The Italian SA (Garante per la protezione dei dati personali) officially warned the Campania Region that the system the Region planned to implement in order to certify COVID-19 vaccination, recovery or negativity was in breach of privacy laws. The certification was intended to be a precondition to access several services including tourism, hotels, weddings, transportation and entertainment. The system was envisaged in an order by the President of the Campania Region, entrusting the Regional Crisis Management Unit to lay down operational arrangements and distribute smart cards where the regional COVID-passes would be stored.
The investigation by the Garante showed that this initiative had no appropriate legal basis. Any measure limiting the rights and freedoms of individuals is only admissible if it is grounded in suitable national legislation, not in a regional order. The order in question required producing the green pass as an additional precondition to enable free movement and to access basic services; accordingly, the order also fell short of the criteria set forth in the so-called ‘Italy Reopens’ decree, which was itself fraught with critical issues that the Italian SA had already highlighted.
The order envisaged the use of a smart card as a ‘system to issue vaccination certificates’; however, it did not specify who was the controller of this processing, who was authorised to access and use the data, or who was tasked with checking that the certificates were valid and genuine. From this standpoint, the system was in breach of basic principles of the EU GDPR such as lawfulness, fairness, transparency, and privacy by design and by default. At all events, the Region should have performed a data protection impact assessment beforehand in order to implement adequate data protection safeguards – partly considering the sensitive nature of health-related information.
The Garante emphasized that initiatives like the one by the Campania Region would implement mechanisms for the release and verification of vaccination status departing from those set out at national level; more importantly, they would jeopardise the interoperability of certificates at both national and European level and would thus stand in the way of the ultimate objective of such certificates – i.e., facilitating the free movement of individuals in the EU during the COVID-19 pandemic.
The Prime Minister and the Conference of Regions and Autonomous Provinces were also informed of the formal warning issued to the Campania Region with a view to the appropriate follow-up.
You can find the original press release on the Italian DPA's website here.
For further information, please contact the Italian SA: ufficiostampa@gpdp.it
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.