The Italian Data Protection Authority has given a favorable opinion, as a matter of urgency, on the draft Dpcm introducing new ways of verifying the green pass in public and private employment.
The draft decree of the President of the Council of Ministers, to be adopted in consultation with the Minister of Health, the Minister for Technological Innovation and Digital Transition and the Minister of Economy and Finance, takes into account the discussions with the Office of the Authority in order to ensure, while respecting the freedom of choice in vaccination, both the correct fulfilment of the verification obligations by public and private employers, and compliance with the rules on the protection of personal data and with the European and national sector regulations on green certifications, similarly to what has already been provided for the Green Pass checks for school staff.
The scheme submitted to the Authority provides, in particular, that the verification of possession of green certifications Covid-19 can also be carried out through alternative methods to the app VerifyC19, such as the use of a development package for applications (SDK), released by the Ministry under an open source license, to be integrated into the access control systems or, for public and private employers, through the use of a specific feature of the platform NoiPA or INPS institutional portal.
Finally, a service of application interoperability with the national platform-DGC is envisaged only for public entities with more than one thousand employees.
The verification activity should not involve the collection of data from the interested party in any form, except for those strictly necessary, in the working environment, for the application of the measures resulting from the lack of certification. The system used for the verification of the green pass shall not store the QR code of the green certificates submitted for verification, nor shall it extract, consult, record or otherwise process the information collected for other purposes.
With regard to verification through the NoiPa platform (for participating public administrations), the Inps portal (for employers with more than 50 employees who are not members of NoiPa) or through interoperable applications, the national DGC platform will only display information on whether or not the employee has a valid green pass. Only employees actually on duty for whom access to the workplace is foreseen can be checked, excluding employees who are absent for holidays, illnesses, leaves of absence or who work in agile mode.
Employees will have to be duly informed by their employer about the data processing through a specific information notice.
As regards the functionalities available on the NoiPa platform and on the INPS Portal, technical and organizational measures will have to be adopted to ensure a level of security appropriate to the risks presented by the processing. Verification through application interoperability will instead be made available to employers through a specific agreement with the Ministry of Health.