A recent regulatory change allows employers in Italy to store employees’ green pass certificates, with significant consequences for privacy compliance.
With the publication in the Official Gazette of Law No. 165 of November 19, 2021, ratifying the Law Decree on the mandatory green pass certificate in the workplace in Italy, employees may now hand over their green pass certificates to their employers, who are consequently allowed to store them.
This conduct was strictly forbidden under the previous regime, which only allowed controls through the display of green pass certificates, without retaining any information relating to them.
Handing over the green pass certificate means that employees are exempt from the relevant checks for as long as the certificate is valid. This change may bring a considerable operational advantage for employers, but also some onerous new obligations from a data protection law perspective, which can be listed as follows:
- updating of the privacy information notice to be made available to the individuals subject to the controls, with the modification in particular of the applicable data retention period;
- modification of the letters of appointment of the persons or data processors in charge of carrying out the controls, and of the internal procedure for managing the checks;
- adoption of stringent security measures for the collection and storage of green pass certificates. Specifically, employers will need to decide (i) whether to store them in paper or electronic format, (ii) who will have the right to access the certificates and how to protect this documentation from access by unauthorized third parties, and (iii) if opting for electronic storage (e.g., on a cloud platform or through a third-party vendor), whether this will result in a transfer of data outside the EEA. In addition, since green pass certificates will not have to be requested again from those who have already handed them over during the validity period of the green pass, a database recording the relevant validity terms will also have to be created, and the above security measures will have to apply to it as well;
- carrying out a data protection impact assessment (the so-called DPIA) on the green pass certificate verification process, given the new processing operations introduced by the regulatory change; and
- updating the register of processing activities, which will need to account not only for the display but also for the storage of the green pass certificates.
It is interesting to note that the new rules only provide for the right of employees to hand over their green pass certificates, not the possibility for employers to request their delivery. This means that a sort of dual regime may apply, between those who choose to hand in their certificate and those who prefer to have it checked every day. Moreover, if a worker asks to hand in his or her green pass, the employer will have a hard time denying this option.
The Italian Data Protection Authority had already reacted to this regulatory change, opposing it in a report sent to Parliament. Parliament nonetheless decided to proceed in this direction, which makes compliance with privacy obligations in the storage of green pass certificates even more relevant. Indeed, the risk of challenge in the event of a data breach affecting green pass certificates would be high.
On a similar topic, you may find useful the infographic “What to do and what not to do with the mandatory green pass in the workplace”, published about a month ago. However, we did not take the recent regulatory change into account in that infographic.