The rules governing the use of the green pass, set out in Legislative Decrees 52/2021 and 127/2021 and reiterated by Regulation 2021/953, inevitably involve the processing of personal data, so both sets of rules must be complied with wherever the green pass is used. Below we analyse the data protection implications of using the green pass for access to workplaces, starting from the operations that follow from the employer's obligation of verification and assessment, and from whether those operations can be classed as processing of personal data under the GDPR.
Verification of the certificate
The employer, acting through specially appointed persons, is obliged to verify the existence of a valid green pass, and may also ascertain the correspondence between the holder and the data subject, as well as possible violations of the prohibition of access without a green pass. Before examining the implications that such operations may have under the GDPR, it must be established whether the regulation itself applies to these cases: that is, whether such operations constitute processing of personal data falling within the scope of the GDPR.
As regards the nature of the data involved, there is no doubt that the majority of the data consists of information that can be directly or indirectly traced back to a data subject, the holder of the certificate: in other words, it consists of “personal data” as defined by the GDPR.
The definition of “processing” contained in the regulation, referring to “any operation or set of operations, carried out with or without the help of automated processes and applied to personal data or sets of personal data”, does not seem to leave any doubt that the operations of verifying the green pass fall within its scope.
Therefore, the operations related to the verification of the green pass qualify as “processing of personal data” according to the definitions of the regulation.
Applicability of GDPR to processing of personal data related to verification
Having established that verification operations constitute processing of personal data, the next question is whether such “processing” falls within the scope of the GDPR. Article 2 of the regulation, on the material scope, states that the GDPR “applies to the processing of personal data wholly or partially by automatic means and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”
Verification of digital or paper certificate
On the basis of what has been indicated above, it is necessary to establish whether the operation of verification
- of the digital certificate, obtained by scanning the QR Code through the “VerificaC 19” app, is a “wholly or partially automated processing of personal data”; or
- of the paper certificate, through visual inspection by the person in charge, is a “non-automated processing of personal data contained in a file or intended to appear in it”.
A) Digital certificate verification
The first question seems to be answered in the affirmative for the following reasons:
- The verification of the digital certificate is a processing operation. The definition of the term “processing” sets no predefined boundaries on the type of operations it covers, and the examples of extraction, consultation and use contained in that definition lead to the conclusion that scanning the QR Code, through which the VerificaC 19 app determines whether a valid certificate exists, is a process of consultation, extraction and use of personal data carried out by the app, even if the result obtained is limited to validation or rejection. Consequently, the verification of the digital certificate is a processing of personal data carried out through an automated process.
- As noted in the EDPB’s Guidelines 07/2020 on the concepts of data controller and data processor, the acquisition of personal data by the data controller is not a necessary condition for the attribution of controller status.
B) Paper certificate verification
The verification of the paper certificate is carried out in a way that excludes the collection and storage of the data contained in the certificate. The operation consists in the person in charge merely viewing the relevant data present on the green pass (potentially only those present in the first quarter, i.e. the quarter visible after folding the sheet into four parts). The processing is therefore not automated, not even in part, nor are the data, which are only viewed and not collected, destined to be stored in an archive. From these considerations, it could be concluded that the GDPR does not apply to the verification of the paper green pass. The Dutch supervisory authority has taken the same position regarding the measurement of the body temperature of those who enter the workplace, by a single person in charge, by means of analogue and not automated instrumentation, without data collection.
Ascertainment of violations
There seems to be no doubt that the GDPR applies to the operations of ascertaining violations of the prohibition of access without a green pass, even in the case of paper verification, since such ascertainment triggers the sanctioning procedure, with the inevitable collection and storage of personal data destined for structured archives.