As the vaccine campaign continues with few cornerstones and many unknowns, several interesting questions regarding the protection and processing of vaccine-related data are starting to arise.
One of these came to the attention of the Italian Data Protection Authority (“Authority”) and concerns the legitimacy of vaccine-tracking instruments such as electronic passes or apps. These instruments – yet to be discussed officially by the Italian Parliament – would allow only vaccinated individuals to access certain areas (airports, cinemas, restaurants) and services (public transport, circulation in general). The Authority has underlined, through a memo dated March 1, 2021, that such tools should not be considered legitimate from a data protection standpoint unless a national law regulates the whole subject matter. In fact, inappropriate processing of vaccine-related data – according to the Authority – may cause extremely dangerous consequences in terms of risks of discrimination and unjustified compression of constitutional freedoms. Given the non-mandatory nature of vaccines themselves – as recalled by the Resolution of the Parliamentary Assembly of the Council of Europe of January 27 – it would be unreasonable to punish those who freely decide not to get vaccinated by denying them access to almost all public spaces and services. Considering that such a balance between public needs and individual freedoms can (and must) only be struck by the national legislator, also to avoid fragmented rules, the Authority submitted a notice to the Italian Parliament to promptly address the matter.
The issue is relevant also at the European level: the official proposal of the “Green Pass” is expected to be unveiled on March 17, 2021. This Pass – according to the remarks by the President of the European Commission Ursula von der Leyen – should substantially be a European passport including information on vaccination and, for those who are not vaccinated, the results of Covid-19 tests. Such an instrument would hopefully facilitate international mobility. It is still to be seen whether European countries will reach consensus on the matter, as some of them (France and Belgium, among others) have already pointed out the unfairness of a mechanism that would facilitate the mobility of only those who are vaccinated, to the detriment of others.
Another related issue which the Authority has addressed, with FAQs on its website, concerns the processing of vaccination-related data in the workplace. In particular, the employer is not entitled to have access to the information on whether his/her employees are vaccinated or not, as the competent doctor is the only party entitled to process and assess data concerning vaccination. Even if an employee, due to the fact that he/she is not vaccinated, must be considered unsuitable for specific duties (for example in the healthcare sector, where vaccinated workers would be preferable), the employer will only be able to access the information on the total or partial unsuitability, while only the competent doctor will be able to process information regarding the vaccination of individual employees.
The need for the national legislator to step in and address these matters seems quite evident.
Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:
- The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do list for data controllers exporting data, composed of 6 steps:
  1. map your transfers outside the EU;
  2. verify the transfer tool you are using;
  3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
  4. identify and adopt supplementary measures;
  5. take any formal step needed to introduce the supplementary measures; and
  6. re-evaluate periodically.
- The Italian Data Protection Authority is increasingly worried by threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.
The Italian Data Protection Authority has recently reiterated what to do when an employee leaves the company, i.e.:
- Close down email accounts attributable to the former employee;
- Adopt automatic response systems indicating alternative addresses to those who contact the mailbox; and
- Introduce technical measures to prevent the display of incoming messages to unauthorized subjects.
The automatic forwarding of emails to colleagues of the former employee amounts to a breach of data protection principles, which require the employer to protect the confidentiality even of former workers.
In the case decided by the Authority, the e-mail account had remained active for over a year and a half after the end of the employment relationship and was deleted only after the worker filed a formal complaint.
Our life sciences team at Gitti and Partners wishes you a relaxing Christmas break and a 2020 full of happy innovation, useful technology and interesting legal developments!
There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:
- CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9 paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions issued by the Italian Data Protection Authority has been published on the Official Journal. Such conditions apply to processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic or (v) for purposes of scientific research.
- RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do so in all national versions of the search engine. The Court, however, added that a supervisory or judicial authority, after balancing all the rights concerned, would be able to order de-referencing on all versions of the search engine in the world since, while “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority) Mr. Antonello Soro, it cannot be excluded that the Garante may issue a universal, rather than EU-wide, de-referencing order.
- PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans) in a public tender process and in subsequent litigation in an anonymized form. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for its own purposes rather than for the purposes mandated by the data controller (i.e., maintenance of the equipment generating scans for patients).
- AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision by the Italian Garante dated July 24, 2019, Google LLC was ordered to de-reference from its search engine news reports about criminal facts that occurred in 2007, for which an individual without any public role had been convicted but had since been fully rehabilitated.
- CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, credit worthiness analysis and payment punctuality.