption of the similar certifications identified by the European Union.

In this regard, it should be noted that the provision also lacks the indication of the reasons for which it is necessary to provisionally introduce the aforementioned green certifications, given the forthcoming adoption of the proposal for a regulation of the European Parliament and of the Council on the certificate digital green (2021/0068 (COD) of 17.3.2021), with reference to which indications were provided by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) in the joint opinion delivered on 31 March 2021 (EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate).

The failure to indicate the reasons that led the Government to provisionally adopt the aforementioned certifications, pending the similar documents envisaged at EU level, does not allow us to assess whether it has taken into due consideration the risks of any misalignments regarding the characteristics and the functionalities of the two documents.

It should also be noted that the provisions according to which, pending the adoption of the envisaged implementation decree, the use of green certifications drawn up on the basis of what is indicated in Annex 1 to the decree and the healing certificates issued by health facilities is allowed, before the entry into force of the law decree, they do not comply with the regulations on the protection of personal data, as such documents would appear to have been issued in the absence of the measures that will be identified with the delegated decree indicated in art. 9, paragraph 10 (Article 9, paragraphs 4 and 10).

3. Principle of data minimization

The law decree violates the principle of data minimization according to which the same must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (Article 5, paragraph 1 letter c) of the Regulation).

In particular, given that, by virtue of the provisions of Articles 2, 5 and 7 of the decree, the movements in and out of the territories of the Regions and autonomous Provinces located in the orange or red zone are also allowed to subjects with green certifications and that participation in certain events and events open to the public it can be conditional on the display of these certifications, it is believed that they must report only the following data: personal data necessary to identify the person concerned; unique identification of the certification; date of end of validity of the same.

These data are in fact configured as necessary to allow the persons in charge of controls to verify that the person who exhibits the certification is in one of the conditions indicated by the decree (vaccination, cure or negative test) to take advantage of the green certification (in this sense, see also the position expressed by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) in the joint opinion delivered on 31 March 2021).

In light of the aforementioned principle of minimization, it is believed that it is not pertinent to indicate further information on the certification and that it is not necessary to use different green certification models depending on the condition (vaccination, recovery, negative test) under which they are issued, given that the decree does not provide for different hypotheses for their use.

The verification of the validity of the certification, depending on the different duration of validity of the same, can be usefully carried out on the basis of the indication in the certification of the validity end date of the same, a field currently not provided for among those indicated in Annex 1 to the decree.

In accordance with the aforementioned principle of data minimization, such information would be sufficient to allow the verification of the documents without letting the person in charge of the control know the condition, also relating to health events of the interested party, according to which the same was released.

In view of this, the provision of three different models of green certifications according to the condition of the interested party and the indication on the same of numerous personal data, also relating to health, expressly listed in Annex 1 to the decree, are placed in contrast with the aforementioned principle of data minimization.

4. Principle of accuracy

The decree law of 22 April 2021, 52, is also considered to violate the principle of accuracy of the data according to which the same must be accurate and, if necessary, updated and all reasonable measures must be taken to promptly delete or rectify inaccurate data with respect to the purposes for which they are processed (Article 5, paragraph 1, letter d) of the Regulation).

Considering that, according to what is indicated in the decree, the use of the aforementioned certifications would constitute one of the conditions to allow travel from the regions and autonomous provinces located in the orange or red zone, or to limit the freedom of individual movement, as well as to be able to participate in events and events open to the public, it is necessary that they are drawn up on the basis of accurate and up-to-date information. The requirement of data accuracy is in fact essential in assessing the proportionality of the limitation and the suitability of the measure of containment and contrast of the epidemiological emergency from Covid-19.

The transitional provision according to which, pending the adoption of the implementing decree establishing the national DGC platform, the use of healing certifications issued before the entry into force of the law decree and green certifications drawn up on the basis of the annex is allowed 1 to the aforementioned decree appears to be in contrast with the principle of data accuracy, also posing significant risks with regard to the actual effectiveness of the containment measure and the undue compromise of the rights and fundamental freedoms of the interested party.

In fact, the aforementioned transitional system does not allow to verify the actuality of the conditions attested in the certification, because it cannot take into account, in the absence of the platform, any changes to the conditions relating to the interested party (positive result) subsequent to the time of issue of the same ( art. 9, paragraph 4).

5. Principle of transparency

The decree law violates the principle of transparency by not clearly indicating the precise purposes pursued, the characteristics of the processing and the subjects who can process the data collected in relation to the issuance and control of green certifications (articles 5, paragraph 1, letter e) and 6, par. 3, lett. b) of the Regulation). In fact, the decree, in addition to not accurately identifying the purposes, does not indicate the subjects who process the aforementioned information and who can access it, as well as those appointed to check the validity and authenticity of the green certifications.

In this regard, it is noted that the decree law does not specify the ownership of the treatments carried out for the purpose of issuing and controlling the aforementioned green certifications and in particular those put in place through the "DGC National Platform" for the issue and validation of Covid-19 digital green certifications. This platform, as indicated in art. 9 of the decree, would constitute the national information system for the issue and verification and acceptance of interoperable Covid-19 certifications at national and European level. In particular, it is noted that the law decree does not identify the body in which the aforementioned platform will be established and does not specify the related ownership of the processing of personal data carried out through this information system.

The absence of indications regarding the ownership of the processing therefore does not allow interested parties to exercise their rights regarding the protection of personal data provided for by the Regulation (Articles 15 et seq. Of the Regulation).

6. Principles of Limitation of Retention and of Integrity and Confidentiality

The provisions of the decree also violate the conservation limitation principle, according to which the data must be kept in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed (articles 5 , par. 1, lett. e) and 6, par. 3, lett. b) of the Regulation).

This is particularly important given that the provisions seem to introduce temporary measures, intended to be replaced by those identified at European level.

It is also noted that the provisions of the decree do not provide adequate guarantees with respect to the principle of integrity and confidentiality, given that the measures to be adopted to ensure adequate security of personal data, including protection, through technical and organizational measures are not indicated. adequate, from unauthorized or unlawful processing and from accidental loss, destruction or damage (articles 5, paragraph 1, letter f) and 32 of the Regulation).

CONSIDERED

In light of the relevant critical issues illustrated above, it should be noted that the green certification discipline outlined by the law decree of 22 April 2021, n. 52, is therefore not proportionate with respect to the objective of public interest, albeit legitimate, pursued, as it does not promptly identify the purposes for which it intends to use the green certification and, in compliance with the principles of privacy by design and by default, the adequate measures to guarantee the protection of data, including those belonging to particular categories, at every stage of processing, and correct and transparent processing towards the interested parties (articles 5, 6, par. 3, letter b), 9, 13 , 14, 25 and 32 of the Regulation).

Considering that the use of green certification is operational from the day following the publication of the decree law, there is therefore an urgent need to intervene in order to protect the rights and freedoms of those concerned.

The Regulation attributes to the Guarantor, among others, the power to issue warnings to the data controller or data processor on the fact that the envisaged treatments may likely violate the provisions of the Regulation (Article 58, paragraph 2, letter a)).

Given the high risks for the freedoms and rights of the data subjects, it is therefore necessary to warn all those involved in the treatment and, in particular, the Ministries of health, of the interior, of technological innovation and of the digital transition, of the economy and of regional finance and affairs and the Conference of Regions or Autonomous Provinces of the fact that the processing of personal data carried out in the context of the use of green certifications referred to in the decree law of 22 April 2021, n. 52, in the absence of corrective measures, may violate the provisions of the Regulation pursuant to art. 5, 6, par. 3, lett. b), 9, 13, 14, 25 and 32.

The Guarantor also believes to communicate this provision to the President of the Council of Ministers, for the relevant assessments, making himself available to promptly establish an institutional dialogue aimed at overcoming the aforementioned criticalities.

WHEREAS, THE GUARANTOR

a) pursuant to art. 58, par 2, lett. a), of the Regulation warns all the subjects involved in the processing and, in particular, the Ministries of health, of the interior, of technological innovation and of the digital transition and of the economy and finance, of regional affairs and the Conference of Regions o of the autonomous provinces of the fact that the processing of personal data carried out in implementation of the provisions referred to in the decree law of 22 April 2021, n. 52, on the basis of the reasons expressed in the introduction, may violate the provisions of the Regulation pursuant to art. 5, 6, par. 3, lett. b), 9, 13, 14, 25 and 32;

b) sends a copy of this provision to the President of the Council of Ministers for the relevant assessments;

c) pursuant to art. 154-bis, paragraph 3, of the Code, orders the publication of this provision in the Official Gazette of the Italian Republic.

Rome, April 23, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei