Covid-19 Green Certifications for sport events: Italian Supervisory Authority imposes a temporary limitation of the processing for the Mitiga app due to lack of legal basis

The service provided the user with the certification of possessing the so called COVID-19 Green Certifications requirements for the purpose of participation in sporting events and other public shows.

The Italian Authority considered that there is not a valid legal basis for the processing of data - even particular ones, such as those related to the state of health - carried out by the Mitiga Italia app.

The provision is based on the statements exposed in the 2021, 23rd of April pronounce regarding “the treatments carried out in relation to the green certification for COVID-19 provided by the Legislative Decree of the 2021, 22nd of April”. It noted that the Legislative Decree no. 52 of 2021, 22nd of April 2021, which adopts measures for the reopening of public shows and sporting events, does not constitute a legitimate legal basis for the introduction and use of Green Certifications at national level; in fact, it lacks some of the essential required elements by the Regulation (Articles 6(2) and 9) and the Italian Privacy Code (Articles 2-ter and 2-sexies). 

Specifically, the Authority considered:

The Authority first pointed out that only a State law can subject certain rights to the exhibition of the COVID-19 Green Certification. In addition, it observed that, “for a legal processing, it is essential that the law provides a sufficiently determined border to the extent of its force, both from a subjective and objective point of view, that it introduces adequate guarantees to the impact of the processing on citizen rights and to the nature of the data the Treaties”.

The Authority also noted that the L.D. no. 52/2021 does not appear to comply with the data protection set of rules, according to which, in the after-hours of the adoption of the decree of the President of the Council of Ministers referred to in art. 9, paragraph 10, it is allowed the use of Green Certifications issued before the entry into force of the aforementioned Decree (art. 9, paragraphs 4 and 10 of the L.D. no. 52/2021); in fact “those documents would be issued in the absence of the measures that will be identified by the aforementioned delegated Decree" (provision of 2021, 23rd of April, point 2).

Since having Mitiga submitted the application to the Authority on the 1st of April, the company should have refrained from any data processing for not having expired the time provided for in the Regulation for issue of a decision by the Authority.