Italian DPS considers not respected the privacy legislation related to , in relation to covid green certification (resolution April 23, 2021; Italian Official Gazette no. 104/2021).
The system introduced by Legislative Decree 52/2021 would configure:
1 Failure in consulting Italian DPS
Considering the systematic treatment of (health) data on a large scale.
2 Unsuitable legal basis
The decree does not represent a valid legal basis under the REGULATION (EU) 2016/679 (GDPR).
3 Violation of the minimization principle
The data is not adequate, relevant and limited to what is necessary in relation to the purposes.
4 Violation of the principle of accuracy
Data is not accurate, updated and easily erasable or correctable.
5 Violation of the principle of transparency
Not clearly indicating the specific purposes pursued, the characteristics of the treatment and the subjects who can process the data collected in relation to the issuance and control of green certifications.
6 Violation of the principles of limitation, integrity and confidentiality
Data is not stored in a form that allows the identification of the interested parties for a period of time not exceeding the achievement of the purposes.
In conclusion, the Italian DPS considers the discipline of green certification not proportionate to the objective of public interest pursued, albeit legitimate.