Why can the processing of personal data in connection with the use of green digital certificates, under Decree-Law No. 52 of 22 April 2021, breach the GDPR? Before getting into these technical questions, we have to mention some considerations that once again highlight a poor aptitude for tackling problems with a holistic approach: fundamental aspects are neglected, which in the end only costs you credibility with applicants.
It took the intervention of the Italian Data Protection Authority, which recalled principles that should already be known…
The superficiality with which these sensitive questions are sometimes handled is astonishing.
In particular, the risks to the rights and freedoms of data subjects were not taken into account, and adequate technical and organizational measures were not implemented to apply the principles of personal data protection effectively and to protect the rights and freedoms of data subjects.
We invite you to study the provision issued by the Authority as a warning on the processing carried out for the Covid-19 green certificate required by Decree-Law No. 52 of 22 April 2021 – 23 April 2021 (Register of measures No. 156 of 23 April 2021).
The Authority identified six critical issues:
- Lack of consultation of the Authority
- Unsuitability of the legal basis
- Principle of data minimization
- Principle of accuracy
- Principle of transparency
- Principles of storage limitation and integrity and confidentiality
Ultimately, the introduction of the green certification entails systematic, large-scale processing of personal data, including health data, which presents a high risk to the rights and freedoms of data subjects, given the consequences that may arise for individuals in terms of limitations on personal freedoms.
All of these are prerequisites that make it appropriate to carry out a prior impact assessment pursuant to Article 35, paragraph 10, of the Regulation.
In summary, the Authority notes that the rules governing green certification are not proportionate to the public-interest objective pursued, legitimate though it is, because they do not precisely identify the purposes for which green certification is intended to be used, nor, in accordance with the principles of privacy by design and by default, the appropriate measures to ensure the protection of data, including special-category data, at every stage of processing, and fair and transparent processing with respect to data subjects.
SOURCE: FEDERPRIVACY