Green pass, between control requirements and risks for the person in charge

On October 15 came into force the obligation under DL No. 127/2021, for employers to check the possession of the Green Pass obtained as a result of vaccination or the negative outcome of an antigenic or molecular swab to all employees, as well as suppliers and consultants called to work within the company. The text of the DL had also found the approval of the Data Protection Authority already on October 12 in all its aspects.

But what are the ways of control of the green certificate?

Currently, the possibilities are limited to the exhibition of the paper format, the control of the photo, eventually kept on the Smartphone of the green certificate and the scanning through App C19 of the QR Code associated with the Green Pass.

Recently introduced is the Greeenpass50+ system, which can be used through the INPS platform, thanks to which, by querying the National DGC Platform, which in this case acts as an intermediary, it is possible to verify Green Passes starting from the tax codes of employees known to the institute.

It is important to emphasize that the verification activities should be carried out only against employees actually in service and for whom it is therefore expected to have real access to the workplace at the time of the check.

The use of the Greeenpass50+ service involves three distinct phases:

– The accreditation phase, in which the employers will have to register the company and appoint the verifiers, i.e. the individuals who will proceed to the green pass verifications;

– The second phase will be the elaborative one, in which it will be the INPS itself by accessing the national platform DGC to retrieve information on the possession of the green pass of the employees;

– And finally, the third phase, that of verification, is in which the previously appointed verifiers will access the service to control and verify the possession of the green pass of the employees of accredited companies after selecting the names for which to verify the possession of certification.

It is good to clarify that these methods will not be, or at least we hope, the only ones to be used.

In fact, further control methods are being studied that can also be adopted by Public Administrations, and specifically, we are talking about:

Open-source packages released by the Ministry of Health;

The creation of a special section of the NoiPA website for the control of the green certificate of the public employees adhering to the platform;

and finally, a system of connection between offices that can manage the control of the validity of the green certificate for PAs with more than 1000 employees.

Having clarified what are, or will be, the methods and modalities of control, the question we must ask ourselves is: “What will the verification consist of?” And it was precisely the Data Protection Authority to answer this question, stating that: “The verification activity shall not involve the collection of data of the interested party in any form, except those strictly necessary, in the work environment, to the application of the measures resulting from the lack of possession of the certification. The system used for the verification of the Green Pass shall not store the QR code of the green certifications subject to verification, nor extract, consult, record or otherwise process for other purposes the information detected”.

The indications of the Data Protection Authority are, therefore very clear, NO to the storage of the QR code, NO to the extraction of information for purposes other than those related to knowing if you are in possession of green certification or if you should apply the measures resulting from the lack of possession of the same.

Based on the above, what will those who want to be in compliance with current regulations have to do?

The first step will certainly be to provide adequate training to the staff in charge of control; this must be appointed by the owner of the company with a specific letter of appointment and will have a crucial role since it will be entrusted not only with the mere control of the Green Pass, but also with the rejection of all proposals, and there will be some, of those who will propose: “I’ll leave you a copy”, “take a picture of it” or even worse “take note of the data and the deadline”.

Another activity will be the adjustment of the privacy register in which it will be necessary to make a note of the control activity of the Green Pass and also of the fact that the data will not be treated for purposes other than knowing whether or not the certification itself has been issued.

The same applies to the information in which, as recommended by authoritative voices, it will be advisable to provide broad formulas but at the same time the specific indication that no data relating to green certification will be processed for different purposes. A final mention concerns the consent forms, which also need to be revised in a broad form, without prejudice to the impossibility of processing.

What sanctions are foreseen in case of non-compliance with the regulations both on the employer side and of the workers?

On the employer’s side, the applicable sanctions will be both an administrative fine for an amount between € 400.00 and € 1000.00 and a fine established by the Privacy Code, up to 10 million euros.

Any other breaches will be sanctioned according to art. 83 par. 3 and 4, which specifically states “administrative fines up to 10 000 000 euros, or for companies, up to 2% of the total annual worldwide turnover of the previous year……”.

On the employee’s side, on the other hand, we will find not only the sanction of suspension from work but also salary, but also the administrative sanction from € 600,00 to € 1500,00 imposed based on the communication that the employer will have to forward to the police Prefect’s office and finally the sanctions provided for by the collective agreement of the sector will be applied.

A particular case is that of the dismissal of the employee who refuses the vaccine, a circumstance on which more normative references would be necessary.

The Paoletti Law Group will be able to assist you in all of the obligations relating to the Privacy Law both in the drafting phase of the DPIA (Data Protection Impact Assessment) and the PIA (Privacy Impact Assessment) and in the adaptation phase to the changes introduced by DL n. 127/2021 as well as in all of the practices relating to the adaptation of the Privacy Law necessary for companies that intend to operate in the EU market and beyond.

Author – Alessio Masala